gargle
Auth via Google's `auth` GitHub Action
https://cloud.google.com/blog/products/identity-security/enabling-keyless-authentication-from-github-actions
Given that gargle already supports Application Default Credentials, I am optimistic it won't be too hard to make use of this.
Thank you for considering this functionality. I have been trying to build a GitHub Action that uses the YouTube Data API v3, and it would be great to be able to do it all without having to upload a secret. I haven't had luck finding a flow in httr, httr2, or gargle that can handle the access_token returned from the auth GitHub Action:
```yaml
on: [push]
name: youtube-api-test
jobs:
  youtube-api-test:
    runs-on: macOS-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/977381217576/locations/global/workloadIdentityPools/youtube-data-api/providers/youtube-data-api'
          service_account: '[email protected]'
      - uses: r-lib/actions/setup-r@v2
      - uses: r-lib/actions/setup-r-dependencies@v2
        with:
          cache-version: 2
      - name: 'Explore access_token names'
        run: |
          Rscript -e 'access_token <- jsonlite::fromJSON(Sys.getenv("GOOGLE_APPLICATION_CREDENTIALS"))' \
            -e 'names(access_token)'
```
This returns the following names:
```
[1] "type"                              "audience"
[3] "subject_token_type"                "token_url"
[5] "service_account_impersonation_url" "credential_source"
```
Since some R API wrapper package functions (e.g., tuber::list_channel_videos()) expect a httr::oauth2.0_token(), would this auth flow permit the resulting WifToken or other returned files to be compatible with different R API wrapper packages depending on whether they were implemented in httr, httr2, or gargle?
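
The six field names printed above are those of a workload identity federation credential configuration, which names endpoints and identifiers rather than holding a token. As an added example (not code from gargle, httr2 or anyone in this thread), this is the three-step exchange that turns such a file into a service-account access token with httr2. It assumes `credential_source` uses the URL-sourced layout (`url`, `headers`, `format$subject_token_field_name`); the function names and the default `scopes` value are also assumptions.

```r
library(httr2)  # written against the current httr2 API; needs R >= 4.1 for |>

# Read the credential configuration written by the auth action. It names
# endpoints and identifiers (the fields listed above); it holds no token.
read_wif_config <- function(path = Sys.getenv("GOOGLE_APPLICATION_CREDENTIALS")) {
  cfg <- jsonlite::fromJSON(path, simplifyVector = FALSE)
  # Only send tokens to Google's STS and IAM Credentials hosts.
  stopifnot(
    identical(cfg$type, "external_account"),
    startsWith(cfg$token_url, "https://sts.googleapis.com/"),
    startsWith(cfg$service_account_impersonation_url,
               "https://iamcredentials.googleapis.com/")
  )
  cfg
}

# Step 1: fetch the GitHub OIDC token (assumed URL-sourced credential_source).
fetch_subject_token <- function(cfg) {
  src <- cfg$credential_source
  req <- do.call(req_headers, c(list(request(src$url)), src$headers))
  resp_body_json(req_perform(req))[[src$format$subject_token_field_name]]
}

# Step 2: exchange it at token_url for a short-lived federated token.
exchange_token <- function(cfg, subject_token) {
  request(cfg$token_url) |>
    req_body_form(
      grant_type = "urn:ietf:params:oauth:grant-type:token-exchange",
      requested_token_type = "urn:ietf:params:oauth:token-type:access_token",
      audience = cfg$audience,
      subject_token_type = cfg$subject_token_type,
      subject_token = subject_token,
      scope = "https://www.googleapis.com/auth/cloud-platform"
    ) |>
    req_perform() |>
    resp_body_json() |>
    getElement("access_token")
}

# Step 3: impersonate the service account; `scopes` default is an assumption.
wif_access_token <- function(
    scopes = "https://www.googleapis.com/auth/cloud-platform") {
  cfg <- read_wif_config()
  federated <- exchange_token(cfg, fetch_subject_token(cfg))
  request(cfg$service_account_impersonation_url) |>
    req_auth_bearer_token(federated) |>
    req_body_json(list(scope = as.list(scopes))) |>
    req_perform() |>
    resp_body_json() |>
    getElement("accessToken")  # bearer token: keep it out of logs
}
```

`wif_access_token()` returns a plain character string that can be passed to `httr2::req_auth_bearer_token()` on later requests.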