icu4x icon indicating copy to clipboard operation
icu4x copied to clipboard

Published 20 hours ago verified publisher icon unicode-org

Add webhook to make Workload Identity Providers work on forks

Open sffc opened this issue 2 years ago • 5 comments
trafficstars

We've been using Workload Identity Federation to access GCP resources from the main repository; it has been working smoothly, and this is the recommended approach by Google for GitHub Actions to access these resources.

However, we don't currently use Workload Identity Federation for actions in forked repositories. We currently have a JSON key shared with core contributors, and those core contributors need to add it manually as a secret in their fork. The advantage of this approach is that it is self-service, but it has a steeper barrier to entry than desired. Also, JSON keys are discouraged since they're subject to credential leakage.

A key difference with Workload Identity Federation is that there is an allowlist of repositories whose GitHub Actions are allowed to access the resources. This allowlist lives inside GCP in the form of Attribute Conditions on a Workload Identity Pool Provider.

Therefore, a clean solution to this credentials problem would be to create a GitHub Webhook that triggers when users are added or removed from the unicode-org/icu4x-triage team. The webhook would call the API to add or remove that user from the Workload Identity Federation allowlist. The webhook can be hosted as a Cloud Function similar to the GitHub-Jira bot.

Helpful docs links:

  • GitHub Webhook: https://docs.github.com/en/webhooks/webhook-events-and-payloads#membership
  • GCP Workload Identity Pool Providers: https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers

sffc avatar Oct 23 '23 16:10 sffc

unicode-org/icu4x-triage doesn't change much, it's probably less work to manually update the list.

robertbastian avatar Oct 24 '23 10:10 robertbastian

It's less about the work and more about not being blocked on a specific administrator who knows how to do it.

sffc avatar Oct 25 '23 16:10 sffc

As a first step, can we use identity federation with allowlisted repos?

robertbastian avatar Oct 25 '23 16:10 robertbastian

Yes, this can be done in a few steps:

  1. Manually add all contributors to an allowlist in GCP and switch to Workload Identity Federation for the docs build jobs
  2. Write a script that invokes the GCP APIs to update the allowlist that can be run by anyone with sufficient permissions
  3. Configure a cloud function to run the script in response to the GitHub webhook

sffc avatar Oct 25 '23 16:10 sffc

It looks like we can use pull_request_target to grant access to the job from PRs. One tip is that we could use PR labels to conditionally run the job. For inspiration, see:

https://github.com/GoogleCloudPlatform/alloydb-java-connector/blob/main/.github/workflows/ci.yaml

sffc avatar May 30 '24 23:05 sffc