
Use Workload Identity Federation for GHA build cache

Open coryan opened this issue 2 years ago • 2 comments

The build cache for GitHub Actions uses a service account key. These expire after 90d and need to be manually rotated. We could use Workload Identity Federation (WIF) to configure the cache.

We already have a workflow using WIF:

https://github.com/googleapis/google-cloud-cpp/blob/17c04558715c9c5492be40cd00cd13ca7677761d/.github/workflows/external-account-integration.yml#L64-L71

And apparently both sccache and Bazel support WIF:

https://github.com/mozilla/sccache/blob/main/docs/Gcs.md#external-accounts

https://www.omerlh.info/2022/05/16/how-to-fast-and-secure-builds-with-bazel-remote-cache/

It seems like it is "simply" a matter of gluing all the pieces together.

coryan avatar Oct 16 '23 15:10 coryan
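The glue the issue describes, as an added example that is not from the google-cloud-cpp repository: a GitHub Actions job that exchanges the runner's OIDC token for short-lived Google Cloud credentials via WIF and hands the resulting external-account file to sccache, so no long-lived service account key is stored as a secret. The pool/provider path, service account, bucket name and the sccache-action version are placeholders; the `SCCACHE_GCS_*` variable names are those documented in the linked sccache Gcs.md.

```yaml
# Added example, not part of google-cloud-cpp. All project-specific values are placeholders.
name: build-with-wif-cache
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: lets the job request the GitHub OIDC token that WIF exchanges
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived GCP credentials. The action writes an
      # external-account credentials JSON and exports GOOGLE_APPLICATION_CREDENTIALS for later steps.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          # Placeholders: PROJECT_NUMBER, POOL, PROVIDER and the service account are hypothetical.
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: build-cache@PROJECT_ID.iam.gserviceaccount.com

      # Assumption: sccache is installed with mozilla-actions/sccache-action (any install method works).
      - uses: mozilla-actions/sccache-action@v0.0.5

      # sccache reads the external-account file written by the auth step instead of a key file.
      # Keep the cache read-only for pull_request runs so untrusted changes cannot poison it;
      # only trusted branches (push) get READ_WRITE.
      - name: Build with sccache-backed GCS cache
        env:
          SCCACHE_GCS_BUCKET: my-build-cache-bucket   # placeholder bucket name
          SCCACHE_GCS_RW_MODE: ${{ github.event_name == 'push' && 'READ_WRITE' || 'READ_ONLY' }}
          SCCACHE_GCS_KEY_PATH: ${{ steps.auth.outputs.credentials_file_path }}
          CMAKE_CXX_COMPILER_LAUNCHER: sccache
        run: |
          cmake -S . -B build
          cmake --build build
          sccache --show-stats   # verify hits/misses to confirm the cache was actually reached
```

The service account bound to the WIF provider only needs object read/write on the cache bucket; restrict the provider's attribute condition to this repository so other repositories' OIDC tokens cannot impersonate it.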

Subscribing for updates. I will try and get to this this week if I have time. Or next operator shift.

alevenberg avatar Nov 07 '23 16:11 alevenberg

This would remove the key update maintenance we currently perform. We want to do it. We need to test to see if WIF works with sccache and bazel for this to move forward.

scotthart avatar Apr 24 '24 19:04 scotthart

We've done some refactoring of build cache access. Nonetheless, we probably still want to figure out how to reduce toil regarding this.

scotthart avatar Oct 16 '24 19:10 scotthart

Service appears to have been replaced by apihub. Closing.

scotthart avatar Oct 16 '24 19:10 scotthart