Update readme with workload identity based authentication for GCR and GAR #112
Conversation
|
@crazy-max @jonjohnsonjr Can we merge this PR ? |
|
Seems fine to me, @sethvargo does this look right? |
| @@ -167,8 +171,48 @@ jobs: | |||
| password: ${{ secrets.GCR_JSON_KEY }} | |||
| ``` | |||
|
|
|||
| #### Workload identity federation based authentication | |||
There was a problem hiding this comment.
Nit: I would prefer if WIF was first since it's the preferred method
README.md
Outdated
| steps: | ||
| - id: 'auth' | ||
| name: 'Authenticate to Google Cloud' | ||
| uses: 'google-github-actions/auth@v0.4.1' |
There was a problem hiding this comment.
| uses: 'google-github-actions/auth@v0.4.1' | |
| uses: 'google-github-actions/auth@v0' |
README.md
Outdated
| runs-on: ubuntu-latest | ||
| steps: | ||
| - id: 'auth' | ||
| name: 'Authenticate to Google Cloud' |
There was a problem hiding this comment.
I think this indentation is off by two spaces for this entire section
README.md
Outdated
| steps: | ||
| - id: 'auth' | ||
| name: 'Authenticate to Google Cloud' | ||
| uses: 'google-github-actions/auth@v0.4.1' |
There was a problem hiding this comment.
| uses: 'google-github-actions/auth@v0.4.1' | |
| uses: 'google-github-actions/auth@v0' |
README.md
Outdated
| ``` | ||
| > Replace `<workload_identity_provider>` with configured workload identity provider | ||
|
|
||
| > Replace `<service_account>` with configured service account in workload identity provider which has access to push to GCR |
README.md
Outdated
|
|
||
| on: | ||
| push: | ||
| branches: master |
There was a problem hiding this comment.
Changed in all the places
README.md
Outdated
|
|
||
| on: | ||
| push: | ||
| branches: master |
There was a problem hiding this comment.
Changed in all the places
| password: ${{ steps.auth.outputs.access_token }} | ||
| ``` | ||
|
|
||
| > Replace `<workload_identity_provider>` with configured workload identity provider |
There was a problem hiding this comment.
It appears your commits messages are missing a DCO sign-off, causing the DCO check to fail.
We require all commit messages to have a Signed-off-by line with your name and e-mail, which looks something like:
Signed-off-by: YourFirsName YourLastName <yourname@example.org>
There is no need to open a new pull request, but to fix this (and make CI pass), you need to amend the commit(s) in this pull request, and "force push" the amended commit.
Unfortunately, it's not possible to do so through GitHub's web UI, so this needs to be done through the git commandline.
You can find some instructions in the output of the DCO check (which can be found in the "checks" tab on this pull request), as well as in the Moby contributing guide.
Steps to do so "roughly" come down to:
-
Set your name and e-mail in git's configuration:
git config --global user.name "YourFirstName YourLastName" git config --global user.email "yourname@example.org"(Make sure to use your real name (not your GitHub username/handle) and e-mail)
-
Clone your fork locally
-
Check out the branch associated with this pull request
-
Sign-off and amend the existing commit(s)
git commit --amend --no-edit --signoffIf your pull request contains multiple commits, either squash the commits (if needed) or sign-off each individual commit.
-
Force push your branch to GitHub (using the
--forceor--force-with-leaseflags) to update the pull request.
Sorry for the hassle (I wish GitHub would make this a bit easier to do), and let me know if you need help or more detailed instructions!
… GAR Signed-off-by: Dinesh B <dineshudt17@gmail.com> Signed-off-by: Dinesh <dineshb@thoughtworks.com>
|
Hi @crazy-max Added the missing sign-off and squashed into one commit. Please review |
As keyless authentication is recommended, added instructions for GCR and GAR.
References:
registry login using access token:
workload identity: