diff --git a/.github/workflows/buildandpush-app.yaml b/.github/workflows/buildandpush-app.yaml
index 4741839..fb87b5a 100644
--- a/.github/workflows/buildandpush-app.yaml
+++ b/.github/workflows/buildandpush-app.yaml
@@ -38,6 +38,12 @@ jobs: images: name: ImageBuild + permissions: + contents: read + issues: read + checks: write + pull-requests: write + id-token: 'write' needs: build_apps runs-on: ubuntu-latest environment: Dev
@@ -49,9 +55,8 @@ jobs: - name: Authenticate with Google Cloud uses: 'google-github-actions/auth@v2' with: - project_id: ${{ secrets.PROJECT_ID }} workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITYPROVIDER }} - credentials_json: ${{ secrets.GCP_CREDENTIALS }} + service_account: ${{ secrets.SERVICE_ACCOUNT }} - name: Build and Push Image run: |
diff --git a/.github/workflows/infra-release.yaml b/.github/workflows/infra-release.yaml
index 33d888a..fac888c 100644
--- a/.github/workflows/infra-release.yaml
+++ b/.github/workflows/infra-release.yaml
@@ -8,6 +8,12 @@ on: jobs: terraform-release: + permissions: + contents: read + issues: read + checks: write + pull-requests: write + id-token: 'write' name: "Terraform Release" runs-on: ubuntu-latest environment: Dev
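Review bot: The job-level `permissions` block added to the ImageBuild job grants more than the steps visible in this workflow use: authenticating to Google Cloud and building/pushing an image need `contents: read` and `id-token: write`, while `checks: write`, `pull-requests: write` and `issues: read` only widen what a compromised step or third-party action could do with `GITHUB_TOKEN` (for example rewriting pull requests). Unless a step outside this hunk posts check runs or PR comments, trim it to `permissions: { contents: read, id-token: write }`; the same six-line block is copied verbatim into the infra-release and k8s-apps-release jobs in this diff, so the same scoping applies there. As a style point, `id-token: 'write'` is the only quoted value in the block — drop the quotes to match `contents: read`.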
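Review bot: Replacing `credentials_json` with Workload Identity Federation and `service_account` on `google-github-actions/auth@v2` only stops this workflow from using the exported key; the key behind `GCP_CREDENTIALS` stays valid in GCP until it is deleted from the service account, and the repository secret stays readable to anyone who can edit a workflow. Disable and delete that key (`gcloud iam service-accounts keys delete … --iam-account …`) and remove the `GCP_CREDENTIALS` secret as part of this change, and confirm that the pool provider behind `WORKLOAD_IDENTITYPROVIDER` carries an attribute condition restricting the `repository` claim to this repo, since the diff does not show it. With WIF this step becomes the sole root of trust for cloud access, so pinning it to a commit SHA rather than the mutable `@v2` tag, e.g. `uses: google-github-actions/auth@<full-sha> # v2`, is worth doing in the same pass.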
@@ -41,18 +47,17 @@ jobs: - name: Authenticate with Google Cloud uses: 'google-github-actions/auth@v2' with: - project_id: ${{ secrets.PROJECT_ID }} workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITYPROVIDER }} - credentials_json: ${{ secrets.GCP_CREDENTIALS }} + service_account: ${{ secrets.SERVICE_ACCOUNT }} - name: Terraform Plan if: ${{ github.event_name == 'pull_request' }} run: | chmod +x ci/scripts/*.sh - python ci/scripts/execute-terraform.py --config ci/configs/pipeline-config.json --command plan --env dev + python3 ci/scripts/execute-terraform.py --config ci/configs/pipeline-config.json --command plan --env dev - name: Terraform Apply if: ${{ github.event_name != 'pull_request' }} run: | chmod +x ci/scripts/*.sh - python ci/scripts/execute-terraform.py --config ci/configs/pipeline-config.json --command apply --env dev + python3 ci/scripts/execute-terraform.py --config ci/configs/pipeline-config.json --command apply --env dev
diff --git a/.github/workflows/k8s-apps-release.yaml b/.github/workflows/k8s-apps-release.yaml
index 993674c..7c96882 100644
--- a/.github/workflows/k8s-apps-release.yaml
+++ b/.github/workflows/k8s-apps-release.yaml
@@ -12,6 +12,12 @@ env: jobs: deploy: name: DeployApps + permissions: + contents: read + issues: read + checks: write + pull-requests: write + id-token: 'write' runs-on: ubuntu-latest environment: Dev steps:
@@ -22,9 +28,8 @@ jobs: - name: Authenticate with Google Cloud uses: 'google-github-actions/auth@v2' with: - project_id: ${{ secrets.PROJECT_ID }} workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITYPROVIDER }} - credentials_json: ${{ secrets.GCP_CREDENTIALS }} + service_account: ${{ secrets.SERVICE_ACCOUNT }} - name: Configure kubectl uses: google-github-actions/setup-gcloud@v0
diff --git a/ci/scripts/cmd-terraform-generic.sh b/ci/scripts/cmd-terraform-generic.sh
index 2f7e01e..a6ccbdf 100644
--- a/ci/scripts/cmd-terraform-generic.sh
+++ b/ci/scripts/cmd-terraform-generic.sh
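Review bot: The `Terraform Plan` step (gated on `pull_request`) and the `Terraform Apply` step (every other event) both run after the single auth step and therefore share `secrets.SERVICE_ACCOUNT`, so a pull request from a branch in this repository that edits `ci/scripts/execute-terraform.py` executes arbitrary code with the apply-capable identity before anyone reviews it. Unless the `Dev` environment enforces required reviewers (not visible here), give the plan path a separate read-only principal, for example `service_account: ${{ github.event_name == 'pull_request' && secrets.PLAN_SERVICE_ACCOUNT || secrets.SERVICE_ACCOUNT }}`, or split plan and apply into separate jobs with their own `permissions` and environment. The `python` → `python3` change is fine; the `on:` block that decides which events reach `Terraform Apply` lies outside this hunk.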
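Review bot: The `Configure kubectl` step that follows the new WIF authentication still uses `google-github-actions/setup-gcloud@v0`, two major versions behind the `auth@v2` action it now depends on; that release line may predate the credential file `auth@v2` exports, so its compatibility with WIF should be confirmed, and an unmaintained action version in a deploy job is a supply-chain liability. Bump it to `uses: google-github-actions/setup-gcloud@v2` (ideally SHA-pinned), and since `project_id` was removed from the auth step, verify that gcloud still resolves the intended project for `kubectl` — either via the service account's project or an explicit `project_id` input on `setup-gcloud`. The rest of the kubectl configuration is outside this hunk.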
@@ -17,6 +17,7 @@ ENV_NAME=$3 WORKSPACE=$4 # Get absolute path of terraform environment +ls ENV_DIR="$(cd "${TERRAFORM_DIRECTORY}/environments/${ENV_NAME}/"; pwd -P)" pushd ${ENV_DIR} > /dev/null
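Review bot: The added bare `ls` before the `ENV_DIR=` assignment looks like a debugging leftover: it lists whatever directory the script is invoked from into the CI log, adding noise and, in a public repository, advertising the checkout layout for no functional gain. Remove it, or if visibility is wanted, make it intentional and targeted, e.g. `# Debug: list available environments` followed by `ls "${TERRAFORM_DIRECTORY}/environments/"`. Note also that the adjacent `ENV_DIR="$(cd "…"; pwd -P)"` joins with `;`, so a failed `cd` (a typo in `ENV_NAME`) silently yields the caller's directory and `pushd` proceeds there; `$(cd "…" && pwd -P)` followed by a non-empty check fails fast instead — the script's `set` options are outside this hunk.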