stack:
- Google Cloud Storage
- Workload Identity Federation
- Service Accounts
- Static Site (Astro)
ref:
- upload-cloud-storage marketplace actions
- How to deploy Cloud Run services with GitHub Actions
- How to use Github Actions with Google's Workload Identity Federation
- WIF for github actions using cli
- github token issuer
- How to Deploy Static Site to GCP CDN with GitHub Actions
intro:
In this article, we'll create a GitHub Actions workflow that builds an Astro project and uploads the generated dist/ assets to Google Cloud Storage. We'll authenticate using Workload Identity Federation (WIF), so no long-lived service account key is ever created or stored in GitHub, and we'll set everything up through the Google Cloud Console (web UI) from end to end. By the end, every push to the repository's main branch triggers a build and publishes the static site to a GCS bucket.
Objective:
Implement a GitHub Actions pipeline that uploads dist/ to Google Cloud Storage using Workload Identity Federation, with one WIF pool/provider shared by all repositories and a dedicated service account per repository.
step:
1. Create Workload Identity Federation
- open the side menu, then choose Workload Identity Federation
- choose Create Pool
- fill in the form in the first phase
- fill in the form in the second phase: choose OIDC, and for the issuer use the GitHub token issuer URL from GitHub's OIDC documentation, https://token.actions.githubusercontent.com
keep the provider resource name, we will use it later (the project number below is a placeholder; yours will differ):
provider: projects/111111111111/locations/global/workloadIdentityPools/github-action-pool/providers/github-action-provider
- fill in the form for the third phase
// attribute mapping
google.subject=assertion.sub
attribute.repository=assertion.repository
// conditions
assertion.repository.startsWith("{{git_owner}}/")
change git_owner to your GitHub user or organization name. The condition matters: without it the provider would exchange a token from any repository on github.com, because every one of them is signed by the same issuer. With it, only repositories under your owner get past the provider, and the per-repository binding in step 3 narrows that further to the repositories you name. google.subject is limited to 127 characters; GitHub's sub of the form repo:owner/repo:ref:refs/heads/main fits for ordinary repository names.
2. Create Service Accounts
- open the side menu, choose Service Accounts, then choose the Create service account button
- fill in the form in phase 1
- give this service account only what the upload needs: a role on the target bucket (Storage Object Admin covers creating and overwriting objects) rather than a project-wide role. One service account per repository keeps a token from one repository from writing to another repository's bucket.
3. Connect Service Account to Workload Identity Federation
- click the pool we created before
- a. choose the Grant access button
- b. choose Grant access using service account impersonation
- c. choose the service account we created before
- d. in Select principals, choose repository and fill in your owner_name/repo_name; this binds the service account only to tokens whose attribute.repository equals that value
- e. choose Dismiss, because we don't need the downloaded credential configuration file (the auth action generates its own)
- f. wait a moment for the service accounts list to reload and the principal appears; to deploy from another repository, create its own service account and repeat from step 3.a with that repository's owner_name/repo_name
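The chain set up in steps 1 and 3 is easier to reason about when written out. The block below is an added example, not code from the original article, Google or GitHub: it models in Python the two checks a GitHub Actions OIDC token passes before it may impersonate a service account, namely the provider's attribute mapping and attribute condition (step 1) and the roles/iam.workloadIdentityUser binding to a principalSet for one owner/repo (step 3d). The project number, pool and provider IDs, the owner name example-org (standing in for {{git_owner}}), the repository names and the service account emails are placeholders, and the token claims are constructed sample data that use the claim names GitHub actually puts in its OIDC tokens.

```python
# Added example, not code from the original article, Google or GitHub:
# a local model of the two checks a GitHub Actions OIDC token passes before
# it may impersonate the service account configured in steps 1 and 3.
#   1. the provider's attribute mapping and attribute condition (step 1)
#   2. the roles/iam.workloadIdentityUser binding on the service account,
#      granted to principalSet://.../attribute.repository/<owner>/<repo> (step 3d)
# Project number, pool/provider IDs, owner, repository and service account
# names are placeholders; the token claims are constructed sample data.

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
PROJECT_NUMBER = "111111111111"       # placeholder, as on the page
POOL_ID = "github-action-pool"
PROVIDER_ID = "github-action-provider"
GIT_OWNER = "example-org"             # assumption: stands in for {{git_owner}}

PROVIDER_NAME = (f"projects/{PROJECT_NUMBER}/locations/global/"
                 f"workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}")
# Default audience google-github-actions/auth requests and the provider accepts.
EXPECTED_AUDIENCE = f"https://iam.googleapis.com/{PROVIDER_NAME}"

# Step 1, third phase: attribute mapping (Google attribute -> token claim).
ATTRIBUTE_MAPPING = {
    "google.subject": "sub",
    "attribute.repository": "repository",
}


def attribute_condition(claims: dict) -> bool:
    """CEL condition from step 1: assertion.repository.startsWith("<owner>/")."""
    return claims.get("repository", "").startswith(f"{GIT_OWNER}/")


def map_attributes(claims: dict) -> dict:
    """Apply the attribute mapping; reject the token if a mapped claim is missing."""
    mapped = {}
    for google_attr, claim in ATTRIBUTE_MAPPING.items():
        if claim not in claims:
            raise ValueError(f"token lacks claim '{claim}' needed for {google_attr}")
        mapped[google_attr] = claims[claim]
    if len(mapped["google.subject"]) > 127:   # documented limit for google.subject
        raise ValueError("google.subject exceeds 127 characters")
    return mapped


def principal_set_for_repo(repository: str) -> str:
    """Member string the console creates in step 3d for one owner/repo."""
    return (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{POOL_ID}/attribute.repository/{repository}")


# Step 3: one dedicated service account per repository, each bound to exactly
# one principalSet (constructed sample bindings).
SA_BINDINGS = {
    "website-deployer@my-project.iam.gserviceaccount.com":
        {principal_set_for_repo(f"{GIT_OWNER}/website")},
    "docs-deployer@my-project.iam.gserviceaccount.com":
        {principal_set_for_repo(f"{GIT_OWNER}/docs")},
}


def exchange_token(claims: dict, service_account: str) -> str:
    """Return 'allowed' or the reason the impersonation request is rejected."""
    if claims.get("iss") != GITHUB_ISSUER:
        return "rejected: issuer is not GitHub"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return "rejected: audience does not name this provider"
    if not attribute_condition(claims):
        return "rejected: attribute condition (repository owner) failed"
    mapped = map_attributes(claims)
    member = principal_set_for_repo(mapped["attribute.repository"])
    if member not in SA_BINDINGS.get(service_account, set()):
        return "rejected: no workloadIdentityUser binding for this repository"
    return "allowed"


def github_claims(owner: str, repo: str, ref: str = "refs/heads/main") -> dict:
    """Constructed subset of a GitHub Actions OIDC token payload."""
    return {
        "iss": GITHUB_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": f"repo:{owner}/{repo}:ref:{ref}",
        "repository": f"{owner}/{repo}",
        "repository_owner": owner,
        "ref": ref,
        "workflow": "Deploy static site to Google Cloud Storage",
    }


if __name__ == "__main__":
    sa = "website-deployer@my-project.iam.gserviceaccount.com"
    for owner, repo in [(GIT_OWNER, "website"), (GIT_OWNER, "docs"), ("other-org", "website")]:
        print(f"{owner}/{repo:<8} -> {exchange_token(github_claims(owner, repo), sa)}")
```

Running it shows the two layers doing different jobs: a token from other-org/website never gets past the provider's attribute condition, while a token from example-org/docs passes the provider but is refused by the website deployer's binding, which is exactly why each repository gets its own service account. If deploys should only ever come from one branch, the same condition field in step 1 can be tightened with assertion.ref == "refs/heads/main".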
4. Create GitHub action workflow
- choose New workflow button
- choose set up a workflow yourself
- in this article, our purpose is to upload the dist directory to Google Cloud Storage, so the workflow builds the site first and then uploads it
# Sample workflow for building and deploying a static site to Google Cloud Storage
name: Deploy static site to Google Cloud Storage

on:
  # Runs on pushes targeting the default branch
  push:
    branches: ["main"]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # needed for WIF: lets the job request a GitHub OIDC token
      contents: read
    env:
      BUCKET: ${{ vars.GCS_BUCKET_NAME }}
      REGION: ${{ vars.GCS_BUCKET_REGION }} # not used by the steps below
    steps:
      - id: 'checkout'
        uses: 'actions/checkout@v4'
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      # Build before authenticating, so npm scripts never run with Google credentials present
      - run: npm ci
      - run: npm run build
      # Authenticate to GCP (WIF)
      - id: 'auth'
        name: Auth to Google Cloud (WIF)
        uses: 'google-github-actions/auth@v3'
        with:
          workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER }}
          service_account: ${{ secrets.GCP_SA_EMAIL }}
      - id: 'upload-folder'
        name: 'Upload folder to GCS'
        uses: 'google-github-actions/upload-cloud-storage@v3'
        with:
          path: dist/
          destination: ${{ env.BUCKET }}
          parent: false # upload the contents of dist/, not a dist/ prefix
- paste the workflow above into the editor
- choose the Commit changes... button
set up the secrets and variables
- because we don't target a GitHub environment, the values live at repository scope (Settings > Secrets and variables > Actions)
- set the 2 secrets the workflow uses: GCP_WIF_PROVIDER (the provider resource name saved in step 1) and GCP_SA_EMAIL (the email of the service account from step 2)
- after the secrets, set the variables GCS_BUCKET_NAME and GCS_BUCKET_REGION based on your bucket info