DEV Community: ADITYA OKKE SUGIARSO

Upload to Google Cloud Storage with GitHub Actions

ADITYA OKKE SUGIARSO — Thu, 25 Sep 2025 02:47:23 +0000

stack:

Google Cloud Storage
Workload Identity Federation
Service Accounts
Static Site (Astro)

ref:

intro:

In this article, we'll create a GitHub Actions workflow that builds an Astro project and uploads the generated dist/ assets to Google Cloud Storage. We'll authenticate securely using Workload Identity Federation (WIF), eliminating the need for long-lived service account keys, and set everything up through the Google Cloud Console (web UI) from end to end. By the end, every push to repo can trigger a build and publish a static site to a GCS bucket.

Objective:

Implement a GitHub Actions pipeline that uploads dist/ to Google Cloud Storage using Workload Identity Federation, employing one WIF pool/provider and a dedicated service account for each repository.

step:

1. Create Workload Identity Federation

open side menu, then choose Workload Identity Federation

choose Create Pool

fill the form in the first phase

fill the form on the second phase, choose OIDC for issuer use GitHub token issuer URL based on GitHub OIDC

keep the provider, we will use it later
provider:projects/111111111111/locations/global/workloadIdentityPools/github-action-pool/providers/github-action-provider

fill form for the third phase

// attribute mapping
google.subject=assertion.sub
attribute.repository=assertion.repository
// conditions
assertion.repository.startsWith("{{git_owner}}/")

change git_owner according yours

2. Create Service Accounts

Open the side menu Service Accounts, then choose the Create service account button

fill form phase 1

fill form phase 2
set permission to minimum, which is storage object user
fill form phase 3

3. Connect Service Account to Workload Identity Federation

click pool we created before
a. choose Grant access button
b. choose Grant access using service account impersonation
c. choose service account we created before
d. in the Select principals, choose repository and fill your owner_name/repo_name
e. choose dismiss, because we dont need the file

f. Wait a minute to see service accounts loading, and you can see the principal will be loaded, you can add another principal for other repo by repeat step on 3.a

4. Create GitHub action workflow

choose New workflow button
choose set up a workflow yourself

in this article, our purpose are upload dist directory to Google Cloud storage

# Sample workflow for building and deploying an Static site to Google Cloud Storage
name: Deploy static site to Google Cloud Storage

on:
  # Runs on pushes targeting the default branch
  push:
    branches: ["main"]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write    # needed for WIF
      contents: read
    env:
      BUCKET: ${{ vars.GCS_BUCKET_NAME }}
      REGION: ${{ vars.GCS_BUCKET_REGION }}
    steps:
      - id: 'checkout'
        uses: 'actions/checkout@v4'

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - run: npm ci
      - run: npm run build

      # Authenticate to GCP (WIF)
      - id: 'auth'
        name: Auth to Google Cloud (WIF)
        uses: 'google-github-actions/auth@v3'
        with:
          workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER }}
          service_account: ${{ secrets.GCP_SA_EMAIL }}

      - id: 'upload-folder'
        name: 'Upload folder to GCS'
        uses: 'google-github-actions/upload-cloud-storage@v3'
        with:
          path: dist/
          destination: ${{ env.BUCKET }}
          parent: false

put workflow code above on the editor

choose Commit changes... button
choose Commit changes button
set up the env and secret variable
because we dont set target environment, we will use respository scope

set 2 secrets variable we will used on the workflow

and

after we set the secrets, now set the variables

set bucket name and region name based on your bucket info

set bucket name

set bucket region name

5. Push commit to repo or run workflow manually

Send Email using aws-sdk-v2.sesv2 on golang

ADITYA OKKE SUGIARSO — Wed, 20 Aug 2025 15:41:20 +0000

stack:

ref:

prep:

setup access key to use aws sdk

step:

1. initiate ses service on aws
choose your region on aws

2. create identities to use sandbox feature from aws ses

click create identity button

fill form

create another identity for user@gmail.com
and you should get

finally you just need to verify your email by click link verification on the email inbox

2.Initialize Project

$ mkdir ~/helloaws
$ cd ~/helloaws
$ go mod init helloaws

3.Add SDK Dependencies

$ go get github.com/aws/aws-sdk-go-v2/aws
$ go get github.com/aws/aws-sdk-go-v2/config
$ go get github.com/aws/aws-sdk-go-v2/service/sesv2

4.Write Code

package main

import (
    "context"
    "fmt"
    "log"

    "github.com/aws/aws-sdk-go-v2/aws"
    "github.com/aws/aws-sdk-go-v2/config"
    "github.com/aws/aws-sdk-go-v2/service/sesv2"
    "github.com/aws/aws-sdk-go-v2/service/sesv2/types"
)

func main() {
    // Using the SDK's default configuration, load additional config
    // and credentials values from the environment variables, shared
    // credentials, and shared configuration files
    cfg, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion("ap-southeast-1"))
    if err != nil {
        log.Fatalf("unable to load SDK config, %v", err)
    }

    // Build the request with its input parameters
    resp, err := svc.SendEmail(context.TODO(), &sesv2.SendEmailInput{
        FromEmailAddress: aws.String("admin@gmail.com"),
        Destination: &types.Destination{
            ToAddresses: []string{"user@gmail.com"},
        },
        Content: &types.EmailContent{
            Simple: &types.Message{
                Subject: &types.Content{
                    Data: aws.String("Test Email"),
                },
                Body: &types.Body{
                    Text: &types.Content{
                        Data: aws.String("This is a test email sent using AWS SES."),
                    },
                },
            },
        },
    })
    if err != nil {
        fmt.Printf("Error sending email: %v\n", err)
    }

    fmt.Printf("Email sent successfully, message ID: %s\n", *resp.MessageId)
}

5. Check user@gmail.com inbox or spam for the test email

Creating IAM Access Keys for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

ADITYA OKKE SUGIARSO — Wed, 20 Aug 2025 15:33:28 +0000

stack:

ref:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html

intro:

IAM user access keys consist of two parts:

Access key ID (for example: AKIAIOSFODNN7EXAMPLE)
Secret access key (for example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY)

You must use both the access key ID and the secret access key together to authenticate requests made through the AWS SDK.

step:

1. Create IAM user

Open the IAM Dashboard in the AWS Management Console. In the left navigation pane, choose Users.

click Create user button

set user name

on set permissions, create group to attach the policies

Set a group name and choose permission policies. These policies usually provide full access per AWS service. If you need more fine-grained control, you can create your own custom policies by selecting the Create policy button.

after that, review and select Create User button

2. Create access key

choose Create access key
choose local code

fill any meaningful name then choose create key

if sucess, you will have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to put on .env

now you can put both key on .env. AWS SDK will automatically detect the key on .env

AWS_ACCESS_KEY_ID=AKIAZF************
AWS_SECRET_ACCESS_KEY=utiKWhMNy***********************************

Create Golang private package

ADITYA OKKE SUGIARSO — Fri, 15 Aug 2025 05:13:17 +0000

note:

this article based on chatGPT generated content and already tested by me

step:

1. Host your repo somewhere private
E.g. GitHub/GitLab/Bitbucket private repo at

# git
git@github.com:your-org/private-pkg.git

# bitbucket
git@bitbucket.org:your-org/private-pkg.git

2. Initialize the module
In your local checkout:

cd private-pkg
go mod init github.com/your-org/private-pkg

This creates a go.mod with:


module github.com/your-org/private-pkg

go 1.21

3. Write your code
Example foo.go:

package privatepkg

// Hello returns a greeting.
func Hello(name string) string {
    return "Hello, " + name
}

Commit & push:

git add .
git commit -m "initial private-pkg module"
git push origin main

4. Tag a version (Semantic Versioning)
Decide on your first release, e.g. v0.1.0:

git tag v0.1.0
git push origin v0.1.0

Go tooling will recognize that tag as the module’s v0.1.0 version.
5. Tell Go which repos are private
On any machine that will consume your private module, set:

# mark your entire Bitbucket org as private
go env -w GOPRIVATE=bitbucket.org/your-org/*

# mark your entire Github org as private
go env -w GOPRIVATE=github.com/your-org/*

GOPRIVATE - list of glob patterns of module path prefixes that should be considered private. Acts as a default value for GONOPROXY and GONOSUMDB.

6. Consume the module in another project
In your client repo:

go mod init example.com/your-app
go get github.com/your-org/private-pkg@v0.1.0

Import and use:

import "github.com/your-org/private-pkg"

func main() {
    fmt.Println(privatepkg.Hello("World"))
}

Then:

go build

7. Releasing updates

Make changes in private-pkg, bump code.
Update go.mod if you need to require newer dependencies.
Commit and git tag v0.2.0 (or v1.0.0 when you make a breaking change).
git push origin main --tags
In your app: go get github.com/your-org/private-pkg@v0.2.0

Define a Self-Referential Many-to-Many Model in GORM

ADITYA OKKE SUGIARSO — Thu, 14 Aug 2025 20:06:23 +0000

stack:

Language: Go
ORM: GORM

ref:

case:

Self-referential table
Association type: many-to-many
Join table has additional columns beyond the two foreign keys

step:

Define Item

type Item struct {
    ID         string `gorm:"primaryKey; type:VARCHAR(36); NOT NULL"`
    Name       string `gorm:"type:VARCHAR(100); NOT NULL"`
    Price      int32  `gorm:"type:INT; NOT NULL"`
    ChildItems []Item `gorm:"many2many:parent_child_items;foreignKey:ID;joinForeignKey:ParentID;References:ID;joinReferences:ChildID"`
}

Which creates join table: parent_child_items

foreign key: parent_id, reference: items.id
foreign key: client_id, reference: items.id

Define ParentChildItem

type ParentChildItem struct {
    ParentID string `gorm:"primaryKey; type:VARCHAR(36); NOT NULL"`
    ChildID  string `gorm:"primaryKey; type:VARCHAR(36); NOT NULL"`
    CreatedAt time.Time
    DeletedAt gorm.DeletedAt
}

We define this because the parent_child_items table stores more than just parent_id and child_id. It’s a custom association table with extra fields (CreatedAt, DeletedAt), not a pure join table.

Run this code on startup

    db.AutoMigrate(&entity.Item{}, &entity.ParentChildItem{})
    err := db.SetupJoinTable(&entity.Item{}, "ChildItems", &entity.ParentChildItem{})
    if err != nil {
        panic(fmt.Sprintf("Failed to setup join table: %v", err))
    }

Semantic search on go + python

ADITYA OKKE SUGIARSO — Tue, 22 Jul 2025 14:28:44 +0000

stack:

golang (gorm, pgvector-go)
python (langchain)
docker (docker compose)

ref:

setup pgvector

using docker-compose to setup postgres + pgvector

version: '2'
services:
  db-postgres:
    image: postgres
    restart: always
    user: postgres_user
    environment:
      POSTGRES_USER: postgres_user
      POSTGRES_PASSWORD: postgres_pass
    volumes:
      - db-data:/var/lib/postgresql/data
    healthcheck:
      test: [ "CMD", "pg_isready" ]
      interval: 10s
      timeout: 5s
      retries: 5
    ports:
      - "5432:5432"
    networks:
      - default
volumes:
  db-data:
networks:
  default:
    name: wawancara_namespace

separate embedding data and the content

package models

import (
    "time"

    "github.com/pgvector/pgvector-go"
)

// A) Core item
type Item struct {
    ID          int           `gorm:"primaryKey"`
    Name        string        `gorm:"not null"`
    Description string        `gorm:"type:text"`
}

// B) Embeddings table
type ItemVector struct {
    ID         int              `gorm:"primaryKey"`
    ItemID     int              `gorm:"not null;index"`
    Embedding  pgvector.Vector  `gorm:"type:vector(1536);not null"`
    Item       *Item
}

Generate embed data

as per langchain documentation about semantic search, i only implement splitter and embedding method

def text_embed(content: str) -> List[List[np.float32]]:
    # 1) Split into chunks
    splitter = RecursiveCharacterTextSplitter(
        chunk_size=1000,
        chunk_overlap=200,
        add_start_index=True,
    )
    chunks = splitter.split_text(content)

    # 2) Embed each chunk
    embeddings = OpenAIEmbeddings(model="text-embedding-3-small")

    all_vectors: List[List[float]] = []
    for chunk in chunks:
        # 3a) Get a 64‑bit embedding from OpenAI
        vec64: List[float] = embeddings.embed_query(chunk)
        # 3b) Cast down to 32‑bit and convert to plain Python list
        vec32 = np.array(vec64, dtype=np.float32).tolist()
        all_vectors.append(vec32)

    return all_vectors

need to make it to float32 here, because pgvector only accept float32

save data to pgvector

func SaveChunkEmbeddings(db *gorm.DB, cvRankerID int, allVectors [][]float32) error {
    // Bulk insert version:
    items := make([]models.ItemVector, len(allVectors))
    for i, vec := range allVectors {
        items[i] = models.ItemVector{
            ItemID:     cvRankerID,
            ChunkIndex: i,
            Embedding:  pgvector.NewVector(vec),
        }
    }

    if err := db.CreateInBatches(items, 100).Error; err != nil {
        log.Printf("bulk insert embeddings failed: %v", err)
        return err
    }
    return nil
}

now we have data vector for our item

Get embed data from query

When user search something, we just need to get vector of the query

def query_embed(content: str) -> List[np.float32]:
    """
    Embed a single query string into a 32-bit vector.
    """
    embeddings = OpenAIEmbeddings(model="text-embedding-3-small")
    vec64: List[float] = embeddings.embed_query(content)
    vec32 = np.array(vec64, dtype=np.float32).tolist()
    return vec32

then use the vector in our vector table search

func Top5ItemsByEmbedding(db *gorm.DB, embedding []float32) ([]ItemVector, error) {
    var results []ItemVector

    vec := pgvector.NewVector(embedding)

    err := db.
        Model(&entity.ItemVector{}).
Join("Item")
        Select("item_id, MIN(embedding <-> ?) AS score", vec).
        Group("item_id").
        Order("score ASC").
        Limit(5).
        Scan(&results).Error

    return results, err
}

How to secure internal-authorization header

ADITYA OKKE SUGIARSO — Sun, 06 Oct 2024 11:17:43 +0000

stack:
graphql
nginx
docker-compose

request flow diagram

nginx config to allowlist request from other service by using their internal IP

server {
    listen 7000;
    allow 10.101.0.01;
    # internal IP of service A
    deny all;


    location / {
        proxy_pass http://api-project-B:7000;
        # api-project-B is service name on docker-compose
        # 7000 is port used by the application on api-project-B service
    }
}

if your user service and gateway service on 1 instance, and you need internal-authorization header implemented on user service, you can deny access to the user graphql URL so the client can only access to user graphql through gateway

server {
    listen 443 ssl http2;

    location / {
        proxy_pass http://api-gateway:5000;
    }
    # deny access to /user/graphql from client
    location /user/graphql {
        deny all;
    }
}

Simple docker deploy on gcp

ADITYA OKKE SUGIARSO — Sun, 22 Sep 2024 05:10:18 +0000

Setup git on gcp
Set up personal SSH keys on Linux
Use Git cmd to manage repo
Install docker so we can use docker compose
Create SSL certificate
GCP IP Address
Interact with postgres docker container
Install cmake to accommodate makefile

Setup git on gcp

To install Git on Linux, follow these steps:

Update the package index:

sudo apt update

Install Git:

sudo apt install git

Verify the installation:

git --version

You should see the installed Git version.

Set up personal SSH keys on Linux

To clone a repo on bitbucket, you need to set up personal SSH keys

Install OpenSSH on your device. For Debian, Ubuntu, Linux Mint, and other Debian-based distributions:

sudo apt update && sudo apt install openssh-client
ssh -V

Start the SSH Agent. To check if SSH agent is running:

ps -ax | grep ssh-agent

output should be like this

19998 ??         0:00.20 /usr/bin/ssh-agent -l

To start the agent, run:

eval $(ssh-agent)

You may need to add this command to your ~/.bashrc, ~/.zshrc, ~/.profile, or equivalent shell configuration file.
use

nano ~/.profile

then put eval $(ssh-agent) on it

Create an SSH key pair.

cd ~
ssh-keygen -t ed25519 -b 4096 -C "{username@emaildomain.com}" -f ~/.ssh/{ssh-key-name}

{username@emaildomain.com} is the email address associated with the Bitbucket Cloud account, such as your work email account.

{ssh-key-name} is the output filename for the keys. We recommend using a identifiable name such as bitbucket_work.

Once complete, ssh-keygen will output two files:

{ssh-key-name} — the private key.

{ssh-key-name}.pub — the public key.

Add your key to the SSH agent.

ssh-add ~/.ssh/{ssh-key-name}

To ensure the correct SSH key is used when connecting to Bitbucket, update or create your SSH configuration file (~/.ssh/config) with the following settings:

Host bitbucket.org
  AddKeysToAgent yes
  IdentityFile ~/.ssh/{ssh-key-name}

Provide Bitbucket Cloud with your public key.
Check that your SSH authentication works. To test that the SSH key was added successfully:

ssh -T git@bitbucket.org

output should be like this

authenticated via ssh key.

You can use git to connect to Bitbucket. Shell access is disabled

Use Git cmd to manage repo

clone the repo using clone command

git clone git@bitbucket.org:{org-name}/{repo-name}.git

above is just sample, you can get the command from clone button in bitbucket repository

move to repository folder using cd command

cd {repo-name}

use git status to check changes and your current branch

git status

change current branch using git checkout

git checkout {branch-name}

update your local branch and local commit history according to remote

git fetch

pull the changes from remote using git pull

git pull

Install docker so we can use docker compose

full step to install docker on debian are in here

summarize steps:

Run the following command to uninstall all conflicting packages:

for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done

Set up Docker's apt repository. the step are divided by 2:

First, Add Docker's official GPG key, run these commands:

sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

Second, Add the repository to Apt sources, run these commands:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

Install the Docker packages.

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Verify that the Docker Engine installation is successful by running the hello-world image.

docker --version

Create SSL certificate

Step-by-step instructions to install Certbot on linux

Install snapd

sudo apt update
sudo apt install snapd

Update snapd

sudo snap install core

Remove previous Certbot packages

sudo apt-get remove certbot

Install Certbot

sudo snap install --classic certbot

Once certbot is installed, execute the following command to ensure the certbot command can be run:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Generate SSL Certificate with Let’s Encrypt

sudo certbot certonly --manual --preferred-challenges dns -d *.domain.com -d domain.com

you will get acme value to put on your DNS, in above example, you will get 2 acme that need to put orderly one by one, below are sample DNS TXT acme

Please deploy a DNS TXT record under the name:

_acme-challenge.domain.com.

with the following value:

pdUqtrqSHGKKPv3x2yDyvi0hZhMEUmJtxay82Fhd29f

you need to put value above to your DNS dashboard, my DNS dashboard are look like this

after you add the record(s), you can enter on the cmd to continue to the next acme or the next step

Success generated SSL will have this info

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/domain.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/domain.com/privkey.pem
This certificate expires on 2024-12-17.
These files will be updated when the certificate renews.

use both according your approach how to apply SSL on your domain

GCP IP Address

Upgrade your internal and external IP address on GCP to static, so it will not changing when the instance got restart

Interact with postgres docker

connect to docker cli

sudo docker exec -it {docker-container-name} sh

connect to postgres cli

psql -h localhost -U {user-name}

create database

CREATE DATABASE {database-name};

connect to the database

\c {database-name}

or you can immediate put the database name as parameter while connect to postgres cli

psql -h localhost -U {user-name} -d {database-name}

Install cmake to accommodate makefile

Update the Debian System Before Installing CMake

sudo apt update && sudo apt upgrade

Install CMake via APT Command

sudo apt install cmake