{"id":13481933,"url":"https://github.com/google-github-actions/test-infra","last_synced_at":"2025-06-28T05:35:04.442Z","repository":{"id":37792691,"uuid":"308491111","full_name":"google-github-actions/test-infra","owner":"google-github-actions","description":"Test infrastructure for Google Github Actions.","archived":false,"fork":false,"pushed_at":"2024-10-23T23:35:37.000Z","size":162,"stargazers_count":6,"open_issues_count":0,"forks_count":9,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-10-24T13:09:35.284Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google-github-actions.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-30T01:17:00.000Z","updated_at":"2024-10-23T23:35:40.000Z","dependencies_parsed_at":"2023-01-29T18:30:43.923Z","dependency_job_id":"560ea069-831e-4608-bcfa-7b4b961d26f2","html_url":"https://github.com/google-github-actions/test-infra","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Ftest-infra","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Ftest-infra/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Ftest-infra/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google-github-actions%2Ftest-infra/manifests","owner_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google-github-actions","download_url":"https://codeload.github.com/google-github-actions/test-infra/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240849012,"owners_count":19867617,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T17:00:57.568Z","updated_at":"2025-02-26T12:17:38.111Z","avatar_url":"https://github.com/google-github-actions.png","language":"HCL","readme":"# Test Infrastructure\n\nThis repository defines the GitHub repository configurations and test\ninfrastructure for testing GitHub Actions.\n\n**This is not an officially supported Google product, and it is not covered by a\nGoogle Cloud support contract. To report bugs or request features in a Google\nCloud product, please contact [Google Cloud\nsupport](https://cloud.google.com/support).**\n\n\n## Principles\n\nThe test infrastructure uses the following principles:\n\n-   There is value in reduction of choice and sane defaults. We minimize the\n    number of Terraform variables and conditionals to optimize for readability.\n\n-   Only introduce Terraform variables when they are explicitly needed and have\n    sane default values.\n\n-   Minimize dependencies on external modules unless they add significant value\n    or mask significant complexity.\n\n\n## Design\n\nEach project has its own Google Cloud Service Account and Workload Identity\nFederation Provider for authentication and authorization. 
Repositories are\nautomatically configured with GitHub variables that inject these configuration\nvariables as:\n\n-   `PROJECT_ID`\n-   `SERVICE_ACCOUNT_EMAIL`\n-   `WIF_PROVIDER_NAME`\n\nAuthentication to the WIF provider is guarded by the organization ID (forks\nwon't have access) and the numeric repository ID. Using IDs protects against\nreplay naming attacks.\n\nAdditionally, there is an organization secret (accessible to all repos)\n`ACTIONS_BOT_TOKEN` which is a GitHub Personal Access Token for our GitHub\nActions bot. This is largely for authoring commits, since the Google CLA cannot\nbe signed by the GitHub Actions bot.\n\nAdditional per-repository variables and secrets and configuration should reside\ninside the project Terraform file.\n\n\n## Setup\n\n1.  (First time only) Create a `terraform.tfvars` file with the following\n    information:\n\n    ```hcl\n    # This is the project ID of your Google Cloud project. You must create the Google Cloud project in advance.\n    project_id = \"TODO\"\n\n    # This is the GitHub organization name.\n    github_organization_name = \"TODO\"\n    ```\n\n1.  Install and configure the Google Cloud SDK, and authenticate as a principal\n    that has permissions to manage resources in the given \"project_id\".\n\n    ```sh\n    gcloud auth login --update-adc\n    ```\n\n1.  
Create a GitHub Personal Access Token with permissions to administer\n    repositories and configuration over the target organization defined in\n    \"github_organization_name\".\n\n    If you use the `gh` CLI, you can generate an access token automatically:\n\n    ```shell\n    export GITHUB_TOKEN=\"$(gh auth token)\"\n    ```\n\n    If you do not use the `gh` CLI, you will need to create a Personal Access\n    Token (PAT):\n\n    \u003e [Creating Personal Access Tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) in the GitHub documentation.\n\n    Save this as the environment variable `GITHUB_TOKEN`:\n\n    ```shell\n    export GITHUB_TOKEN=\"TODO\"\n    ```\n\n    If you start a new shell, you will need to export the token again. For this\n    reason, we recommend storing the token in a password manager so you do not\n    have to generate a new one each time.\n\n\n## Creating new repos\n\nAfter following the internal team documentation to get legal approval for a new\nrepository, follow these steps to bootstrap a new project.\n\n1.  Create a new Terraform file with the naming convention:\n\n    ```text\n    project_\u003creponame\u003e.tf\n    ```\n\n1.  Define the `project` module, or copy-paste an existing project as a\n    skeleton. Make sure you properly define the repository name, description,\n    labels, and ACLs. The following default ACLs are always added:\n\n    ```text\n    google-github-actions-bot (triage)\n    @google-github-actions/maintainers (admin)\n    ```\n\n1.  Add any other resources the project will need, such as secrets or IAM\n    permissions. Note that the `project` module automatically configures\n    Workload Identity Federation and provides a service account email as an\n    output.\n\n1.  If you need to enable any new Google Cloud _services_, add them in the\n    `main.tf` file.\n\n1.  
Since Google's internal system will have already created the repository, you\n    must import it into the Terraform state. You only need to do this the first time.\n\n    ```shell\n    terraform import module.\u003crepo_name\u003e.github_repository.repo \u003crepo_name\u003e\n    ```\n\n    For example, to import the `setup-gcloud` repo:\n\n    ```shell\n    terraform import module.setup-gcloud.github_repository.repo setup-gcloud\n    ```\n\n1.  Run `terraform apply` to provision the changes. To limit to just your new\n    project, run a targeted apply:\n\n    ```shell\n    terraform apply -target module.\u003crepo_name\u003e\n    ```\n\n\n## Rotating Service Account Keys\n\nOnly a few repositories rely on Service Account Key JSON files, mostly to test\nthat the GitHub Action works with exported keys. To rotate all the keys, run\nthis script:\n\n```shell\n./scripts/rotate-service-account-keys\n```\n\nThe script searches for and taints all `google_service_account_key` resources\nand runs `terraform apply`.\n","funding_links":[],"categories":["HCL"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle-github-actions%2Ftest-infra","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle-github-actions%2Ftest-infra","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle-github-actions%2Ftest-infra/lists"}