https://github.com/google-github-actions/test-infra

Test infrastructure for Google Github Actions.
https://github.com/google-github-actions/test-infra

Last synced: about 12 hours ago
JSON representation

Test infrastructure for Google Github Actions.

• Host: GitHub
• URL: https://github.com/google-github-actions/test-infra
• Owner: google-github-actions
• Created: 2020-10-30T01:17:00.000Z (about 4 years ago)
• Default Branch: main
• Last Pushed: 2024-10-23T23:35:37.000Z (19 days ago)
• Last Synced: 2024-10-24T13:09:35.284Z (18 days ago)
• Language: HCL
• Homepage:
• Size: 158 KB
• Stars: 6
• Watchers: 6
• Forks: 9
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Codeowners: CODEOWNERS

Awesome Lists containing this project

README

        
# Test Infrastructure

This repository defines the GitHub repository configurations and test

infrastructure for testing GitHub Actions.

**This is not an officially supported Google product, and it is not covered by a

Google Cloud support contract. To report bugs or request features in a Google

Cloud product, please contact [Google Cloud

support](https://cloud.google.com/support).**

## Principles

The test infrastructure uses the following principles:

-   There is value in reduction of choice and sane defaults. We minimize the

    number of Terraform variables and conditionals to optimize for readability.

-   Only introduce Terraform variables when they are explicitly needed and have

    sane default values.

-   Minimize dependencies on external modules unless they add significant value

    or mask significant complexity.

## Design

Each project has its own Google Cloud Service Account and Workload Identity

Federation Provider for authentication and authorization. Repositories are

automatically configured with GitHub variables that inject these configuration

variables as:

-   `PROJECT_ID`

-   `SERVICE_ACCOUNT_EMAIL`

-   `WIF_PROVIDER_NAME`

Authentication to the WIF provider is guarded by the organization ID (forks

won't have access) and the numeric repository ID. Using IDs prevents against

replay naming attacks.

Additionally, there is an organization secret (accessible to all repos)

`ACTIONS_BOT_TOKEN` which is a GitHub Personal Access Token for our GitHub

Actions bot. This is largely for authoring commits, since the Google CLA cannot

be signed by the GitHub Actions bot.

Additional per-repository variables and secrets and configuration should reside

inside the project Terraform file.

## Setup

1.  (First time only) Create a `terraform.tfvars` file with the following

    information:

    ```hcl

    # This is the project ID of your Google Cloud project. You must create the Google Cloud project in advance.

    project_id = "TODO"

    # This is the GitHub organization name.

    github_organization_name = "TODO"

    ```

1.  Install and configure the Google Cloud SDK, and authenticate as a principle

    that has permissions to manage resources in the given "project_id".

    ```sh

    gcloud auth login --update-adc

    ```

1.  Create a GitHub Personal Access Token with permissions to administer

    repositories and configuration over the target organization defined in

    "github_organization_name".

    If you use the `gh` cli, you can generate an access token automatically:

    ```shell

    export GITHUB_TOKEN="$(gh auth token)"

    ```

    If you do not use the `gh` cli, you will need to create a Personal Access

    Token (PAT):

    > [Creating Person Access Tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) in the GitHub documentation.

    Save this as the environment variable `GITHUB_TOKEN`:

    ```shell

    export GITHUB_TOKEN="TODO"

    ```

    If you start a new shell, you will need to export the token again. For this

    reason, we recommend storing the token in a password manager so you do not

    have to generate a new one each time.

## Creating new repos

After following the internal team documentation to get legal approval for a new

repository, follow these steps to bootstrap a new project.

1.  Create a new Terraform file with the naming convention:

    ```text

    project_.tf

    ```

1.  Define the `project` module, or copy-paste an existing project as a

    skeleton. Make sure you properly define the repository name, description,

    labels, and ACLs. The following default ACLs are always added:

    ```text

    google-github-actions-bot (triage)

    @google-github-actions/maintainers (admin)

    ```

1.  Add any other resources the project will need, such as secrets or IAM

    permissions. Note that the `project` module automatically configures

    Workload Identity Federation and provides a service account email as an

    output.

1.  If you need to enable any new Google Cloud _services_, add them in the

    `main.tf` file.

1.  Since Google's internal system will have already created the repository, you

    must import it into the Terraform state. You only need to do this the first time.

    ```shell

    terraform import module..github_repository.repo 

    ```

    For example, to import the `setup-gcloud` repo:

    ```shell

    terraform import module.setup-gcloud.github_repository.repo setup-gcloud

    ```

1.  Run `terraform apply` to provision the changes. To limit to just your new

    project, run a targeted apply:

    ```shell

    terraform apply -target module.

    ```

## Rotating Service Account Keys

Only a few repositories rely on Service Account Key JSON files, mostly to test

that the GitHub Action works with exported keys. To rotate all the keys, run

this script:

```shell

./scripts/rotate-service-account-keys

```

The script searches for and taints all `google_service_account_key` resources

and runs `terraform apply`.