generated from broadinstitute/golang-project-template
-
Notifications
You must be signed in to change notification settings - Fork 0
63 lines (55 loc) · 2.39 KB
/
sherlock-test-auth-transparency.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
name: Test Sherlock GHA Auth Transparency
# This workflow is meant to be called manually by a human to check the behavior
# of Sherlock's "auth transparency"--it's ability to correlate the caller of
# a GitHub Action to an actual user that it knows about.
on:
workflow_dispatch:
env:
SHERLOCK_PROD_URL: 'https://sherlock.dsp-devops-prod.broadinstitute.org'
SHERLOCK_DEV_URL: 'https://sherlock-dev.dsp-devops.broadinstitute.org'
jobs:
test:
runs-on: ubuntu-22.04
permissions:
id-token: write
steps:
- name: "Authenticate to GCP"
id: 'iap_auth'
uses: google-github-actions/auth@v2
with:
workload_identity_provider: 'projects/1038484894585/locations/global/workloadIdentityPools/github-wi-pool/providers/github-wi-provider'
service_account: '[email protected]'
token_format: 'id_token'
id_token_audience: '257801540345-1gqi6qi66bjbssbv01horu9243el2r8b.apps.googleusercontent.com'
id_token_include_email: true
create_credentials_file: false
export_environment_variables: false
- name: "Generate GHA OIDC Token"
id: 'gha_auth'
uses: actions/github-script@v7
with:
script: core.setOutput('id_token', await core.getIDToken())
- name: "Get from Sherlock Prod"
shell: bash
run: |
set -ex
echo '## Sherlock Prod' >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
curl --fail-with-body \
"$SHERLOCK_PROD_URL/api/users/v3/me" \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer ${{ steps.iap_auth.outputs.id_token }}' \
-H 'X-GHA-OIDC-JWT: ${{ steps.gha_auth.outputs.id_token }}' | jq >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
- name: "Get from Sherlock Dev"
shell: bash
run: |
set -ex
echo '## Sherlock Dev' >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
curl --fail-with-body \
"$SHERLOCK_DEV_URL/api/users/v3/me" \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer ${{ steps.iap_auth.outputs.id_token }}' \
-H 'X-GHA-OIDC-JWT: ${{ steps.gha_auth.outputs.id_token }}' | jq >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY