From 23f583409af3b0c6bcd1c61824b2469c4e09902f Mon Sep 17 00:00:00 2001
From: Bob Callaway <bobcallaway@users.noreply.github.com>
Date: Fri, 14 Jan 2022 16:35:00 -0500
Subject: [PATCH] Use workload identity provider instead of GitHub Secret for
 GCR access (#600)

* stop using github secret and use GCP workload identity pool

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* move to rekor-specific provider

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
---
 .github/workflows/build.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e3c876a..f86bb38 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -52,11 +52,10 @@ jobs:
           version: v0.9.3
 
       - name: Set up Cloud SDK
-        uses: google-github-actions/setup-gcloud@a45a0825993ace67ae6e11cf3011b3e7d6795f82 #v0.3.0
+        uses: google-github-actions/auth@c6c22902f6af237edb96ede5f25a00e864589b2f #v0.4.4
         with:
-          project_id: projectsigstore
-          service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT }}
-          export_default_credentials: true
+          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-rekor'
+          service_account: 'github-actions-rekor@projectsigstore.iam.gserviceaccount.com'
 
       - name: creds
         run: gcloud auth configure-docker --quiet
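Review bot: The `google-github-actions/auth` step can only exchange a GitHub OIDC token if the job is allowed to request one, and neither this hunk nor the 7-line diffstat adds a `permissions:` block. The job header is outside the hunk, so confirm it already declares `permissions:` with `id-token: write` and `contents: read`, or add it at job level rather than relying on repository defaults. The step is still named `Set up Cloud SDK` although it no longer installs gcloud, so the following `creds` step now depends on the runner image shipping gcloud and on it picking up the federated credentials. Renaming the step to something like `Authenticate to Google Cloud` and adding a comment noting that dependency would make this explicit. Since the pool and service account names are now public in the workflow, the protection lies entirely in the GCP-side binding. It is worth noting in a comment that the `sigstore-rekor` provider is expected to restrict impersonation to this repository (and ideally to specific refs), presumably through an attribute condition.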
-- 
GitLab