Merge pull request #3711 from ethereum-optimism/zhwrd/circleci-oidc

INF-11 updates docker-publish jobs to use OIDC auth

Merge pull request #3711 from ethereum-optimism/zhwrd/circleci-oidc
INF-11 updates docker-publish jobs to use OIDC auth
37a91aed · mergify[bot] · GitHub · cc738b3d · 09ffddf0 · 37a91aed
Commit 37a91aed authored Oct 18, 2022 by mergify[bot] Committed by GitHub Oct 18, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 44 additions and 1 deletion

config.yml .circleci/config.yml +44 -1

No files found.
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,6 +2,48 @@ version: 2.1

 orbs:
  go: circleci/go@1.5.0
+  gcp-cli: circleci/gcp-cli@2.4.1
+commands:
+  gcp-oidc-authenticate:
+    description: "Authenticate with GCP using a CircleCI OIDC token."
+    parameters:
+      project_id:
+        type: env_var_name
+        default: GCP_PROJECT_ID
+      workload_identity_pool_id:
+        type: env_var_name
+        default: GCP_WIP_ID
+      workload_identity_pool_provider_id:
+        type: env_var_name
+        default: GCP_WIP_PROVIDER_ID
+      service_account_email:
+        type: env_var_name
+        default: GCP_SERVICE_ACCOUNT_EMAIL
+      gcp_cred_config_file_path:
+        type: string
+        default: /home/circleci/gcp_cred_config.json
+      oidc_token_file_path:
+        type: string
+        default: /home/circleci/oidc_token.json
+    steps:
+      - run:
+          name: "Create OIDC credential configuration"
+          command: |
+            # Store OIDC token in temp file
+            echo $CIRCLE_OIDC_TOKEN > << parameters.oidc_token_file_path >>
+            # Create a credential configuration for the generated OIDC ID Token
+            gcloud iam workload-identity-pools create-cred-config \
+                "projects/${<< parameters.project_id >>}/locations/global/workloadIdentityPools/${<< parameters.workload_identity_pool_id >>}/providers/${<< parameters.workload_identity_pool_provider_id >>}"\
+                --output-file="<< parameters.gcp_cred_config_file_path >>" \
+                --service-account="${<< parameters.service_account_email >>}" \
+                --credential-source-file=<< parameters.oidc_token_file_path >>
+      - run:
+          name: "Authenticate with GCP using OIDC"
+          command: |
+            # Configure gcloud to leverage the generated credential configuration
+            gcloud auth login --brief --cred-file "<< parameters.gcp_cred_config_file_path >>"
+            # Configure ADC
+            echo "export GOOGLE_APPLICATION_CREDENTIALS='<< parameters.gcp_cred_config_file_path >>'" | tee -a "$BASH_ENV"
 jobs:
  yarn-monorepo:
    docker:
@@ -67,6 +109,7 @@ jobs:
      image: ubuntu-2204:2022.07.1
      resource_class: xlarge
    steps:
+      - gcp-oidc-authenticate
      # Below is CircleCI recommended way of specifying nameservers on an Ubuntu box:
      # https://support.circleci.com/hc/en-us/articles/7323511028251-How-to-set-custom-DNS-on-Ubuntu-based-images-using-netplan
      - run: sudo sed -i '13 i \ \ \ \ \ \ \ \ \ \ \ \ nameservers:' /etc/netplan/50-cloud-init.yaml
@@ -101,7 +144,7 @@ jobs:
      - run:
          name: Publish
          command: |
-            echo "$DOCKER_PASS" | docker login -u "$DOCKER_USERNAME" --password-stdin "<<parameters.repo>>"
+            gcloud auth configure-docker us-central1-docker.pkg.dev
            docker push <<parameters.docker_tags>>

  contracts-bedrock-tests: