google-github-actions · sethvargo · Dec 3, 2021 · Dec 3, 2021
@@ -1,109 +1,103 @@
-name: get-secretmanager-secrets Integration
+name: 'integration'
 
 on:
   push:
     branches:
     - 'main'
   pull_request:
+    branches:
+    - 'main'
 
 concurrency:
-  group: '${{ github.head_ref || github.ref }}-it'
+  group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
   cancel-in-progress: true
 
 jobs:
-  gcloud:
+  auth_workload_identity_federation:
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
-    name: with setup-gcloud
-    runs-on: ubuntu-latest
+    name: 'auth_workload_identity_federation'
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    runs-on: 'ubuntu-latest'
     steps:
-    - uses: actions/checkout@v2
-    - uses: google-github-actions/setup-gcloud@master
+    - uses: 'actions/checkout@v2'
+
+    - uses: 'actions/setup-node@v2'
       with:
-        service_account_key: ${{ secrets.GET_SECRETMANAGER_SECRETS_SA_KEY_B64 }}
-        export_default_credentials: true
-    - id: build
-      name: Build dist
-      run: |-
-        npm install
-        npm run build
-    - id: secrets
-      name: get secrets
-      uses: ./
+        node-version: '12.x'
+
+    - name: 'npm build'
+      run: 'npm ci && npm run build'
+
+    - uses: 'google-github-actions/auth@main'
       with:
-        secrets: |-
-          token:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_REF }}
-          password:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF }}
-    - name: get output
-      run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}'
+        workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
+        service_account: '${{ secrets.GET_SECRETMANAGER_SECRETS_SA_EMAIL }}'
 
-  b64_json:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
-    name: with base64 json creds
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - id: build
-      name: Build dist
-      run: |-
-        npm install
-        npm run build
-    - id: secrets
-      name: get secrets
-      uses: ./
+    - id: 'secrets'
+      name: 'secrets'
+      uses: './'
       with:
-        credentials: ${{ secrets.GET_SECRETMANAGER_SECRETS_SA_KEY_JSON }}
         secrets: |-
           token:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_REF }}
           password:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF }}
-    - name: get output
+
+    - name: 'outputs'
       run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}'
 
-  json:
+  auth_credentials:
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
-    name: with json creds
-    runs-on: ubuntu-latest
+    name: 'auth_credentials'
+    runs-on: 'ubuntu-latest'
     steps:
-    - uses: actions/checkout@v2
-    - id: build
-      name: Build dist
-      run: |-
-        npm install
-        npm run build
-    - id: secrets
-      name: get secrets
-      uses: ./
+    - uses: 'actions/checkout@v2'
+
+    - uses: 'actions/setup-node@v2'
+      with:
+        node-version: '12.x'
+
+    - name: 'npm build'
+      run: 'npm ci && npm run build'
+
+    - uses: 'google-github-actions/auth@main'
+      with:
+        credentials_json: '${{ secrets.GET_SECRETMANAGER_SECRETS_SA_KEY_B64 }}'
+
+    - id: 'secrets'
+      name: 'secrets'
+      uses: './'
       with:
-        credentials: ${{ secrets.GET_SECRETMANAGER_SECRETS_SA_KEY_JSON }}
         secrets: |-
           token:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_REF }}
           password:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF }}
-    - name: get output
+
+    - name: 'outputs'
       run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}'
 
-  wif:
-    permissions:
-      contents: 'read'
-      id-token: 'write'
+  # Deprecated
+  json:
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
-    name: with wif
-    runs-on: ubuntu-latest
+    name: 'json'
+    runs-on: 'ubuntu-latest'
     steps:
-    - uses: actions/checkout@v2
-    - uses: google-github-actions/auth@main
+    - uses: 'actions/checkout@v2'
+
+    - uses: 'actions/setup-node@v2'
       with:
-        workload_identity_provider: ${{ secrets.WIF_PROVIDER_NAME }}
-        service_account: ${{ secrets.GET_SECRETMANAGER_SECRETS_SA_EMAIL }}
-    - id: build
-      name: Build dist
-      run: |-
-        npm install
-        npm run build
-    - id: secrets
-      name: get secrets
-      uses: ./
+        node-version: '12.x'
+
+    - name: 'npm build'
+      run: 'npm ci && npm run build'
+
+    - id: 'secrets'
+      name: 'secrets'
+      uses: './'
       with:
+        credentials: '${{ secrets.GET_SECRETMANAGER_SECRETS_SA_KEY_JSON }}'
         secrets: |-
           token:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_REF }}
           password:${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF }}
-    - name: get output
+
+    - name: 'outputs'
       run: echo '${{ steps.secrets.outputs.token }}${{ steps.secrets.outputs.password }}'
@@ -1,14 +1,16 @@
-on: pull_request_target
+name: 'label'
+
+on: 'pull_request_target'
 
 jobs:
   apply-label:
-    if: github.event.pull_request.head.repo.full_name != github.repository
-    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
+    runs-on: 'ubuntu-latest'
     steps:
-      - uses: actions/github-script@v3
+      - uses: 'actions/github-script@v3'
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
+          github-token: '${{ secrets.GITHUB_TOKEN }}'
+          script: |-
             github.issues.addLabels({
               issue_number: context.issue.number,
               owner: context.repo.owner,

@@ -1,33 +1,45 @@
-name: get-secretmanager-secrets Unit
+name: 'unit'
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+    - 'main'
+  pull_request:
+    branches:
+    - 'main'
 
 concurrency:
-  group: '${{ github.head_ref || github.ref }}-unit'
+  group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
   cancel-in-progress: true
 
 jobs:
   run:
-    name: test
-    runs-on: ${{ matrix.operating-system }}
+    name: 'unit'
+    runs-on: '${{ matrix.os }}'
     strategy:
       matrix:
-        operating-system: [ubuntu-latest, windows-latest, macos-latest]
+        os:
+        - 'ubuntu-latest'
+        - 'windows-latest'
+        - 'macos-latest'
     steps:
-    - uses: actions/checkout@v2
+    - uses: 'actions/checkout@v2'
 
-    - uses: actions/setup-node@master
+    - uses: 'actions/setup-node@v2'
       with:
-        node-version: 12.x
+        node-version: '12.x'
 
-    - name: npm install
-      run: npm install
+    - name: 'npm build'
+      run: 'npm ci && npm run build'
 
-    - name: npm lint
-      run: npm run lint
+    - name: 'npm lint'
+      # There's no need to run the linter for each operating system, since it
+      # will find the same thing 3x and clog up the PR review.
+      if: ${{matrix.os == 'ubuntu-latest'}}
+      run: 'npm run lint'
 
-    - name: npm test
-      run: npm run test
+    - name: 'npm test'
       env:
-        TEST_GET_SECRETMANAGER_SECRETS_CREDENTIALS: ${{ secrets.GET_SECRETMANAGER_SECRETS_SA_KEY_JSON }}
-        TEST_GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF: ${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF }}
+        TEST_GET_SECRETMANAGER_SECRETS_CREDENTIALS: '${{ secrets.GET_SECRETMANAGER_SECRETS_SA_KEY_JSON }}'
+        TEST_GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF: '${{ secrets.GET_SECRETMANAGER_SECRETS_SECRET_VERSION_REF }}'
+      run: npm run test