
export_default_credentials should place credentials outside of the workspace #144

Closed
travisgroth opened this issue Jul 20, 2020 · 5 comments · Fixed by #148 or #153
Labels
bug Something isn't working

Comments

@travisgroth

TL;DR

GOOGLE_APPLICATION_CREDENTIALS should be stored in the action temporary directory, not in the checked out repository. Doing so creates a dirty git state.

Expected behavior
git state is not dirty after exporting GOOGLE_APPLICATION_CREDENTIALS.

Observed behavior
git state is dirty and shows up in automatic version detection and other release automation tools. https://goreleaser.com/, for instance, will hard fail if git state is dirty during a non-snapshot release.

Reproduction

Action YAML

name: Release

on:
  release:
    types:
      - published

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Unshallow
        run: git fetch --prune --unshallow

      - name: Set up Go
        uses: actions/setup-go@v1
        with:
          go-version: 1.14.x

      - uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
        with:
          project_id: myproject
          service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          export_default_credentials: true

      - name: Gcloud login
        run: gcloud auth configure-docker

      - name: Check git status
        run: git status

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v1
        with:
          version: latest
          args: release --config .github/goreleaser.yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Repository

https://github.com/pomerium/pomerium/runs/891636795#step:9:31

Additional information
No

@travisgroth travisgroth added the bug Something isn't working label Jul 20, 2020
@sethvargo
Member

Hi @travisgroth

The credentials have to be in a shared location in order for authentication to work across steps. In our testing, GitHub Actions cleared the temporary directory between steps (even when documentation said it would be persisted).

@travisgroth travisgroth changed the title export_default_credentials should place credentials in a temp directory export_default_credentials should place credentials outside of the repo Jul 20, 2020
@travisgroth travisgroth changed the title export_default_credentials should place credentials outside of the repo export_default_credentials should place credentials outside of the workspace Jul 21, 2020
@travisgroth
Author

Hey @sethvargo thanks for the quick response. I suppose it doesn't matter if it's the RUNNER_TEMP directory or another location (title updated). It shouldn't be in the workspace since it can cause these problems. In an extreme case, the credentials could even wind up being packaged or committed.

As far as the RUNNER_TEMP directory in particular, it does look like it persists based on my testing. https://github.com/travisgroth/actions-test/actions/runs/176494577. Maybe that was old or buggy behavior? It seems the azure docker login step stores config in RUNNER_TEMP, and it works between steps in live pipelines we use regularly. That said, just $HOME might be a perfectly good place as well.
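An added example (not code from the setup-gcloud action) of the behaviour this thread asks for: a POSIX sh helper that writes a service-account key outside the checked-out repository and refuses a target that resolves to a path under the workspace, so the key can never show up in `git status`. The function names `path_is_inside` and `write_credentials_outside_workspace`, and the sample key content, are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example, not part of the action: keep GOOGLE_APPLICATION_CREDENTIALS
# out of the git workspace so release tooling never sees a dirty tree.

# path_is_inside CANDIDATE BASE
# Returns 0 when CANDIDATE resolves (symlinks followed) to BASE or a path under it.
path_is_inside() {
  cand=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  base=$(cd "$2" 2>/dev/null && pwd -P) || return 1
  case "$cand" in
    "$base"|"$base"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# write_credentials_outside_workspace WORKSPACE TARGET_DIR < key.json
# Writes the key read from stdin to TARGET_DIR/gcp-credentials.json and prints
# that path; fails if TARGET_DIR lies inside WORKSPACE (e.g. GITHUB_WORKSPACE).
# In a workflow, TARGET_DIR would be "$RUNNER_TEMP" or "$HOME".
write_credentials_outside_workspace() {
  workspace=$1
  target_dir=$2
  mkdir -p "$target_dir"            # create first so the path check can resolve it
  if path_is_inside "$target_dir" "$workspace"; then
    echo "refusing to write credentials inside the workspace: $target_dir" >&2
    return 1
  fi
  cred_file="$target_dir/gcp-credentials.json"
  # Subshell so the restrictive umask (owner-only file) does not leak to the caller.
  (umask 077 && cat > "$cred_file") || return 1
  echo "$cred_file"
}
```

A step could then run `export GOOGLE_APPLICATION_CREDENTIALS=$(printf '%s' "$KEY_JSON" | write_credentials_outside_workspace "$GITHUB_WORKSPACE" "$RUNNER_TEMP")`; the constructed key below is a placeholder, not a real credential.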

@sethvargo
Member

GH-148

@travisgroth
Author

👍

@ViacheslavKudinov

ViacheslavKudinov commented Jul 22, 2020

Hi @sethvargo
As I see, GH Actions do not mount /home/runner/work/_temp/uuidv inside Docker-based actions.
After this change, I have lost the ability to use a file with the GCP JSON key inside my Docker container.
Previously it was process.env.GITHUB_WORKSPACE, which is mounted inside the Docker container as a volume, and I had the path to the GCP key in the GOOGLE_APPLICATION_CREDENTIALS variable during execution of the GH action.
