KoheiKanagu/github-actions-oidc.sh

## github-actions-oidc.sh
#!/bin/bash
set -exo pipefail

while [[ "$#" -gt 0 ]]; do
  case $1 in
  --project-id=*) PROJECT_ID="${1#*=}" ;;
  --github-repo-name=*) GITHUB_REPO_NAME="${1#*=}" ;;
  --github-repository-owner=*) GITHUB_REPOSITORY_OWNER="${1#*=}" ;;
  *)
    echo "Usage: $0 --project-id=kingu-42 --github-user-name=KoheiKanagu --github-repo-name=kingu_dev"
    exit 1
    ;;
  esac
  shift
done

SERVICE_ACCOUNT_NAME=github-actions@$PROJECT_ID.iam.gserviceaccount.com # Modify as needed
WORKLOAD_IDENTITY_PROVIDER=github-actions-pool                          # Modify as needed
OIDC_PROVIDER_NAME=github-actions-provider                              # Modify as needed

gcloud config set project "$PROJECT_ID"

gcloud services enable iamcredentials.googleapis.com
gcloud iam service-accounts create github-actions

# Firebaseの基本的な機能は使えるはずだが、別途ロールが必要になる場合がある。
# 参考: https://firebase.google.com/docs/projects/iam/permissions
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
  --role="roles/firebase.developAdmin"

# Cloud Functionsに必要
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
  --role="roles/cloudfunctions.serviceAgent"

# Firebase Remote Configに必要
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
  --role="roles/cloudconfig.admin"

# Firebase Extensionsに必要
# https://github.com/firebase/firebase-tools/issues/7754#issuecomment-2383145197
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
  --role="roles/firebaseextensions.viewer"

# Firebase Extensionsに必要
# 正確には firebase deploy で必要になるようだが、Extensionsのデプロイ以外では必要とされないような？
# https://github.com/firebase/firebase-tools/issues/5777#issuecomment-1531835346
gcloud services enable cloudbilling.googleapis.com

# Cloud FunctionsでonScheduleを使う場合に必要
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
  --role="roles/cloudscheduler.admin"

gcloud iam workload-identity-pools create $WORKLOAD_IDENTITY_PROVIDER \
  --location="global"

gcloud iam workload-identity-pools providers create-oidc $OIDC_PROVIDER_NAME \
  --location="global" \
  --workload-identity-pool=$WORKLOAD_IDENTITY_PROVIDER \
  --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.actor=assertion.actor" \
  --attribute-condition="assertion.repository_owner=='$GITHUB_REPOSITORY_OWNER'" \
  --issuer-uri="https://token.actions.githubusercontent.com"

GITHUB_ACTIONS_POOL_PROJECT_ID=$(gcloud iam workload-identity-pools describe $WORKLOAD_IDENTITY_PROVIDER --location="global" --format="value(name)" | awk -F'/' '{print $2}')

gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_NAME" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/$GITHUB_ACTIONS_POOL_PROJECT_ID/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/$GITHUB_REPOSITORY_OWNER/$GITHUB_REPO_NAME"

cat <<EOF
====================================
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2.1.7
        with:
          workload_identity_provider: 'projects/$GITHUB_ACTIONS_POOL_PROJECT_ID/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
          service_account: '$SERVICE_ACCOUNT_NAME'
====================================

OR

gh variable set WORKLOAD_IDENTITY_PROVIDER --body 'projects/$GITHUB_ACTIONS_POOL_PROJECT_ID/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' --repo $GITHUB_REPOSITORY_OWNER/$GITHUB_REPO_NAME
gh variable set SERVICE_ACCOUNT --body '$SERVICE_ACCOUNT_NAME' --repo $GITHUB_REPOSITORY_OWNER/$GITHUB_REPO_NAME
EOF

cat <<'EOF'

====================================
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2.1.7
        with:
          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ vars.SERVICE_ACCOUNT }}
====================================
EOF
	#!/bin/bash
	set -exo pipefail

	while [[ "$#" -gt 0 ]]; do
	case $1 in
	--project-id=) PROJECT_ID="${1#=}" ;;
	--github-repo-name=) GITHUB_REPO_NAME="${1#=}" ;;
	--github-repository-owner=) GITHUB_REPOSITORY_OWNER="${1#=}" ;;
	*)
	echo "Usage: $0 --project-id=kingu-42 --github-user-name=KoheiKanagu --github-repo-name=kingu_dev"
	exit 1
	;;
	esac
	shift
	done

	SERVICE_ACCOUNT_NAME=github-actions@$PROJECT_ID.iam.gserviceaccount.com # Modify as needed
	WORKLOAD_IDENTITY_PROVIDER=github-actions-pool # Modify as needed
	OIDC_PROVIDER_NAME=github-actions-provider # Modify as needed

	gcloud config set project "$PROJECT_ID"

	gcloud services enable iamcredentials.googleapis.com
	gcloud iam service-accounts create github-actions

	# Firebaseの基本的な機能は使えるはずだが、別途ロールが必要になる場合がある。
	# 参考: https://firebase.google.com/docs/projects/iam/permissions
	gcloud projects add-iam-policy-binding "$PROJECT_ID" \
	--member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
	--role="roles/firebase.developAdmin"

	# Cloud Functionsに必要
	gcloud projects add-iam-policy-binding "$PROJECT_ID" \
	--member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
	--role="roles/cloudfunctions.serviceAgent"

	# Firebase Remote Configに必要
	gcloud projects add-iam-policy-binding "$PROJECT_ID" \
	--member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
	--role="roles/cloudconfig.admin"

	# Firebase Extensionsに必要
	# https://github.com/firebase/firebase-tools/issues/7754#issuecomment-2383145197
	gcloud projects add-iam-policy-binding "$PROJECT_ID" \
	--member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
	--role="roles/firebaseextensions.viewer"

	# Firebase Extensionsに必要
	# 正確には firebase deploy で必要になるようだが、Extensionsのデプロイ以外では必要とされないような？
	# https://github.com/firebase/firebase-tools/issues/5777#issuecomment-1531835346
	gcloud services enable cloudbilling.googleapis.com

	# Cloud FunctionsでonScheduleを使う場合に必要
	gcloud projects add-iam-policy-binding "$PROJECT_ID" \
	--member="serviceAccount:$SERVICE_ACCOUNT_NAME" \
	--role="roles/cloudscheduler.admin"

	gcloud iam workload-identity-pools create $WORKLOAD_IDENTITY_PROVIDER \
	--location="global"

	gcloud iam workload-identity-pools providers create-oidc $OIDC_PROVIDER_NAME \
	--location="global" \
	--workload-identity-pool=$WORKLOAD_IDENTITY_PROVIDER \
	--attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.actor=assertion.actor" \
	--attribute-condition="assertion.repository_owner=='$GITHUB_REPOSITORY_OWNER'" \
	--issuer-uri="https://token.actions.githubusercontent.com"

	GITHUB_ACTIONS_POOL_PROJECT_ID=$(gcloud iam workload-identity-pools describe $WORKLOAD_IDENTITY_PROVIDER --location="global" --format="value(name)" \| awk -F'/' '{print $2}')

	gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_NAME" \
	--role="roles/iam.workloadIdentityUser" \
	--member="principalSet://iam.googleapis.com/projects/$GITHUB_ACTIONS_POOL_PROJECT_ID/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository/$GITHUB_REPOSITORY_OWNER/$GITHUB_REPO_NAME"

	cat <<EOF
	====================================
	jobs:
	deploy:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	steps:
	- uses: actions/checkout@v4
	- name: Authenticate to Google Cloud
	uses: google-github-actions/auth@v2.1.7
	with:
	workload_identity_provider: 'projects/$GITHUB_ACTIONS_POOL_PROJECT_ID/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
	service_account: '$SERVICE_ACCOUNT_NAME'
	====================================

	OR

	gh variable set WORKLOAD_IDENTITY_PROVIDER --body 'projects/$GITHUB_ACTIONS_POOL_PROJECT_ID/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider' --repo $GITHUB_REPOSITORY_OWNER/$GITHUB_REPO_NAME
	gh variable set SERVICE_ACCOUNT --body '$SERVICE_ACCOUNT_NAME' --repo $GITHUB_REPOSITORY_OWNER/$GITHUB_REPO_NAME
	EOF

	cat <<'EOF'

	====================================
	jobs:
	deploy:
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	steps:
	- uses: actions/checkout@v4
	- name: Authenticate to Google Cloud
	uses: google-github-actions/auth@v2.1.7
	with:
	workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
	service_account: ${{ vars.SERVICE_ACCOUNT }}
	====================================
	EOF