The question: What is the best way we can use Google API via a service account in Github Actions? Answer: encrypt the credentials and decrypt during Action w/ a configured secret.
- The credentials.json.gpg is originated from the credentials.json that can be downloaded from Cloud Console for the service account.
- Encrypt it via:
gpg --symmetric --cipher-algo AES256 credentials.json- Note the password used, as it will be added as a secret in this repo to be used for decoding the file and accessing Google APIs. - Update the
credentials.json.gpgfile in this repo using the contents of the newly createdcredentials.json.gpg, commit and push. - The password used should be added as a secret, e.g. the
GOOGLE_API_PWsecret in the github repo
Then, in the Github action or script, call gpg to decrypt and write the unencrypted file:
#!/bin/sh