Unclear instructions for Google Artifact Registry login using Workload Identity

[paololazzari]

What would you like help with?

I would like help with my configuration

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

GitHub, version 40.1.12

Please tell us more about your question or problem

I read the docs, which state:

Just configure ADC / Workload Identity as normal and don't provide a username, password or token. Renovate will automatically retrieve the credentials using the google-auth-library.

Following that, here's how I am running renovate:

- name: 'Google auth'
  uses: 'google-github-actions/auth@v2'
  with:
    project_id: '${{ env.PROJECT_ID }}'
    service_account: '${{ env.SERVICE_ACCOUNT }}'
    workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
    export_environment_variables: true

- name: Self-hosted Renovate
  uses: renovatebot/[email protected]
  with:
    configurationFile: .github/renovate-config.json
    token: ${{ secrets.RENOVATE_TOKEN }}
  env:
    LOG_LEVEL: 'debug'
    RENOVATE_HOST_RULES: '[{"matchHost":"us-central1-docker.pkg.dev"}]'

this fails with:

DEBUG: Could not get Google access token, using no auth

[rarkins]

Please read the section on environment variables at https://github.com/renovatebot/github-action

[paololazzari]

So I should pass a token? Which one?

[rarkins]

You'll need to pass through all necessary credentials that the previous action exported

[paololazzari]

The documentation is confusing because it says not to pass in anything. The gcloud login action has the following outputs:

auth_token: The Google Cloud federated token (for Workload Identity Federation) or self-signed JWT (for a Service Account Key JSON). This output is always available.

access_token: The Google Cloud access token for calling other Google Cloud APIs. This is only available when "token_format" is "access_token".

id_token: The Google Cloud ID token. This is only available when "token_format" is "id_token".

which one would renovate need? auth_token ?

[rarkins]

It's complicated due to the use of GitHub actions. The Google action is exporting env which is then not automatically made available to the renovate action which follows it. You need to find a way to pass it through and you're welcome to submit a PR improving the docs after.

[paololazzari]

Got this working. Full job:

jobs:
  renovate:
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/[email protected]

      - name: 'Google auth'
        id: google_auth
        uses: 'google-github-actions/auth@v2'
        with:
          project_id: '${{ env.PROJECT_ID }}'
          service_account: '${{ env.SERVICE_ACCOUNT }}'
          workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
          token_format: "access_token"

      - name: Self-hosted Renovate
        uses: renovatebot/[email protected]
        with:
          configurationFile: .github/renovate.json
          token: ${{ secrets.RENOVATE_TOKEN }}
        env:
          LOG_LEVEL: 'debug'
          RENOVATE_HOST_RULES: '[{"matchHost":"us-central1-docker.pkg.dev","username":"oauth2accesstoken","password":"${{ steps.google_auth.outputs.access_token }}"}]'

make sure that the service account being used has the artifactregistry.repositories.downloadArtifacts permission.

[rarkins]

Great solution! Would it be possible for you to contribute this example to the docs? If not then will copy/paste it on your behalf. It's specific to GitHub Actions, but still useful to add to the main repo

[paololazzari]

Sure, I'm happy to do that. Should I add it in this section https://docs.renovatebot.com/docker/#google-container-registry-google-artifact-registry ?

[rarkins]

I think that's a good place to put it