From 8f94b15a17ca3880583f63b8229ff5b2cbd4a70d Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Thu, 26 Dec 2024 15:08:57 -0500
Subject: [PATCH] ci(google-auth): use workload identity federation instead of json (#10342)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Tim Sweña (Swast)
---
 .github/workflows/ci-data.yml | 3 ++-
 .github/workflows/ibis-backends-cloud.yml | 15 +++++++++------
 .github/workflows/ibis-benchmarks.yml | 3 ++-
 3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/ci-data.yml b/.github/workflows/ci-data.yml
index 1af8e145b7f3..75b0b52b17d5 100644
--- a/.github/workflows/ci-data.yml
+++ b/.github/workflows/ci-data.yml
@@ -42,7 +42,8 @@ jobs:
       - uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+          project_id: "ibis-gbq"
+          workload_identity_provider: "${{ vars.WIF_PROVIDER_NAME }}"
       - uses: google-github-actions/setup-gcloud@v2
diff --git a/.github/workflows/ibis-backends-cloud.yml b/.github/workflows/ibis-backends-cloud.yml
index b82faa859c21..1b1d3a0b7de1 100644
--- a/.github/workflows/ibis-backends-cloud.yml
+++ b/.github/workflows/ibis-backends-cloud.yml
@@ -15,11 +15,6 @@ on:
     types:
       - labeled
-permissions:
-  # this allows extractions/setup-just to list releases for `just` at a higher
-  # rate limit while restricting GITHUB_TOKEN permissions elsewhere
-  contents: read
 env:
   FORCE_COLOR: "1"
   SQLALCHEMY_WARN_20: "1"
@@ -79,6 +74,13 @@ jobs:
             key: snowpark
             extras:
               - --extra snowflake
+    # this allows extractions/setup-just to list releases for `just` at a higher
+    # rate limit while restricting GITHUB_TOKEN permissions elsewhere
+    permissions:
+      contents: "read"
+      # required for GCP workload identity federation
+      id-token: "write"
     steps:
       - name: checkout
         uses: actions/checkout@v4
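Review bot: The auth step now depends on the job's OIDC token, but this hunk is the only change to ci-data.yml (diffstat: 3 lines), so unless the workflow or job already grants `id-token: write` outside the hunk, google-github-actions/auth cannot exchange a token with `vars.WIF_PROVIDER_NAME` and the step will fail. The ibis-benchmarks.yml hunk has the same gap, whereas ibis-backends-cloud.yml adds `id-token: "write"` at job level in this same commit. Suggest adding to the job in both workflows `permissions:` / `  contents: read` / `  id-token: write`, so the token is scoped to the one job that needs it. Since `secrets.GCP_CREDENTIALS` is no longer referenced by these three workflows, the JSON service-account key behind it should be disabled in GCP and the secret removed once no other workflow uses it; otherwise the long-lived credential this commit retires stays valid. The enclosing job definition starts outside the hunk.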
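Review bot: Deleting the workflow-level `permissions` block means any job in this workflow that has no `permissions` of its own falls back to the repository's default GITHUB_TOKEN permissions, which can be broader than `contents: read`; the replacement block added later in this commit is scoped to a single job. If the workflow defines more than one job, keep a workflow-level `permissions:` / `  contents: read` and let only the job that authenticates to GCP add `id-token: write`, since a job-level block overrides the workflow-level one and the two can coexist. If this job is the only one, the move is equivalent and the deletion is fine.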
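Review bot: The comment on `id-token: "write"` says why the permission exists but not what bounds it; with federation the only thing stopping another repository's token from assuming the same identity is the attribute condition configured on the provider in GCP, which is invisible from this file. Suggest extending the comment to `# required for GCP workload identity federation; the provider's attribute condition (configured in GCP, not here) must restrict which repository and ref may assume this identity` so the next maintainer knows where the trust boundary lives. Quoting `"read"`/`"write"` is harmless but differs from the unquoted `contents: read` the commit removes; pick one style for the file.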
@@ -126,7 +128,8 @@ jobs:
       - uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+          project_id: "ibis-gbq"
+          workload_identity_provider: "${{ vars.WIF_PROVIDER_NAME }}"
       - name: setup databricks credentials
         if: matrix.backend.name == 'databricks'
diff --git a/.github/workflows/ibis-benchmarks.yml b/.github/workflows/ibis-benchmarks.yml
index 2a9de3a4877b..c605e0b7e161 100644
--- a/.github/workflows/ibis-benchmarks.yml
+++ b/.github/workflows/ibis-benchmarks.yml
@@ -43,7 +43,8 @@ jobs:
       - uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCP_CREDENTIALS }}
+          project_id: "ibis-gbq"
+          workload_identity_provider: "${{ vars.WIF_PROVIDER_NAME }}"
       - uses: google-github-actions/setup-gcloud@v2