Switch to using /github/home for storing credentials

The GitHub Action currently puts generated credentials into $GITHUB_WORKSPACE (/github/workspace). Unfortunately this is also the working directory of the checkout, so it's too easy to accidentally bundle the generated credentials into Docker containers, binaries, or anything that uses `*` or `.` as a build context.

In the past, we tried to move the exported credentials into RUNNER_TEMP or other directories, but it always introduced incompatibility with the various community workflows (Docker, self-hosted, etc.):

- google-github-actions/setup-gcloud#148
- google-github-actions/setup-gcloud#149
- google-github-actions/setup-gcloud#405
- google-github-actions/setup-gcloud#412

While undocumented, it appears that `/github/home` is an understood path, AND that path is mounted into Docker containers. That means we can export credentials outside of the workspace and still have them available inside the Docker container without users taking manual actions. This comes at three major costs:

1. We have to write the file into two locations. This isn't ideal, but it's also not the end of the world.

2. We would be relying on an undocumented filepath which GitHub could change at any point in the future. Since this is not part of the publicly-documented API, GitHub is within their rights to change this without notice, potentially breaking everyone/everything.

3. Because of the previous point, there are no environment variables that export these paths. We have to dynamically compile them, and it's a bit messy.

Author: sethvargo

.github/workflows/test.yml

@@ -112,140 +112,140 @@ jobs:
           gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
 
 
-  #
-  # Workload Identity Federation through a Service Account
-  #
-  workload_identity_federation_through_service_account:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
-    name: 'workload_identity_federation_through_service_account'
-    runs-on: '${{ matrix.os }}'
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - 'ubuntu-latest'
-          - 'windows-latest'
-          - 'macos-latest'
-
-    permissions:
-      id-token: 'write'
-
-    steps:
-      - uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
-
-      - uses: 'actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a' # ratchet:actions/setup-node@v4
-        with:
-          node-version: '20.x'
-
-      - name: 'npm build'
-        run: 'npm ci && npm run build'
-
-      - id: 'auth-default'
-        name: 'auth-default'
-        uses: './'
-        with:
-          workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
-
-      - uses: 'google-github-actions/setup-gcloud@main' # ratchet:exclude
-        with:
-          version: '>= 363.0.0'
-
-      - name: 'gcloud'
-        run: |-
-          gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
-
-      - id: 'auth-access-token'
-        name: 'auth-access-token'
-        uses: './'
-        with:
-          workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
-          token_format: 'access_token'
-
-      - id: 'oauth-token'
-        name: 'oauth-token'
-        run: |-
-          curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
-            --silent \
-            --show-error \
-            --fail \
-            --header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
-
-      - id: 'id-token'
-        name: 'id-token'
-        uses: './'
-        with:
-          workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
-          token_format: 'id_token'
-          id_token_audience: 'https://secretmanager.googleapis.com/'
-          id_token_include_email: true
-
-
-  #
-  # Service Account Key JSON
-  #
-  credentials_json:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
-    name: 'credentials_json'
-    runs-on: '${{ matrix.os }}'
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - 'ubuntu-latest'
-          - 'windows-latest'
-          - 'macos-latest'
-
-    steps:
-      - uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
-
-      - uses: 'actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a' # ratchet:actions/setup-node@v4
-        with:
-          node-version: '20.x'
-
-      - name: 'npm build'
-        run: 'npm ci && npm run build'
-
-      - id: 'auth-default'
-        name: 'auth-default'
-        uses: './'
-        with:
-          credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
-
-      - uses: 'google-github-actions/setup-gcloud@main' # ratchet:exclude
-        with:
-          version: '>= 363.0.0'
-
-      - name: 'gcloud'
-        run: |-
-          gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
-
-      - id: 'auth-access-token'
-        name: 'auth-access-token'
-        uses: './'
-        with:
-          credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
-          token_format: 'access_token'
-
-      - id: 'access-token'
-        name: 'access-token'
-        run: |-
-          curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
-            --silent \
-            --show-error \
-            --fail \
-            --header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
-
-      - id: 'auth-id-token'
-        name: 'auth-id-token'
-        uses: './'
-        with:
-          credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
-          token_format: 'id_token'
-          id_token_audience: 'https://secretmanager.googleapis.com/'
-          id_token_include_email: true
+  # #
+  # # Workload Identity Federation through a Service Account
+  # #
+  # workload_identity_federation_through_service_account:
+  #   if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
+  #   name: 'workload_identity_federation_through_service_account'
+  #   runs-on: '${{ matrix.os }}'
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       os:
+  #         - 'ubuntu-latest'
+  #         - 'windows-latest'
+  #         - 'macos-latest'
+
+  #   permissions:
+  #     id-token: 'write'
+
+  #   steps:
+  #     - uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
+
+  #     - uses: 'actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a' # ratchet:actions/setup-node@v4
+  #       with:
+  #         node-version: '20.x'
+
+  #     - name: 'npm build'
+  #       run: 'npm ci && npm run build'
+
+  #     - id: 'auth-default'
+  #       name: 'auth-default'
+  #       uses: './'
+  #       with:
+  #         workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+  #         service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+
+  #     - uses: 'google-github-actions/setup-gcloud@main' # ratchet:exclude
+  #       with:
+  #         version: '>= 363.0.0'
+
+  #     - name: 'gcloud'
+  #       run: |-
+  #         gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
+
+  #     - id: 'auth-access-token'
+  #       name: 'auth-access-token'
+  #       uses: './'
+  #       with:
+  #         workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+  #         service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+  #         token_format: 'access_token'
+
+  #     - id: 'oauth-token'
+  #       name: 'oauth-token'
+  #       run: |-
+  #         curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
+  #           --silent \
+  #           --show-error \
+  #           --fail \
+  #           --header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
+
+  #     - id: 'id-token'
+  #       name: 'id-token'
+  #       uses: './'
+  #       with:
+  #         workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+  #         service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+  #         token_format: 'id_token'
+  #         id_token_audience: 'https://secretmanager.googleapis.com/'
+  #         id_token_include_email: true
+
+
+  # #
+  # # Service Account Key JSON
+  # #
+  # credentials_json:
+  #   if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
+  #   name: 'credentials_json'
+  #   runs-on: '${{ matrix.os }}'
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       os:
+  #         - 'ubuntu-latest'
+  #         - 'windows-latest'
+  #         - 'macos-latest'
+
+  #   steps:
+  #     - uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
+
+  #     - uses: 'actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a' # ratchet:actions/setup-node@v4
+  #       with:
+  #         node-version: '20.x'
+
+  #     - name: 'npm build'
+  #       run: 'npm ci && npm run build'
+
+  #     - id: 'auth-default'
+  #       name: 'auth-default'
+  #       uses: './'
+  #       with:
+  #         credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
+
+  #     - uses: 'google-github-actions/setup-gcloud@main' # ratchet:exclude
+  #       with:
+  #         version: '>= 363.0.0'
+
+  #     - name: 'gcloud'
+  #       run: |-
+  #         gcloud secrets versions access "latest" --secret "${{ vars.SECRET_NAME }}"
+
+  #     - id: 'auth-access-token'
+  #       name: 'auth-access-token'
+  #       uses: './'
+  #       with:
+  #         credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
+  #         token_format: 'access_token'
+
+  #     - id: 'access-token'
+  #       name: 'access-token'
+  #       run: |-
+  #         curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ vars.SECRET_NAME }}/versions/latest:access \
+  #           --silent \
+  #           --show-error \
+  #           --fail \
+  #           --header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
+
+  #     - id: 'auth-id-token'
+  #       name: 'auth-id-token'
+  #       uses: './'
+  #       with:
+  #         credentials_json: '${{ secrets.SERVICE_ACCOUNT_KEY_JSON }}'
+  #         token_format: 'id_token'
+  #         id_token_audience: 'https://secretmanager.googleapis.com/'
+  #         id_token_include_email: true
 
   #
   # This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment

README.md

@@ -26,19 +26,6 @@ support](https://cloud.google.com/support).**
 
 ## Prerequisites
 
--   Run the `actions/checkout@v4` step _before_ this action. Omitting the
-    checkout step or putting it after `auth` will cause future steps to be
-    unable to authenticate.
-
--   To create binaries, containers, pull requests, or other releases, add the
-    following to your `.gitignore`, `.dockerignore` and similar files to prevent
-    accidentally committing credentials to your release artifact:
-
-    ```text
-    # Ignore generated credentials from google-github-actions/auth
-    gha-creds-*.json
-    ```
-
 -   This action runs using Node 20. Use a [runner
     version](https://github.com/actions/virtual-environments) that supports this
     version of Node or newer.
@@ -237,20 +224,9 @@ regardless of the authentication mechanism.
     generate a credentials file which can be used for authentication via gcloud
     and Google Cloud SDKs in other steps in the workflow. The default is true.
 
-    The credentials file is exported into `$GITHUB_WORKSPACE`, which makes it
-    available to all future steps and filesystems (including Docker-based GitHub
-    Actions). The file is automatically removed at the end of the job via a post
-    action. In order to use exported credentials, you **must** add the
-    `actions/checkout` step before calling `auth`. This is due to how GitHub
-    Actions creates `$GITHUB_WORKSPACE`:
-
-     ```yaml
-     jobs:
-      job_id:
-        steps:
-        - uses: 'actions/checkout@v4' # Must come first!
-        - uses: 'google-github-actions/auth@v2'
-     ```
+    The credentials file is exported into the GitHub home directory
+    (`/github/home` on Unix, `C:/TODO/TODO` on Windows) and a special directory
+    in the temp directory that is shared with Docker-based actions.
 
 -   `export_environment_variables`: (Optional) If true, the action will export
     common environment variables which are known to be consumed by popular