From 7460e650af82606825358fa987be40b533141d3e Mon Sep 17 00:00:00 2001
From: Vibhu Pandey
Date: Fri, 10 May 2024 23:23:31 +0530
Subject: [PATCH] feat(workflow): integrate with workflow identity pool (#4945)
* feat(workflows): add wif workflow
* feat(workflows): add name of compute instance
* feat(workflows): fix permissions
* feat(workflows): add an OR true since github runs with -e
* ci(testing-deployment): include GITHUB envs
* ci(testing-deployment): move GCP information to secrets
* ci(staging-deployment): wif workflow
---------
Co-authored-by: Prashant Shahi
---
.github/workflows/staging-deployment.yaml | 70 +++++++++++++----------
.github/workflows/testing-deployment.yaml | 68 +++++++++++++---------
2 files changed, 81 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/staging-deployment.yaml b/.github/workflows/staging-deployment.yaml
index 9b7a5121b2..718eda47db 100644
--- a/.github/workflows/staging-deployment.yaml
+++ b/.github/workflows/staging-deployment.yaml
@@ -9,34 +9,46 @@ jobs:
 name: Deploy latest develop branch to staging
 runs-on: ubuntu-latest
 environment: staging
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 steps:
- - name: Executing remote ssh commands using ssh key
- uses: appleboy/ssh-action@v1.0.3
- env:
- GITHUB_BRANCH: develop
- GITHUB_SHA: ${{ github.sha }}
+ - id: 'auth'
+ uses: 'google-github-actions/auth@v2'
 with:
- host: ${{ secrets.HOST_DNS }}
- username: ${{ secrets.USERNAME }}
- key: ${{ secrets.SSH_KEY }}
- envs: GITHUB_BRANCH,GITHUB_SHA
- command_timeout: 60m
- script: |
- echo "GITHUB_BRANCH: ${GITHUB_BRANCH}"
- echo "GITHUB_SHA: ${GITHUB_SHA}"
- export DOCKER_TAG="${GITHUB_SHA:0:7}" # needed for child process to access it
- export OTELCOL_TAG="main"
- export PATH="/usr/local/go/bin/:$PATH" # needed for Golang to work
- docker system prune --force
- docker pull signoz/signoz-otel-collector:main
- docker pull signoz/signoz-schema-migrator:main
- cd ~/signoz
- git status
- git add .
- git stash push -m "stashed on $(date --iso-8601=seconds)"
- git fetch origin
- git checkout ${GITHUB_BRANCH}
- git pull
- make build-ee-query-service-amd64
- make build-frontend-amd64
- make run-signoz
\ No newline at end of file
+ workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+ - name: 'sdk'
+ uses: 'google-github-actions/setup-gcloud@v2'
+
+ - name: 'ssh'
+ shell: bash
+ env:
+ GITHUB_BRANCH: ${{ github.head_ref || github.ref_name }}
+ GITHUB_SHA: ${{ github.sha }}
+ GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
+ GCP_ZONE: ${{ secrets.GCP_ZONE }}
+ GCP_INSTANCE: ${{ secrets.GCP_INSTANCE }}
+ run: |
+ read -r -d '' COMMAND <