diff --git a/.github/workflows/query-tests.yml b/.github/workflows/query-tests.yml index 4f11ede..bb0b84b 100644 --- a/.github/workflows/query-tests.yml +++ b/.github/workflows/query-tests.yml @@ -30,11 +30,13 @@ jobs: - uses: actions/checkout@v6 - name: Authenticate to Google Cloud + id: auth uses: google-github-actions/auth@v2 with: project_id: measurement-lab workload_identity_provider: projects/808951263862/locations/global/workloadIdentityPools/github/providers/m-lab-repos service_account: kb-query-tests@measurement-lab.iam.gserviceaccount.com + token_format: access_token - name: Setup Node uses: actions/setup-node@v4 @@ -43,3 +45,5 @@ jobs: - name: Dry-run decorated queries run: node scripts/test-queries.js + env: + GOOGLE_OAUTH_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }} diff --git a/scripts/test-queries.js b/scripts/test-queries.js index f964051..d0b990e 100644 --- a/scripts/test-queries.js +++ b/scripts/test-queries.js @@ -98,10 +98,15 @@ function gcloud(cmdArgs) { } } -const token = gcloud(['auth', 'application-default', 'print-access-token']); +// Token sources, in order: explicit env (CI passes one from +// google-github-actions/auth), then local gcloud ADC. +const token = + process.env.GOOGLE_OAUTH_ACCESS_TOKEN || + gcloud(['auth', 'application-default', 'print-access-token']); if (!token) { - console.log(`${yellow}⚠ Skipping query tests: no Application Default Credentials.${reset}`); - console.log(`${dim} Run: gcloud auth application-default login${reset}`); + console.log(`${yellow}⚠ Skipping query tests: no Google Cloud credentials.${reset}`); + console.log(`${dim} Locally: gcloud auth application-default login${reset}`); + console.log(`${dim} CI: set GOOGLE_OAUTH_ACCESS_TOKEN${reset}`); process.exit(0); }