From d9fd08733fab9a2dc9c87d08c3dc68725d715b4c Mon Sep 17 00:00:00 2001 From: Jonah Duckles Date: Fri, 3 Jul 2026 15:48:17 +1200 Subject: [PATCH] Pass WIF access token to test script via env instead of gcloud ADC google-github-actions/auth now mints an OAuth access token (token_format: access_token) which the run step passes as GOOGLE_OAUTH_ACCESS_TOKEN; the script prefers that over shelling out to gcloud, which was failing to produce ADC tokens on the runner. --- .github/workflows/query-tests.yml | 4 ++++ scripts/test-queries.js | 11 ++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/workflows/query-tests.yml b/.github/workflows/query-tests.yml index 4f11ede..bb0b84b 100644 --- a/.github/workflows/query-tests.yml +++ b/.github/workflows/query-tests.yml @@ -30,11 +30,13 @@ jobs: - uses: actions/checkout@v6 - name: Authenticate to Google Cloud + id: auth uses: google-github-actions/auth@v2 with: project_id: measurement-lab workload_identity_provider: projects/808951263862/locations/global/workloadIdentityPools/github/providers/m-lab-repos service_account: kb-query-tests@measurement-lab.iam.gserviceaccount.com + token_format: access_token - name: Setup Node uses: actions/setup-node@v4 @@ -43,3 +45,5 @@ jobs: - name: Dry-run decorated queries run: node scripts/test-queries.js + env: + GOOGLE_OAUTH_ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }} diff --git a/scripts/test-queries.js b/scripts/test-queries.js index f964051..d0b990e 100644 --- a/scripts/test-queries.js +++ b/scripts/test-queries.js @@ -98,10 +98,15 @@ function gcloud(cmdArgs) { } } -const token = gcloud(['auth', 'application-default', 'print-access-token']); +// Token sources, in order: explicit env (CI passes one from +// google-github-actions/auth), then local gcloud ADC. +const token = + process.env.GOOGLE_OAUTH_ACCESS_TOKEN || + gcloud(['auth', 'application-default', 'print-access-token']); if (!token) { - console.log(`${yellow}⚠ Skipping query tests: no Application Default Credentials.${reset}`); - console.log(`${dim} Run: gcloud auth application-default login${reset}`); + console.log(`${yellow}⚠ Skipping query tests: no Google Cloud credentials.${reset}`); + console.log(`${dim} Locally: gcloud auth application-default login${reset}`); + console.log(`${dim} CI: set GOOGLE_OAUTH_ACCESS_TOKEN${reset}`); process.exit(0); }