@MaitreyaBuddha MaitreyaBuddha commented May 21, 2025

PR Type

Enhancement, Documentation


Description

  • Refactor deploy workflow to composite action

  • Add dynamic project and credentials env variables

  • Simplify PR lint workflow configuration

  • Update README and action inputs documentation


Changes walkthrough 📝

Relevant files

Enhancement

deploy-functions.yml: Refactor deploy workflow to composite action
.github/workflows/deploy-functions.yml (+8/-84)

  • Add dynamic PROJECT_ID and CREDENTIALS_JSON env
  • Replace manual install/auth steps with composite action
  • Remove verbose Firebase CLI and debug commands

action.yml: Update composite action auth and inputs
action.yml (+5/-24)

  • Remove environment input, require project_id
  • Use google-github-actions/auth@v2 for auth step
  • Update post-deployment summary fields

Configuration changes

lint-pr-title.yml: Update PR lint workflow config
.github/workflows/lint-pr-title.yml (+11/-11)

  • Rename workflow to "Lint PR"
  • Switch to pull_request_target event
  • Adjust job permissions and step names

Documentation

README.md: Update README usage and inputs
README.md (+15/-90)

  • Streamline usage examples and remove old sections
  • Update inputs table with service_account_json_b64
  • Clarify base64 encoding requirement

    @github-actions

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    ⏱️ Estimated effort to review: 3 🔵🔵🔵⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Expression Syntax

    Verify that the conditional expressions for PROJECT_ID and CREDENTIALS_JSON use valid GitHub Actions expression syntax and yield the expected values for both staging and production environments.

    env:
      PROJECT_ID: ${{ github.event.inputs.environment == 'prod' && 'hello-wisdom-prod' || 'hello-wisdom-staging' }}
      CREDENTIALS_JSON: ${{ github.event.inputs.environment == 'prod' && secrets.FIREBASE_PROD_SERVICE_ACCOUNT || secrets.FIREBASE_STAGING_SERVICE_ACCOUNT }}

    Docs Mismatch

    The README introduces an input service_account_json_b64 while the action defines service_account_json. Ensure the documentation aligns with the actual composite action inputs.

        service_account_json_b64: ${{ inputs.service_account_b64 }} # Must be base64 encoded

    The action requires the service account JSON to be base64 encoded. How you provide this encoded value is up to your workflow design.

    Inputs

    | Input | Description | Required | Default |
    | --- | --- | --- | --- |
    | functions_dir | Directory containing functions and pyproject.toml | No | functions |
    | to_deploy | Firebase resource to deploy (e.g. functions) | No | functions |
    | project_id | Firebase project ID | Yes | N/A |
    | service_account_json_b64 | Base64-encoded Firebase service account JSON | Yes | N/A |
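
The `cond && a || b` form quoted under Expression Syntax falls through to `b` whenever `a` is empty, so an unset prod secret would select the staging credential while PROJECT_ID still points at prod. An added sketch, not the project's workflow (the `workflow_dispatch` trigger, the job layout and the guard step are assumptions), that removes the cross-environment fallback and fails closed:

```yaml
# Added example. Project IDs and secret names are the ones quoted in the review;
# everything else (trigger, job name, guard step) is an assumption.
name: Deploy functions (sketch)
on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options: [staging, prod]
        default: staging

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      PROJECT_ID: ${{ github.event.inputs.environment == 'prod' && 'hello-wisdom-prod' || 'hello-wisdom-staging' }}
      # Weak form (from the PR): an empty prod secret is falsy, so the value
      # after || (the staging secret) is returned even when environment == 'prod'.
      #   ... == 'prod' && secrets.FIREBASE_PROD_SERVICE_ACCOUNT || secrets.FIREBASE_STAGING_SERVICE_ACCOUNT
      # Corrected form: each secret is reachable only under its own condition,
      # and the final fallback is the empty string.
      CREDENTIALS_JSON: ${{ (github.event.inputs.environment == 'prod' && secrets.FIREBASE_PROD_SERVICE_ACCOUNT) || (github.event.inputs.environment == 'staging' && secrets.FIREBASE_STAGING_SERVICE_ACCOUNT) || '' }}
    steps:
      - name: Fail closed when no credential was selected
        shell: bash
        env:
          ENVIRONMENT: ${{ github.event.inputs.environment }}
        run: |
          # An unset secret expands to an empty string, so this catches both
          # a missing secret and an unexpected environment value.
          if [ -z "$CREDENTIALS_JSON" ]; then
            echo "::error::No service account secret is set for '${ENVIRONMENT}'"
            exit 1
          fi
      # The deploy steps would follow here and only run once the guard passes.
```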

    @github-actions

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    Category | Suggestion | Impact

    Category: Security
    Use pull_request event

    Using pull_request_target can expose secrets to untrusted PRs. Switch back to
    pull_request to safely lint titles without elevated privileges.

    .github/workflows/lint-pr-title.yml [3-9]

     on:
    -  pull_request_target:
    +  pull_request:
         types:
           - opened
           - edited
           - synchronize
           - reopened
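
    Review bot: the swap on the `pull_request_target:` line also changes what the job is allowed to do, and the suggestion does not state that trade-off. Under `pull_request`, runs for PRs opened from forks get a read-only token and no secrets, so a lint step that posts a comment or status would fail there; check the job's `permissions:` block against that before applying. If `pull_request_target` is kept instead, the condition that makes it safe is that the job never checks out or runs PR head code and only reads the title as data.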
    Suggestion importance[1-10]: 9


    Why: Using pull_request_target exposes secrets to untrusted PRs, so switching to pull_request enhances security during title linting.

    Impact: High

    Category: Possible issue
    Install gcloud and fix auth quoting

    Remove the single quotes around the expression so the JSON is correctly injected.
    Also insert a step to install the GCloud SDK before authenticating to ensure the
    gcloud CLI is available for downstream commands.

    action.yml [51-53]

    -uses: 'google-github-actions/auth@v2'
    -with:
    -  credentials_json: '${{ inputs.service_account_json }}'
    +- name: Set up GCloud SDK
    +  uses: google-github-actions/setup-gcloud@v1
     
    +- name: Authenticate with GCP service account key
    +  uses: google-github-actions/auth@v2
    +  with:
    +    credentials_json: ${{ inputs.service_account_json }}
    +
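
    Review bot: the added `Set up GCloud SDK` step is placed before `Authenticate with GCP service account key`; the usual order for these two actions is auth first, so that the SDK set up afterwards picks up the credentials auth exported. The new step is also `setup-gcloud@v1` next to `auth@v2`, and both are referenced by mutable tag in the step sequence that receives the service account key, so pin them to full commit SHAs. The removed lines start at `uses:` while the added ones start at `- name:`, so confirm the result still indents correctly inside the existing steps list.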
    Suggestion importance[1-10]: 8


    Why: Ensures the GCloud SDK is installed before authentication and fixes the quoting on credentials_json, enabling proper injection.

    Impact: Medium
    Fix README input name mismatch

    The composite action still expects service_account_json, not
    service_account_json_b64. Align the README with the actual input name so users don’t
    get errors when they pass secrets.

    README.md [19]

    -service_account_json_b64: ${{ inputs.service_account_b64 }} # Must be base64 encoded
    +service_account_json: ${{ inputs.service_account_b64 }} # Must be base64 encoded
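
    Review bot: the `+` line keeps the `# Must be base64 encoded` comment and the `inputs.service_account_b64` value on an input now named `service_account_json`, so the name says raw JSON while the comment says base64. Decide which encoding the action accepts first, then make the input name in action.yml, the README inputs table (which lists `service_account_json_b64`) and this comment agree; renaming only the README key leaves the mismatch in place.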
    Suggestion importance[1-10]: 5


    Why: The README references a non-existent service_account_json_b64 input, leading to confusion; aligning it with service_account_json prevents user errors.

    Impact: Low

    Category: General
    Unquote credentials_json expression

    Quoting the entire expression may prevent proper evaluation of the JSON. Remove the
    surrounding quotes so the expression expands correctly.

    action.yml [53]

    -credentials_json: '${{ inputs.service_account_json }}'
    +credentials_json: ${{ inputs.service_account_json }}
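
    Review bot: removing the quotes on `credentials_json` does not change what the action receives. YAML parses the quoted and unquoted forms to the same string, and the `${{ }}` expression is evaluated afterwards in either case, so this is a style change only and should not be applied as a fix.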
    Suggestion importance[1-10]: 6


    Why: Removing the surrounding quotes allows the ${{ inputs.service_account_json }} expression to be evaluated correctly.

    Impact: Low
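
If the lint workflow stays on `pull_request_target`, the shape below keeps it from handing a privileged context to untrusted input. This is an added example, not the repository's workflow; the job name, the shell-based check and the title pattern are assumptions:

```yaml
# Added example: title lint that is safe to run under pull_request_target.
name: Lint PR
on:
  pull_request_target:
    types:
      - opened
      - edited
      - synchronize
      - reopened

# Drop every default token scope. This job makes no API calls, so it needs none.
permissions: {}

jobs:
  title:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout step: nothing from the PR head is
      # fetched or executed, which is what makes this trigger tolerable here.
      - name: Check PR title format
        shell: bash
        env:
          # The title is contributor-controlled text. Pass it as an environment
          # variable so the shell sees it as data; do not interpolate
          # ${{ github.event.pull_request.title }} directly into the script.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          # Constructed pattern: "<type>(optional-scope): summary"
          pattern='^(feat|fix|docs|chore|refactor|test|ci)(\([a-z0-9-]+\))?: .+'
          if ! printf '%s' "$PR_TITLE" | grep -Eq "$pattern"; then
            echo "::error::PR title does not match the expected prefix format"
            exit 1
          fi
```

No secret is referenced anywhere in the job, so a run started by a fork PR has nothing to read even though the trigger would allow it.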

    @aquitzia aquitzia merged commit e2230dc into staging Aug 11, 2025
    @aquitzia aquitzia deleted the kelly/googleAuthActionLocalDeploy branch August 11, 2025 18:58