ci: Prevent leaked credentials (#8142)

Naive use of google-github-actions/auth and google-github-actions/deploy-appengine can lead to leaked credentials. In particular, uploading static content from the workspace root leads to servable copies of the credentials file written by google-github-actions/auth. This is exactly what the Shaka Player Demo did. Making matters worse, google-github-actions/auth logs credential filenames for all to see. All uploaded credentials were expired before I uploaded this PR. This fixes the leak by installing a gcloudignore file which prevents the credentials from being uploaded.
shaka-project · Feb 21, 2025 · 3a47bd1 · 3a47bd1
1 parent c080f85
commit 3a47bd1
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/.github/workflows/custom-actions/prep-for-appspot/action.yaml b/.github/workflows/custom-actions/prep-for-appspot/action.yaml
@@ -54,3 +54,4 @@ runs:
       run: |
         mv app-engine/shaka-player-demo/* .
         rm README.md
+        mv app-engine/gcloudignore .gcloudignore
diff --git a/.github/workflows/demo-version-index.yaml b/.github/workflows/demo-version-index.yaml
@@ -36,12 +36,13 @@ jobs:
           credentials_json: '${{ secrets.APPENGINE_DEPLOY_KEY }}'
 
       - name: Generate static content
-        run: python3 app-engine/demo-version-index/generate.py
+        run: |
+          python3 app-engine/demo-version-index/generate.py
+          cp app-engine/gcloudignore app-engine/demo-version-index/.gcloudignore
 
       - uses: google-github-actions/deploy-appengine@v2
         with:
           project_id: shaka-player-demo
           version: index
           working_directory: app-engine/demo-version-index/
           promote: false
-
diff --git a/app-engine/gcloudignore b/app-engine/gcloudignore
@@ -0,0 +1,7 @@
+# Defaults you get without an explicit .gcloudignore file
+.git
+.gitignore
+.gcloudignore
+
+# Ignore generated credentials from google-github-actions/auth
+gha-creds-*.json