[GH-ISSUE #2262] Make GCP Workload Identity work with act #1057

Open
opened 2026-03-01 21:48:35 +03:00 by kerem · 2 comments

Originally created by @RS185734 on GitHub (Mar 27, 2024).
Original GitHub issue: https://github.com/nektos/act/issues/2262

Act version

0.2.60

Feature description

GCP recommends not using a service account, and we are trying to implement workload identity.

```yaml
steps:
  - uses: actions/checkout@v4
  - name: "Authenticate to Google Cloud"
    uses: "google-github-actions/auth@v2"
    with:
      workload_identity_provider: "projects/some/locations/global/workloadIdentityPools/some-gh-pool/providers/some-gh-provider"
      service_account: "sa_name@project.iam.gserviceaccount.com"
```

The process works well in GitHub Actions, but in act I see

```text
[GCP - Rocky 8/GCP-VM-DEPLOY]   ❗  ::error::google-github-actions/auth failed with: gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job. This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
```

Am I missing some variables?


@aldoborrero commented on GitHub (Jul 26, 2024):

[Related discussion on google-actions/auth](https://github.com/google-github-actions/auth/issues/401)


@StevenACoffman commented on GitHub (Jun 6, 2025):

```yaml
# GCP auth is for getting secrets from secret manager.
# download-introspection-json.ts requires a secret to make the request.
- if: ${{ env.CLOUDSDK_AUTH_ACCESS_TOKEN == '' }}
  name: Authenticate to Google Cloud
  id: auth
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: "projects/<projectnumber>/locations/global/workloadIdentityPools/github-action-pool/providers/github-action-provider"
    service_account: "github-action@<projectname>.iam.gserviceaccount.com"
```

Or you could use `GOOGLE_APPLICATION_CREDENTIALS`, but if you try to use **_either_**, you need to be cautious, since splitting multiline GitHub Actions statements runs through all the vagaries of its partial YAML support, JavaScript syntax, shell syntax, and other oddities, so that way lies madness. See here: https://github.com/orgs/community/discussions/25641#discussioncomment-11142107

So I think this is correct:

```yaml
# GCP auth is for getting secrets from secret manager.
# download-introspection-json.ts requires a secret to make the request.
- if: ${{ env.CLOUDSDK_AUTH_ACCESS_TOKEN == '' && env.GOOGLE_APPLICATION_CREDENTIALS == '' }}
  name: Authenticate to Google Cloud
  id: auth
  uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: "projects/<projectnumber>/locations/global/workloadIdentityPools/github-action-pool/providers/github-action-provider"
    service_account: "github-action@<projectname>.iam.gserviceaccount.com"
- if: ${{ env.CLOUDSDK_AUTH_ACCESS_TOKEN != '' || env.GOOGLE_APPLICATION_CREDENTIALS != '' }}
  name: Authenticate to Google Cloud
  id: auth
  uses: google-github-actions/auth@v2
```

Then you could expose **one** of these to `act` like this:

```shell
export CLOUDSDK_AUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
act --env 'vars.CLOUDSDK_AUTH_ACCESS_TOKEN='"$CLOUDSDK_AUTH_ACCESS_TOKEN" -j <action_name>
```

or

```shell
export GOOGLE_APPLICATION_CREDENTIALS="$HOME/Downloads/service-account-file.json"
# pass the credentials-file variable under its own name (the original line reused CLOUDSDK_AUTH_ACCESS_TOKEN)
act --env 'vars.GOOGLE_APPLICATION_CREDENTIALS='"$GOOGLE_APPLICATION_CREDENTIALS" -j <action_name>
```

See more details here: https://github.com/google-github-actions/auth/issues/401

Your action workflow will also need a redundant copy of the `google-github-actions/auth@v2` step for the non-workload-identity-federation case, where it gets the credentials from either of those environment variables, with an inverted `if`.
