Switch to gen2 API

google-github-actions · May 19, 2024 · c7bf1ab · c7bf1ab
1 parent 6282b54
commit c7bf1ab
Show file tree

Hide file tree

Showing 15 changed files with 1,318 additions and 892 deletions.
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -14,25 +14,25 @@ jobs:
     runs-on: 'ubuntu-latest'
 
     steps:
-    - uses: 'actions/checkout@v4'
-
-    - uses: 'google-github-actions/auth@v2'
-      with:
-        workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-        service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
-
-    - uses: 'google-github-actions/setup-gcloud@v2'
-
-    - name: Delete services
-      run: |-
-        gcloud config set core/project "${{ vars.PROJECT_ID }}"
-        gcloud config set functions/region "us-central1"
-
-        # List and delete all functions that were deployed 30 minutes ago or
-        # earlier. The date math here is a little weird, but we're looking for
-        # deployments "earlier than" 30 minutes ago, so it's less than since
-        # time increases.
-        (IFS=$'\n'; for NAME in $(gcloud functions list --format="value(name)" --filter="updateTime < '-pt30m'"); do
-          echo "Deleting ${NAME}..."
-          gcloud functions delete ${NAME} --quiet
-        done)
+      - uses: 'actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b' # ratchet:actions/checkout@v4
+
+      - uses: 'google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c' # ratchet:google-github-actions/auth@v2
+        with:
+          workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+
+      - uses: 'google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200' # ratchet:google-github-actions/setup-gcloud@v2
+
+      - name: Delete services
+        run: |-
+          gcloud config set core/project "${{ vars.PROJECT_ID }}"
+          gcloud config set functions/region "us-central1"
+
+          # List and delete all functions that were deployed 30 minutes ago or
+          # earlier. The date math here is a little weird, but we're looking for
+          # deployments "earlier than" 30 minutes ago, so it's less than since
+          # time increases.
+          (IFS=$'\n'; for NAME in $(gcloud functions list --format="value(name)" --filter="updateTime < '-pt30m'"); do
+            echo "Deleting ${NAME}..."
+            gcloud functions delete ${NAME} --quiet
+          done)
diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml
@@ -16,9 +16,9 @@ on:
 jobs:
   draft-release:
     name: 'Draft release'
-    uses: 'google-github-actions/.github/.github/workflows/draft-release.yml@v0'
+    uses: 'google-github-actions/.github/.github/workflows/draft-release.yml@8cd22c145f2e80541e0b757ccd4b4ded9710715f' # ratchet:google-github-actions/.github/.github/workflows/draft-release.yml@v0
     with:
       version_strategy: '${{ github.event.inputs.version_strategy }}'
     # secrets must be explicitly passed to reusable workflows https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/reusing-workflows#using-inputs-and-secrets-in-a-reusable-workflow
     secrets:
-      ACTIONS_BOT_TOKEN: '${{ secrets.ACTIONS_BOT_TOKEN }}'
+      ACTIONS_BOT_TOKEN: '${{ secrets.ACTIONS_BOT_TOKEN }}'
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -23,28 +23,28 @@ jobs:
       id-token: 'write'
     runs-on: 'ubuntu-latest'
     steps:
-    - uses: 'actions/checkout@v4'
+      - uses: 'actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b' # ratchet:actions/checkout@v4
 
-    - uses: 'actions/setup-node@v4'
-      with:
-        node-version: '20.x'
+      - uses: 'actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8' # ratchet:actions/setup-node@v4
+        with:
+          node-version: '20.x'
 
-    - name: 'npm build'
-      run: 'npm ci && npm run build'
+      - name: 'npm build'
+        run: 'npm ci && npm run build'
 
-    - uses: 'google-github-actions/auth@v2'
-      with:
-        workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-        service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+      - uses: 'google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c' # ratchet:google-github-actions/auth@v2
+        with:
+          workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
 
-    - id: 'deploy'
-      uses: './'
-      with:
-        name: 'https-trigger-${{ github.run_number }}'
-        runtime: 'nodejs16'
-        entry_point: 'helloWorld'
-        source_dir: './tests/test-node-func/'
-        https_trigger_security_level: 'secure_always'
+      - id: 'deploy'
+        uses: './'
+        with:
+          name: 'https-trigger-${{ github.run_number }}'
+          runtime: 'nodejs22'
+          entry_point: 'helloWorld'
+          source_dir: './tests/test-node-func/'
+          https_trigger_security_level: 'secure_always'
 
   event_trigger:
     if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
@@ -53,38 +53,38 @@ jobs:
       id-token: 'write'
     runs-on: 'ubuntu-latest'
     steps:
-    - uses: 'actions/checkout@v4'
+      - uses: 'actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b' # ratchet:actions/checkout@v4
 
-    - uses: 'actions/setup-node@v4'
-      with:
-        node-version: '20.x'
+      - uses: 'actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8' # ratchet:actions/setup-node@v4
+        with:
+          node-version: '20.x'
 
-    - name: 'npm build'
-      run: 'npm ci && npm run build'
+      - name: 'npm build'
+        run: 'npm ci && npm run build'
 
-    - uses: 'google-github-actions/auth@v2'
-      with:
-        workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-        service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+      - uses: 'google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c' # ratchet:google-github-actions/auth@v2
+        with:
+          workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
 
-    - id: 'deploy'
-      uses: './'
-      with:
-        name: 'event-trigger-${{ github.run_number }}'
-        runtime: 'nodejs16'
-        entry_point: 'helloWorld'
-        source_dir: './tests/test-node-func/'
-        event_trigger_type: 'providers/cloud.pubsub/eventTypes/topic.publish'
-        event_trigger_resource: '${{ vars.PUBSUB_TOPIC_NAME }}'
-        event_trigger_retry: true
-        env_vars_file: './tests/env-var-files/test.good.yaml'
-        build_environment_variables: 'FOO=bar, ZIP=zap'
-        build_environment_variables_file: './tests/env-var-files/test.good.yaml'
-        secret_environment_variables: |-
-          FOO=${{ vars.SECRET_VERSION_NAME }}
-          BAR=${{ vars.SECRET_NAME }}
-        secret_volumes: '/etc/secrets/foo=${{ vars.SECRET_VERSION_NAME }}'
-        service_account_email: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
-        min_instances: 2
-        max_instances: 5
-        timeout: 300
+      - id: 'deploy'
+        uses: './'
+        with:
+          name: 'event-trigger-${{ github.run_number }}'
+          runtime: 'nodejs22'
+          entry_point: 'helloWorld'
+          source_dir: './tests/test-node-func/'
+          event_trigger_type: 'providers/cloud.pubsub/eventTypes/topic.publish'
+          event_trigger_resource: '${{ vars.PUBSUB_TOPIC_NAME }}'
+          event_trigger_retry: true
+          environment_variables_file: './tests/env-var-files/test.good.yaml'
+          build_environment_variables: 'FOO=bar, ZIP=zap'
+          build_environment_variables_file: './tests/env-var-files/test.good.yaml'
+          secret_environment_variables: |-
+            FOO=${{ vars.SECRET_VERSION_NAME }}
+            BAR=${{ vars.SECRET_NAME }}
+          secret_volumes: '/etc/secrets/foo=${{ vars.SECRET_VERSION_NAME }}'
+          service_account_email: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+          min_instances: 2
+          max_instances: 5
+          timeout: 300
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,4 +10,4 @@ jobs:
   release:
     if: "startsWith(github.event.head_commit.message, 'Release: v')"
     name: 'Release'
-    uses: 'google-github-actions/.github/.github/workflows/release.yml@v0'
+    uses: 'google-github-actions/.github/.github/workflows/release.yml@8cd22c145f2e80541e0b757ccd4b4ded9710715f' # ratchet:google-github-actions/.github/.github/workflows/release.yml@v0
diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -25,36 +25,36 @@ jobs:
       fail-fast: false
       matrix:
         os:
-        - 'ubuntu-latest'
-        - 'windows-latest'
-        - 'macos-latest'
+          - 'ubuntu-latest'
+          - 'windows-latest'
+          - 'macos-latest'
     runs-on: '${{ matrix.os }}'
 
     steps:
-    - uses: 'actions/checkout@v4'
-
-    - uses: 'actions/setup-node@v4'
-      with:
-        node-version: '20.x'
-
-    - name: 'npm build'
-      run: 'npm ci && npm run build'
-
-    - name: 'npm lint'
-      # There's no need to run the linter for each operating system, since it
-      # will find the same thing 3x and clog up the PR review.
-      if: ${{ matrix.os == 'ubuntu-latest' }}
-      run: 'npm run lint'
-
-    - uses: 'google-github-actions/auth@v2'
-      if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
-      with:
-        workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
-        service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
-
-    - name: 'npm test'
-      env:
-        TEST_PROJECT_ID: '${{ vars.PROJECT_ID }}'
-        TEST_SERVICE_ACCOUNT_EMAIL: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
-        TEST_SECRET_VERSION_NAME: '${{ vars.SECRET_VERSION_NAME }}'
-      run: 'npm run test'
+      - uses: 'actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b' # ratchet:actions/checkout@v4
+
+      - uses: 'actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8' # ratchet:actions/setup-node@v4
+        with:
+          node-version: '20.x'
+
+      - name: 'npm build'
+        run: 'npm ci && npm run build'
+
+      - name: 'npm lint'
+        # There's no need to run the linter for each operating system, since it
+        # will find the same thing 3x and clog up the PR review.
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: 'npm run lint'
+
+      - uses: 'google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c' # ratchet:google-github-actions/auth@v2
+        if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
+        with:
+          workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+          service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+
+      - name: 'npm test'
+        env:
+          TEST_PROJECT_ID: '${{ vars.PROJECT_ID }}'
+          TEST_SERVICE_ACCOUNT_EMAIL: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+          TEST_SECRET_VERSION_NAME: '${{ vars.SECRET_VERSION_NAME }}'
+        run: 'npm run test'
diff --git a/README.md b/README.md
@@ -67,9 +67,11 @@ jobs:
 
 - `region`: (Optional) [Region](https://cloud.google.com/functions/docs/locations) in which the function should be deployed. Defaults to `us-central1`.
 
-- `env_vars`: (Optional) List of comma-seperated key-value pairs to set as environment variables in the format: `KEY1=VALUE1,KEY2=VALUE2`. All existing environment variables will be removed, even if this parameter is not passed. Keys or values that contain a separator must be escaped with a backslash (`\,`, `\\n`). All leading and trailing whitespace is trimmed.
+- `environment`: (Optional) Runtime environment (generation) for the Cloud Functions. Valid values are `GEN_1` and `GEN_2`. Defaults to unspecified (server value).
 
-- `env_vars_file`: (Optional) Path to a local YAML file with definitions for all environment variables. An example env_vars_file can be found [here](tests/env-var-files/test.good.yaml). All existing environment variables will be removed, even if this parameter is not passed. If `env_vars` is also given, values in `env_vars` take precedence over these values.
+- `environment_variables`: (Optional) List of comma-seperated key-value pairs to set as environment variables in the format: `KEY1=VALUE1,KEY2=VALUE2`. All existing environment variables will be removed, even if this parameter is not passed. Keys or values that contain a separator must be escaped with a backslash (`\,`, `\\n`). All leading and trailing whitespace is trimmed.
+
+- `environment_variables_file`: (Optional) Path to a local YAML file with definitions for all environment variables. An example `environment_variables_file` can be found [here](tests/env-var-files/test.good.yaml). All existing environment variables will be removed, even if this parameter is not passed. If `environment_variables` is also given, values in `environment_variables` take precedence over these values.
 
 - `labels`: (Optional) List of key-value pairs to set as function labels in the form `label1=VALUE1,label2=VALUE2`. All existing labels will be removed, even if this parameter is not passed.
 
@@ -145,9 +147,7 @@ jobs:
 
 - `event_trigger_service`: (Optional) The hostname of the service that should be observed.
 
-- `event_trigger_retry`: (Optional) If true, the event will be retried if the
-  function returns a failure. The default value is false. Note this applies to
-  function invocation from events, not the deployment itself.
+- `event_trigger_retry`: (Optional) If true, the event will be retried if the function returns a failure. The default value is false. Note this applies to function invocation from events, not the deployment itself.
 
 - `deploy_timeout`: (Optional) The function deployment timeout in seconds. Defaults to 300.
 
@@ -157,10 +157,10 @@ jobs:
 
 - `build_environment_variables`: (Optional) List of environment variables that
   should be available while the function is built. Note this is different than
-  runtime environment variables, which should be set with 'env_vars'.
+  runtime environment variables, which should be set with `environment_variables`.
 
 - `build_environment_variables_file`: (Optional) Path to a local YAML file
-  containing variables. See 'env_vars_file' for syntax.
+  containing variables. See `environment_variables_file` for syntax.
 
 - `docker_repository`: (Optional) User managed repository created in Artifact
   Registry optionally with a customer managed encryption key. If specified,
@@ -178,6 +178,19 @@ jobs:
   provide an artifact registry repository using the `docker_repository` field
   that was created with the same key.
 
+-   `universe`: (Optional) The Google Cloud universe to use for constructing API
+    endpoints. The default universe is "googleapis.com", which corresponds to
+    https://cloud.google.com. Trusted Partner Cloud and Google Distributed
+    Hosted Cloud should set this to their universe address.
+
+    You can also override individual API endpoints by setting the environment variable `GHA_ENDPOINT_OVERRIDE_<endpoint>` where endpoint is the API endpoint to override. For example:
+
+    ```yaml
+    env:
+      GHA_ENDPOINT_OVERRIDE_oauth2: 'https://oauth2.myapi.endpoint/v1'
+    ```
+
+
 ### Allowing unauthenticated requests
 
 A Cloud Functions product recommendation is that CI/CD systems not set or change