feat: migrate Docker workflows to Workload Identity Federation #7650

Draft
paulbalaji wants to merge 15 commits into main from pbio/gcloud-workload-identity-federation
Conversation

@paulbalaji (Collaborator) commented Dec 18, 2025

Summary

Replace stored GCLOUD_SERVICE_KEY with OIDC-based authentication using Google Cloud Workload Identity Federation. This eliminates long-lived service account keys in favor of short-lived tokens generated on-demand.

Changes

  • Update monorepo-docker.yml to use WIF
  • Update rust-docker.yml to use WIF
  • Update simapp-docker.yml to use WIF
  • Update ccip-server-docker.yml to use WIF

Benefits

  • No long-lived secrets — Tokens are generated on-demand and expire quickly
  • Auditable — All token requests are logged in GCP Cloud Audit Logs
  • Rotationless — No key rotation maintenance required

GitHub Repository Variables Required

After GCP setup is complete, add these repository variables (Settings → Secrets and variables → Actions → Variables):

| Variable | Value |
| --- | --- |
| GCP_WORKLOAD_IDENTITY_PROVIDER | projects/116541836866/locations/global/workloadIdentityPools/github-actions/providers/github |
| GCP_SERVICE_ACCOUNT | github-actions-gcr@abacus-labs-dev.iam.gserviceaccount.com |

GCP Setup Instructions

See setup gist for complete GCP configuration instructions for the security engineer.

Stacked on #7565

🤖 Generated with Claude Code

Greptile Summary

This PR migrates Docker workflows from long-lived service account keys to OIDC-based Workload Identity Federation (WIF) for Google Cloud authentication. All four Docker workflows (monorepo-docker.yml, rust-docker.yml, simapp-docker.yml, and the new ccip-server-docker.yml) now use short-lived tokens generated on-demand via google-github-actions/auth@v2.

Key changes:

  • Replaced docker/login-action with google-github-actions/auth@v2 + gcloud auth configure-docker
  • Changed environment check from GCLOUD_SERVICE_KEY secret to GCP_WORKLOAD_IDENTITY_PROVIDER and GCP_SERVICE_ACCOUNT variables
  • Added id-token: write permission to all workflows (required for OIDC token generation)
  • Introduced check-env job to gracefully skip builds when WIF not configured

Security improvements:

  • Eliminates risk of leaked long-lived credentials
  • Tokens auto-expire (no rotation needed)
  • All authentication events logged in GCP Cloud Audit Logs

Dependencies:
This PR depends on GCP infrastructure setup (workload identity pool + service account bindings) and requires repository variables GCP_WORKLOAD_IDENTITY_PROVIDER and GCP_SERVICE_ACCOUNT to be configured before workflows will execute.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - standard WIF migration pattern
  • The implementation follows Google's recommended WIF authentication pattern correctly. All workflows consistently use the same auth approach with proper permissions. The check-env job provides graceful degradation if variables aren't configured. No breaking changes to existing functionality - workflows simply won't run until variables are set.
  • No files require special attention - all changes follow established patterns

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ccip-server-docker.yml | New workflow correctly uses WIF authentication with proper permissions (id-token: write) and fallback behavior when WIF not configured |
| .github/workflows/monorepo-docker.yml | Replaced docker/login-action with google-github-actions/auth@v2 for WIF, removed GCLOUD_SERVICE_KEY secret dependency |
| .github/workflows/rust-docker.yml | Migrated from service key to WIF authentication, follows same pattern as monorepo workflow |
| .github/workflows/simapp-docker.yml | Updated to use WIF authentication, removed service key dependency |
| typescript/ccip-server/Dockerfile | Multi-stage build with pnpm deploy creates standalone image; placeholder DATABASE_URL allows Prisma generation during build |

Sequence Diagram

```mermaid
sequenceDiagram
    participant GHA as GitHub Actions
    participant OIDC as GitHub OIDC Provider
    participant WIF as GCP Workload Identity Pool
    participant SA as Service Account
    participant GCR as Google Container Registry
    participant Depot as Depot Build

    Note over GHA: Workflow Triggered (push/PR/tag)

    GHA->>GHA: check-env job validates<br/>GCP_WORKLOAD_IDENTITY_PROVIDER<br/>& GCP_SERVICE_ACCOUNT vars

    alt WIF not configured
        GHA->>GHA: Skip build-and-push job
    else WIF configured
        GHA->>GHA: Generate GitHub App token<br/>(for PR comments)
        GHA->>GHA: Checkout code with submodules

        Note over GHA,SA: WIF Authentication Flow
        GHA->>OIDC: Request OIDC token<br/>(id-token: write permission)
        OIDC-->>GHA: Return JWT token
        GHA->>WIF: Exchange JWT for GCP token<br/>(google-github-actions/auth@v2)
        WIF->>WIF: Validate token claims<br/>(repo, branch, environment)
        WIF->>SA: Impersonate service account
        SA-->>WIF: Generate short-lived credentials
        WIF-->>GHA: Return GCP access token

        GHA->>GHA: Setup gcloud SDK
        GHA->>GHA: Configure Docker auth<br/>(gcloud auth configure-docker)

        Note over GHA,Depot: Build & Push
        GHA->>Depot: depot/build-push-action<br/>(multi-platform build)
        Depot->>Depot: Build Docker image
        Depot->>GCR: Push image with tags<br/>(branch/PR/SHA-timestamp)
        GCR-->>Depot: Push complete
        Depot-->>GHA: Build complete

        alt Pull Request Event
            GHA->>GHA: Check for relevant changes
            alt Has Changes
                GHA->>GHA: Comment image tags on PR<br/>(via GitHub App token)
            end
        end
    end
```
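The workflow files themselves are not shown on this page, so the following is an added example workflow, not the PR's own code, that puts the described pieces together: the `id-token: write` permission, a `check-env` job that skips the build when the two repository variables are absent, and `google-github-actions/auth@v2` plus `gcloud auth configure-docker` in place of `docker/login-action` with a stored JSON key. The action versions for checkout, the `gcr.io` registry host, the image name and the plain `docker build`/`docker push` steps are assumptions chosen for the example.

```yaml
name: docker-wif-example

on:
  push:
    branches: [main]
  pull_request:

# Top-level default: read-only on contents. id-token: write is what lets a job
# ask GitHub's OIDC provider for a short-lived JWT; without it auth@v2 fails.
permissions:
  contents: read
  id-token: write

jobs:
  # Skip gracefully when WIF has not been configured for this repository yet,
  # instead of failing every PR with an auth error.
  check-env:
    runs-on: ubuntu-latest
    outputs:
      wif-configured: ${{ steps.check.outputs.configured }}
    steps:
      - id: check
        env:
          WIF_PROVIDER: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          WIF_SA: ${{ vars.GCP_SERVICE_ACCOUNT }}
        run: |
          if [ -n "$WIF_PROVIDER" ] && [ -n "$WIF_SA" ]; then
            echo "configured=true" >> "$GITHUB_OUTPUT"
          else
            echo "configured=false" >> "$GITHUB_OUTPUT"
            echo "GCP_WORKLOAD_IDENTITY_PROVIDER / GCP_SERVICE_ACCOUNT not set; skipping build"
          fi

  build-and-push:
    needs: check-env
    if: needs.check-env.outputs.wif-configured == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4   # assumed version
        with:
          submodules: recursive

      # Before (the pattern being removed): a long-lived service account JSON
      # key stored as a repository secret and used as the registry password.
      # - uses: docker/login-action@v3
      #   with:
      #     registry: gcr.io
      #     username: _json_key
      #     password: ${{ secrets.GCLOUD_SERVICE_KEY }}

      # After: exchange the job's OIDC JWT for short-lived GCP credentials via
      # the workload identity pool, impersonating the named service account.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}

      - uses: google-github-actions/setup-gcloud@v2

      # Registers gcloud as the Docker credential helper for gcr.io so that
      # docker push uses the short-lived token obtained above.
      - run: gcloud auth configure-docker gcr.io --quiet

      - name: Build and push (assumed image name)
        env:
          IMAGE: gcr.io/example-project/example-service:${{ github.sha }}
        run: |
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

The token only carries the trust the pool grants it: on the GCP side, the provider that `GCP_WORKLOAD_IDENTITY_PROVIDER` names is assumed to map and restrict the JWT's `repository` claim (the "validate token claims" step in the diagram) so that a job from any other repository cannot impersonate `GCP_SERVICE_ACCOUNT`; that setup lives in the gist the PR references and is not shown here.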

paulbalaji and others added 15 commits December 18, 2025 12:35
- Add Dockerfile for standalone ccip-server image
- Add GitHub Actions workflow to build and push to GCR
- Update helm chart to support both standalone and monorepo images
  - Add `image.standalone` flag to switch between images
  - Document image options in values.yaml

Note: Uses tsc build (not ncc) due to Prisma native binaries
which don't bundle well with ncc.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The starknet-core package's fetch-contracts-release.sh script requires jq.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The ccip-server Docker build depends on provider-sdk via radix-sdk,
so changes to provider-sdk should trigger a rebuild.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The SDK imports from @hyperlane-xyz/deploy-sdk which was missing.
Also added deploy-sdk to workflow triggers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove conditional standalone flag (match rebalancer pattern)
- Update image repository to hyperlane-offchain-lookup-server
- Simplify deployment.yaml by removing command/args (use Dockerfile CMD)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Prisma 6 requires a url in the datasource block. Add dummy DATABASE_URL
env var during build time for schema validation. Actual URL is provided
at runtime.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace stored GCLOUD_SERVICE_KEY with OIDC-based authentication using
Google Cloud Workload Identity Federation. This eliminates long-lived
service account keys in favor of short-lived tokens generated on-demand.

Changes:
- Update monorepo-docker.yml to use WIF
- Update rust-docker.yml to use WIF
- Update simapp-docker.yml to use WIF
- Update ccip-server-docker.yml to use WIF

The workflows now use:
- google-github-actions/auth@v2 for OIDC authentication
- google-github-actions/setup-gcloud@v2 for Cloud SDK
- gcloud auth configure-docker for Docker registry auth

Required GitHub repository variables:
- GCP_WORKLOAD_IDENTITY_PROVIDER: The full WIF provider path
- GCP_SERVICE_ACCOUNT: The service account email

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
changeset-bot (Bot) commented Dec 18, 2025

⚠️ No Changeset found

Latest commit: 9f2680a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Base automatically changed from pbio/ccip-server-dockerfile to main December 22, 2025 17:38
@paulbalaji (Collaborator, Author) commented:

@greptileai

greptile-apps (Bot) commented Dec 25, 2025

Greptile found no issues!

From now on, if a review finishes and we haven't found any issues, we will not post anything, but you can confirm that we reviewed your changes in the status check section.

This feature can be toggled off in your Code Review Settings by deselecting "Create a status check for each PR".
