GH actions use workflow identity

Author: moshemorad

.github/workflows/release.yaml

@@ -13,25 +13,35 @@ jobs:
     name: Build images
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     - name: Get release version
       run: echo "$RELEASE_VER"
 
-    - uses: google-github-actions/[email protected]
+    - uses: google-github-actions/auth@v2
       with:
-        service_account_key: ${{ secrets.GKE_PROD_SA_KEY }}
-        project_id: ${{ secrets.GKE_PROD_PROJECT }}
-        export_default_credentials: true
+        project_id: 'genuine-flight-317411'
+        workload_identity_provider: 'projects/429189597230/locations/global/workloadIdentityPools/github/providers/robusta-repos' # prod
 
-    # Configure Docker to use the gcloud command-line tool as a credential helper for authentication
-    - run: |-
-        gcloud auth configure-docker us-central1-docker.pkg.dev
+    - name: Set up gcloud CLI
+      uses: google-github-actions/setup-gcloud@v2
+      with:
+        project_id: genuine-flight-317411
 
-    - run: |-
-        gcloud config get-value project
+    - name: Configure Docker Registry
+      run: gcloud auth configure-docker us-central1-docker.pkg.dev
+
+    - name: Login to Docker Hub
+      uses: docker/login-action@v1
+      with:
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
 
     - name: Update package version
       run: |
@@ -66,11 +76,6 @@ jobs:
         poetry install --no-dev
         poetry publish --build -u __token__ -p ${{ secrets.PYPI_PROJECT_TOKEN }}
 
-    - name: Login to Docker Hub
-      uses: docker/login-action@v1
-      with:
-        username: ${{ secrets.DOCKER_USERNAME }}
-        password: ${{ secrets.DOCKER_PASSWORD }}
 
     - name: Release Docker CLI
       if: "!github.event.release.prerelease"