Description
We've been using Workload Identity Federation to access GCP resources from the main repository; it has been working smoothly, and this is the recommended approach by Google for GitHub Actions to access these resources.
However, we don't currently use Workload Identity Federation for actions in forked repositories. We currently have a JSON key shared with core contributors, and those core contributors need to add it manually as a secret in their fork. The advantage of this approach is that it is self-service, but it has a steeper barrier to entry than desired. Also, JSON keys are discouraged since they're subject to credential leakage.
A key difference with Workload Identity Federation is that there is an allowlist of repositories whose GitHub Actions are allowed to access the resources. This allowlist lives inside GCP in the form of Attribute Conditions on a Workload Identity Pool Provider.
Therefore, a clean solution to this credentials problem would be to create a GitHub Webhook that triggers when users are added or removed from the unicode-org/icu4x-triage team. The webhook would call the API to add or remove that user from the Workload Identity Federation allowlist. The webhook can be hosted as a Cloud Function similar to the GitHub-Jira bot.
Helpful docs links:
- GitHub Webhook: https://docs.github.com/en/webhooks/webhook-events-and-payloads#membership
- GCP Workload Identity Pool Providers: https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers