Merge b5335830a5 into 3864d6aed8

README.md

@@ -12,23 +12,30 @@ GitHub Action to login against a Docker registry.
 
 ___
 
-* [Usage](#usage)
+- [About](#about)
-  * [Docker Hub](#docker-hub)
+- [Usage](#usage)
-  * [GitHub Container Registry](#github-container-registry)
+  - [Docker Hub](#docker-hub)
-  * [GitLab](#gitlab)
+  - [GitHub Container Registry](#github-container-registry)
-  * [Azure Container Registry (ACR)](#azure-container-registry-acr)
+  - [GitLab](#gitlab)
-  * [Google Container Registry (GCR)](#google-container-registry-gcr)
+  - [Azure Container Registry (ACR)](#azure-container-registry-acr)
-  * [Google Artifact Registry (GAR)](#google-artifact-registry-gar)
+    - [Service principal](#service-principal)
-  * [AWS Elastic Container Registry (ECR)](#aws-elastic-container-registry-ecr)
+    - [OpenID Connect (OIDC)](#openid-connect-oidc)
-  * [AWS Public Elastic Container Registry (ECR)](#aws-public-elastic-container-registry-ecr)
+  - [Google Container Registry (GCR)](#google-container-registry-gcr)
-  * [OCI Oracle Cloud Infrastructure Registry (OCIR)](#oci-oracle-cloud-infrastructure-registry-ocir)
+    - [Workload identity federation](#workload-identity-federation)
-  * [Quay.io](#quayio)
+    - [Service account based authentication](#service-account-based-authentication)
-  * [DigitalOcean](#digitalocean-container-registry)
+  - [Google Artifact Registry (GAR)](#google-artifact-registry-gar)
-  * [Authenticate to multiple registries](#authenticate-to-multiple-registries)
+    - [Workload identity federation](#workload-identity-federation-1)
-  * [Set scopes for the authentication token](#set-scopes-for-the-authentication-token)
+    - [Service account based authentication](#service-account-based-authentication-1)
-* [Customizing](#customizing)
+  - [AWS Elastic Container Registry (ECR)](#aws-elastic-container-registry-ecr)
-  * [inputs](#inputs)
+  - [AWS Public Elastic Container Registry (ECR)](#aws-public-elastic-container-registry-ecr)
-* [Contributing](#contributing)
+  - [OCI Oracle Cloud Infrastructure Registry (OCIR)](#oci-oracle-cloud-infrastructure-registry-ocir)
+  - [Quay.io](#quayio)
+  - [DigitalOcean Container Registry](#digitalocean-container-registry)
+  - [Authenticate to multiple registries](#authenticate-to-multiple-registries)
+  - [Set scopes for the authentication token](#set-scopes-for-the-authentication-token)
+- [Customizing](#customizing)
+  - [inputs](#inputs)
+- [Contributing](#contributing)
 
 ## Usage
 
@@ -282,8 +289,9 @@ You can authenticate with workload identity federation or a service account.
 
 #### Workload identity federation
 
-Your service account must have permission to push to GAR. Use the
+Configure [Direct Workload Identity Federation](https://github.com/google-github-actions/auth/blob/v2.1.10/README.md#preferred-direct-workload-identity-federation) for GitHub Actions in Google Cloud and avoid long-lived GCP credentials.
-`google-github-actions/auth` action to authenticate using workload identity as
+Make sure to grant the [principal identity](https://cloud.google.com/iam/docs/workload-identity-federation#principal-types) enough permissions to the GAR repository (E.g.: `roles/artifactregistry.writer`).
+Use the `google-github-actions/auth@v2` action to authenticate using workload identity as
 shown in the following example:
 
 ```yaml
@@ -293,6 +301,11 @@ on:
   push:
     branches: main
 
+env:
+  GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
+  WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
+  REGISTRY_URL: ${{ secrets.REGISTRY_URL }}
+
 jobs:
   login:
     runs-on: ubuntu-latest
@@ -302,16 +315,16 @@ jobs:
         id: auth
         uses: google-github-actions/auth@v3
         with:
-          token_format: access_token
+          project_id: ${{ env.GCP_PROJECT }}
-          workload_identity_provider: <workload_identity_provider>
+          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
-          service_account: <service_account>
+
       -
         name: Login to GAR
         uses: docker/login-action@v4
         with:
-          registry: <location>-docker.pkg.dev
+          registry: ${{ env.REGISTRY_URL}}
           username: oauth2accesstoken
-          password: ${{ steps.auth.outputs.access_token }}
+          password: ${{ steps.auth.outputs.auth_token }}
 ```
 
 > [!NOTE]
@@ -324,6 +337,8 @@ jobs:
 > Replace `<location>` with the regional or multi-regional [location](https://cloud.google.com/artifact-registry/docs/repo-organize#locations)
 > of the repository where the image is stored.
 
+> Set `registry` to the regional or multi-regional [repository URL](https://cloud.google.com/artifact-registry/docs/repo-organize#locations).
+
 #### Service account based authentication
 
 Use a service account with permission to push to GAR and [configure access control](https://cloud.google.com/artifact-registry/docs/access-control).
@@ -678,7 +693,7 @@ credentials, while authenticated access is used only to push `myorg/myimage`.
 The following inputs can be used as `step.with` keys:
 
 | Name            | Type   | Default     | Description                                                                   |
-|-----------------|--------|-------------|-------------------------------------------------------------------------------|
+| --------------- | ------ | ----------- | ----------------------------------------------------------------------------- |
 | `registry`      | String | `docker.io` | Server address of Docker registry. If not set then will default to Docker Hub |
 | `username`      | String |             | Username for authenticating to the Docker registry                            |
 | `password`      | String |             | Password or personal access token for authenticating the Docker registry      |