From d069cfc30901c84b226d08b35ca08bcf2158573d Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Sun, 2 Apr 2023 14:33:15 -0400
Subject: [PATCH] Use WIF for service account credentials
---
 .github/workflows/build.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 16b08fe4..2736faa4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -95,6 +95,14 @@ jobs:
 persist-credentials: false
 fetch-depth: 0
+ - id: auth
+ name: Authenticate to Google Cloud
+ uses: google-github-actions/auth@v1
+ with:
+ workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
+ service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com
+ access_token_scopes: "https://www.googleapis.com/auth/iam"
+
 - name: Cache multiple paths
 if: matrix.goal == 'build'
 uses: actions/cache@v3
@@ -580,6 +588,8 @@ jobs:
 brew install gnupg
 fi
 source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz
+ rm $gampath/oauth2service.json
+ $gam create signjwtserviceaccount
 export OAUTHFILE="oauth2.txt-gam-gha-${JID}"
 echo "OAUTHFILE=${OAUTHFILE}" >> $GITHUB_ENV
 export gam_user="gam-gha-${JID}@pdl.jaylee.us"
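Review bot: The new `auth` step references `google-github-actions/auth@v1` by a movable tag, and this is the step that exchanges the job's OIDC token for Google Cloud credentials, so whatever that tag points to at run time executes with access to the service account; pin it to a full commit SHA, e.g. `uses: google-github-actions/auth@<full-commit-sha>  # v1`. Workload identity federation also needs `permissions: id-token: write` on the job, which is not visible in this hunk and should be confirmed. As far as I know `access_token_scopes` only takes effect together with `token_format: access_token`, so as written the scope line probably restricts nothing; either add the token format or drop the line so it does not read as a restriction. It would also help to add a comment above the step noting that the provider's attribute condition is what limits which repositories and refs may impersonate this service account.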
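Review bot: The added `rm $gampath/oauth2service.json` deletes the key file only after `decrypt.sh` has unpacked it, so the long-lived service-account key presumably still ships inside `creds.tar.xz.gpg` and remains valid; the switch to WIF is only complete once that file is removed from the archive and the key is disabled or deleted in IAM. The line itself is unquoted and unguarded: an empty `$gampath` turns it into `rm /oauth2service.json`, and a missing file fails the step, so prefer `rm -f "${gampath:?}/oauth2service.json"`. The enclosing `run:` script starts and ends outside this hunk, so whether `$gam create signjwtserviceaccount` picks up the credentials exported by the `auth` step cannot be checked from here.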