feat(ci): migrate 6 workflows from SA key auth to Workload Identity Federation

MarkusNeusinger · claude · MarkusNeusinger · commit 1cdb8b94f9fc · 2026-04-14T22:45:26.000+02:00
Replace GCS_CREDENTIALS service account key with WIF (google-github-actions/auth@v2
+ workload_identity_provider) across all GCP-authenticated workflows. Removes inline
key file creation and gcloud activate-service-account patterns.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yml
@@ -26,6 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: write  # Required for Workload Identity Federation
 
     env:
       ENVIRONMENT: test
@@ -85,11 +86,12 @@ jobs:
       if: steps.check.outputs.should_test == 'true'
       run: uv sync --extra test
 
-    - name: Setup GCP authentication
+    - name: Authenticate to GCP
       if: steps.check.outputs.should_test == 'true'
-      uses: google-github-actions/auth@v3
+      uses: google-github-actions/auth@v2
       with:
-        credentials_json: ${{ secrets.GCS_CREDENTIALS }}
+        project_id: anyplot
+        workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
 
     - name: Start Cloud SQL Proxy
       if: steps.check.outputs.should_test == 'true'
diff --git a/.github/workflows/impl-generate.yml b/.github/workflows/impl-generate.yml
@@ -511,28 +511,28 @@ jobs:
       # ========================================================================
       # Upload to GCS Staging
       # ========================================================================
+      - name: Authenticate to GCP
+        if: steps.pr.outputs.pr_exists == 'true'
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: anyplot
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+
+      - name: Set up Cloud SDK
+        if: steps.pr.outputs.pr_exists == 'true'
+        uses: google-github-actions/setup-gcloud@v2
+
       - name: Upload to GCS Staging
         id: gcs
         if: steps.pr.outputs.pr_exists == 'true'
         env:
-          GCS_CREDENTIALS: ${{ secrets.GCS_CREDENTIALS }}
           SPEC_ID: ${{ steps.inputs.outputs.specification_id }}
           LIBRARY: ${{ steps.inputs.outputs.library }}
         run: |
           IMPL_DIR="plots/${SPEC_ID}/implementations"
           STAGING_PATH="gs://anyplot-images/staging/${SPEC_ID}/${LIBRARY}"
           PUBLIC_URL="https://storage.googleapis.com/anyplot-images/staging/${SPEC_ID}/${LIBRARY}"
 
-          if [ -z "$GCS_CREDENTIALS" ]; then
-            echo "::warning::GCS_CREDENTIALS not configured - skipping upload"
-            echo "uploaded=false" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # Authenticate
-          echo "$GCS_CREDENTIALS" > /tmp/gcs-key.json
-          gcloud auth activate-service-account --key-file=/tmp/gcs-key.json
-
           # Upload all plot images (original + responsive variants)
           if [ -f "$IMPL_DIR/plot.png" ]; then
             gsutil -m -h "Cache-Control:public, max-age=604800" cp "$IMPL_DIR"/plot*.png "$IMPL_DIR"/plot*.webp "${STAGING_PATH}/"
diff --git a/.github/workflows/impl-merge.yml b/.github/workflows/impl-merge.yml
@@ -22,6 +22,7 @@ jobs:
       pull-requests: write
       issues: write
       actions: write  # Required for gh workflow run sync-postgres.yml
+      id-token: write  # Required for Workload Identity Federation
 
     steps:
       - name: Check conditions
@@ -182,21 +183,23 @@ jobs:
       # Note: quality_score is now set by impl-review.yml before merge
       # The PR already contains the updated metadata when merged
 
+      - name: Authenticate to GCP
+        if: steps.check.outputs.should_run == 'true'
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: anyplot
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+
+      - name: Set up Cloud SDK
+        if: steps.check.outputs.should_run == 'true'
+        uses: google-github-actions/setup-gcloud@v2
+
       - name: Promote GCS images to production
         if: steps.check.outputs.should_run == 'true'
         env:
-          GCS_CREDENTIALS: ${{ secrets.GCS_CREDENTIALS }}
           SPEC_ID: ${{ steps.extract.outputs.specification_id }}
           LIBRARY: ${{ steps.extract.outputs.library }}
         run: |
-          if [ -z "$GCS_CREDENTIALS" ]; then
-            echo "::warning::GCS_CREDENTIALS not configured - skipping promotion"
-            exit 0
-          fi
-
-          echo "$GCS_CREDENTIALS" > /tmp/gcs-key.json
-          gcloud auth activate-service-account --key-file=/tmp/gcs-key.json
-
           STAGING="gs://anyplot-images/staging/${SPEC_ID}/${LIBRARY}"
           PRODUCTION="gs://anyplot-images/plots/${SPEC_ID}/${LIBRARY}"
 
diff --git a/.github/workflows/impl-repair.yml b/.github/workflows/impl-repair.yml
@@ -170,24 +170,26 @@ jobs:
           echo "::notice::Processed images: optimized + responsive variants created"
           ls -la "$IMPL_DIR/"
 
+      - name: Authenticate to GCP
+        if: success()
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: anyplot
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+
+      - name: Set up Cloud SDK
+        if: success()
+        uses: google-github-actions/setup-gcloud@v2
+
       - name: Upload repaired plot to GCS staging
         if: success()
         env:
-          GCS_CREDENTIALS: ${{ secrets.GCS_CREDENTIALS }}
           SPEC_ID: ${{ inputs.specification_id }}
           LIBRARY: ${{ inputs.library }}
         run: |
           IMPL_DIR="plots/${SPEC_ID}/implementations"
           STAGING_PATH="gs://anyplot-images/staging/${SPEC_ID}/${LIBRARY}"
 
-          if [ -z "$GCS_CREDENTIALS" ]; then
-            echo "::warning::GCS_CREDENTIALS not configured"
-            exit 0
-          fi
-
-          echo "$GCS_CREDENTIALS" > /tmp/gcs-key.json
-          gcloud auth activate-service-account --key-file=/tmp/gcs-key.json
-
           # Upload all plot images (original + responsive variants)
           if [ -f "$IMPL_DIR/plot.png" ]; then
             gsutil -m -h "Cache-Control:public, max-age=604800" cp "$IMPL_DIR"/plot*.png "$IMPL_DIR"/plot*.webp "${STAGING_PATH}/"
diff --git a/.github/workflows/impl-review.yml b/.github/workflows/impl-review.yml
@@ -85,12 +85,13 @@ jobs:
             echo "display=1" >> $GITHUB_OUTPUT
           fi
 
-      - name: Setup GCS authentication
+      - name: Authenticate to GCP
         id: gcs
         continue-on-error: true
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@v2
         with:
-          credentials_json: ${{ secrets.GCS_CREDENTIALS }}
+          project_id: anyplot
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
 
       - name: Setup gcloud CLI
         if: steps.gcs.outcome == 'success'
diff --git a/.github/workflows/sync-postgres.yml b/.github/workflows/sync-postgres.yml
@@ -27,6 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
+      id-token: write  # Required for Workload Identity Federation
 
     steps:
     - uses: actions/checkout@v6
@@ -43,10 +44,11 @@ jobs:
       run: |
         uv sync
 
-    - name: Setup GCP authentication
-      uses: google-github-actions/auth@v3
+    - name: Authenticate to GCP
+      uses: google-github-actions/auth@v2
       with:
-        credentials_json: ${{ secrets.GCS_CREDENTIALS }}
+        project_id: anyplot
+        workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
 
     - name: Run database migrations
       run: |
diff --git a/.serena/memories/project_overview.md b/.serena/memories/project_overview.md
@@ -1,7 +1,7 @@
-# pyplots - Project Overview
+# anyplot - Project Overview
 
 ## Purpose
-**pyplots** is an AI-powered platform for Python data visualization that automatically discovers, generates, tests, and maintains plotting examples across 9 major libraries. Community proposes plot ideas via GitHub Issues → AI generates code → AI quality review → Deployed.
+**anyplot** is an AI-powered platform for Python data visualization that automatically discovers, generates, tests, and maintains plotting examples across 9 major libraries. Community proposes plot ideas via GitHub Issues → AI generates code → AI quality review → Deployed.
 
 ## Supported Libraries (9)
 matplotlib, seaborn, plotly, bokeh, altair, plotnine, pygal, highcharts, lets-plot
@@ -16,7 +16,7 @@ matplotlib, seaborn, plotly, bokeh, altair, plotnine, pygal, highcharts, lets-pl
 
 ## Directory Structure
 ```
-pyplots/
+anyplot/
 ├── api/                    # FastAPI backend
 │   ├── main.py             # App factory, CORS, lifespan
 │   ├── routers/            # health, specs, libraries, images, plots, stats,
@@ -125,4 +125,4 @@ pyplots/
 2. `approved` label on Issue → spec merges, gets `spec-ready` label
 3. `bulk-generate.yml` → `impl-generate.yml` → `impl-review.yml` → `impl-merge.yml`
 4. `sync-postgres.yml` syncs filesystem to PostgreSQL on push to main
-5. FastAPI serves data, React frontend displays gallery at pyplots.ai
+5. FastAPI serves data, React frontend displays gallery at anyplot.ai
