auth VS actions-runner-controller

This workflow will authenticate with Google Cloud using the Google Cloud auth GitHub Action and use Docker to authenticate and push to the registry. To make this workflow work (or flow?) we need to set up some Google Cloud resources and add in those values for our environment variables. Make sure to add in the value for PROJECT_ID where you have permission to create resources. The value for IMAGE_NAME can be anything — it’ll be created the first time this workflow runs:

The issue of integration with other tools is also quite strange. Of course, this is not directly related to github actions. For example, what needs to be done to use cloud run https://github.com/google-github-actions/auth#setting-up-wor...

While it is commonly associated with AWS, and their AWS IAM service, IAM is not limited to their platform. All cloud providers, such as Google Cloud and Azure DevOps, offer IAM solutions that allow users to access resources and systems. If you are looking for specific AWS IAM best practices, look no further than our AWS IAM Security Best Practices article:\ For the rest of this article, we will look at the generic best practices that have evolved over the last decade around each part of the basic question we started with, "who can access what?":

I found this but I don't quite get how it works. I haven't done all the steps yet but I get how to set it up. I just don't understand how this just magically authenticates future steps since my code still needs a token. Should I use this to authenticate the script? If so, how do I do it and what would I need in my code? If not what should I use instead?

Cloud Identity and Access Management: This service provides fine-grained control over who has access to what resources within an organization's Google Cloud environment. It can be used to quickly revoke access to compromised accounts or limit access to sensitive resources. https://cloud.google.com/iam

I use google-github-actions/auth in the first step in my job to authenticate to GCP. At this point, I have 6 different GitHub secrets to test out the concept. Each branch has two secrets with the format BRANCH_WIP and BRANCH_SA.

There are 2 core parts authentication to GCP and App Engine deployment. Authentication is performed using auth, while a deployment uses deploy-appengine.

You should have a look at using workload identity federation and OIDC tokens. There’s a guide on https://github.com/google-github-actions/auth It means you no longer need to hardcode service account credentials in GitHub secrets anymore.

Yes, there is a deploy-appengine action that automates the whole App Engine deployment process. Indeed, it uses gcloud commands underneath too. Either way, both approaches need an auth action to authenticate to GCP before any task can be performed.

To set-up the self-hosted runner, an Action Runner Controller (ARC) and Runner scale sets application will be installed via helm. This post will be using Azure Kubernetes Service and ARC that is officialy maintained by Github. There is another ARC that is maintained by the community. You can follow the discussion where github adopted the ARC project into a full Github product here

Before this we were using https://github.com/actions/actions-runner-controller but that's running on K8s instead of VMs. So along with common limitations of running CI jos in K8s/container, it cannot have exactly the same environment as the official GitHub runners. Maintaining a K8s cluster was also very difficult.

ARC is great for running GitHub Actions on Kubernetes:

https://github.com/actions/actions-runner-controller

Almost all of our cicd, builds run on GitHub. I'm talking cypress tests, deployments via terraform and helm to over 25 environments, all backend tests, daily test runs etc. Overall we were racking up a cost of almost 20k on GitHub. With the ARC deployed and using spot instances I think our total infrastructure costs went up about 4-5k even though we added more actions. If we switched back to their runners we'd probably be around 25k at this point.

What else needs to be moved to my artifactory (charts - https://github.com/actions/actions-runner-controller/tree/master/charts ) - if so tar or entire folder or anything else ? ) What should the above steps correspond to?

You need to use the steps in the repo instead of the steps on the docs if you're using enterprise server.

Honestly not a fan of Github docs.....I feel like the ones in the repo are much clearer and easier to understand/read.

Its pretty easy to set up honestly. Deploy this on your k8s cluster https://github.com/actions/actions-runner-controller and a runnerDeployment and youre good to go.

Trying to use the Actions Runner Controller (https://github.com/actions/actions-runner-controller) to utilize self-hosted runners. I keep getting this error on the controller.

I'm convinced one of (or a combination) of things is happening here in regards to authentication. This GH enterprise account is configured with SAML. I feel like that is a valid data point. I'm using https://github.com/actions/actions-runner-controller as a reference guide for what I should be doing. I suspect whoever is Owner of this organization has modified what I can do as a user. The steps in the doc where I can actually Install the Application isn't available to me. When configuring the GitHub App I'm given two options. I select the option for "this account only" knowing the documentation says it is possible to use this Github App with a repo in the Organization as long as I have Admin privileges or I'm the owner.