internal/ci: add gcloud auth to the e2e tests

And un-skip the test script, now that it's set up to run in CI.

Signed-off-by: Daniel Martí <[email protected]>
Change-Id: I7000939a0c8200426d6d8d174c564fa72246461a
Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1171938
Reviewed-by: Roger Peppe <[email protected]>
TryBot-Result: CUEcueckoo <[email protected]>

Author: mvdan

.github/workflows/trybot.yml

@@ -182,15 +182,28 @@ jobs:
         run: go test -race ./...
         env:
           GORACE: atexit_sleep_ms=10
+      - name: gcloud auth for end-to-end tests
+        id: auth
+        if: |-
+          github.repository == 'cue-lang/cue' && ((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
+          Dispatch-Trailer: {"type":"')))) && (matrix.go-version == '1.21.x' && matrix.runner == 'ubuntu-22.04')
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: ${{ secrets.E2E_GCLOUD_KEY }}
+      - if: |-
+          github.repository == 'cue-lang/cue' && ((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
+          Dispatch-Trailer: {"type":"')))) && (matrix.go-version == '1.21.x' && matrix.runner == 'ubuntu-22.04')
+        name: gcloud setup for end-to-end tests
+        uses: google-github-actions/setup-gcloud@v1
       - if: |-
           github.repository == 'cue-lang/cue' && ((github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/heads/release-branch.')) && (! (contains(github.event.head_commit.message, '
           Dispatch-Trailer: {"type":"')))) && (matrix.go-version == '1.21.x' && matrix.runner == 'ubuntu-22.04')
         name: End-to-end test
+        env:
+          GITHUB_TOKEN: ${{ secrets.E2E_GITHUB_TOKEN }}
         run: |-
           cd internal/e2e
           go test
-        env:
-          GITHUB_TOKEN: ${{ secrets.E2E_GITHUB_TOKEN }}
       - if: (matrix.go-version == '1.21.x' && matrix.runner == 'ubuntu-22.04')
         name: Check
         run: |-

.gitignore

@@ -10,3 +10,9 @@ cmd/cue/cue
 # We use test module paths like mod.test or externalmod.test.
 # Don't exclude those as if they were test binaries.
 !**/*mod.test
+
+# Ignore generated credentials from google-github-actions/auth,
+# a GitHub Actions step used in CI for the tests in internal/e2e.
+# Note that CI requires a clean git repo when it finishes,
+# so we don't want it to think the credentials file is untracked.
+gha-creds-*.json

internal/ci/github/trybot.cue

@@ -75,7 +75,7 @@ workflows: trybot: _repo.bashWorkflow & {
 				_goTestRace & {
 					if: _isLatestLinux
 				},
-				_e2eTest,
+				for v in _e2eTestSteps {v},
 				_goCheck,
 				_repo.checkGitClean,
 			]
@@ -115,24 +115,39 @@ workflows: trybot: _repo.bashWorkflow & {
 		run:  "go test ./..."
 	}
 
-	_e2eTest: json.#step & {
-		name: "End-to-end test"
+	_e2eTestSteps: [... json.#step & {
 		// The end-to-end tests require a github token secret and are a bit slow,
 		// so we only run them on pushes to protected branches and on one
 		// environment in the source repo.
 		if: "github.repository == '\(_repo.githubRepositoryPath)' && \(_repo.isProtectedBranch) && \(_isLatestLinux)"
-
-		// The secret is the fine-grained access token "cue-lang/cue ci e2e for modules-testing"
-		// owned by the porcuepine bot account with read+write access to repo administration and code
-		// on the entire cue-labs-modules-testing org. Note that porcuepine is also an org admin,
-		// since otherwise the repo admin access to create and delete repos does not work.
-		env: GITHUB_TOKEN: "${{ secrets.E2E_GITHUB_TOKEN }}"
-
-		run: """
-			cd internal/e2e
-			go test
-			"""
-	}
+	}] & [
+		// Two setup steps per the upstream docs:
+		// https://github.com/google-github-actions/setup-gcloud#service-account-key-json
+		{
+			name: "gcloud auth for end-to-end tests"
+			id: "auth"
+			uses: "google-github-actions/auth@v1"
+			// E2E_GCLOUD_KEY is a key for the service account cue-e2e-ci,
+			// which has the Artifact Registry Repository Administrator role.
+			with: credentials_json: "${{ secrets.E2E_GCLOUD_KEY }}"
+		},
+		{
+			name: "gcloud setup for end-to-end tests"
+			uses: "google-github-actions/setup-gcloud@v1"
+		},
+		{
+			name: "End-to-end test"
+			// The secret is the fine-grained access token "cue-lang/cue ci e2e for modules-testing"
+			// owned by the porcuepine bot account with read+write access to repo administration and code
+			// on the entire cue-labs-modules-testing org. Note that porcuepine is also an org admin,
+			// since otherwise the repo admin access to create and delete repos does not work.
+			env: GITHUB_TOKEN: "${{ secrets.E2E_GITHUB_TOKEN }}"
+			run: """
+				cd internal/e2e
+				go test
+				"""
+		},
+	]
 
 	_goCheck: json.#step & {
 		// These checks can vary between platforms, as different code can be built

internal/e2e/testdata/script/gcloud_upload.txtar

@@ -2,8 +2,6 @@
 # to an off-the-shelf OCI registry which requires authentication.
 # Then fetch that module as a dependency via cmd/cue.
 
-skip 'TODO(mvdan): set up a service account key on GitHub Actions'
-
 gcloud-auth-docker # sets: MODULE, CUE_REGISTRY, CUE_REGISTRY_HOST, CLOUDSDK_CONFIG
 env DOCKER_CONFIG=$WORK/docker-config
 env-fill docker-config/config.json