Document token lifetimes

[fotinakis]

TL;DR

Please document the default token lifetimes which you'll encounter using each different method.

Expected behavior

I would have expected to be able to use Direct Workload Identity Federation method alongside a docker builds which get pushed to Google Artifact Registry, without error.

Observed behavior

It seems that using Direct Workload Identity Federation has a <10 min (?) token lifetime before the token expires. Perhaps this is the id-token default lifetime?

Here is what I think would be a minimal reproduction case of this bug:

      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ...
          project_id: ...
      - run: gcloud --quiet auth configure-docker us-docker.pkg.dev
      - run: docker buildx build --push -t some_image:tag .

The "bug":

If some_image is a docker build that takes 1 minute to build, all is fine.
If some_image is a docker build that takes >10 minutes, it always fails at the very end with:

#12 ERROR: failed to push us-docker.pkg.dev/[...]: failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://us-docker.pkg.dev/v2/token?scope=repository%3A[...]%3Apull%2Cpush&service=us-docker.pkg.dev: 401 Unauthorized

Switching to Service Account method with token_format: access_token works as it has a 1 hour access_token time (but it would have saved a lot of time to have the Direct method's token lifetime documented, as well as the default service account method without setting the format).

Obviously this is not a "bug" per se — but it's very unexpected behavior if you don't know what to look for and what the token lifetime is for the Direct method, or have any way to configure it.

Action YAML

name: foo
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/.../locations/global/workloadIdentityPools/.../providers/...
          project_id: ...
      - name: Do thing
        run: docker buildx build --push -t some_image:tag .

Log output

n/a

Additional information

n/a

[github-actions]

Hi there @fotinakis 👋!

Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.

[sethvargo]

ID Tokens are always 10 minutes, and this is enforced by the GCP IAM credentials API. You can verify this by running gcloud auth print-identity-token and then inspecting the JWT exp value. I've proposed #433 to add this to the docs.

Access Tokens have a default lifetime of 1 hour, and that was already documented in the access token section. They can be extended for longer, but it's complicated and depends on your GCP org setup. This is already documented in the README though.

I've documented that the Direct WIF token has the same 10 minute expiration in #433.

[JacobHayes]

FYI: I think this time may have been lowered to 5 minutes, but I'm still trying to confirm.

I have jobs that, after the auth step, succeed when run in 4m30s but fail when taking 5m6s (from small differences in the built code).