From 7781fa764cf3c806730adf719faf4cf7a96c54ce Mon Sep 17 00:00:00 2001
From: Seth Vargo
Date: Fri, 24 Mar 2023 13:53:16 -0400
Subject: [PATCH] Switch to pull non-secret values from env
---
 .github/workflows/integration.yml | 16 ++++++++--------
 .../.github/workflows/cloud-build.yml | 4 ++--
 example-workflows/cloud-run/cloud-run.yml | 2 +-
 example-workflows/gce/.github/workflows/gce.yaml | 2 +-
 .../.github/workflows/gke-kustomize.yml | 2 +-
 example-workflows/gke/.github/workflows/gke.yml | 2 +-
 6 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 7430fc1f6..d11cc83e7 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -84,19 +84,19 @@ jobs:
 - name: 'Set project ID'
 uses: './'
 with:
- project_id: '${{ secrets.PROJECT_ID }}'
+ project_id: '${{ vars.PROJECT_ID }}'
 - name: 'Check project ID'
 run: 'npm run integration'
 env:
- TEST_PROJECT_ID: '${{ secrets.PROJECT_ID }}'
+ TEST_PROJECT_ID: '${{ vars.PROJECT_ID }}'
 # Authenticate via WIF
 - name: 'Authenticate via WIF'
 uses: 'google-github-actions/auth@main'
 with:
- workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
- service_account: '${{ secrets.SERVICE_ACCOUNT_EMAIL }}'
+ workload_identity_provider: '${{ vars.WIF_PROVIDER_NAME }}'
+ service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
 - name: 'Setup gcloud with WIF'
 uses: './'
@@ -104,8 +104,8 @@ jobs:
 - name: 'Check WIF authentication'
 run: 'npm run integration'
 env:
- TEST_ACCOUNT: '${{ secrets.SERVICE_ACCOUNT_EMAIL }}'
- TEST_PROJECT_ID: '${{ secrets.PROJECT_ID }}'
+ TEST_ACCOUNT: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+ TEST_PROJECT_ID: '${{ vars.PROJECT_ID }}'
 # Authenticate via SAKE
 - name: 'Authenticate via SAKE'
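Review bot: Nothing in the 'Authenticate via WIF' step (`@@ -84,19` hunk of `.github/workflows/integration.yml`) records why `workload_identity_provider` and `service_account` are safe to hold in `vars`, where values are not masked in job logs the way secrets are. Both are identifiers rather than credentials, so access control rests on the Workload Identity provider's attribute condition and the service account's IAM binding, neither of which is visible in this patch. I would add a comment above the step, e.g. `# WIF provider and service account are identifiers, not credentials; access is gated by the provider's attribute condition and the service account IAM binding.` It is also worth confirming that the provider restricts tokens to this repository before relying on that.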
@@ -119,5 +119,5 @@ jobs:
 - name: 'Check SAKE authentication'
 run: 'npm run integration'
 env:
- TEST_ACCOUNT: '${{ secrets.SERVICE_ACCOUNT_EMAIL }}'
- TEST_PROJECT_ID: '${{ secrets.PROJECT_ID }}'
+ TEST_ACCOUNT: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+ TEST_PROJECT_ID: '${{ vars.PROJECT_ID }}'
diff --git a/example-workflows/cloud-build/.github/workflows/cloud-build.yml b/example-workflows/cloud-build/.github/workflows/cloud-build.yml
index e0141b9c5..e8319a751 100644
--- a/example-workflows/cloud-build/.github/workflows/cloud-build.yml
+++ b/example-workflows/cloud-build/.github/workflows/cloud-build.yml
@@ -20,7 +20,7 @@ on:
 - 'main'
 env:
- PROJECT_ID: ${{ secrets.RUN_PROJECT }}
+ PROJECT_ID: ${{ vars.RUN_PROJECT }}
 SERVICE_NAME: helloworld-nodejs
 jobs:
@@ -43,7 +43,7 @@ jobs:
 uses: 'google-github-actions/auth@v1'
 with:
 workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
- service_account: '${{ secrets.RUN_SA_EMAIL }}'
+ service_account: '${{ vars.RUN_SA_EMAIL }}'
 # Alternative option - authentication via credentials json
 # - id: 'auth'
diff --git a/example-workflows/cloud-run/cloud-run.yml b/example-workflows/cloud-run/cloud-run.yml
index 9fb893def..e6bb641a6 100644
--- a/example-workflows/cloud-run/cloud-run.yml
+++ b/example-workflows/cloud-run/cloud-run.yml
@@ -19,7 +19,7 @@ on:
 name: Build and Deploy to Cloud Run
 env:
- PROJECT_ID: ${{ secrets.GCP_PROJECT }}
+ PROJECT_ID: ${{ vars.GCP_PROJECT }}
 SERVICE: YOUR_SERVICE_NAME
 REGION: YOUR_SERVICE_REGION
diff --git a/example-workflows/gce/.github/workflows/gce.yaml b/example-workflows/gce/.github/workflows/gce.yaml
index a4885b228..5cc52d421 100644
--- a/example-workflows/gce/.github/workflows/gce.yaml
+++ b/example-workflows/gce/.github/workflows/gce.yaml
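Review bot: The new `PROJECT_ID: ${{ vars.RUN_PROJECT }}` line (`@@ -20,7` hunk of `example-workflows/cloud-build/.github/workflows/cloud-build.yml`) gives no hint that `RUN_PROJECT` must now be defined as a repository, organization or environment variable. An undefined variable evaluates to an empty string, so someone who copied the example with only the old secret configured gets an empty `PROJECT_ID` rather than an error. A trailing comment in the `# TODO:` style the other examples already use would cover it, e.g. `PROJECT_ID: ${{ vars.RUN_PROJECT }} # TODO: define RUN_PROJECT as a repository variable`. The same applies to `GCP_PROJECT` in cloud-run.yml, `GCE_PROJECT` in gce.yaml, and `GKE_PROJECT` in gke-kustomize.yml and gke.yml. Any README or setup text for these examples is not part of this patch and presumably needs the matching update.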
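Review bot: The changed `service_account` line in the `@@ -43,7` hunk of cloud-build.yml sits directly above the commented-out 'Alternative option - authentication via credentials json' block, and nothing there tells a reader that the `vars` pattern must not be carried over to the key. A service account key is a credential, unlike the email moved here. I would add a line to that comment block such as `# NOTE: the credentials JSON is a secret; keep it in secrets, never in vars.` The block continues past the end of the hunk, so how it currently references the key is not visible here and should be checked against the full file.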
@@ -20,7 +20,7 @@ on:
 - 'main'
 env:
- PROJECT_ID: ${{ secrets.GCE_PROJECT }}
+ PROJECT_ID: ${{ vars.GCE_PROJECT }}
 GCE_INSTANCE: my-githubactions-vm # TODO: update to instance name
 GCE_INSTANCE_ZONE: us-central1-a # TODO: update to instance zone
diff --git a/example-workflows/gke-kustomize/.github/workflows/gke-kustomize.yml b/example-workflows/gke-kustomize/.github/workflows/gke-kustomize.yml
index 06ad6d8cf..0cccff340 100644
--- a/example-workflows/gke-kustomize/.github/workflows/gke-kustomize.yml
+++ b/example-workflows/gke-kustomize/.github/workflows/gke-kustomize.yml
@@ -20,7 +20,7 @@ on:
 - main
 env:
- PROJECT_ID: ${{ secrets.GKE_PROJECT }}
+ PROJECT_ID: ${{ vars.GKE_PROJECT }}
 GAR_LOCATION: us-central1 # # TODO: update region of the Artifact Registry
 GKE_CLUSTER: cluster-1 # TODO: update to cluster name
 GKE_ZONE: us-central1-c # TODO: update to cluster zone
diff --git a/example-workflows/gke/.github/workflows/gke.yml b/example-workflows/gke/.github/workflows/gke.yml
index 7b94859f1..13f09b8fd 100644
--- a/example-workflows/gke/.github/workflows/gke.yml
+++ b/example-workflows/gke/.github/workflows/gke.yml
@@ -20,7 +20,7 @@ on:
 - main
 env:
- PROJECT_ID: ${{ secrets.GKE_PROJECT }}
+ PROJECT_ID: ${{ vars.GKE_PROJECT }}
 GKE_CLUSTER: cluster-1 # TODO: update to cluster name
 GKE_ZONE: europe-central2-a # TODO: update to cluster zone
 DEPLOYMENT_NAME: gke-hello-app # TODO: update deployment name if changed in deployment.yaml