15 changes: 14 additions & 1 deletion .github/workflows/record-integration-tests.yml
@@ -31,7 +31,7 @@ on:
description: 'Comma-separated list of providers to record'
type: string
required: false
default: 'gpt,azure,watsonx'
default: 'gpt,azure,watsonx,vertexai'
suite:
description: 'Test suite override (default: per-provider from matrix)'
type: string
@@ -53,9 +53,11 @@ concurrency:
cancel-in-progress: true

# Read-only permissions - no write access
# id-token: write is required for GCP Workload Identity Federation (OIDC token exchange)
permissions:
contents: read
pull-requests: read
id-token: write

jobs:
# Compute PR information for both pull_request and workflow_dispatch
@@ -195,6 +197,8 @@ jobs:
suite: bedrock-responses
- setup: watsonx
suite: responses
- setup: vertexai
suite: responses
steps:
- name: Check if provider should run
id: should_run
@@ -222,6 +226,13 @@ jobs:
ref: ${{ needs.compute-pr-info.outputs.pr_head_sha }}
fetch-depth: 0

- name: Authenticate to Google Cloud (Vertex AI)
if: steps.should_run.outputs.run == 'true' && matrix.provider.setup == 'vertexai' && needs.compute-pr-info.outputs.is_fork_pr != 'true'
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
with:
project_id: ${{ secrets.VERTEX_AI_PROJECT }}
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}

# Note: Using full repo path with pinned SHA ensures actions are loaded from
# a trusted commit, not from PR checkout. This is critical for security.
- name: Setup test environment
@@ -247,6 +258,8 @@ jobs:
TAVILY_SEARCH_API_KEY: ${{ contains(fromJSON('["gpt","azure"]'), matrix.provider.setup) && secrets.TAVILY_SEARCH_API_KEY || '' }}
AWS_BEARER_TOKEN_BEDROCK: ${{ matrix.provider.setup == 'bedrock' && secrets.AWS_BEARER_TOKEN_BEDROCK || '' }}
AWS_DEFAULT_REGION: ${{ matrix.provider.setup == 'bedrock' && 'us-west-2' || '' }}
VERTEX_AI_PROJECT: ${{ matrix.provider.setup == 'vertexai' && secrets.VERTEX_AI_PROJECT || '' }}
VERTEX_AI_LOCATION: ${{ matrix.provider.setup == 'vertexai' && 'global' || '' }}
with:
stack-config: 'server:ci-tests'
setup: ${{ matrix.provider.setup }}
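Review bot: The workflow-level `id-token: write` added under `permissions:` lets every job in this workflow request an OIDC token, while the `is_fork_pr != 'true'` condition only gates the `google-github-actions/auth` step, not the later steps that run code from the `pr_head_sha` checkout. Scope it to the job that holds the auth step instead, with a job-level `permissions:` containing `contents: read` and `id-token: write`, and keep the top level read-only; job-level permissions replace the workflow-level set, so list every scope that job needs. The comment `# Read-only permissions - no write access` is no longer accurate as written and should be updated either way. It is also worth confirming that the GCP workload identity provider restricts which repository and ref may exchange tokens, since that configuration is not visible here.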