Skip to content

build/bake: support GCP WIF registry identities#244

Draft
crazy-max wants to merge 4 commits into
docker:mainfrom
crazy-max:identities-gcp
Draft

build/bake: support GCP WIF registry identities#244
crazy-max wants to merge 4 commits into
docker:mainfrom
crazy-max:identities-gcp

Conversation

@crazy-max

Copy link
Copy Markdown
Member

fixes #146
needs #243

This adds Google Artifact Registry support to the registry-identities flow introduced in #243.

The shared registry identity parser now accepts type: gcp-wif with a registry host, Workload Identity Provider, service account, and project ID. The reusable build.yml and bake.yml workflows use google-github-actions/auth to request an access token in the same job that needs registry access, then pass that token directly to docker/login-action with the oauth2accesstoken username.

This lets callers push to Google Artifact Registry through GitHub OIDC and GCP Workload Identity Federation without storing long-lived registry credentials. The access token is not passed through reusable workflow outputs or caller secrets, and provider-specific authentication remains pinned and controlled inside GitHub Builder.

crazy-max added 4 commits July 3, 2026 21:16
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

registry-auths secret doesn't support dynamic tokens from GCP Workload Identity Federation

1 participant