build: experiment with GitHub Actions for healthcare/datasets (#2365)

Author: JustinBeckwith

.github/workflows/healthcare-datasets.yaml

@@ -0,0 +1,31 @@
+name: healthcare-datasets
+on:
+  push:
+    branches:
+    - main
+    paths:
+    - 'healthcare/datasets/**'
+  pull_request:
+  schedule:
+  - cron:  '0 2 * * *'
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+    steps:
+    - uses: 'google-github-actions/[email protected]'
+      with:
+        workload_identity_provider: 'projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
+        service_account: '[email protected]'
+        create_credentials_file: 'true'
+        access_token_lifetime: 600s
+    - uses: actions/checkout@v2
+    - uses: actions/setup-node@v2
+      with:
+        node-version: 14
+    - run: npm install
+      working-directory: healthcare/datasets
+    - run: npm test
+      working-directory: healthcare/datasets

buildsetup.sh

@@ -0,0 +1,43 @@
+#! /bin/bash
+
+# This script will configure a given GCP project to use
+# Workload Identity Federation.  To learn more, see:
+# https://github.com/google-github-actions/auth
+
+export PROJECT_ID="long-door-651"
+export POOL_NAME="github-actions-pool"
+export PROVIDER_NAME="github-actions-provider"
+export SERVICE_ACCOUNT="[email protected]"
+export GITHUB_REPO="GoogleCloudPlatform/nodejs-docs-samples"
+
+# Enable the IAM Credentials API
+gcloud services enable iamcredentials.googleapis.com --project "${PROJECT_ID}"
+
+# Create a workload identity pool
+gcloud iam workload-identity-pools create "${POOL_NAME}" \
+  --project="${PROJECT_ID}" \
+  --location="global" \
+  --display-name="GitHub Actions Pool"
+
+# Get the full ID of the Workload Identity Pool
+gcloud iam workload-identity-pools describe "${POOL_NAME}" \
+  --project="${PROJECT_ID}" \
+  --location="global" \
+  --format="value(name)"
+
+export WORKLOAD_IDENTITY_POOL_ID="$(!!)"
+
+# Create a Workload Identity Provider in that pool
+gcloud iam workload-identity-pools providers create-oidc "${PROVIDER_NAME}" \
+  --project="${PROJECT_ID}" \
+  --location="global" \
+  --workload-identity-pool="${POOL_NAME}" \
+  --display-name="GitHub Actions Provider" \
+  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.aud=assertion.aud" \
+  --issuer-uri="https://token.actions.githubusercontent.com"
+
+# Allow authentications from the Workload Identity Provider to impersonate the Service Account.
+# Note executions are limited to requests from this specific repository.
+gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${GITHUB_REPO}"

healthcare/datasets/createDataset.js

@@ -44,5 +44,10 @@ const main = (
   // [END healthcare_create_dataset]
 };
 
+process.on('unhandledRejection', err => {
+  console.error(err.message);
+  process.exitCode = 1;
+});
+
 // node createDataset.js <projectId> <cloudRegion> <datasetId>
 main(...process.argv.slice(2));

healthcare/datasets/system-test/datasets.test.js

@@ -17,34 +17,27 @@
 const assert = require('assert');
 const uuid = require('uuid');
 const {execSync} = require('child_process');
+const healthcare = require('@googleapis/healthcare');
 
-const projectId = process.env.GOOGLE_CLOUD_PROJECT;
 const datasetId = `dataset-${uuid.v4()}`.replace(/-/gi, '_');
 const destinationDatasetId = `destination-${uuid.v4()}`.replace(/-/gi, '_');
 const keeplistTags = 'PatientID';
 const cloudRegion = 'us-central1';
-
-before(() => {
-  assert(
-    process.env.GOOGLE_CLOUD_PROJECT,
-    'Must set GOOGLE_CLOUD_PROJECT environment variable!'
-  );
-  assert(
-    process.env.GOOGLE_APPLICATION_CREDENTIALS,
-    'Must set GOOGLE_APPLICATION_CREDENTIALS environment variable!'
-  );
-});
-after(() => {
-  try {
-    execSync(
-      `node deleteDataset.js ${projectId} ${cloudRegion} ${destinationDatasetId}`
-    );
-  } catch (err) {
-    // Ignore error
-  }
-});
+let projectId;
 
 describe('run datasets tests with 5 retries', function () {
+  before(async () => {
+    projectId = await healthcare.auth.getProjectId();
+  });
+  after(() => {
+    try {
+      execSync(
+        `node deleteDataset.js ${projectId} ${cloudRegion} ${destinationDatasetId}`
+      );
+    } catch (err) {
+      // Ignore error
+    }
+  });
   // Retry every test in this suite 5 times.
   this.retries(5);
   it('should create a dataset', () => {