Revert back to using GITHUB_WORKSPACE for storing credentials

.github/workflows/setup-gcloud-it.yml

@@ -4,7 +4,13 @@ on:
   push:
     branches:
     - 'master'
-    pull_request:
+  pull_request:
+    branches:
+    - 'master'
+
+concurrency:
+  group: '${{github.workflow}}-${{ github.head_ref || github.ref }}'
+  cancel-in-progress: true
 
 jobs:
   versioned:
@@ -136,3 +142,38 @@ jobs:
       - name: Verify project
         shell: bash
         run: gcloud config get-value project | grep ${{ secrets.SETUP_GCLOUD_IT_PROJECT_ID }}
+
+  # This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
+  # variable is shared with the container and that the path of the file is on
+  # the shared filesystem with the container and that the USER for the container
+  # has permissions to read the file.
+  docker:
+    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
+    name: 'setup-gcloud with docker-based steps'
+    runs-on: 'ubuntu-latest'
+    strategy:
+      fail-fast: false
+    steps:
+    - uses: 'actions/checkout@v2'
+
+    - uses: 'actions/setup-node@v2'
+      with:
+        node-version: '12.x'
+
+    - name: 'npm ci'
+      run: 'npm ci'
+
+    - name: 'npm build'
+      run: 'npm run build'
+
+    - name: 'setup-gcloud'
+      uses: './'
+      with:
+        service_account_key: ${{ secrets.SETUP_GCLOUD_IT_KEY }}
+        export_default_credentials: true
+
+    - name: 'docker'
+      uses: 'docker://alpine:3'
+      with:
+        entrypoint: '/bin/sh'
+        args: '-euc "test -n "${GOOGLE_APPLICATION_CREDENTIALS}" && test -r "${GOOGLE_APPLICATION_CREDENTIALS}"'

.github/workflows/setup-gcloud.yml

@@ -1,6 +1,17 @@
 name: setup-gcloud Unit
 
-on: [push, pull_request]
+on:
+  push:
+    branches:
+    - 'master'
+  pull_request:
+    branches:
+    - 'master'
+
+
+concurrency:
+  group: '${{github.workflow}}-${{ github.head_ref || github.ref }}'
+  cancel-in-progress: true
 
 jobs:
   run:
@@ -11,18 +22,23 @@ jobs:
       matrix:
         operating-system: [ubuntu-latest, windows-latest, macos-latest]
     steps:
-    - uses: actions/checkout@v2
+    - uses: 'actions/checkout@v2'
 
-    - name: Set Node.js 12.x
-      uses: actions/setup-node@master
+    - uses: 'actions/setup-node@v2'
       with:
-        node-version: 12.x
+        node-version: '12.x'
+
+    - name: 'npm ci'
+      run: 'npm ci'
 
-    - name: npm install
-      run: npm install
+    - name: 'npm build'
+      run: 'npm run build'
 
-    - name: Lint
-      run: npm run lint
+    - name: 'run lint'
+      run: 'npm run lint'
+      # There's no need to run the linter for each operating system, since it
+      # will find the same thing 3x and clog up the PR review.
+      if: ${{matrix.operating-system == 'ubuntu-latest'}}
 
-    - name: Test
-      run: npm test
+    - name: 'test'
+      run: 'npm test'

README.md

@@ -77,7 +77,8 @@ steps:
 | `service_account_key`   | _optional_  | | The service account key which will be used for authentication credentials. This key should be [created](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and stored as a [secret](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets). It can be encoded as a [Base64](https://en.wikipedia.org/wiki/Base64) string or as JSON. |
 | `service_account_email` | _optional_  | | Service account email address to use for authentication. This is required for legacy .p12 keys but can be omitted for JSON keys. This is usually of the format `<name>@<project-id>.iam.gserviceaccount.com`. |
 | `export_default_credentials`| _optional_  |`false`| Exports the path to [Default Application Credentials][dac] as the environment variable `GOOGLE_APPLICATION_CREDENTIALS` to be available in later steps. Google Cloud services automatically use this environment variable to find credentials. |
-| `credentials_file_path`     | _optional_  | (temporary file) | Only valid when `export_default_credentials` is `true`. Sets the path at which the credentials should be written. **WARNING:** If you write credentials outside of the GitHub Actions temporary path, they may be cached on self-hosted runners and exposed in future runs! See [Sharing Credentials](#sharing-credentials) for more information. |
+| `credentials_file_path`     | _optional_  | (temporary file) | Only valid when `export_default_credentials` is `true`. Sets the path at which the credentials should be written. |
+| `cleanup_credentials` | _optional_ | `true` | If true, the action will remove any generated credentials from the filesystem upon completion. |
 
 
 ## Example Workflows
@@ -96,9 +97,7 @@ code to [App Engine](https://cloud.google.com/appengine), a fully managed server
 
 ## Sharing Credentials
 
-If `export_default_credentials` is true, this GitHub Action will automatically export the credentials to be available in future steps in the job. By default, the credentials are exported to a temporary file that is automatically cleaned up when the job finishes. This file is available to all steps in the job.
-
-If you want to export credentials to be available to all jobs in a workflow, you can choose a custom `credentials_file_path` that resides in `GITHUB_WORKSPACE`. However, we do **NOT** recommend this approach, as this directory is not automatically cleaned up and can leak credentials files over time.
+If `export_default_credentials` is true, this GitHub Action will automatically export the credentials to be available in future steps in the job. By default, the credentials are exported into `$GITHUB_WORKSPACE` which is available to all steps in the job. The file is automatically deleted when jobs finish, regardless of their status.
 
 
 ## Contributing

action.yml

@@ -68,6 +68,14 @@ inputs:
     default: null
     required: false
 
+  cleanup_credentials:
+    description: |-
+      If true, the action will remove any generated credentials from the
+      filesystem upon completion.
+    default: true
+    required: false
+
 runs:
-  using: node12
-  main: dist/index.js
+  using: 'node12'
+  main: 'dist/main/index.js'
+  post: 'dist/post/index.js'