create_credentials_file input validation fails specifically in cleanup step only #477

@OscarVanL


TL;DR

The create_credentials_file input provided to this action is failing a validation check, but specifically only in the "Post job cleanup" step. The input I am providing appears to be correct.

Expected behavior

The input I provided is permitted according to the validation error, so I do not believe it should fail the check.

Observed behavior

I have an action that wraps google-github-actions/auth@v2. This action is called in one of two ways: either standalone, using the input defaults:

      - uses: ./.github/actions/gcp-login

or overriding some of the defaults:

      - uses: ./.github/actions/gcp-login
        with:
          create_credentials_file: true

I can observe that the resulting call to google-github-actions/auth happens with valid inputs:

Run google-github-actions/auth@v2
  with:
    token_format: access_token
    workload_identity_provider: projects/*************/locations/global/workloadIdentityPools/github/providers/*************
    service_account: *************@*************.iam.gserviceaccount.com
    create_credentials_file: false
    export_environment_variables: true
    universe: googleapis.com
    cleanup_credentials: true
    access_token_lifetime: 3600s
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    id_token_include_email: false
  env:
    SOURCE_SHA: *************
    HOME: /home/*************
    GITHUB_WORKSPACE: /__w/*************

However, with the above inputs, for some reason, the post-job cleanup step fails with the error:

Post job cleanup.
Error: google-github-actions/auth post failed with: input does not meet YAML 1.2 "Core Schema" specification: create_credentials_file
Support boolean input list: `true | True | TRUE | false | False | FALSE`

But as you can see in the earlier logs, the create_credentials_file input was false, which is a valid input.

Additionally, the actual job works as expected: the auth is successful, it gets the token, and I'm able to push to GAR successfully. It's just the post-run cleanup step that fails.

Action YAML

The custom action wrapping this action looks like this.

name: "GCP login"
description: "Authenticates to GCP via OpenID Connect"
inputs:
  workload_identity_provider:
    default: "projects/*************/locations/global/workloadIdentityPools/github/providers/*************"
    description: GitHub Workload Identity Pool used to get access tokens.
  service_account:
    default: "*************@*************.iam.gserviceaccount.com"
    description: Which service account to get an access-token from
  docker_registry:
    default: "*************"
    description: Which GAR Registry to use
  create_credentials_file:
    default: false
    description: Whether to create the credentials file on the runner's disk. This is required if you need gcloud afterwards.
runs:
  using: composite
  steps:
    - name: Authenticate to Google Cloud
      id: auth
      uses: google-github-actions/auth@v2
      with:
        token_format: access_token
        workload_identity_provider: ${{ inputs.workload_identity_provider }}
        service_account: ${{ inputs.service_account }}
        create_credentials_file: ${{ inputs.create_credentials_file }}
    - name: Login to GAR
      uses: docker/login-action@v3
      with:
        registry: ${{ inputs.docker_registry }}
        username: oauth2accesstoken
        password: ${{ steps.auth.outputs.access_token }}

Log output

Logs from the workflow itself, where I auth:

Download action repository 'google-github-actions/auth@v2' (SHA:6fc4af4b145ae7821d527454aa9bd537d1f2dc5f)
Run ./.github/actions/gcp-login
  with:
    workload_identity_provider: projects/*************/locations/global/workloadIdentityPools/github/providers/*************
    service_account: *************@*************.iam.gserviceaccount.com
    docker_registry: *************
    create_credentials_file: false
  env:
    SOURCE_SHA: *************
    HOME: /home/*************
    GITHUB_WORKSPACE: /__w/*************
Run google-github-actions/auth@v2
  with:
    token_format: access_token
    workload_identity_provider: projects/*************/locations/global/workloadIdentityPools/github/providers/*************
    service_account: *************@*************.iam.gserviceaccount.com
    create_credentials_file: false
    export_environment_variables: true
    universe: googleapis.com
    cleanup_credentials: true
    access_token_lifetime: 3600s
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    id_token_include_email: false
  env:
    SOURCE_SHA: *************
    HOME: /home/*************
    GITHUB_WORKSPACE: /__w/*************
/usr/bin/docker exec  7b75029890513fc446cc47ff677d3b446e227458a82e27fb1f4f5e3fb753b0ff sh -c "cat /etc/*release | grep ^ID"
Run docker/login-action@v3
  with:
    registry: *************
    username: oauth2accesstoken
    password: ***
    ecr: auto
    logout: true
  env:
    SOURCE_SHA: *************
    HOME: /home/*************
    GITHUB_WORKSPACE: /__w/*************
    CLOUDSDK_CORE_PROJECT: *************
    CLOUDSDK_PROJECT: *************
    GCLOUD_PROJECT: *************
    GCP_PROJECT: *************
    GOOGLE_CLOUD_PROJECT: *************
/usr/bin/docker exec  7b75029890513fc446cc47ff677d3b446e227458a82e27fb1f4f5e3fb753b0ff sh -c "cat /etc/*release | grep ^ID"
Logging into *************...
Login Succeeded!

And logs from the cleanup step...

Post job cleanup.
Post job cleanup.
/usr/bin/docker exec  7b75029890513fc446cc47ff677d3b446e227458a82e27fb1f4f5e3fb753b0ff sh -c "cat /etc/*release | grep ^ID"
/usr/bin/docker logout *************
Removing login credentials for *************
Post cache
Post job cleanup.
/usr/bin/docker exec  7b75029890513fc446cc47ff677d3b446e227458a82e27fb1f4f5e3fb753b0ff sh -c "cat /etc/*release | grep ^ID"
Error: google-github-actions/auth post failed with: input does not meet YAML 1.2 "Core Schema" specification: create_credentials_file
Support boolean input list: `true | True | TRUE | false | False | FALSE`

Additional information

Based on my knowledge of GitHub Actions being weird in regard to strings vs booleans, and of YAML sometimes being a bit fiddly when inferring types, I decided to quote every instance of this input to ensure it is a string.

For example, I quoted the input:

    - name: Authenticate to Google Cloud
      id: auth
      uses: google-github-actions/auth@v2
      with:
        token_format: access_token
        workload_identity_provider: ${{ inputs.workload_identity_provider }}
        service_account: ${{ inputs.service_account }}
        create_credentials_file: "${{ inputs.create_credentials_file }}"

and I quoted the variable passed into my wrapper action:

      - uses: ./.github/actions/gcp-login
        with:
          create_credentials_file: "true"

and I quoted the default:

name: "GCP login"
description: "Authenticates to GCP via OpenID Connect and provides the access_token as an output."
inputs:
  create_credentials_file:
    default: "false"

Even with this experiment, I encountered the same error.
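
The error quoted in the logs lists the only six strings the check accepts. The following is an added example, not code from the issue or from the action, that models that check over constructed environments so the rejected raw value becomes visible; the `INPUT_<NAME>` lookup follows the runner's convention for passing action inputs, and the function names are hypothetical.

```javascript
// Added example: a stand-alone model of the boolean check named in the error.
// Not the action's or @actions/core's source; function names are hypothetical.
const TRUE_VALUES = ['true', 'True', 'TRUE'];
const FALSE_VALUES = ['false', 'False', 'FALSE'];

// Runners expose a step's `with:` inputs as INPUT_<NAME> environment variables
// (spaces replaced by underscores, name upper-cased).
function rawInput(name, env) {
  const key = `INPUT_${name.replace(/ /g, '_').toUpperCase()}`;
  return (env[key] || '').trim();
}

// Returns { ok: true, value } or { ok: false, raw } so the caller can log
// exactly which raw string was rejected.
function checkBooleanInput(name, env) {
  const raw = rawInput(name, env);
  if (TRUE_VALUES.includes(raw)) return { ok: true, value: true };
  if (FALSE_VALUES.includes(raw)) return { ok: true, value: false };
  return { ok: false, raw };
}

// Constructed environments (assumptions, not taken from the logs above).
const samples = {
  'literal false': { INPUT_CREATE_CREDENTIALS_FILE: 'false' },
  'quoted "true"': { INPUT_CREATE_CREDENTIALS_FILE: 'true' },
  'padded': { INPUT_CREATE_CREDENTIALS_FILE: '  FALSE ' },
  'empty string': { INPUT_CREATE_CREDENTIALS_FILE: '' },
  'variable absent': {},
  'yaml 1.1 style': { INPUT_CREATE_CREDENTIALS_FILE: 'no' },
};

// One line per sample: accepted with its parsed value, or rejected with the raw string.
function report(envs) {
  return Object.entries(envs).map(([label, env]) => {
    const r = checkBooleanInput('create_credentials_file', env);
    return `${label}: ${r.ok ? `accepted as ${r.value}` : `rejected, raw=${JSON.stringify(r.raw)}`}`;
  });
}

console.log(report(samples).join('\n'));
```

Logging the raw value in the failing step separates a mistyped boolean from a value that never reached that step, which the error text alone does not show.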

Labels: bug (Something isn't working)
