Set up credentials for GitHub Actions to deploy to your clusters
GCP_CREDENTIALS to be present.
This secret needs to represent a key file for a service account with permissions to interact with k8s clusters and GCP Artifact Registry.
To make it as easy as possible, the koala CLI can be used to automate the creation of a service account (if one doesn’t exist), add the necessary roles, and download the key file.
Once you’ve installed the CLI (instructions):
Make sure you’re working with the right project in GCP:
sa-key.json to your current working dir.
GCP_CREDENTIALS or AWS_CREDENTIALS according to the cloud provider.
sa-key.json file created in the previous step.
main, the GitHub Actions Workflows won’t be able to push these changes, because the built-in GITHUB_TOKEN token does not have sufficient permissions. This is a well-known limitation of GitHub, requiring slightly inelegant workarounds (see example discussion / FR).
The simplest solution is to create a PAT (Personal Access Token), with a user that has bypass branch protection permissions. Organization and repository administrators can always bypass required pull requests, but you can also create a “service account” specifically for this if you prefer and allow it to bypass branch protection via Repository settings -> Branches -> main -> Edit -> Allow specified actors to bypass required pull requests.
Step-by-step:
GHA_PAT and paste the PAT you created in the previous step as the value.
release.yml and (optionally, for GitOps mode) deploy.yml to use the PAT when checking out the code:
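A sketch of that checkout step, added here as an example and not taken from the project's own release.yml. The trigger, job name, bot identity and push step are assumptions; GHA_PAT is the secret created in the previous step.

```yaml
# Hypothetical excerpt of .github/workflows/release.yml (illustrative names throughout).
name: release
on:
  push:
    branches: [main]

# The push below authenticates with the PAT, so the built-in GITHUB_TOKEN
# can stay read-only for every other step in the workflow.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code with the PAT
        uses: actions/checkout@v4
        with:
          # actions/checkout keeps this token available to later git commands
          # in the job, so `git push` runs as the PAT's user, who is allowed
          # to bypass the required-pull-request rule on main.
          token: ${{ secrets.GHA_PAT }}

      # Placeholder for the real release steps (assumed, not from the page).
      - name: Commit and push release changes
        run: |
          git config user.name "release-bot"
          git config user.email "release-bot@example.invalid"
          # Unlike GITHUB_TOKEN pushes, a PAT push triggers workflows again;
          # "[skip ci]" in the commit message prevents a release loop.
          git commit --allow-empty -m "chore: release [skip ci]"
          git push origin HEAD:main
```

Because every later step in the job can use the persisted credential, scope the PAT to this repository with only the contents write access the push needs.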