ci(cd): Firebase デプロイを OIDC + Workload Identity Federation に移行

[YasunoriMATSUOKA]

概要

GitHub Actions の Firebase デプロイを、長期有効な FIREBASE_TOKEN から OIDC + Workload Identity Federation（キーレス・短命認証） に移行します。

--token 認証は firebase-tools で deprecated 済みであり、FIREBASE_TOKEN は失効しない長期シークレットで漏洩時のリスク（本番含む）が大きいため、google-github-actions/auth でデプロイ用サービスアカウントを impersonation し、Firebase CLI を ADC（GOOGLE_APPLICATION_CREDENTIALS）で動かす方式に変更します。

このPRの変更（コード側）

• cd-firebase-testnet.yml / cd-firebase-mainnet.yml
  • permissions に id-token: write を追加（OIDC トークン取得に必須）
  • deploy 直前に google-github-actions/auth（full commit SHA でピン留め: v3.0.0）を追加
  • firebase use --token / firebase deploy --token を廃止し、firebase deploy --project <alias> --non-interactive --force に変更
  • WIF 設定値は GitHub Environment Variables（WIF_PROVIDER / DEPLOY_SERVICE_ACCOUNT / GCP_PROJECT_ID）から参照
• CLAUDE.md に CD/WIF の説明を追記

マージ前に必要な GCP / GitHub 側の設定（このPRには含まれない手動作業）

⚠️ これらが未設定のまま CD が走ると auth ステップで失敗します。testnet を先に設定・検証してください。

GCP（testnet=nemtus-hackathon-test / mainnet=nemtus-hackathon の各プロジェクト）

1. API 有効化: iamcredentials / sts / iam / cloudresourcemanager
2. Workload Identity Pool github-actions を作成
3. OIDC プロバイダ github（issuer https://token.actions.githubusercontent.com、attribute-condition assertion.repository == 'nemtus/hackathon'）を作成
4. デプロイ用 SA github-deployer@<project>.iam.gserviceaccount.com を作成
5. SA に IAM ロール付与: firebase.admin / iam.serviceAccountUser / cloudfunctions.admin / artifactregistry.admin / cloudbuild.builds.editor / serviceusage.serviceUsageConsumer
6. WIF プリンシパル（attribute.repository/nemtus/hackathon）に roles/iam.workloadIdentityUser を付与

GitHub（Environment testnet / mainnet の Variables）

• WIF_PROVIDER = projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/github-actions/providers/github
• DEPLOY_SERVICE_ACCOUNT = github-deployer@<project>.iam.gserviceaccount.com
• GCP_PROJECT_ID = 各プロジェクトID

検証

1. testnet の GCP/GitHub 設定後、cd-firebase-testnet を手動実行し auth → firebase deploy（hosting/functions/firestore/storage）成功を確認
2. testnet 確認後に mainnet を設定し cd-firebase-mainnet を手動実行で確認
3. 両環境で検証完了後、FIREBASE_TOKEN secret を削除

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• Chores

  • Enhanced CI/CD deployment security by implementing keyless authentication for testnet and mainnet environments, eliminating reliance on stored credentials.

• Documentation

  • Added documentation covering deployment workflow configuration, authentication setup, and required environment variables.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0ef0dbe9-3684-4e2a-9dad-2f24e74fb085

📥 Commits

Reviewing files that changed from the base of the PR and between f19c6f6 and b62eaa4.

📒 Files selected for processing (3)

• .github/workflows/cd-firebase-mainnet.yml
• .github/workflows/cd-firebase-testnet.yml
• CLAUDE.md

---

📝 Walkthrough

Walkthrough

This PR migrates the testnet and mainnet Firebase deployment workflows from secret token authentication to keyless OIDC-based Google Cloud authentication via workload identity federation. Both workflows are updated with new permissions and authentication steps, with supporting documentation added to CLAUDE.md.

Changes

Keyless OIDC/WIF Deployment Migration

Layer / File(s)	Summary
Mainnet keyless deployment .github/workflows/cd-firebase-mainnet.yml	Workflow permissions now include id-token: write. A new google-github-actions/auth step authenticates via WIF using repository variables, and Firebase deploys to mainnet project without stored tokens.
Testnet keyless deployment .github/workflows/cd-firebase-testnet.yml	Workflow permissions now include id-token: write. A new google-github-actions/auth step authenticates via WIF, Firebase deploys to testnet project, and legacy token-based deploy commands are removed.
Deployment documentation CLAUDE.md	New CD section documents testnet/mainnet deployment workflows, OIDC+WIF authentication via ADC, required GitHub Environment variables, and the id-token: write permission requirement.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Tokens fade like morning dew,
OIDC makes auth keyless and true,
Workload identity leads the way,
Firebase deploys with zero delay! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: migrating Firebase deployment from token-based authentication to OIDC + Workload Identity Federation, which matches the core objective of the pull request.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/firebase-deploy-wif

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

GitHub Actions の Firebase デプロイ認証を、長期シークレット FIREBASE_TOKEN による --token 認証から、OIDC + Workload Identity Federation（WIF）を使った短命・キーレス認証（google-github-actions/auth + ADC）へ移行する PR です。

Changes:

• CD ワークフロー（testnet/mainnet）に permissions: id-token: write を追加し、WIF による OIDC 認証を有効化
• google-github-actions/auth を追加し、FIREBASE_TOKEN/--token 依存を廃止して firebase deploy --project <alias> --non-interactive --force に移行
• CLAUDE.md に CD/WIF 運用の説明を追記

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
CLAUDE.md	CD の認証方式（OIDC + WIF）と必要な GitHub Environment Variables/permissions を追記
.github/workflows/cd-firebase-testnet.yml	testnet デプロイを WIF 認証（auth action + ADC）へ移行し、--token を廃止
.github/workflows/cd-firebase-mainnet.yml	mainnet デプロイを WIF 認証（auth action + ADC）へ移行し、--token を廃止

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.