Merged
10 changes: 8 additions & 2 deletions .github/workflows/cd-firebase-mainnet.yml
Expand Up @@ -5,6 +5,7 @@ on:

permissions:
contents: read
id-token: write

jobs:
build:
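Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow can request an OIDC token, not only the one that runs the auth step. Declare it in a job-level `permissions:` block on the deploy job instead, together with `contents: read` (job-level permissions replace the workflow-level set for that job), so a job added later does not inherit the ability to obtain a token that the mainnet provider accepts.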
Expand Down Expand Up @@ -53,8 +54,13 @@ jobs:
working-directory: ./functions
- run: npm run build
working-directory: ./functions
- run: npx firebase use mainnet --token=${{ secrets.FIREBASE_TOKEN }}
- run: npx firebase deploy --token=${{ secrets.FIREBASE_TOKEN }} --force
- name: Authenticate to Google Cloud via Workload Identity Federation
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
workload_identity_provider: ${{ vars.WIF_PROVIDER }}
service_account: ${{ vars.DEPLOY_SERVICE_ACCOUNT }}
- run: npx firebase deploy --project mainnet --non-interactive --force

- name: Clear env file
if: always()
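Review bot: The `with:` block of the new auth step reads `vars.GCP_PROJECT_ID`, `vars.WIF_PROVIDER` and `vars.DEPLOY_SERVICE_ACCOUNT`, which the CLAUDE.md change in this PR places in GitHub Environment variables, but nothing in this hunk shows the job declaring `environment: mainnet`. Environment-scoped variables are only visible to a job that names the environment, so please confirm the job does, and consider required reviewers on that environment since this workflow deploys to mainnet. Separately, removing the two `--token=${{ secrets.FIREBASE_TOKEN }}` lines does not invalidate the token itself: revoke it and delete the repository secret once this workflow has deployed successfully.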
10 changes: 8 additions & 2 deletions .github/workflows/cd-firebase-testnet.yml
Expand Up @@ -8,6 +8,7 @@ on:

permissions:
contents: read
id-token: write

jobs:
build:
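Review bot: With `id-token: write` in the `permissions:` block, each run of this workflow can request an OIDC token, and CLAUDE.md in this PR says it runs on every push to main as well as manually. The diff cannot show the GCP side, so please confirm that the provider behind `WIF_PROVIDER` carries an attribute condition pinning this repository and either the `testnet` environment or `refs/heads/main`, and that the testnet deploy service account holds no roles on the mainnet project.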
Expand Down Expand Up @@ -58,8 +59,13 @@ jobs:
working-directory: ./functions
- run: npm run build
working-directory: ./functions
- run: npx firebase use testnet --token=${{ secrets.FIREBASE_TOKEN }}
- run: npx firebase deploy --token=${{ secrets.FIREBASE_TOKEN }} --force
- name: Authenticate to Google Cloud via Workload Identity Federation
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
with:
project_id: ${{ vars.GCP_PROJECT_ID }}
workload_identity_provider: ${{ vars.WIF_PROVIDER }}
service_account: ${{ vars.DEPLOY_SERVICE_ACCOUNT }}
- run: npx firebase deploy --project testnet --non-interactive --force

- name: Clear env file
if: always()
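Review bot: The deploy target is now named in two places that can drift apart: the auth step takes `project_id: ${{ vars.GCP_PROJECT_ID }}`, while the last added line passes `--project testnet`, a Firebase project alias. If the variable and the alias ever point at different projects, the workflow authenticates for one and the CLI targets the other. Use a single source, for example expose the variable through the step's `env:` and pass `--project "$GCP_PROJECT_ID"`.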
8 changes: 8 additions & 0 deletions CLAUDE.md
Expand Up @@ -67,3 +67,11 @@ npm run preview # ビルド結果のプレビュー
- `.github/workflows/ci-react.yml` — PR ごとに `npm audit` → `npm ci` → `npm run build`
- `.github/workflows/ci-functions.yml` — 同上を `functions/` で実行
- いずれも Node 24 環境。コミット前に `npm run typecheck` / `npm run build` が通ることを確認する

## CD(デプロイ)

- `.github/workflows/cd-firebase-testnet.yml` — main への push / 手動実行で testnet(`nemtus-hackathon-test`)へデプロイ
- `.github/workflows/cd-firebase-mainnet.yml` — 手動実行(`workflow_dispatch`)で mainnet(`nemtus-hackathon`)へデプロイ
- **認証は OIDC + Workload Identity Federation(キーレス)**。`google-github-actions/auth` で GCP のデプロイ用サービスアカウントを impersonation し、firebase CLI は ADC(`GOOGLE_APPLICATION_CREDENTIALS`)経由でデプロイする。長期 `FIREBASE_TOKEN` は使わない
- GitHub Environment(`testnet` / `mainnet`)の Variables に `WIF_PROVIDER` / `DEPLOY_SERVICE_ACCOUNT` / `GCP_PROJECT_ID` を設定する。GCP 側の WIF プール・SA 設定手順は移行計画を参照
- ワークフローの permissions に `id-token: write` が必須(OIDC トークン取得のため)
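Review bot: The fourth added bullet sends readers to the migration plan (移行計画) for the WIF pool and service account setup but gives no path or link, so the GCP half of this configuration cannot be found from the repository. Link the document, and record here the provider's attribute condition and the roles granted to each deploy service account, since those settings decide who can deploy. The third added bullet says the long-lived `FIREBASE_TOKEN` is no longer used; if it has also been revoked and the secret deleted, say so.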