Unable to deploy to Google App Engine using Github Actions - credentials not supplied

Question

I keep getting the same error when attempting to deploy my app from Github to Google App Engine using a GitHub action.

I've tried using both the deploy-appengine action, as well as using setup-gcloud on its own and both provide me with the same error.

Here's the action yaml:

# This is the CI action for the repo. The build must succeed and all tests must pass before any pull requests can be made.

name: Deploy
on:
  pull_request:
    types: closed
    branches:
      - develop
      - master

  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [12.x]

    steps:

      - uses: actions/checkout@v2

      - name: Cache node modules
        uses: actions/cache@v1
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
      - name: Node ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}

      - name: Install dependencies
        run: npm install

      - name: Configure environments
        run: npm run configure:ci

      - name: Build
        run: npm run build:ci
        env:
          API_URL:                   ${{ secrets.API_URL }}
          FIREBASE_API_KEY:          ${{ secrets.FIREBASE_API_KEY }}
          FIREBASE_AUTH_DOMAIN:      ${{ secrets.FIREBASE_AUTH_DOMAIN }}
          FIREBASE_DATABASE_URL:     ${{ secrets.FIREBASE_DATABASE_URL }}
          PROJECT_ID:                ${{ secrets.PROJECT_ID }}
          STORAGE_BUCKET:            ${{ secrets.STORAGE_BUCKET }}
          FIREBASE_SENDER_ID:        ${{ secrets.FIREBASE_SENDER_ID }}
          FIREBASE_APP_ID:           ${{ secrets.FIREBASE_APP_ID }}
          FIREBASE_MEASUREMENT_ID:   ${{ secrets.FIREBASE_MEASUREMENT_ID }}
          ANGULAR_FIRE_EMAIL:        ${{ secrets.ANGULAR_FIRE_EMAIL }}
          ANGULAR_FIRE_PASSWORD:     ${{ secrets.ANGULAR_FIRE_PASSWORD }}

      - name: Configure app.yaml
        run: npm run app-config:ci
        
      - id: Deploy
        uses: google-github-actions/deploy-appengine@main
        with:
          credentials: ${{ secrets.GCP_SA_KEY }}
          deliverables: dist/app.yaml
          promote: true

And here is what my credential file looks like, it's just plain JSON, not BASE64 and it's stored in by secrets.GCP_SA_KEY secret with a branch rule for develop, which is where I'm firing this action:

{
  "type": "service_account",
  "project_id": "REDACTED",
  "private_key_id": "REDACTED",
  "private_key": "-----BEGIN PRIVATE pm57A==\n-----END PRIVATE KEY-----\n",
  "client_email": "REDACTED@REDACTED.iam.gserviceaccount.com",
  "client_id": "REDACTED",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/REDACTED.iam.gserviceaccount.com"
}

I have granted the appropriate permissions to the service account:

App Engine Admin
Cloud Build Editor
Compute Storage Admin
Service Account User

Every time I try and run the action I get the below output:

Run google-github-actions/deploy-appengine@main
/usr/bin/tar --version
tar (GNU tar) 1.30
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/14543984-d6e2-47c0-a6eb-a2a41a371468 -f /home/runner/work/_temp/8a247beb-4bc1-4157-b43f-f27c0f71ba36
/opt/hostedtoolcache/gcloud/333.0.0/x64/bin/gcloud config get-value project
(unset)
Error: No project Id provided.
/opt/hostedtoolcache/gcloud/333.0.0/x64/bin/gcloud auth list

No credentialed accounts.

To login, run:
  $ gcloud auth login `ACCOUNT`

/opt/hostedtoolcache/gcloud/333.0.0/x64/bin/gcloud app deploy --quiet dist/app.yaml --promote
ERROR: (gcloud.app.deploy) You do not currently have an active account selected.
Please run:

  $ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

    $ gcloud config set account ACCOUNT

to select an already authenticated account to use.
Error: The process '/opt/hostedtoolcache/gcloud/333.0.0/x64/bin/gcloud' failed with exit code 1

The same thing happens when I provide both the project_id and the SA key. According to the docs I don't need to do any logging in, I can just pass in my Service Account credentials and the rest should take care of itself. Where am I going wrong here?

Answer 1

So the answer to this question was that I had the secrets set up at the environment level.

I currently have 2 environments: develop and main. And I set these secrets at that level.

When I created two new secrets at the Repository level, this resolved the issue.

It does say repository secrets in the documentation, but it could probably do with being a more clear that this won't work with environment level secrets.

I did receive further errors though with permissions. I'd set Compute Storage Admin, but this job needed Cloud Storage Admin.