Migrate to GitHub OIDC based auth for Launchable (#11808)

This change updates the CI workflows to use the new GitHub OpenID
connect based authentication flow.

GitHub started to provide a public-key signed token that contain
pull-request data. This is commonly used as a short-lived token in the
authentication flow (Open ID Connect). Launchable recently started
supporting this. Migrate to this new method.

The permission clause added to the jobs is more restrictive than the
default access except for the "id-token: write" permission
(https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
This should give the e2e tests enough permissions to run. The id-token
permission is necessary to get the OIDC ID tokens as instructed by the
GitHub article
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.

See
https://docs.launchableinc.com/sending-data-to-launchable/migration-to-github-oidc-auth
for the overview and the process.

Signed-off-by: Masaya Suzuki <[email protected]>

Signed-off-by: Masaya Suzuki <[email protected]>

.github/workflows/cluster_endtoend_12.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (12)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_13.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (13)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_15.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (15)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_18.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (18)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_21.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (21)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_22.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (22)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_ers_prs_newfeatures_heavy.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (ers_prs_newfeatures_heavy)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_mysql80.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (mysql80)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_mysql_server_vault.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (mysql_server_vault)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_declarative.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_declarative)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_declarative_mysql57.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_declarative) mysql57
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_ghost.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_ghost)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_ghost_mysql57.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_ghost) mysql57
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_revert.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_revert)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_revert_mysql57.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_revert) mysql57
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_revertible.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_revertible)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_revertible_mysql57.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_revertible) mysql57
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_scheduler.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_scheduler)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_scheduler_mysql57.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_scheduler) mysql57
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_singleton.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_singleton)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_singleton_mysql57.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_singleton) mysql57
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_vrepl.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_vrepl)
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI

.github/workflows/cluster_endtoend_onlineddl_vrepl_mysql57.yml

@@ -9,12 +9,15 @@ concurrency:
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"
-  GITHUB_PR_HEAD_SHA: "${{ github.event.pull_request.head.sha }}"
+  EXPERIMENTAL_GITHUB_OIDC_TOKEN_AUTH: 1
 
 jobs:
   build:
     name: Run endtoend tests on Cluster (onlineddl_vrepl) mysql57
     runs-on: ubuntu-20.04
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
     - name: Skip CI