ci: switch cloud run env sync to oidc

Pigbibi · Pigbibi · commit 1d17e7ba787d · 2026-03-31T01:02:26.000+08:00
diff --git a/.github/workflows/sync-cloud-run-env.yml b/.github/workflows/sync-cloud-run-env.yml
@@ -4,10 +4,18 @@ on:
   push:
     branches: [ main ]
 
+env:
+  GCP_PROJECT_ID: interactivebrokersquant
+  GCP_WORKLOAD_IDENTITY_PROVIDER: projects/303168642265/locations/global/workloadIdentityPools/github-actions/providers/github-main
+  GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT: ibkr-platform-build@interactivebrokersquant.iam.gserviceaccount.com
+
 jobs:
   sync-cloud-run-env:
     name: Sync Cloud Run Env
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     env:
       ENABLE_GITHUB_ENV_SYNC: ${{ vars.ENABLE_GITHUB_ENV_SYNC }}
       CLOUD_RUN_REGION: ${{ vars.CLOUD_RUN_REGION }}
@@ -20,7 +28,6 @@ jobs:
       IB_GATEWAY_IP_MODE: ${{ vars.IB_GATEWAY_IP_MODE }}
       GLOBAL_TELEGRAM_CHAT_ID: ${{ vars.GLOBAL_TELEGRAM_CHAT_ID }}
       NOTIFY_LANG: ${{ vars.NOTIFY_LANG }}
-      GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
       TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_TOKEN }}
     steps:
       - name: Check whether env sync is configured
@@ -42,7 +49,6 @@ jobs:
             IB_ACCOUNT_GROUP_CONFIG_SECRET_NAME
             GLOBAL_TELEGRAM_CHAT_ID
             NOTIFY_LANG
-            GCP_SA_KEY
           )
 
           missing_vars=()
@@ -70,13 +76,14 @@ jobs:
         if: steps.config.outputs.enabled == 'true'
         uses: google-github-actions/auth@v3
         with:
-          credentials_json: ${{ env.GCP_SA_KEY }}
+          workload_identity_provider: ${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ env.GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}
 
       - name: Set up gcloud
         if: steps.config.outputs.enabled == 'true'
         uses: google-github-actions/setup-gcloud@v3
         with:
-          project_id: ${{ steps.auth.outputs.project_id }}
+          project_id: ${{ env.GCP_PROJECT_ID }}
           version: ">= 416.0.0"
 
       - name: Sync Cloud Run environment
diff --git a/README.md b/README.md
@@ -201,7 +201,6 @@ Recommended setup:
   - `GLOBAL_TELEGRAM_CHAT_ID`
   - `NOTIFY_LANG`
 - **Repository Secrets**
-  - `GCP_SA_KEY`
   - `TELEGRAM_TOKEN` (fallback only when `TELEGRAM_TOKEN_SECRET_NAME` is not set)
 - **Optional transition Variables**
   - `IB_GATEWAY_ZONE`
@@ -214,9 +213,9 @@ For now, `STRATEGY_PROFILE` still only supports one strategy profile. The curren
 Important:
 
 - The workflow only becomes strict when `ENABLE_GITHUB_ENV_SYNC=true`. If this variable is unset, the sync job is skipped.
-- Here "shared config" still only means the **IBKR pair** (`InteractiveBrokersPlatform` + `IBKRGatewayManager`). `GCP_SA_KEY`, `TELEGRAM_TOKEN`, and `TELEGRAM_TOKEN_SECRET_NAME` remain repository-specific.
+- Here "shared config" still only means the **IBKR pair** (`InteractiveBrokersPlatform` + `IBKRGatewayManager`). `TELEGRAM_TOKEN` and `TELEGRAM_TOKEN_SECRET_NAME` remain repository-specific.
 - If `IB_ACCOUNT_GROUP_CONFIG_SECRET_NAME` is set, the Cloud Run runtime needs Secret Manager access to that secret.
-- `GCP_SA_KEY` belongs to the GitHub Actions deploy identity, not to the Cloud Run runtime service account.
+- GitHub now authenticates to Google Cloud with OIDC + Workload Identity Federation, so `GCP_SA_KEY` is no longer required for this workflow.
 
 ### Deployment unit and naming
 
@@ -417,7 +416,6 @@ IB_GATEWAY_IP_MODE=internal
   - `GLOBAL_TELEGRAM_CHAT_ID`
   - `NOTIFY_LANG`
 - **仓库级 Secrets**
-  - `GCP_SA_KEY`
   - `TELEGRAM_TOKEN`（仅在没设置 `TELEGRAM_TOKEN_SECRET_NAME` 时作为 fallback）
 - **可选过渡 Variables**
   - `IB_GATEWAY_ZONE`
@@ -430,9 +428,9 @@ IB_GATEWAY_IP_MODE=internal
 注意：
 
 - 只有在 `ENABLE_GITHUB_ENV_SYNC=true` 时，这个 workflow 才会严格校验并执行同步。没打开时会直接跳过。
-- 这里说的“共享配置”仍然只针对 **IBKR 这一组系统**。`GCP_SA_KEY`、`TELEGRAM_TOKEN` 和 `TELEGRAM_TOKEN_SECRET_NAME` 都还是这个仓库自己的配置，不建议提升成所有 quant 共用的全局配置。
+- 这里说的“共享配置”仍然只针对 **IBKR 这一组系统**。`TELEGRAM_TOKEN` 和 `TELEGRAM_TOKEN_SECRET_NAME` 都还是这个仓库自己的配置，不建议提升成所有 quant 共用的全局配置。
 - 如果设置了 `IB_ACCOUNT_GROUP_CONFIG_SECRET_NAME`，Cloud Run 运行时还需要有对应 Secret 的访问权限。
-- `GCP_SA_KEY` 对应的是 GitHub Actions 的部署身份，不是 Cloud Run runtime service account。
+- GitHub 现在通过 OIDC + Workload Identity Federation 登录 Google Cloud，这个 workflow 不再需要 `GCP_SA_KEY`。
 
 ### 部署单元和命名建议
 
diff --git a/docs/ibkr_runtime_rollout.md b/docs/ibkr_runtime_rollout.md
@@ -186,12 +186,11 @@ gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
 
 ### Repository Secrets
 
-- `GCP_SA_KEY`
 - `TELEGRAM_TOKEN`（仅在没设置 `TELEGRAM_TOKEN_SECRET_NAME` 时作为 fallback）
 
 说明：
 
-- `GCP_SA_KEY` 对应的是 **GitHub Actions 用的部署账号**，不是 Cloud Run runtime service account。
+- GitHub 现在通过 OIDC + Workload Identity Federation 登录 Google Cloud，这个 workflow 不再需要 `GCP_SA_KEY`。
 - 如果你现在只用这个 workflow 做“同步已有 Cloud Run service 的 env”，那这个 GitHub Actions 账号只需要能更新目标 Cloud Run service，不需要现在就补 Cloud Build / Artifact Registry 那一套权限。
 
 ## 5. 先把 `ACCOUNT_GROUP=default` 跑通的顺序
