How to deploy other firebase project assets (like firestore rule) with github actions - firebase

I have one GitHub project that needs to deploy to different firebase projects based on branches (development, Production and Staging). I added three firebase projects and three GCP accounts for it. I managed to deploy hosting with w9jds/firebase-action. Still, when I tried to use this action to deploy Firestore rules and storage, it kept giving me the error "FirebaseError: HTTP Error: 403, The caller does not have permission". I could not find the document on what permission I needed to deploy those assets or the detailed error log. Any help would be appreciated.
Here is my yml for you to check
name: Deploy firestore on dev Merge
on:
  push:
    branches:
      - dev
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3
      - name: Build
        run: npm install && npm run build
      - name: Archive Production Artifact
        uses: actions/upload-artifact@master
        with:
          name: dist
          path: dist
  deploy:
    name: Deploy
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3
      - name: Download Artifact
        uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist
      - name: Deploy to Firebase
        uses: docker://w9jds/firebase-action:master
        with:
          args: deploy --only firestore --project development
        env:
          GCP_SA_KEY: service_account_key

Related

GitHub Actions Trigger Publish Job Only When Releasing a Package

I have a Scala based multi module project for which I'm having a GitHub Actions pipeline which contains two jobs, one for test and the other for publishing to GitHub packages. Here is my file:
name: Build my projects
on:
  push:
    paths-ignore:
      - 'images/**'
      - README.md
    branches:
      - master
    tags:
      - 'v*.*.*'
  pull_request:
    branches:
      - master
  release:
    types: [ created ]
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Cache ivy2
        uses: actions/cache@v1
        with:
          path: ~/.ivy2/cache
          key: ${{ runner.os }}-sbt-ivy-cache-${{ hashFiles('**/*.sbt') }}-${{ hashFiles('project/build.properties') }}
      - name: SBT Test
        run: sbt clean test
  publish:
    needs: test
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: SBT Publish
        run: sbt publish
I would need the following:
Trigger the publish job only when I want to do a release, but how do I know that I want to do a release? Do I tag a release when I commit the changes? If I tag it, then how can I check if there is a tag so that I know that I have to run the publish job?
If you want to trigger a workflow "only when you want to do a release", one option is to manually launch the workflow.
This can be achieved with a specific workflow with the following trigger, workflow_dispatch:
on:
  workflow_dispatch:
    inputs:
      releaseVersion:
        description: 'Release version'
        required: true
Here I add an input value that has to be entered manually when launching the workflow. This is not mandatory though if you don't need any input.
See also: https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
Note that triggering the workflow when a tag is pushed is also a solution that makes sense. It's really up to you.
I just had to do this in the publish job:
publish:
  runs-on: ubuntu-latest
  needs: test
  if: startsWith(github.ref, 'refs/tags/v')
So when there is a tag, the publish job knows that it has to run and publish the new package.

GitHub Actions fail (You must have permission iam.serviceAccounts.ActAs) to deploy Firebase Functions (w9jds/firebase-action@master)

GitHub actions yaml:
name: Deploy to Firebase Functions on merge
"on":
  push:
    branches:
      - main
env:
  CI: false
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: "Install yarn packages"
        run: yarn
        working-directory: "functions"
      - name: "Deploy to Firebase"
        uses: w9jds/firebase-action@master
        with:
          args: deploy --only functions
        env:
          FIREBASE_TOKEN: ${{ secrets.FIREBASE_TOKEN }}
When pushing to main and viewing this action, I got this weird error:
Error: Missing permissions required for functions deploy. You must have permission iam.serviceAccounts.ActAs on service account argus-750f6@appspot.gserviceaccount.com.
To address this error, ask a project Owner to assign your account the "Service Account User" role from this URL: https://console.cloud.google.com/iam-admin/iam?project=argus-750f6
I have enabled that role (I made a custom role for just Service Account User) on argus-750f6@appspot.gserviceaccount.com. I even made argus-750f6@appspot.gserviceaccount.com owner, but that didn't work. I'm at a loss. Any suggestions?
You can check this guide: Simple guide to start GitHub Actions to Firebase Functions.
According to the error, the service account doesn't have the correct permission role. The service account in the logs is the default service account of App Engine; make sure the default role of this service account is editor. It seems you changed the role of this default service account, which is why it caused an error in your deployment.
Then, if you are using a Firebase token, you can proceed to step 14 to generate the token that you will also use, and then proceed to step 15 to store the token you got.

Github Actions - How can I make my env variable (stored in .env file) available in my workflow

I'll try to be as clear as possible. I have also asked about related issues but didn't receive a convincing response.
I'm using React and firebase for hosting.
Also, I'm storing my firebase web API key in my .env file.
I set up firebase hosting using Firebase CLI and chose to automatically deploy on merge or pull request.
After the setup finished a .github folder with .yml file was created in my working directory.
.github
  - workflows
    - firebase-hosting-merge.yml
    - firebase-hosting-pull-request.yml
So now when I deploy my project (without pushing to GitHub) manually to firebase by running firebase deploy, everything works fine and my app is up and running.
However, when I make changes and push them to GitHub, GitHub Actions are triggered and the automatic deployment to firebase starts. The build passes all the checks. However, when I visit the hosted URL, I get an error in the console saying Your API key is invalid, please check you have copied it correctly.
I tried a few workarounds, like storing my firebase web API key in the GitHub secrets and accessing it in my .yml file.
# This file was auto-generated by the Firebase CLI
# https://github.com/firebase/firebase-tools
name: Deploy to Firebase Hosting on merge
'on':
  push:
    branches:
      - master
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm ci && npm run build --prod
      - uses: FirebaseExtended/action-hosting-deploy@v0
        with:
          repoToken: '${{ secrets.GITHUB_TOKEN }}'
          firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_EVENTS_EASY }}'
          channelId: live
          projectId: my-project
        env:
          REACT_APP_API_KEY: ${{secrets.REACT_APP_API_KEY}}
          FIREBASE_CLI_PREVIEWS: hostingchannels
But I am still getting the error. I feel that the error is definitely due to the environment variables.
I have stored my firebase web API key in my .env.production file located in the root directory.
Somehow GitHub actions are not using my environment variables defined.
Please let me know how can I manage my env variables so that it can be accessed by my workflow.
The answer is to put custom env vars at the first level, before jobs:
name: Deploy to Firebase Hosting on merge
'on':
  push:
    branches:
      - master
env: # <--- here
  REACT_APP_API_KEY: ${{secrets.REACT_APP_API_KEY}} # <--- here
jobs:
  build_and_deploy:
    ...
And add these secrets in GitHub > Your project > Settings > Secrets
You can use Create Envfile Github Action to create a .env file in your workflow.
To add a key to the envfile, add a key/pair to the with: section. It must begin with envkey_.
steps:
  - uses: actions/checkout@v2
  - name: Use Node.js
    uses: actions/setup-node@v1
  - name: Make envfile
    uses: SpicyPizza/create-envfile@v1
    with:
      envkey_REACT_APP_API_KEY: ${{secrets.REACT_APP_API_KEY}}
      directory: './'
      file_name: '.env'
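Assuming a Create React App build, `REACT_APP_*` variables are inlined into the bundle while `npm run build` runs, so the key has to be visible to the build step, whereas the question's workflow lists it under the deploy step. The workflow below is an added example, not taken from the answers above; it reuses the question's secret and project names and scopes the variable to the build step alone instead of the whole workflow.

```yaml
name: Deploy to Firebase Hosting on merge
'on':
  push:
    branches:
      - master
jobs:
  build_and_deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # Only the build reads REACT_APP_API_KEY, so only this step receives it.
      # A workflow-level env block would also hand it to every action below.
      - run: npm ci && npm run build --prod
        env:
          REACT_APP_API_KEY: ${{ secrets.REACT_APP_API_KEY }}
      # The deploy action gets its own credentials and nothing else.
      - uses: FirebaseExtended/action-hosting-deploy@v0
        with:
          repoToken: '${{ secrets.GITHUB_TOKEN }}'
          firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_EVENTS_EASY }}'
          channelId: live
          projectId: my-project
        env:
          FIREBASE_CLI_PREVIEWS: hostingchannels
```

Whatever is inlined into the bundle is served to every visitor, so only values that are safe to publish belong in `REACT_APP_*` variables.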

Github actions replacing firebase json in flutter project

I'm running a Github action that automatically builds and releases a flutter project. But we use a dev and a production Firebase environment. So before the build I'd like to switch out the google-services.json from the dev to the production version. But I can't seem to find an easy way to do this. Or is there a better way to work with dev and production versions of Firebase inside flutter?
Probably not very useful, but here's the action in its current state
on:
  push:
    branches: [ stable ]
name: Build and Release
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
        with:
          fetch-depth: '0'
      - name: Bump version and push tag
        id: tag
        uses: anothrNick/github-tag-action@1.17.2
        env:
          GITHUB_TOKEN: ${{ secrets.TOKEN }}
          WITH_V: true
          RELEASE_BRANCHES: stable
      - uses: actions/checkout@v1
      - uses: actions/setup-java@v1
        with:
          java-version: '12.x'
      - uses: subosito/flutter-action@v1
        with:
          flutter-version: '1.17.3'
      - run: flutter pub get
      - run: flutter build appbundle
      - name: Create a Release APK
        uses: ncipollo/release-action@v1
        with:
          artifacts: "build/app/outputs/bundle/release/*.aab"
          tag: ${{ steps.tag.outputs.tag }}
          token: ${{ secrets.TOKEN }}
I'm very, very new to github actions and CI in general. Any constructive feedback is always welcome!
Not sure that's the most optimised solution but it's what I found being the easiest to update and maintain.
Step 1 : Store the google-services.json files in the secrets of your Github repository (that way you won't have to commit this file in your repo, that's a bonus) with names like FIREBASE_CONFIG_DEV and FIREBASE_CONFIG_PROD.
Step 2 : Create two workflows : one for the dev, triggered every pull-request for example, and the other one for the release, triggered by a commit on a specific branch like you did
Step 3 : Provide the google-services.json to your project
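steps:
  - uses: actions/checkout@v1
  - name: Provide Firebase Android
    env:
      FIREBASE_CONFIG_DEV: ${{ secrets.FIREBASE_CONFIG_DEV }}
    # Quote the variable so the shell writes the JSON unchanged (no word splitting or glob expansion)
    run: echo "$FIREBASE_CONFIG_DEV" > ./android/app/google-services.json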
Your Dev workflow should look like this
Just edit this snippet to add the creation of the google-services.json to your iOS project and you should be good to go

How to configure .net core 3.1 appsettings to run tests on Github actions

I'm developing a web API using .Net core 3.1 trying to integrate it to Github Actions to run the integration tests when a pull request is created.
I'm using the secrets manager to store my API tokens and other sensitive data in development mode
secrets.json
{
  "Firebase": {
    "Login": "foo@bar.com",
    "Password": "FooBar",
    "Url": "foobar.firebaseapp.com "
  },
}
And on GitHub I've tried to add Secrets(GitHub secrets = environment variables) with the same names I have on my secrets JSON but it hasn't worked.
The GitHub secrets that I've created are like
(KEY - VALUE)
LOGIN - foo@bar.com
PASSWORD - FooBar
And on my test class, I'm invoking the environment variables using the following configuration before the tests
public MyTestClass()
{
    var builder = new ConfigurationBuilder()
        .AddUserSecrets<MyTestClass>()
        .AddEnvironmentVariables();
    Configuration = builder.Build();
    _settings = Configuration.Get<Settings>();
}
And my .yml looks like
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup .NET Core
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: 3.1.300
      - name: Nuget
        run: dotnet restore
      - name: Build
        run: dotnet build --configuration Release --no-restore
      - name: Test
        run: dotnet test --no-restore --verbosity normal
        env:
          LOGIN: ${{ secrets.LOGIN }}
          PASSWORD: ${{ secrets.PASSWORD}}
          URL: ${{ secrets.URL}}
How can I load the Settings when executing inside GitHub Actions?
Not sure if I'm not stating the obvious (you didn't mention how you start test app), but GitHub secrets != environment variables. They can be, if user wants that, but it's not done automagically.
- run: program.exe
In this case, program won't know login/password, as there's no way it can access this data.
- run: program.exe
  env:
    LOGIN: ${{ secrets.LOGIN }}
    PASSWORD: ${{ secrets.PASSWORD }}
In this case, program will know login/password, as secrets are "converted" to environment variables, which application can see.
- run: program.exe --login=${{ secrets.LOGIN }} --password=${{ secrets.PASSWORD }}
In this case, program will know login/password, as secrets are passed via command line arguments, which application can see. Environment variables remain unchanged in this case.
Another option is to keep encrypted secrets.json in repository, and decrypt it when workflow is running; see docs for details.
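Applied to the question's configuration, the environment-variable route also needs names that match the configuration keys: the .NET environment-variable provider reads `__` as the section separator, so `Firebase__Login` binds to the `Firebase:Login` key from secrets.json. The workflow below is an added example, not part of the original answer, and assumes the `Settings` class binds a `Firebase` section with `Login`, `Password` and `Url`.

```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Setup .NET Core
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: 3.1.300
      - name: Nuget
        run: dotnet restore
      - name: Build
        run: dotnet build --configuration Release --no-restore
      - name: Test
        run: dotnet test --no-restore --verbosity normal
        # Secrets are exposed to the test step only, not to restore or build.
        env:
          # "__" maps to ":" in configuration keys:
          # Firebase__Login -> Configuration["Firebase:Login"]
          Firebase__Login: ${{ secrets.LOGIN }}
          Firebase__Password: ${{ secrets.PASSWORD }}
          Firebase__Url: ${{ secrets.URL }}
```

Passing the values through `env` also keeps them out of the process command line, which other processes on the runner can read.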
