
How to deploy flutter to firebase through github actions using workload identity federation


When deploying Flutter to Firebase from my local machine, I do the following and it works:

flutter build web
firebase deploy

When trying to deploy from GHA, my YAML file looks like this:

test_deploy_to_dev:
    name: deploy
    needs:
      - label_check
    permissions:
      contents: read
      id-token: write

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: auth
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          workload_identity_provider: 'projects/1111111/locations/global/workloadIdentityPools/abc/providers/xyz'
          service_account: '[email protected]'

      - uses: subosito/flutter-action@v2
        with:
          channel: 'stable'
          cache: true
      - name: Run flutter pub get
        run: flutter pub get
      - name: Enable flutter web
        run: flutter config --enable-web
      - name: Build Web App
        run: flutter build web
      - name: deploy flutter to firestore
        run: |
          npm install -g firebase-tools
          firebase init
          firebase deploy

The Google auth part works. In GHA, I get the error: Failed to authenticate, have you run firebase login?


Solution

  • The error "Failed to authenticate, have you run firebase login?" happens because workload identity is not set up correctly.

    Don't follow the Official doc. It has a small error.

    Instead, follow the GitHub doc. It shows how to create WIF through the CLI and provides a working template to authorize GHA through WIF.

    • Enable "Firebase Management API" in your GCP project
    • Firebase project and gcp project are 2 different things. I was using sv_account from a gcp project to deploy into a different firebase project. Hence all those auth errors shown below.
    • sv_account needs following permissions:
      • Firebase Hosting Admin
      • Service Account User
    • In the GHA template provided in the GitHub doc link above, in the workload_identity_provider key:
      • workload_identity_provider: 'projects/<gcp-project-id>/locations/global/workloadIdentityPools/<my-pool-id>/providers/<provider-id>'
      • use pool_id and provider_id. Don't use pool_name and provider_name
      • gcp_project_id (all int) is different from project_id.
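
A preflight check for the points listed in the answer above, as an added example that is not part of the original answer: it verifies that the provider string uses an all-digit project segment and pool/provider IDs, and that the service account belongs to the project being deployed to. The function names, the ID rule (4 to 32 lowercase letters, digits or hyphens) and all sample values are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: preflight check for the inputs of google-github-actions/auth.
LC_ALL=C  # make [a-z] ranges match ASCII lowercase only

# is_id STRING: true if STRING looks like a pool/provider ID rather than a
# display name (assumed rule: 4-32 lowercase letters, digits or hyphens).
is_id() {
  case "$1" in
    ''|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -ge 4 ] && [ "${#1}" -le 32 ]
}

# check_wif PROVIDER SERVICE_ACCOUNT FIREBASE_PROJECT_ID
# Prints one line per finding and returns the number of findings.
check_wif() {
  provider=$1; sa=$2; fb_project=$3; findings=0
  note() { echo "finding: $*"; findings=$((findings + 1)); }

  # Split the provider resource name on "/" only (display names may contain spaces).
  old_ifs=$IFS; IFS=/; set -f
  set -- $provider
  set +f; IFS=$old_ifs

  if [ $# -ne 8 ] || [ "$1/$3/$4/$5/$7" != "projects/locations/global/workloadIdentityPools/providers" ]; then
    note "provider is not projects/N/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
  else
    case "$2" in
      ''|*[!0-9]*) note "project segment '$2' is not all digits" ;;
    esac
    is_id "$6" || note "pool '$6' looks like a display name, not a pool ID"
    is_id "$8" || note "provider '$8' looks like a display name, not a provider ID"
  fi

  # Service account e-mails have the form NAME@PROJECT_ID.iam.gserviceaccount.com.
  case "$sa" in
    ?*@?*.iam.gserviceaccount.com)
      sa_project=${sa#*@}; sa_project=${sa_project%.iam.gserviceaccount.com}
      [ "$sa_project" = "$fb_project" ] ||
        note "service account is in '$sa_project' but the deploy target is '$fb_project'" ;;
    *) note "service_account '$sa' is not a service account e-mail" ;;
  esac
  return "$findings"
}

# Constructed sample values: numeric project, IDs, matching Firebase project.
check_wif 'projects/123456789012/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider' \
  'deployer@my-firebase-app.iam.gserviceaccount.com' 'my-firebase-app' && echo "no findings"
```

Run as an early workflow step, a non-zero return stops the job before the auth and deploy steps are reached.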