ci: harden deploy workflows with credential surface reduction

sserrata · claude · sserrata · commit 2f80d44f887e · 2026-04-14T11:31:59.000-04:00
- Add export_environment_variables: false to google-github-actions/auth
  to prevent automatic export of CLOUDSDK_*/GCP_PROJECT env vars
- Mask credentials_file_path and GCP_PROJECT_NUMBER in logs
- Move Firebase projectId and site target to repository secrets

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/deploy-live.yml b/.github/workflows/deploy-live.yml
@@ -75,10 +75,13 @@ jobs:
         with:
           workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
           service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
+          export_environment_variables: false
 
       - name: Read GCP credentials
         id: creds
         run: |
+          echo "::add-mask::${{ steps.auth.outputs.credentials_file_path }}"
+          echo "::add-mask::${{ secrets.GCP_PROJECT_NUMBER }}"
           creds=$(cat "${{ steps.auth.outputs.credentials_file_path }}")
           echo "::add-mask::$creds"
           echo "sa_key=$creds" >> "$GITHUB_OUTPUT"
@@ -96,9 +99,9 @@ jobs:
         with:
           repoToken: "${{ secrets.GITHUB_TOKEN }}"
           firebaseServiceAccount: "${{ steps.creds.outputs.sa_key }}"
-          projectId: pandev
+          projectId: ${{ secrets.FIREBASE_PROJECT_ID }}
           channelId: live
-          target: docusaurus-openapi.tryingpan.dev
+          target: ${{ secrets.FIREBASE_SITE }}
         env:
           FIREBASE_CLI_PREVIEWS: hostingchannels
 
diff --git a/.github/workflows/deploy-preview.yml b/.github/workflows/deploy-preview.yml
@@ -170,10 +170,13 @@ jobs:
         with:
           workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
           service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
+          export_environment_variables: false
 
       - name: Read GCP credentials
         id: creds
         run: |
+          echo "::add-mask::${{ steps.auth.outputs.credentials_file_path }}"
+          echo "::add-mask::${{ secrets.GCP_PROJECT_NUMBER }}"
           creds=$(cat "${{ steps.auth.outputs.credentials_file_path }}")
           echo "::add-mask::$creds"
           echo "sa_key=$creds" >> "$GITHUB_OUTPUT"
@@ -191,7 +194,7 @@ jobs:
         with:
           repoToken: "${{ secrets.GITHUB_TOKEN }}"
           firebaseServiceAccount: "${{ steps.creds.outputs.sa_key }}"
-          projectId: pandev
+          projectId: ${{ secrets.FIREBASE_PROJECT_ID }}
           expires: 7d
           channelId: "pr${{ github.event.number }}"
           totalPreviewChannelLimit: 25
