Add support for Firebase token as authentication

Author: rafaelalmeidatk

README.md

@@ -12,12 +12,14 @@ A full setup guide can be found [in the Firebase Hosting docs](https://firebase.
 The [Firebase CLI](https://firebase.google.com/docs/cli) can get you set up quickly with a default configuration.
 
 - If you've NOT set up Hosting, run this version of the command from the root of your local directory:
+
 ```bash
 firebase init hosting
 ```
 
 - If you've ALREADY set up Hosting, then you just need to set up the GitHub Action part of Hosting.
   Run this version of the command from the root of your local directory:
+
 ```bash
 firebase init hosting:github
 ```

action.yml

@@ -26,8 +26,11 @@ inputs:
     description: "The GITHUB_TOKEN secret"
     required: false
   firebaseServiceAccount:
-    description: "Firebase service account JSON"
-    required: true
+    description: "Firebase service account JSON. Either this or firebaseToken should be defined"
+    required: false
+  firebaseToken:
+    description: "Firebase token generated by login:ci. Either this or firebaseServiceAccount should be defined"
+    required: false
   expires:
     description: "How long should a preview live? See the preview channels docs for options"
     default: "7d"

bin/action.min.js

@@ -11189,8 +11189,13 @@ function interpretChannelDeployResult(deployResult) {
   };
 }
 
-async function execWithCredentials(args, projectId, gacFilename, debug = false) {
+async function execWithCredentials(args, projectId, credentials, debug = false) {
   let deployOutputBuf = [];
+  const commandCredentials = "gacFilename" in credentials ? {
+    GOOGLE_APPLICATION_CREDENTIALS: credentials.gacFilename
+  } : {
+    FIREBASE_TOKEN: credentials.firebaseToken
+  };
 
   try {
     await exec_2("npx firebase-tools", [...args, ...(projectId ? ["--project", projectId] : []), debug ? "--debug" // gives a more thorough error message
@@ -11202,17 +11207,16 @@ async function execWithCredentials(args, projectId, gacFilename, debug = false)
 
       },
       env: _extends({}, process.env, {
-        FIREBASE_DEPLOY_AGENT: "action-hosting-deploy",
-        GOOGLE_APPLICATION_CREDENTIALS: gacFilename
-      })
+        FIREBASE_DEPLOY_AGENT: "action-hosting-deploy"
+      }, commandCredentials)
     });
   } catch (e) {
     console.log(Buffer.concat(deployOutputBuf).toString("utf-8"));
     console.log(e.message);
 
     if (debug === false) {
       console.log("Retrying deploy with the --debug flag for better error output");
-      await execWithCredentials(args, projectId, gacFilename, true);
+      await execWithCredentials(args, projectId, credentials, true);
     } else {
       throw e;
     }
@@ -11221,23 +11225,23 @@ async function execWithCredentials(args, projectId, gacFilename, debug = false)
   return deployOutputBuf.length ? deployOutputBuf[deployOutputBuf.length - 1].toString("utf-8") : ""; // output from the CLI
 }
 
-async function deployPreview(gacFilename, deployConfig) {
+async function deployPreview(credentials, deployConfig) {
   const {
     projectId,
     channelId,
     target,
     expires
   } = deployConfig;
-  const deploymentText = await execWithCredentials(["hosting:channel:deploy", channelId, ...(target ? ["--only", target] : []), ...(expires ? ["--expires", expires] : [])], projectId, gacFilename);
+  const deploymentText = await execWithCredentials(["hosting:channel:deploy", channelId, ...(target ? ["--only", target] : []), ...(expires ? ["--expires", expires] : [])], projectId, credentials);
   const deploymentResult = JSON.parse(deploymentText.trim());
   return deploymentResult;
 }
-async function deployProductionSite(gacFilename, productionDeployConfig) {
+async function deployProductionSite(credentials, productionDeployConfig) {
   const {
     projectId,
     target
   } = productionDeployConfig;
-  const deploymentText = await execWithCredentials(["deploy", "--only", `hosting${target ? ":" + target : ""}`], projectId, gacFilename);
+  const deploymentText = await execWithCredentials(["deploy", "--only", `hosting${target ? ":" + target : ""}`], projectId, credentials);
   const deploymentResult = JSON.parse(deploymentText);
   return deploymentResult;
 }
@@ -11404,9 +11408,8 @@ async function postChannelSuccessComment(github, context, result, commit) {
 
 const expires = core.getInput("expires");
 const projectId = core.getInput("projectId");
-const googleApplicationCredentials = core.getInput("firebaseServiceAccount", {
-  required: true
-});
+const googleApplicationCredentials = core.getInput("firebaseServiceAccount");
+const firebaseToken = core.getInput("firebaseToken");
 const configuredChannelId = core.getInput("channelId");
 const isProductionDeploy = configuredChannelId === "live";
 const token = process.env.GITHUB_TOKEN || core.getInput("repoToken");
@@ -11444,13 +11447,28 @@ async function run() {
 
     core.endGroup();
     core.startGroup("Setting up CLI credentials");
-    const gacFilename = await createGacFile(googleApplicationCredentials);
-    console.log("Created a temporary file with Application Default Credentials.");
+    let credentials;
+
+    if (googleApplicationCredentials) {
+      console.log("Using Google Application Credentials...");
+      credentials = {
+        gacFilename: await createGacFile(googleApplicationCredentials)
+      };
+      console.log("Created a temporary file with Application Default Credentials.");
+    } else if (firebaseToken) {
+      console.log("Using firebase token...");
+      credentials = {
+        firebaseToken
+      };
+    } else {
+      throw new Error("Either googleApplicationCredential or firebaseToken should be defined");
+    }
+
     core.endGroup();
 
     if (isProductionDeploy) {
       core.startGroup("Deploying to production site");
-      const deployment = await deployProductionSite(gacFilename, {
+      const deployment = await deployProductionSite(credentials, {
         projectId,
         target
       });
@@ -11475,7 +11493,7 @@ async function run() {
 
     const channelId = getChannelId(configuredChannelId, github.context);
     core.startGroup(`Deploying to Firebase preview channel ${channelId}`);
-    const deployment = await deployPreview(gacFilename, {
+    const deployment = await deployPreview(credentials, {
       projectId,
       expires,
       channelId,

src/deploy.ts

@@ -52,6 +52,8 @@ export type ProductionDeployConfig = {
   target?: string;
 };
 
+export type Credentials = { gacFilename: string } | { firebaseToken: string };
+
 export function interpretChannelDeployResult(
   deployResult: ChannelSuccessResult
 ): { expireTime: string; urls: string[] } {
@@ -68,12 +70,17 @@ export function interpretChannelDeployResult(
 
 async function execWithCredentials(
   args: string[],
-  projectId,
-  gacFilename,
+  projectId: string,
+  credentials: Credentials,
   debug: boolean = false
 ) {
   let deployOutputBuf: Buffer[] = [];
 
+  const commandCredentials =
+    "gacFilename" in credentials
+      ? { GOOGLE_APPLICATION_CREDENTIALS: credentials.gacFilename }
+      : { FIREBASE_TOKEN: credentials.firebaseToken };
+
   try {
     await exec(
       "npx firebase-tools",
@@ -93,7 +100,7 @@ async function execWithCredentials(
         env: {
           ...process.env,
           FIREBASE_DEPLOY_AGENT: "action-hosting-deploy",
-          GOOGLE_APPLICATION_CREDENTIALS: gacFilename, // the CLI will automatically authenticate with this env variable set
+          ...commandCredentials,
         },
       }
     );
@@ -105,7 +112,7 @@ async function execWithCredentials(
       console.log(
         "Retrying deploy with the --debug flag for better error output"
       );
-      await execWithCredentials(args, projectId, gacFilename, true);
+      await execWithCredentials(args, projectId, credentials, true);
     } else {
       throw e;
     }
@@ -117,7 +124,7 @@ async function execWithCredentials(
 }
 
 export async function deployPreview(
-  gacFilename: string,
+  credentials: Credentials,
   deployConfig: DeployConfig
 ) {
   const { projectId, channelId, target, expires } = deployConfig;
@@ -130,7 +137,7 @@ export async function deployPreview(
       ...(expires ? ["--expires", expires] : []),
     ],
     projectId,
-    gacFilename
+    credentials
   );
 
   const deploymentResult = JSON.parse(deploymentText.trim()) as
@@ -141,15 +148,15 @@ export async function deployPreview(
 }
 
 export async function deployProductionSite(
-  gacFilename,
+  credentials: Credentials,
   productionDeployConfig: ProductionDeployConfig
 ) {
   const { projectId, target } = productionDeployConfig;
 
   const deploymentText = await execWithCredentials(
     ["deploy", "--only", `hosting${target ? ":" + target : ""}`],
     projectId,
-    gacFilename
+    credentials
   );
 
   const deploymentResult = JSON.parse(deploymentText) as

src/index.ts

@@ -26,6 +26,7 @@ import { existsSync } from "fs";
 import { createCheck } from "./createCheck";
 import { createGacFile } from "./createGACFile";
 import {
+  Credentials,
   deployPreview,
   deployProductionSite,
   ErrorResult,
@@ -40,9 +41,8 @@ import {
 // Inputs defined in action.yml
 const expires = getInput("expires");
 const projectId = getInput("projectId");
-const googleApplicationCredentials = getInput("firebaseServiceAccount", {
-  required: true,
-});
+const googleApplicationCredentials = getInput("firebaseServiceAccount");
+const firebaseToken = getInput("firebaseToken");
 const configuredChannelId = getInput("channelId");
 const isProductionDeploy = configuredChannelId === "live";
 const token = process.env.GITHUB_TOKEN || getInput("repoToken");
@@ -80,15 +80,29 @@ async function run() {
     endGroup();
 
     startGroup("Setting up CLI credentials");
-    const gacFilename = await createGacFile(googleApplicationCredentials);
-    console.log(
-      "Created a temporary file with Application Default Credentials."
-    );
+    let credentials: Credentials;
+
+    if (googleApplicationCredentials) {
+      console.log("Using Google Application Credentials...");
+      credentials = {
+        gacFilename: await createGacFile(googleApplicationCredentials),
+      };
+      console.log(
+        "Created a temporary file with Application Default Credentials."
+      );
+    } else if (firebaseToken) {
+      console.log("Using firebase token...");
+      credentials = { firebaseToken };
+    } else {
+      throw new Error(
+        "Either googleApplicationCredential or firebaseToken should be defined"
+      );
+    }
     endGroup();
 
     if (isProductionDeploy) {
       startGroup("Deploying to production site");
-      const deployment = await deployProductionSite(gacFilename, {
+      const deployment = await deployProductionSite(credentials, {
         projectId,
         target,
       });
@@ -113,7 +127,7 @@ async function run() {
     const channelId = getChannelId(configuredChannelId, context);
 
     startGroup(`Deploying to Firebase preview channel ${channelId}`);
-    const deployment = await deployPreview(gacFilename, {
+    const deployment = await deployPreview(credentials, {
       projectId,
       expires,
       channelId,

test/deploy.test.ts

@@ -70,7 +70,7 @@ describe("deploy", () => {
     exec.exec = jest.fn(fakeExec).mockImplementationOnce(fakeExecFail);
 
     const deployOutput: ChannelSuccessResult = (await deployPreview(
-      "my-file",
+      { gacFilename: "my-file" },
       baseChannelDeployConfig
     )) as ChannelSuccessResult;
 
@@ -94,7 +94,7 @@ describe("deploy", () => {
       exec.exec = jest.fn(fakeExec);
 
       const deployOutput: ChannelSuccessResult = (await deployPreview(
-        "my-file",
+        { gacFilename: "my-file" },
         baseChannelDeployConfig
       )) as ChannelSuccessResult;
 
@@ -117,7 +117,7 @@ describe("deploy", () => {
         target: "my-second-site",
       };
 
-      await deployPreview("my-file", config);
+      await deployPreview({ gacFilename: "my-file" }, config);
 
       // Check the arguments that exec was called with
       // @ts-ignore Jest adds a magic "mock" property
@@ -134,7 +134,7 @@ describe("deploy", () => {
       exec.exec = jest.fn(fakeExec);
 
       const deployOutput: ProductionSuccessResult = (await deployProductionSite(
-        "my-file",
+        { gacFilename: "my-file" },
         baseLiveDeployConfig
       )) as ProductionSuccessResult;