Naive use of google-github-actions/auth and
google-github-actions/deploy-appengine can lead to leaked credentials.
In particular, uploading static content from the workspace root leads to
servable copies of the credentials file written by
google-github-actions/auth. This is exactly what the Shaka Player Demo
did. Making matters worse, google-github-actions/auth logs credential
filenames for all to see.
All uploaded credentials were expired before I uploaded this PR.
This fixes the leak by installing a gcloudignore file which prevents the
credentials from being uploaded.
Due to limits in the number of versions you can have deployed at once on
App Engine, we can no longer keep every version of the Shaka Player Demo
deployed. So the version index needs to be aware of which versions are
deployed, and only link to versions that are still available.
This makes the index generator aware of App Engine deployments.
Fixes these issues with the demo index deployment (tested by manual deployment):
- Missing `handlers:` field in app.yaml
- Missing handler for the URL `/`
- Missing Flask entrypoint (even though no dynamic content is generated by it)
Closes#4074
Rather than runtime-querying of appengine versions within the
appengine environment, we can instead generate the index at deployment
time (from git tags) and just serve static content. This simplifies
the system and avoids dependence on Google Cloud.
This was less feasible before we adopted GitHub Actions, but is now
relatively simple. The index will be regenerated when the index code
is updated or when a new release is created.
Closes#4074
The script for deploying the demo version index page has a function
that chooses which versions to display. This script has a special
mode meant for testing that shows a default list of demo versions.
This mode was only supposed to trigger when run locally, but the
check did not work properly, so the demo version index was deploying
with a very out-of-date list of versions.
This fixes that check.
Closes#4074
<!--
Please remember to:
1. Use Conventional Commits syntax (fix: ..., feat: ..., etc.) in commits and
PR title (https://www.conventionalcommits.org/)
2. Tag any related or fixed issues ("Issue #123", "Closes #420")
3. Sign the Google CLA if you haven't (https://cla.developers.google.com)
You may delete this comment from the PR description.
-->
Joey Parrish
dependabot[bot]
theodab