Reputation: 2749
I recently started working with the Earthly framework for our CI/CD pipelines. My previous pipelines were based on docker and had the following bootstrapping:
    docker run \
      -e GOOGLE_APPLICATION_CREDENTIALS \
      -v ${GOOGLE_APPLICATION_CREDENTIALS}:${GOOGLE_APPLICATION_CREDENTIALS} \
      --rm \
      -i \
      ${IMAGE_NAME}:${IMAGE_TAG} \
      deploy-${target}
What is the best practice for passing the google application credentials file to an Earthly target?
Upvotes: 1
Views: 255
Reputation: 2749
The earthly command has a parameter --secret-file <secret-id>=<path> that loads the contents of a file located at <path> into a secret with ID <secret-id> for use within the build environments.
The secret can be referenced within Earthfile recipes as:

    RUN --secret <arbitrary-env-var-name>=+secrets/<secret-id>

A complete working example would be:
    VERSION 0.6
    FROM node:14.20-slim
    WORKDIR /app

    deps:
        COPY package*.json .
        RUN npm install
        SAVE ARTIFACT package-lock.json AS LOCAL ./package-lock.json
        SAVE ARTIFACT node_modules AS LOCAL ./node_modules

    build:
        FROM +deps
        COPY --dir public src ./
        COPY +deps/node_modules node_modules
        RUN npm run build
        SAVE ARTIFACT build AS LOCAL ./build

    test:
        FROM +build
        RUN npm run tests

    deploy:
        FROM +test
        COPY +build/build build
        COPY firebase.json ./
        RUN npm install -g firebase-tools
        # Mount the secret as a file at the default application credentials path,
        # for this RUN step only.
        RUN --mount=type=secret,id=+secrets/google_app_creds,target=/root/.config/gcloud/application_default_credentials.json \
            firebase deploy \
            --project project-name \
            --only hosting:example.com

The executing command is:

    earthly \
      --ci \
      --secret-file google_app_creds="${GOOGLE_APPLICATION_CREDENTIALS}" \
      +deploy

Please note that compared to the docker flow, the updated one mounts the secret file into a default location for the google application credentials.
Upvotes: 2
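
A pre-flight check that a CI job could run before the earthly command in the answer above, as an added example that is not part of the original post or of Earthly itself. The helper names check_creds_file and earthly_deploy and the return codes are assumptions made for this sketch; the checks (regular non-empty file, no group/other permissions, not stored inside the build context) are added hardening steps, not requirements of --secret-file.

```shell
#!/bin/sh
# Added example, not from the original post. check_creds_file and
# earthly_deploy are hypothetical helper names.

# check_creds_file FILE [CONTEXT_DIR]
# Returns 0 when FILE looks safe to hand to `earthly --secret-file`;
# otherwise prints the reason to stderr and returns non-zero.
check_creds_file() {
    f=$1
    ctx=${2:-.}

    [ -n "$f" ] || { echo "credentials path is empty" >&2; return 2; }
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 3; }
    [ -s "$f" ] || { echo "file is empty: $f" >&2; return 4; }

    # Octal mode: GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -L -c '%a' "$f" 2>/dev/null || stat -L -f '%Lp' "$f") || return 5
    case $mode in
        *00) ;;
        *) echo "mode $mode lets group/other access $f" >&2; return 5 ;;
    esac

    # A key stored under the build context can be swept into a layer by
    # a broad COPY, which defeats the point of a secret mount.
    fdir=$(cd "$(dirname "$f")" && pwd -P) || return 6
    cdir=$(cd "$ctx" && pwd -P) || return 6
    case "$fdir/" in
        "${cdir%/}"/*) echo "$f is inside build context $cdir" >&2; return 6 ;;
    esac
    return 0
}

# Run the deploy target from the answer only if the check passes.
earthly_deploy() {
    check_creds_file "${GOOGLE_APPLICATION_CREDENTIALS:-}" . || return
    earthly --ci \
        --secret-file google_app_creds="${GOOGLE_APPLICATION_CREDENTIALS}" \
        +deploy
}
```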