From ae897e64645062a91d3f5cbb22bfcef76fa8cd58 Mon Sep 17 00:00:00 2001 From: Greg Pstrucha <875316+gricha@users.noreply.github.com> Date: Thu, 5 Mar 2026 12:52:24 -0800 Subject: [PATCH 1/3] feat(warden): Upload findings to GCS via Workload Identity Federation Authenticate to GCP using OIDC workload identity and upload warden findings JSON to the warden-logs bucket after each PR scan. Files are stored as timestamped JSON under org/repo paths for downstream analysis. Co-Authored-By: Claude Agent transcript: https://claudescope.sentry.dev/share/1bzpd9bFJDpsTMflTcligEabMBUvuiHXGg3hoDQHdvI --- .github/workflows/warden.yml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/.github/workflows/warden.yml b/.github/workflows/warden.yml index 23222a0..ea8e898 100644 --- a/.github/workflows/warden.yml +++ b/.github/workflows/warden.yml @@ -9,6 +9,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + id-token: write env: WARDEN_ANTHROPIC_API_KEY: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }} WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }} 
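Review bot: `id-token: write` is granted at the job level, so every step in the job, including the third-party `getsentry/warden@v0` step and the app-token step that run before the GCS auth, can request an OIDC token that the `prod-github` pool will accept, not only the upload steps. Consider moving the auth and upload into a separate job that carries `id-token: write` and consumes the findings as an artifact, so the scanning job keeps `contents: read` alone; if that is too heavy for now, record the trade-off next to the permission with `# id-token: write lets every step in this job mint OIDC tokens; keep the pool's attribute condition bound to this repo/workflow`. Whether the pool's attribute condition actually restricts the token to this repository and workflow cannot be checked from this hunk. The job definition begins before this hunk.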
@@ -24,7 +25,29 @@ jobs: private-key: ${{ secrets.WARDEN_PRIVATE_KEY }} owner: ${{ github.repository_owner }} # access to all repos, cause this is triggered on org level + - name: Authenticate to Google Cloud + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 + with: + workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool + service_account: gha-warden@sac-prod-sa.iam.gserviceaccount.com + - uses: getsentry/warden@v0 + id: warden continue-on-error: true # throw no error for now with: - github-token: ${{ steps.app-token.outputs.token }} \ No newline at end of file + github-token: ${{ steps.app-token.outputs.token }} + + - name: Rename findings file with timestamp + id: rename-findings + if: always() + run: | + DEST="$RUNNER_TEMP/$(date -u +%Y-%m-%dT%H%M%SZ).json" + cp "${{ steps.warden.outputs.findings-file }}" "$DEST" + echo "path=$DEST" >> "$GITHUB_OUTPUT" + + - name: Upload findings to GCS + uses: google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2 + if: always() + with: + path: ${{ steps.rename-findings.outputs.path }} + destination: warden-logs/${{ github.repository }} \ No newline at end of file From 43a514fc00a07039ecf4a705c13ac6d5db20e0f7 Mon Sep 17 00:00:00 2001 From: Greg Pstrucha <875316+gricha@users.noreply.github.com> Date: Thu, 5 Mar 2026 13:00:38 -0800 Subject: [PATCH 2/3] fix(warden): Address review feedback on GCS upload steps Move GCP auth after warden scan with continue-on-error so auth failures don't block scanning. Guard rename/upload on findings-file being non-empty. Use env var instead of direct expression interpolation. Co-Authored-By: Claude Agent transcript: https://claudescope.sentry.dev/share/BKBjQj046vaZRSSn53ACddWCi8IA4OfcDBXrt63hk7U --- .github/workflows/warden.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) 
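Review bot: The `DEST` name in the rename step is only second-granular, so two runs of the same repository that start in the same second (re-runs, concurrent PRs) write to the same object under `warden-logs/${{ github.repository }}` and the later upload silently overwrites the earlier findings; the later patches in this series keep the same naming. Including the run identity makes the key unique and traceable back to the workflow run, e.g. `DEST="$RUNNER_TEMP/$(date -u +%Y-%m-%dT%H%M%SZ)-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}.json"`. As a point of style, the `google-github-actions/auth` pin carries no version comment while the upload action has `# v2`; adding the matching comment after the SHA keeps future dependency updates reviewable. The steps sequence begins before this hunk.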
diff --git a/.github/workflows/warden.yml b/.github/workflows/warden.yml index ea8e898..73a6b19 100644 --- a/.github/workflows/warden.yml +++ b/.github/workflows/warden.yml @@ -25,29 +25,32 @@ jobs: private-key: ${{ secrets.WARDEN_PRIVATE_KEY }} owner: ${{ github.repository_owner }} # access to all repos, cause this is triggered on org level - - name: Authenticate to Google Cloud - uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 - with: - workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool - service_account: gha-warden@sac-prod-sa.iam.gserviceaccount.com - - uses: getsentry/warden@v0 id: warden continue-on-error: true # throw no error for now with: github-token: ${{ steps.app-token.outputs.token }} + - name: Authenticate to Google Cloud + continue-on-error: true + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 + with: + workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool + service_account: gha-warden@sac-prod-sa.iam.gserviceaccount.com + - name: Rename findings file with timestamp id: rename-findings - if: always() + if: always() && steps.warden.outputs.findings-file != '' + env: + FINDINGS_FILE: ${{ steps.warden.outputs.findings-file }} run: | DEST="$RUNNER_TEMP/$(date -u +%Y-%m-%dT%H%M%SZ).json" - cp "${{ steps.warden.outputs.findings-file }}" "$DEST" + cp "$FINDINGS_FILE" "$DEST" echo "path=$DEST" >> "$GITHUB_OUTPUT" - name: Upload findings to GCS uses: google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2 - if: always() + if: always() && steps.rename-findings.outputs.path != '' with: path: ${{ steps.rename-findings.outputs.path }} destination: warden-logs/${{ github.repository }} \ No newline at end of file From c3d1693186c647decb2d51c89b2f2d1a41cf16a0 Mon Sep 17 00:00:00 2001 
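Review bot: The rename step has no `continue-on-error`, so when `findings-file` is non-empty but names a path that does not exist (for example warden set the output before failing), `cp` exits non-zero and the job fails despite the "throw no error for now" intent; patch 3 only covers the upload step. A guard in the script keeps that path quiet and also leaves `path` unset so the upload's `!= ''` condition skips it: `[ -s "$FINDINGS_FILE" ] || { echo "::warning::no findings file at $FINDINGS_FILE"; exit 0; }`. Separately, `always()` on both the rename and upload `if:` lines runs them even when the workflow run is cancelled; `!cancelled()` is the usual choice when the intent is "run after failure but not after cancellation". The steps sequence begins before this hunk.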
From: Greg Pstrucha <875316+gricha@users.noreply.github.com> Date: Thu, 5 Mar 2026 13:05:11 -0800 Subject: [PATCH 3/3] fix(warden): Add continue-on-error to GCS upload step Prevent upload failures (e.g. from failed GCP auth) from failing the entire workflow job. Co-Authored-By: Claude --- .github/workflows/warden.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/warden.yml b/.github/workflows/warden.yml index 73a6b19..455aaf4 100644 --- a/.github/workflows/warden.yml +++ b/.github/workflows/warden.yml @@ -49,6 +49,7 @@ jobs: echo "path=$DEST" >> "$GITHUB_OUTPUT" - name: Upload findings to GCS + continue-on-error: true uses: google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2 if: always() && steps.rename-findings.outputs.path != '' with:
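Review bot: `continue-on-error: true` on the upload step hides every upload failure (denied bucket permission, wrong destination, transient errors), not just the failed-auth case the commit message describes, and nothing in the job then surfaces that findings were lost. Since the auth step already has `continue-on-error: true`, give it an `id: gcp-auth` and gate the upload on its outcome, `if: '!cancelled() && steps.gcp-auth.outcome == ''success'' && steps.rename-findings.outputs.path != '''''`, so an auth failure skips the upload while a genuine upload failure still shows as a step failure. If the job must stay green regardless, keep `continue-on-error` but add a comment stating that upload failures are intentionally non-blocking and where they are monitored. The auth step and the rest of the steps sequence lie outside this hunk.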