29 changes: 28 additions & 1 deletion .github/workflows/warden.yml
Expand Up @@ -9,6 +9,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
env:
WARDEN_ANTHROPIC_API_KEY: ${{ secrets.WARDEN_ANTHROPIC_API_KEY }}
WARDEN_MODEL: ${{ secrets.WARDEN_MODEL }}
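Review bot: `id-token: write` is the only additional permission the OIDC exchange with Google Cloud needs, and keeping it job-scoped next to `contents: read` is the right shape; the thing to confirm alongside it is that the workload identity provider's attribute condition restricts which repositories may impersonate `gha-warden@sac-prod-sa.iam.gserviceaccount.com`, because this workflow runs at org level (see the comment on the app-token step further down) and any step in the job can now request a GitHub OIDC token.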
Expand All @@ -25,6 +26,32 @@ jobs:
owner: ${{ github.repository_owner }} # access to all repos, cause this is triggered on org level

- uses: getsentry/warden@v0
id: warden
continue-on-error: true # throw no error for now
with:
github-token: ${{ steps.app-token.outputs.token }}
github-token: ${{ steps.app-token.outputs.token }}

- name: Authenticate to Google Cloud
continue-on-error: true
uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093
with:
workload_identity_provider: projects/868781662168/locations/global/workloadIdentityPools/prod-github/providers/github-oidc-pool
service_account: gha-warden@sac-prod-sa.iam.gserviceaccount.com

- name: Rename findings file with timestamp
id: rename-findings
if: always() && steps.warden.outputs.findings-file != ''
env:
FINDINGS_FILE: ${{ steps.warden.outputs.findings-file }}
run: |
DEST="$RUNNER_TEMP/$(date -u +%Y-%m-%dT%H%M%SZ).json"
cp "$FINDINGS_FILE" "$DEST"
echo "path=$DEST" >> "$GITHUB_OUTPUT"
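Review bot: `continue-on-error: true` on the `Authenticate to Google Cloud` step swallows a failed OIDC exchange, so the later upload runs without credentials and nothing surfaces the root cause; since `id-token: write` was added for exactly this step, either let it fail loudly or give it an `id:` and gate the upload on `steps.<id>.outcome == 'success'` (`outcome` records the result before `continue-on-error` is applied). Separately, the destination name built in `Rename findings file with timestamp` has one-second granularity, so two runs for the same repository in the same second overwrite each other in the bucket; appending `$GITHUB_RUN_ID` to the filename makes the object name unique per run.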
Absolute path may cause silent GCS upload failure

Medium Severity

The rename step writes the destination file to $RUNNER_TEMP which is an absolute path (e.g., /home/runner/work/_temp/...), and this absolute path is passed to upload-cloud-storage's path input. The google-github-actions/upload-cloud-storage action has documented issues with absolute paths and expects relative paths. Even if it doesn't error on Linux, the default parent: true behavior may cause the full directory tree (home/runner/work/_temp/) to be included in the GCS object name, resulting in files stored at an unexpected location instead of the intended gs://warden-logs/<org>/<repo>/<timestamp>.json. Because continue-on-error: true is set, any failure here would be completely silent, making the entire upload feature appear to work while never actually producing usable output.

- name: Upload findings to GCS
continue-on-error: true
uses: google-github-actions/upload-cloud-storage@c0f6160ff80057923ff50e5e567695cea181ec23 # v2
if: always() && steps.rename-findings.outputs.path != ''
with:
path: ${{ steps.rename-findings.outputs.path }}
destination: warden-logs/${{ github.repository }}
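Review bot: with `continue-on-error: true` and `if: always()` on `Upload findings to GCS`, the job is green whether or not an object lands under `warden-logs/${{ github.repository }}`, so a wrong path or a missing bucket permission goes unnoticed; keep the flag while the feature is rolled out if you must, but add a follow-up step that echoes or checks what was uploaded, and drop `continue-on-error` once one run has been verified in the bucket. Minor: this `uses:` pin carries a `# v2` version comment while the `google-github-actions/auth` pin above is a bare SHA; adding the matching version comment there keeps both pins reviewable the same way.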