github actions/auth失败，没有注入$ACTIONS_ID_TOKEN_REQUEST_TOKEN或$ACTIONS_ID_TOKEN_REQUEST_URL

Question

在github操作中，我正在运行一个尝试将github用于GCP联邦id的操作：

     # see https://github.com/marketplace/actions/authenticate-to-google-cloud#setup
  - id: 'auth'
    name: 'Authenticate to Google Cloud'
    uses: 'google-github-actions/auth@v0'
    with:
      workload_identity_provider: 'projects/1234/locations/global/workloadIdentityPools/my-github-pool/providers/my-github-oidc-provider'
      service_account: 'my-github-sa@projxyz.iam.gserviceaccount.com'

我得到了：

Run google-github-actions/auth@v0

Error: google-github-actions/auth failed with: retry function failed after 1 attempt: 
gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or 
$ACTIONS_ID_TOKEN_REQUEST_URL into this job. 
This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork. 
For more information, please see https://docs.github.com/en/actions/security-guides/automatic- 
token-authentication#permissions-for-the-github_token

我在看参考的医生，但我没有看到任何有用的东西。

我如何让GH注入这些值？

Answer 1

我需要补充一句：

jobs:
   my_job:
   # Need to add these 3 lines to add "id-token" with the intended permissions.
   permissions:
     contents: 'read'
     id-token: 'write'

这里记录了这一点：https://github.com/google-github-actions/auth#usage