From e8929274889d1659f4199ba9f27ac453f60b7ecf Mon Sep 17 00:00:00 2001
From: Pigbibi <20649888+Pigbibi@users.noreply.github.com>
Date: Fri, 8 May 2026 04:36:18 +0800
Subject: [PATCH] Fix Cloud Run invocation ID token
---
 .github/workflows/invoke-cloud-run.yml | 25 +++++++++++++++++++++----
 tests/test_invoke_cloud_run_workflow.sh | 5 ++++-
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/invoke-cloud-run.yml b/.github/workflows/invoke-cloud-run.yml
index 733371e..8f9de5f 100644
--- a/.github/workflows/invoke-cloud-run.yml
+++ b/.github/workflows/invoke-cloud-run.yml
@@ -63,7 +63,8 @@ jobs:
 project_id: ${{ env.GCP_PROJECT_ID }}
 version: ">= 416.0.0"
 
- - name: Invoke service
+ - name: Resolve service URL
+ id: service
 run: |
 set -euo pipefail
 
@@ -85,8 +86,24 @@ jobs:
 exit 1
 fi
 
- token="$(gcloud auth print-identity-token --audiences="${service_url}")"
+ echo "url=${service_url}" >> "$GITHUB_OUTPUT"
+ echo "path=${raw_path}" >> "$GITHUB_OUTPUT"
+
+ - name: Authenticate for service invocation
+ id: invoke-auth
+ uses: google-github-actions/auth@v3
+ with:
+ workload_identity_provider: ${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+ service_account: ${{ env.GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}
+ token_format: id_token
+ id_token_audience: ${{ steps.service.outputs.url }}
+ id_token_include_email: true
+
+ - name: Invoke service
+ run: |
+ set -euo pipefail
+
 curl --fail-with-body --show-error --silent \
 --request POST \
- --header "Authorization: Bearer ${token}" \
- "${service_url}${raw_path}"
+ --header "Authorization: Bearer ${{ steps.invoke-auth.outputs.id_token }}" \
+ "${{ steps.service.outputs.url }}${{ steps.service.outputs.path }}"
diff --git a/tests/test_invoke_cloud_run_workflow.sh b/tests/test_invoke_cloud_run_workflow.sh
index 56e73bf..531c710 100644
--- a/tests/test_invoke_cloud_run_workflow.sh
+++ b/tests/test_invoke_cloud_run_workflow.sh
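Review bot: The new `Invoke service` step interpolates `${{ steps.invoke-auth.outputs.id_token }}`, `${{ steps.service.outputs.url }}` and `${{ steps.service.outputs.path }}` straight into the `run:` script body; GitHub substitutes expression values into the script text before bash starts, so any shell metacharacters in those values are executed as code rather than passed as data. The `path` output is written from `raw_path` in the `Resolve service URL` script, whose beginning (and therefore the origin of `raw_path`) lies outside the hunk, so it cannot be confirmed here that the value is free of such characters. Passing the three values through `env:` and referencing them as quoted shell variables removes that exposure and also keeps the bearer token out of the script text. For the same reason, `echo "path=${raw_path}" >> "$GITHUB_OUTPUT"` deserves a check that `raw_path` contains no newline, since a newline in an output value can define further outputs.

```yaml
# … unchanged: Resolve service URL outputs and the invoke-auth step …
      - name: Invoke service
        env:
          ID_TOKEN: ${{ steps.invoke-auth.outputs.id_token }}
          SERVICE_URL: ${{ steps.service.outputs.url }}
          SERVICE_PATH: ${{ steps.service.outputs.path }}
        run: |
          set -euo pipefail

          curl --fail-with-body --show-error --silent \
            --request POST \
            --header "Authorization: Bearer ${ID_TOKEN}" \
            "${SERVICE_URL}${SERVICE_PATH}"
```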
@@ -14,6 +14,9 @@ grep -Fq "CLOUD_RUN_REGION: \${{ vars.CLOUD_RUN_REGION }}" "$workflow_file"
 grep -Fq "CLOUD_RUN_SERVICE: \${{ vars.CLOUD_RUN_SERVICE }}" "$workflow_file"
 grep -Fq "longbridge-hk|longbridge-sg" "$workflow_file"
 grep -Fq "gcloud run services describe \"\${CLOUD_RUN_SERVICE}\"" "$workflow_file"
-grep -Fq "gcloud auth print-identity-token --audiences=\"\${service_url}\"" "$workflow_file"
+grep -Fq "token_format: id_token" "$workflow_file"
+grep -Fq "id_token_audience: \${{ steps.service.outputs.url }}" "$workflow_file"
+grep -Fq "id_token_include_email: true" "$workflow_file"
 grep -Fq "curl --fail-with-body --show-error --silent" "$workflow_file"
 grep -Fq -- "--request POST" "$workflow_file"
+grep -Fq "steps.invoke-auth.outputs.id_token" "$workflow_file"
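Review bot: The new assertions check that the `id_token` strings are present but never check that the removed `gcloud auth print-identity-token` call is gone, so a workflow that reintroduced the old token path next to the new one would still pass; add `! grep -Fq "gcloud auth print-identity-token" "$workflow_file"` beside the new greps. The greps also do not tie `id_token_audience` to the step whose output the curl line consumes, so `grep -Fq "id: invoke-auth" "$workflow_file"` would at least pin the step id that `steps.invoke-auth.outputs.id_token` depends on. The script's preamble, including the `workflow_file` assignment and any `set -e`, is outside the hunk.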