Random failures with Direct Workflow Identity Federation #486

@spiritualpad

TL;DR

When using Direct WIF, the auth step sometimes fails (happens about 1 in 10 times). This seems like a transient issue that can be easily resolved by retries, which were removed in a previous PR.

Expected behavior

Auth to succeed

Observed behavior

Auth failed. Sometimes. Very rarely. Should work on a retry.

Action YAML

- name: Google Auth
  uses: 'google-github-actions/auth@v2'
  with:
    project_id: '######'
    workload_identity_provider: 'projects/####/locations/global/workloadIdentityPools/github-actions-oidc/providers/github-actions-oidc'

Log output

##[debug]Evaluating condition for step: 'Google Auth'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Google Auth
##[debug]Register post job cleanup for action: google-github-actions/auth@v2
##[debug]Loading inputs
##[debug]Loading env
Run google-github-actions/auth@v2
  with:
    project_id: ######
    workload_identity_provider: projects/######051564/locations/global/workloadIdentityPools/github-actions-oidc/providers/github-actions-oidc
    create_credentials_file: true
    export_environment_variables: true
    universe: googleapis.com
    cleanup_credentials: true
    access_token_lifetime: 3600s
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    id_token_include_email: false
##[debug]Using workload identity provider "projects/778043051564/locations/global/workloadIdentityPools/github-actions-oidc/providers/github-actions-oidc"
##[debug]ID token url is https://pipelinesghubeus22.actions.githubusercontent.com/7et02vARE37mykD03XezRL8l5L7Jz3dtv6U6QiB5nn1eQleimZ/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/5ab48a2e-232d-480a-9774-a000bf53a3e9/jobs/4d9fb389-d6cb-54da-bd2c-8d14fde623e4/idtoken?api-version=2.0&audience=https%3A%2F%2Fiam.googleapis.com%2Fprojects%2F778043051564%2Flocations%2Fglobal%2FworkloadIdentityPools%2Fgithub-actions-oidc%2Fproviders%2Fgithub-actions-oidc
::add-mask::***
##[debug]WorkloadIdentityFederationClient: Computed audience, //iam.googleapis.com/projects/778043051564/locations/global/workloadIdentityPools/github-actions-oidc/providers/github-actions-oidc
##[debug]Creating credentials file
##[debug]WorkloadIdentityFederationClient.createCredentialsFile: Creating credentials, {
##[debug]  "outputPath": "/runner-tmp/######/gha-creds-d138bbcd82ab9820.json"
##[debug]}
Created credentials file at "/runner-tmp/######/gha-creds-d138bbcd82ab9820.json"
##[debug]WorkloadIdentityFederationClient.getToken: Built request, {
##[debug]  "method": "POST",
##[debug]  "path": "https://sts.googleapis.com/v1/token",
##[debug]  "headers": {},
##[debug]  "body": {
##[debug]    "audience": "//iam.googleapis.com/projects/######/locations/global/workloadIdentityPools/github-actions-oidc/providers/github-actions-oidc",
##[debug]    "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
##[debug]    "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
##[debug]    "scope": "https://www.googleapis.com/auth/cloud-platform",
##[debug]    "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
##[debug]    "subjectToken": "***"
##[debug]  }
##[debug]}
Error: google-github-actions/auth failed with: failed to generate Google Cloud federated token for //iam.googleapis.com/projects/######locations/global/workloadIdentityPools/github-actions-oidc/providers/github-actions-oidc: getaddrinfo EAI_AGAIN sts.googleapis.com
##[debug]Node Action run completed with exit code 1
##[debug]CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE='/runner-tmp/######/gha-creds-d138bbcd82ab9820.json'
##[debug]GOOGLE_APPLICATION_CREDENTIALS='/runner-tmp/######/gha-creds-d138bbcd82ab9820.json'
##[debug]GOOGLE_GHA_CREDS_PATH='/runner-tmp/######/gha-creds-d138bbcd82ab9820.json'
##[debug]Set output credentials_file_path = /runner-tmp/######/gha-creds-d138bbcd82ab9820.json
##[debug]Set output project_id = #######
##[debug]Finishing: Google Auth

Additional information

No response
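
The log above fails at name resolution (`getaddrinfo EAI_AGAIN sts.googleapis.com`), before the STS endpoint ever evaluates the token. The following is an added example, not code from the issue or from google-github-actions/auth: a retry wrapper that retries only that class of transient failure and surfaces a real denial from the token exchange immediately. All function names, the error-code list, the `status` property and the backoff limits are assumptions made for illustration.

```javascript
// Added example: retry only transient network failures of the token exchange.
// Codes are Node.js system error codes; the list and limits are assumptions.
const TRANSIENT_CODES = new Set(['EAI_AGAIN', 'ECONNRESET', 'ETIMEDOUT']);

// True when the failure happened at DNS/socket level, or the server
// reported a temporary condition (429 or 5xx on a hypothetical err.status).
function isTransient(err) {
  const code = err.code || (err.cause && err.cause.code);
  if (code && TRANSIENT_CODES.has(code)) return true;
  const status = err.status;
  // Any other 4xx (bad audience, rejected attribute condition) is a real
  // denial: it must fail the step at once and never be retried away.
  return status === 429 || (status >= 500 && status <= 599);
}

// Exponential backoff schedule in ms, capped: 250, 500, 1000, ...
function backoffDelays(retries, baseMs = 250, capMs = 4000) {
  return Array.from({ length: retries }, (_, i) => Math.min(capMs, baseMs * 2 ** i));
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Runs fn, retrying transient failures only. `wait` is injectable for tests.
async function withRetry(fn, { retries = 3, wait = sleep } = {}) {
  const delays = backoffDelays(retries);
  for (let attempt = 0; ; attempt++) {
    try {
      return await fn(attempt);
    } catch (err) {
      if (attempt >= retries || !isTransient(err)) throw err;
      await wait(delays[attempt]);
    }
  }
}

// Constructed stand-in for the exchange: fails like the log above, then succeeds.
function makeFlakyExchange(failures) {
  let calls = 0;
  const exchange = async () => {
    calls++;
    if (calls <= failures) {
      const err = new Error('getaddrinfo EAI_AGAIN sts.googleapis.com');
      throw Object.assign(err, { code: 'EAI_AGAIN' });
    }
    return 'constructed-federated-token';
  };
  exchange.calls = () => calls;
  return exchange;
}
```

Keeping the retry budget small and the classification strict means a misconfigured provider or a rejected token still fails the job on the first attempt instead of being hidden behind retries.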

Labels: bug (Something isn't working)
