Workload Identity Federation on Chris Liatashttps://liatas.com/tags/workload-identity-federation/Recent content in Workload Identity Federation on Chris LiatasHugoen-usWed, 03 Jun 2026 06:00:00 +0300Keyless Hugo staging: GitLab OIDC + Firebase preview channelshttps://liatas.com/posts/hugo-firebase-preview-channels-gitlab-oidc/Wed, 03 Jun 2026 06:00:00 +0300https://liatas.com/posts/hugo-firebase-preview-channels-gitlab-oidc/<div class="headerclaim">This builds directly on <strong><a href="https://liatas.com/posts/hugo-ci-cd">Continuous Deployment for Hugo websites</a></strong> — the keyless GitLab OIDC + Workload Identity Federation setup. Read that first; here we add a staging preview on a separate branch.</div> <p>The <a href="https://liatas.com/posts/hugo-ci-cd">keyless deploy post</a> gets <code>main</code> → live Firebase Hosting with no stored secrets. The missing half is <strong>staging</strong>: previewing every change at a shareable URL <em>before</em> it goes live. Firebase Hosting <a href="https://firebase.google.com/docs/hosting/test-preview-deploy">preview channels</a> do exactly that — ephemeral, auto-expiring copies of your site, isolated from the live channel — and we can drive them from a <code>dev</code> branch using the <strong>same</strong> Workload Identity Federation (WIF), at no extra cost and with no new infrastructure.</p>Continuous Deployment for Hugo websiteshttps://liatas.com/posts/hugo-ci-cd/Tue, 02 Oct 2018 17:53:53 +0300https://liatas.com/posts/hugo-ci-cd/<div class="headerclaim">The following assume familiarity with Continuous Deployment practices, <a href="https://git-scm.com/">git</a>, Hugo installed and an existing Hugo project, plus a Google Cloud / Firebase project and the <a href="https://cloud.google.com/sdk/"><code>gcloud</code></a> CLI.</div> <aside class="callout"> <h5 class="callout__title"><svg class="callout__icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><polyline points="23 4 23 10 17 10"/><polyline points="1 20 1 14 7 14"/><path d="M3.51 9a9 9 0 0 1 14.85-3.36L23 10M1 14l4.64 4.36A9 9 0 0 0 20.49 15"/></svg><span>Rewritten for 2026</span> </h5> <div class="callout__body"><p>The original post deployed with a long-lived <code>FIREBASE_TOKEN</code> (from <code>firebase login:ci</code>) and walked through building your own Hugo container image. Both are now outdated: <code>firebase login:ci</code> tokens are <a href="https://github.com/firebase/firebase-tools/discussions/6283">deprecated</a>, and a public Hugo-extended image removes the need to maintain your own. This version uses <strong>keyless</strong> authentication via <strong>GitLab OIDC + GCP Workload Identity Federation (WIF)</strong> — no secrets stored in GitLab at all.</p>