bug: fix missing field masks on update (#326)

Fixes GH-316
Fixes GH-318

Author: sethvargo

.github/workflows/unit.yml

@@ -38,11 +38,13 @@ jobs:
     - name: 'npm lint'
       # There's no need to run the linter for each operating system, since it
       # will find the same thing 3x and clog up the PR review.
-      if: ${{matrix.os == 'ubuntu-latest'}}
+      if: ${{ matrix.os == 'ubuntu-latest' }}
       run: 'npm run lint'
 
     - name: 'npm test'
       env:
         DEPLOY_CF_PROJECT_ID: '${{ secrets.DEPLOY_CF_PROJECT_ID }}'
+        DEPLOY_CF_SA_EMAIL: '${{ secrets.DEPLOY_CF_SA_EMAIL }}'
         DEPLOY_CF_SA_KEY_JSON: '${{ secrets.DEPLOY_CF_SA_KEY_JSON }}'
+        DEPLOY_CF_SECRET_VERSION_REF: '${{ secrets.DEPLOY_CF_SECRET_VERSION_REF }}'
       run: 'npm run test'

README.md

@@ -129,7 +129,13 @@ jobs:
     All existing secret volume mounts will be removed, even if this parameter is
     not passed.
 
-- `service_account_email`: (Optional) The email address of the IAM service account associated with the function at runtime.
+- `service_account_email`: (Optional) The email address of the Google Cloud
+  service account to use as the runtime service account for the function. If
+  unspecified, the default Cloud Functions runtime service account is used.
+
+    Note this differs from the service account used to deploy the Cloud
+    Function, which is the currently-authenticated principal. See
+    [Authorization](#Authorization) for more information.
 
 - `timeout`: (Optional) The function execution timeout in seconds. Defaults to 60.
 
@@ -211,17 +217,23 @@ automatically private services, while deploying a revision of a public
 
 ## Authorization
 
-There are a few ways to authenticate this action. A service account will be needed
-with the following roles:
+The _deployment_ service account must have the following IAM permissions:
+
+-   Cloud Functions Admin (`roles/cloudfunctions.admin`)
+
+Additionally, the _deployment_ service account must have permissions to act as
+(impersonate) the _runtime_ service account, which can be achieved by granting
+the deployment _service_ account "roles/iam.serviceAccountUser" permissions on
+the _runtime_ service account. If unspecified, the _runtime_ service account is the App Engine Default Service Account `PROJECT_ID@appspot.gserviceaccount.com`.
 
-- Cloud Functions Admin (`cloudfunctions.admin`):
-  - Can create, update, and delete functions.
-  - Can set IAM policies and view source code.
+In some cases, the Cloud Build service account, which defaults as
+`PROJECT_NUMBER@cloudbuild.gserviceaccount.com`, may also need to be granted
+"roles/iam.serviceAccountUser" permission on the _runtime_ service account.
 
-This service account needs to be a member of the `App Engine default service account`
-`(PROJECT_ID@appspot.gserviceaccount.com)`, with role
-`Service Account User` (`roles/iam.serviceAccountUser`). See [additional configuration for deployment](https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration)
-for further instructions.
+See the Google Cloud documentation to [learn more about custom runtime service
+accounts](https://cloud.google.com/functions/docs/securing/function-identity#individual)
+and [additional configuration for
+deployment](https://cloud.google.com/functions/docs/reference/iam/roles#additional-configuration)
 
 ### Via google-github-actions/auth
 

action.yaml

@@ -121,7 +121,16 @@ inputs:
 
   service_account_email:
     description: |-
-      The email address of the IAM service account associated with the function at runtime.
+      The email address of the Google Cloud service account to use as the
+      runtime service account for the function. If unspecified, the default
+      Cloud Functions runtime service account is used.
+
+      Note this differs from the service account used to deploy the Cloud
+      Function, which is the currently-authenticated principal. However, the
+      deploying service account must have permission to impersonate the runtime
+      service account, which can be achieved by granting the deployment service
+      account "roles/iam.serviceAccountUser" permission on the runtime service
+      account.
     required: false
 
   timeout: