From 4d6aa9b1d30810a03f5f679203145d9ca8294cad Mon Sep 17 00:00:00 2001
From: Josh
Date: Fri, 12 Sep 2025 16:42:09 +0000
Subject: [PATCH] Permissions to dev base SA

---
 .woodpecker.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.woodpecker.yml b/.woodpecker.yml
index 2a16e22..808fd8a 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -21,7 +21,7 @@ steps:
 apt-get update -qq && apt-get install -y -qq skopeo
 # 👉 impersonate BEFORE minting any tokens
- gcloud config set auth/impersonate_service_account "woodpecker-ci@aptivaai-dev.iam.gserviceaccount.com" >/dev/null
+ >/dev/null
 echo "impersonating: $(gcloud config get-value auth/impersonate_service_account)"
 TOKEN="$(gcloud auth print-access-token)"
@@ -62,7 +62,7 @@ steps:
 - |
 set -euo pipefail
 if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
- gcloud config set auth/impersonate_service_account "woodpecker-ci@aptivaai-dev.iam.gserviceaccount.com"
+
 IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
 PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
 [ "$IMG_TAG" = "$PROD_TAG" ] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$PROD_TAG"; exit 1; }
@@ -87,7 +87,7 @@ steps:
 - |
 set -euo pipefail
 if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
- gcloud config set auth/impersonate_service_account "woodpecker-ci@aptivaai-dev.iam.gserviceaccount.com"
+
 IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
 REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
@@ -118,7 +118,7 @@ steps:
 mkdir -p ~/.ssh
 # Pull SSH materials for PROD from aptivaai-dev SM (same pattern as staging)
- gcloud config set auth/impersonate_service_account "woodpecker-ci@aptivaai-dev.iam.gserviceaccount.com"
+
 gcloud secrets versions access latest \
 --secret=PROD_SSH_KEY --project=aptivaai-dev \
 | base64 -d > ~/.ssh/id_ed25519
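Review bot: The added line in the first hunk (`@@ -21,7 +21,7 @@`) is a bare `>/dev/null` with no command in front of it, a leftover from deleting the `gcloud config set auth/impersonate_service_account ...` line. Bash accepts a redirection on an empty command, so the step will not fail under `set -e`, but the line is dead, and two lines below it `echo "impersonating: $(gcloud config get-value auth/impersonate_service_account)"` now logs an empty value because the property is no longer set, while the comment above still says "impersonate BEFORE minting any tokens". Drop the stray `>/dev/null`, retire or reword that comment, and either remove the echo or have it log the identity that actually mints `TOKEN`, e.g. `echo "active account: $(gcloud auth list --filter=status:ACTIVE --format='value(account)')"`, so the job log shows which service account the access token belongs to. The enclosing step begins before this hunk, so the first lines of its script are not visible here.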
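Review bot: Hunks 2, 3 and 4 (`@@ -62`, `@@ -87`, `@@ -118`) replace the `gcloud config set auth/impersonate_service_account ...` line with an empty line instead of deleting it, leaving a stray blank line inside each `- |` script block; remove the empty `+` line in each. The substantive effect is that the steps which read `IMG_TAG` from `aptivaai-prod` and pull `PROD_SSH_KEY` now run under the runner's default credentials rather than a per-step impersonated service account, and the subject line indicates those permissions were granted to the dev base SA directly, so prod secret access moves from an identity assumed only inside these steps to the identity every job on this runner starts with. That is worth a sentence in the commit message or a comment next to the `gcloud secrets versions access` calls explaining why impersonation was dropped, and a check that the base SA's new grants are limited to exactly these secrets and the prod registry. If steps elsewhere in the file (not visible in these hunks) still call `gcloud config set auth/impersonate_service_account`, note that this setting persists in the gcloud config directory, so whether it carries into these steps depends on whether that directory is shared between steps — confirm before relying on the default identity here.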