Permissions to dev base SA

This commit is contained in:
Josh 2025-09-12 16:42:09 +00:00
parent 1e28611867
commit 4d6aa9b1d3


@ -21,7 +21,7 @@ steps:
apt-get update -qq && apt-get install -y -qq skopeo apt-get update -qq && apt-get install -y -qq skopeo
# 👉 impersonate BEFORE minting any tokens # 👉 impersonate BEFORE minting any tokens
gcloud config set auth/impersonate_service_account "woodpecker-ci@aptivaai-dev.iam.gserviceaccount.com" >/dev/null >/dev/null
echo "impersonating: $(gcloud config get-value auth/impersonate_service_account)" echo "impersonating: $(gcloud config get-value auth/impersonate_service_account)"
TOKEN="$(gcloud auth print-access-token)" TOKEN="$(gcloud auth print-access-token)"
@ -62,7 +62,7 @@ steps:
- | - |
set -euo pipefail set -euo pipefail
if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
gcloud config set auth/impersonate_service_account "woodpecker-ci@aptivaai-dev.iam.gserviceaccount.com"
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)" PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
[ "$IMG_TAG" = "$PROD_TAG" ] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$PROD_TAG"; exit 1; } [ "$IMG_TAG" = "$PROD_TAG" ] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$PROD_TAG"; exit 1; }
@ -87,7 +87,7 @@ steps:
- | - |
set -euo pipefail set -euo pipefail
if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
gcloud config set auth/impersonate_service_account "woodpecker-ci@aptivaai-dev.iam.gserviceaccount.com"
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
@ -118,7 +118,7 @@ steps:
mkdir -p ~/.ssh mkdir -p ~/.ssh
# Pull SSH materials for PROD from aptivaai-dev SM (same pattern as staging) # Pull SSH materials for PROD from aptivaai-dev SM (same pattern as staging)
gcloud config set auth/impersonate_service_account "woodpecker-ci@aptivaai-dev.iam.gserviceaccount.com"
gcloud secrets versions access latest \ gcloud secrets versions access latest \
--secret=PROD_SSH_KEY --project=aptivaai-dev \ --secret=PROD_SSH_KEY --project=aptivaai-dev \
| base64 -d > ~/.ssh/id_ed25519 | base64 -d > ~/.ssh/id_ed25519
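Review bot: The PROD_SSH_KEY fetched at the end of this hunk is written to `~/.ssh/id_ed25519` through a plain redirect, so the file takes the step's default umask and ssh will refuse a key that is group- or world-readable; unless a `chmod 600` follows outside the hunk, put `umask 077` before the `gcloud secrets versions access` (or `chmod 600 ~/.ssh/id_ed25519` immediately after the `base64 -d`). More broadly, the three `gcloud config set auth/impersonate_service_account` lines this commit appears to add make the single dev-project SA `woodpecker-ci@aptivaai-dev` the identity that reads `IMG_TAG` from `aptivaai-prod` and the prod SSH private key, so anyone who can trigger this manual pipeline or impersonate that SA from the dev project effectively holds prod deploy access — a separate prod-scoped SA impersonated only in the `PROMOTE=prod` steps, with PROD_SSH_KEY kept in the prod project's Secret Manager, would preserve the dev/prod boundary. With the SA email now hardcoded in four places, consider setting it once at pipeline level via `CLOUDSDK_AUTH_IMPERSONATE_SERVICE_ACCOUNT`, and note that `gcloud config set` persists in the gcloud config directory, so if that directory is shared between steps the impersonation also applies to steps that never requested it. The step bodies in the last two hunks continue outside the hunk.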