From c8e280cafa8adad7758967d40dc554280c14df6b Mon Sep 17 00:00:00 2001
From: Varik Matevosyan
Date: Thu, 25 Apr 2024 21:03:10 -0500
Subject: [PATCH] Build Cloud Run deployments in separate GCP projects

---
 .github/workflows/build-migrate-deploy.yml | 13 ++++++-------
 lib/hosting/gcp_apis.rb | 2 +-
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build-migrate-deploy.yml b/.github/workflows/build-migrate-deploy.yml
index 22d7962e1..5a2fb0c04 100644
--- a/.github/workflows/build-migrate-deploy.yml
+++ b/.github/workflows/build-migrate-deploy.yml
@@ -18,13 +18,15 @@ jobs:
 run: |
 if [[ ${{ github.ref }} == 'refs/heads/lantern-main' ]]; then
 echo "branch=production" >> $GITHUB_OUTPUT
+ echo "gcr_image=${IMAGE_PRODUCTION}" >> $GITHUB_OUTPUT
 else
 echo "branch=staging" >> $GITHUB_OUTPUT
+ echo "gcr_image=${IMAGE_STAGING}" >> $GITHUB_OUTPUT
 fi
- echo "gcr_image=${IMAGE}" >> $GITHUB_OUTPUT
 echo "image=lanterndata/lantern-ubicloud" >> $GITHUB_OUTPUT
 env:
- IMAGE: ${{ format('{0}-docker.pkg.dev/{1}/lanterndata/lantern-ubicloud', secrets.GCP_REGION, secrets.GCP_PROJECT_ID) }}
+ IMAGE_STAGING: ${{ format('{0}-docker.pkg.dev/{1}/lanterndata/lantern-ubicloud', secrets.GCP_REGION, secrets.GCP_PROJECT_ID_STAGING) }}
+ IMAGE_PRODUCTION: ${{ format('{0}-docker.pkg.dev/{1}/lanterndata/lantern-ubicloud', secrets.GCP_REGION, secrets.GCP_PROJECT_ID_PRODUCTION) }}
 - name: Checkout code
 uses: actions/checkout@v4
@@ -35,11 +37,8 @@ jobs:
 uses: "google-github-actions/auth@v2"
 with:
 token_format: access_token
- workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
- service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- - name: "Set up Cloud SDK"
- uses: "google-github-actions/setup-gcloud@v2"
-
+ workload_identity_provider: ${{ ( steps.set_env.outputs.branch == 'production' && secrets.GCP_WORKLOAD_IDENTITY_PROVIDER_PRODUCTION) || secrets.GCP_WORKLOAD_IDENTITY_PROVIDER_STAGING }}
+ service_account: ${{ ( steps.set_env.outputs.branch == 'production' && secrets.GCP_WORKLOAD_IDENTITY_PROVIDER_PRODUCTION) || secrets.GCP_SERVICE_ACCOUNT_STAGING }}
 # Build and push image
 - name: Login to GCR Container Registry
 uses: docker/login-action@v3
diff --git a/lib/hosting/gcp_apis.rb b/lib/hosting/gcp_apis.rb
index cbe4132aa..c2ee403be 100644
--- a/lib/hosting/gcp_apis.rb
+++ b/lib/hosting/gcp_apis.rb
@@ -257,7 +257,7 @@ def remove_service_account(service_account_email)
 def export_service_account_key(service_account_email)
 connection = Excon.new("https://iam.googleapis.com", headers: @host[:headers])
- response = connection.post(path: "/v1/projects/#{@project}/serviceAccounts/#{service_account_email}/keys", body: JSON.dump({}), expects: [200, 400])
+ response = connection.post(path: "/v1/projects/#{@project}/serviceAccounts/#{service_account_email}/keys", body: JSON.dump({}), expects: [200, 400, 404, 403])
 Hosting::GcpApis.check_errors(response)
 data = JSON.parse(response.body)
 data["privateKeyData"]
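Review bot: The production arm of the new `service_account:` expression reuses `secrets.GCP_WORKLOAD_IDENTITY_PROVIDER_PRODUCTION`, so on `lantern-main` the auth step is handed a workload-identity-provider resource name where a service-account email belongs; the line should be `service_account: ${{ (steps.set_env.outputs.branch == 'production' && secrets.<PRODUCTION_SERVICE_ACCOUNT_SECRET>) || secrets.GCP_SERVICE_ACCOUNT_STAGING }}`, where the placeholder is the production counterpart of `GCP_SERVICE_ACCOUNT_STAGING` (its name is not on this page). Note also that the `&& … ||` idiom used on both added lines falls through to the staging secret whenever the production secret is unset or empty, so a missing secret makes a production run authenticate with the staging identity instead of failing; a step that checks both production secrets are non-empty when `branch == 'production'` would make that a visible error. The hunk also removes the "Set up Cloud SDK" step, so any later step in this workflow (outside the hunk) that still runs `gcloud` now depends on whatever the runner image preinstalls. The `steps:` list these entries belong to begins before the hunk.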
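Review bot: Adding 403 and 404 to `expects:` stops Excon from raising on those statuses, and whether `Hosting::GcpApis.check_errors` raises for them is not visible here; if it returns, `JSON.parse(response.body)["privateKeyData"]` quietly evaluates to `nil` and the caller gets neither a key nor an error. Because this POST to `.../serviceAccounts/.../keys` creates a new service-account key, a silent `nil` is worth ruling out on the last line, e.g. `data.fetch("privateKeyData")` so a response without a key raises `KeyError` instead. The commit message does not say why 403/404 became expected; a short comment on the `expects:` line recording the reason, with the list ordered `[200, 400, 403, 404]`, would help the next reader. The method's closing `end` lies outside the hunk.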