From 41804686e53066a677f6b5b7811edb4614a4e11c Mon Sep 17 00:00:00 2001
From: Kenny Leung
Date: Mon, 7 Mar 2022 13:30:28 -0800
Subject: [PATCH] grant cloud build permissions to github action sa (#460)

Signed-off-by: Kenny Leung
---
 hack/github-oidc-setup.sh | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 mode change 100644 => 100755 hack/github-oidc-setup.sh

diff --git a/hack/github-oidc-setup.sh b/hack/github-oidc-setup.sh
old mode 100644
new mode 100755
index 31be68ff8..2012a7149
--- a/hack/github-oidc-setup.sh
+++ b/hack/github-oidc-setup.sh
@@ -68,3 +68,18 @@ gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT}" \
 --project="${PROJECT_ID}" \
 --role="roles/iam.workloadIdentityUser" \
 --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/${LOCATION}/workloadIdentityPools/${POOL_NAME}/attribute.repository/${REPO}"
+
+# Adding binding is idempotent.
+# Used for kicking off cloud build.
+gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+ --project="${PROJECT_ID}" \
+ --role="roles/cloudbuild.builds.editor" \
+ --member="serviceAccount:${SERVICE_ACCOUNT}"
+
+# Adding binding is idempotent.
+# Permission needed to run `gcloud builds`
+# https://cloud.google.com/build/docs/securing-builds/configure-access-to-resources#granting_permissions_to_run_gcloud_commands
+gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+ --project="${PROJECT_ID}" \
+ --role="roles/serviceusage.serviceUsageConsumer" \
+ --member="serviceAccount:${SERVICE_ACCOUNT}"
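Review bot: Both new `gcloud projects add-iam-policy-binding` calls can stall on an interactive prompt when the project's IAM policy already contains a conditional binding, because gcloud then asks which condition the new binding should carry; add `--condition=None \` alongside `--role=` in each call so the setup script stays non-interactive. Unlike the preceding `gcloud iam service-accounts add-iam-policy-binding`, which binds on the service-account resource, these two grants are project-wide, so the "Used for kicking off cloud build." comment should record the scope decision, e.g. `# Project-level grant: the CI service account may submit builds anywhere in ${PROJECT_ID}; narrow this if a tighter scope becomes possible.` The `--project="${PROJECT_ID}"` flag repeats the positional project argument on the same command and could be dropped for clarity. The script's strict-mode settings and the definitions of SERVICE_ACCOUNT/PROJECT_ID lie outside the hunk, so whether a failed binding aborts the run cannot be confirmed from here.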