Add a cloudbuild.yaml for GCB #1315
Conversation
875c7d6 to
9adb9f0
Compare
|
Why not go the other way around and replace those GCB runs with GitHub Actions? You can now use OIDC for securely pushing images to Google Cloud: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform Would be less maintenance and better DX as we all know nobody looks at (or understands) GCB logs 😀 |
|
Gosh, with 2x the CI builds post-#1290 it's even harder to get a clean build. :-/ |
That's not a bad idea, not sure I want to set the plow that deep though since it involves getting buy-in from other teams and this is an action item for a CI incident, I'd like to resolve sooner than later to prevent future bugs from taking down CI. |
I think there may actually be a loophole where direct links to raw GCB output is available with no authentication. Generally the GCB build should be green if the rest are, of course until we once again hit something like this is designed to catch in the first place. Hopefully rare though. I like @BYK's suggestion as a way to make this more open, but again I think that is a future improvement. |
|
Happy to give you a hand as the GCB config for Sentry itself is already public (along with Snuba and Relay). All I'd need from your end would be setting up OIDC which should be a breeze. |
|
Thanks @BYK. Merging this for now. I don't have bandwidth to drive GCB→GHA right now but if you start making PRs I will try to keep up. 😁 |
Closes #1311.