
Add P4SA Flow for Zip Deploy / Local Build #10165

Merged
falahat merged 44 commits into main from zip_deploy_p4sa
Mar 25, 2026

Conversation

@falahat
Contributor

@falahat falahat commented Mar 23, 2026

Description

Scenarios Tested

Test plan:

  • Remove the permission, and do a build without it to confirm it fails
  • Then install this PR/git branch and run the deployment and verify that it auto-adds the permission AND the rollout is successful
  • Verify that a source deployment is successful and NOT changed by this code
  • Verify that this code is NOT triggered if the apphostinglocalbuilds experiment is disabled

Sample Commands

annajowang and others added 30 commits November 22, 2025 01:29
1. Fix for injecting auto-init variables into the build

2. Fixes how we handle dependencies, nodejs paths, modulepaths, etc. This needs closer attention/fixes.

3. Adds env var handling (not secrets) and determines which env vars to pass down to the build
… variants) and include them in the final artifact
…ctually a local build (instead of assuming true.)
…ore strictly. We also remove some hardcoded values and we generalize the code so that it does not affect source deploys.

The goal is to prepare this PR so that we can safely submit it to main (behind the experiment flag.)
…ive. Only run it if it's a local build and the local build experiment flag is enabled.
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the App Hosting deployment preparation by programmatically ensuring that the App Hosting service agent possesses the required IAM permissions for accessing storage resources. This is particularly relevant for scenarios involving local builds, where the service agent needs to interact with project storage. The changes include a new utility function for role assignment, its integration into the deployment workflow under an experimental flag, and comprehensive unit tests to cover these new behaviors and conditions.

Highlights

  • Service Agent Role Enforcement: Introduced a new function, ensureAppHostingServiceAgentRoles, to automatically grant the roles/storage.objectViewer IAM role to the App Hosting service agent. This ensures the service agent has the necessary permissions to access project resources, particularly for local builds.
  • Local Build Integration: Integrated the service agent role enforcement into the prepare step of the deployment process. This check is performed conditionally when localBuild is enabled in the configuration and the apphostinglocalbuilds experiment is active.
  • Experiment Flag Validation: Added validation to ensure that local builds are only attempted when the apphostinglocalbuilds experiment flag is enabled, preventing unexpected behavior if the feature is not active.


@gemini-code-assist (Contributor) Bot left a comment


Code Review

The pull request introduces a new P4SA (Project-level Service Account) flow for App Hosting local builds, ensuring the service agent has necessary roles for accessing project resources like storage. This is implemented by adding a new ensureAppHostingServiceAgentRoles function in src/apphosting/backend.ts and integrating its call into the prepare function in src/deploy/apphosting/prepare.ts when local builds are enabled. The changes also include comprehensive unit tests in src/deploy/apphosting/prepare.spec.ts to cover both the happy path and error conditions related to this new functionality and experiment flag. The JSDoc for the prepare function has also been updated for better clarity.

The code generally adheres to the repository's best practices, such as using the central logger and handling errors gracefully. The new functionality is well-tested, including edge cases like disabled experiments.
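The role-ensuring step described in the summary and review above, as an added example that is not code from firebase-tools or from this PR: it models the read-modify-write against the project IAM policy, keeps the service agent's membership idempotent, leaves conditional bindings alone, carries the policy etag through so a stale write is rejected, and applies the assumed gate (local build plus the apphostinglocalbuilds experiment). The service agent address follows the pattern visible in the thread below (service-<projectNumber>@gcp-sa-firebaseapphosting.iam.gserviceaccount.com); the gate behaviour, the function names and the in-memory FakeProjectIam are illustration assumptions, not the PR's own API.

```typescript
// Added example, not firebase-tools code. Models the PR's "ensure the App
// Hosting service agent holds roles/storage.objectViewer" step as a pure,
// idempotent IAM policy merge plus an in-memory stand-in for the project's
// IAM policy. Policy shapes mirror the GCP v1 Policy resource; the gating
// rules and all function names are assumptions based on the PR description.

export interface Binding {
  role: string;
  members: string[];
  condition?: { expression: string; title?: string }; // only in policy version 3
}

export interface IamPolicy {
  version?: number;
  etag?: string;
  bindings: Binding[];
}

export const STORAGE_OBJECT_VIEWER = "roles/storage.objectViewer";
export const LOCAL_BUILDS_EXPERIMENT = "apphostinglocalbuilds";
const SERVICE_AGENT_DOMAIN = "gcp-sa-firebaseapphosting.iam.gserviceaccount.com";

// Service agent address in the form shown in the PR thread:
// service-<projectNumber>@gcp-sa-firebaseapphosting.iam.gserviceaccount.com
export function appHostingServiceAgent(projectNumber: string): string {
  if (!/^\d+$/.test(projectNumber)) {
    throw new Error(`project number must be numeric, got ${JSON.stringify(projectNumber)}`);
  }
  return `serviceAccount:service-${projectNumber}@${SERVICE_AGENT_DOMAIN}`;
}

// Gate (assumed): run only for local builds, and refuse a local build when the
// experiment is off rather than silently falling back to a source deploy.
export function gateServiceAgentRoles(
  cfg: { localBuild?: boolean },
  enabledExperiments: ReadonlySet<string>,
): "skip" | "ensure" {
  if (!cfg.localBuild) return "skip";
  if (!enabledExperiments.has(LOCAL_BUILDS_EXPERIMENT)) {
    throw new Error(`localBuild requires the ${LOCAL_BUILDS_EXPERIMENT} experiment to be enabled`);
  }
  return "ensure";
}

function clonePolicy(p: IamPolicy): IamPolicy {
  return { ...p, bindings: p.bindings.map((b) => ({ ...b, members: [...b.members] })) };
}

// Pure merge: add `member` to the unconditional binding for `role`. Conditional
// bindings are never appended to, because membership there only grants the
// role while the condition holds. The input is not mutated; the etag is kept so
// the later setIamPolicy call is an optimistic-concurrency write.
export function ensureBinding(
  policy: IamPolicy,
  role: string,
  member: string,
): { policy: IamPolicy; changed: boolean } {
  const next = clonePolicy(policy);
  const target = next.bindings.find((b) => b.role === role && !b.condition);
  if (target && target.members.includes(member)) {
    return { policy: next, changed: false };
  }
  if (target) {
    target.members.push(member);
  } else {
    next.bindings.push({ role, members: [member] });
  }
  return { policy: next, changed: true };
}

// In-memory stand-in for a project's IAM policy (the real client is async).
// Like setIamPolicy, it rejects a write whose etag no longer matches.
export class FakeProjectIam {
  readonly projectNumber: string;
  private policy: IamPolicy;
  private generation = 0;

  constructor(projectNumber: string, initial: Binding[] = []) {
    this.projectNumber = projectNumber;
    this.policy = { version: 1, etag: "etag-0", bindings: initial };
  }

  getIamPolicy(): IamPolicy {
    return clonePolicy(this.policy);
  }

  setIamPolicy(next: IamPolicy): IamPolicy {
    if (next.etag !== this.policy.etag) {
      throw new Error("ABORTED: policy etag is stale; re-read the policy and retry");
    }
    this.generation += 1;
    this.policy = { ...clonePolicy(next), etag: `etag-${this.generation}` };
    return this.getIamPolicy();
  }
}

// Read-modify-write for the service agent role. Returns true when a binding
// was added and false when the agent already held the role (nothing written).
export function ensureAppHostingServiceAgentRole(project: FakeProjectIam): boolean {
  const member = appHostingServiceAgent(project.projectNumber);
  const { policy, changed } = ensureBinding(project.getIamPolicy(), STORAGE_OBJECT_VIEWER, member);
  if (changed) {
    project.setIamPolicy(policy);
  }
  return changed;
}
```

Two things a reviewer of the real change would check: the merge only ever adds to the unconditional binding and never drops existing members, and the write carries the etag from the read, so a concurrent policy change makes setIamPolicy fail rather than overwrite it. roles/storage.objectViewer at project scope reads every bucket in the project, so after a rollout the grant can be confirmed and scoped with `gcloud projects get-iam-policy PROJECT --flatten="bindings[].members" --filter="bindings.members:gcp-sa-firebaseapphosting"`.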

Comment thread on src/apphosting/backend.ts (outdated)
@falahat
Contributor Author

falahat commented Mar 24, 2026

Fails with:

Unable to verify App Hosting service agent permissions for service-394522926746@gcp-sa-firebaseapphosting.iam.gserviceaccount.com

I need to confirm the name is correct

@falahat
Contributor Author

falahat commented Mar 24, 2026

Actually I just needed to show "Google Created Roles" in pantheon and I was able to see the correct user. I also verified that the user role (bucket viewer permission) was added when I ran a deployment!

@falahat falahat marked this pull request as ready for review March 24, 2026 21:09
@falahat falahat requested a review from annajowang March 24, 2026 21:09
@falahat falahat enabled auto-merge (squash) March 25, 2026 15:14
@falahat falahat merged commit b553c37 into main Mar 25, 2026
46 of 47 checks passed
@falahat falahat deleted the zip_deploy_p4sa branch March 25, 2026 15:26


3 participants