From fc4a716ef1b7d966d0446f65b99ce0a385fab578 Mon Sep 17 00:00:00 2001
From: LongYinan
Date: Thu, 27 Feb 2025 17:34:00 +0800
Subject: [PATCH] fix: add missing annotation to apps serviceAccount (#10484)
---
 .github/actions/deploy/deploy.mjs | 23 +++++++++++++++--------
 .github/workflows/deploy.yml | 1 +
 .github/workflows/sync-i18n.yml | 2 +-
 .prettierignore | 2 +-
 tsconfig.eslint.json | 2 +-
 5 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/.github/actions/deploy/deploy.mjs b/.github/actions/deploy/deploy.mjs
index b067265248..bc7a7bff98 100644
--- a/.github/actions/deploy/deploy.mjs
+++ b/.github/actions/deploy/deploy.mjs
@@ -25,6 +25,7 @@ const {
 AFFINE_GOOGLE_CLIENT_ID,
 AFFINE_GOOGLE_CLIENT_SECRET,
 CLOUD_SQL_IAM_ACCOUNT,
+ APP_IAM_ACCOUNT,
 GCLOUD_CONNECTION_NAME,
 GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT,
 REDIS_HOST,
@@ -99,16 +100,22 @@ const createHelmCommand = ({ isDryRun }) => { `--set-string global.redis.password="${REDIS_PASSWORD}"`, ] : []; - const serviceAnnotations = + const serviceAnnotations = [ + `--set-json web.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`, + `--set-json graphql.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`, + `--set-json sync.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`, + `--set-json doc.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`, + ].concat( isProduction || isBeta || isInternal ? [ - `--set-json web.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`, - `--set-json graphql.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`, - `--set-json sync.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`, - `--set-json cloud-sql-proxy.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`, - `--set-json cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`, + `--set-json web.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`, + `--set-json graphql.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`, + `--set-json sync.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`, + `--set-json cloud-sql-proxy.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }"`, + `--set-json cloud-sql-proxy.nodeSelector="{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }"`, ] - : []; + : [] + ); const cpu = cpuConfig[buildType]; const resources = cpu 
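Review bot: The four new `serviceAccount.annotations` entries are emitted for every build type, unlike the `cloud-sql-proxy` annotation that stays behind `isProduction || isBeta || isInternal`, and `APP_IAM_ACCOUNT` is interpolated into them without any check. If the secret is not defined for an environment, the chart would receive an empty or literal `undefined` value for `iam.gke.io/gcp-service-account` on the web, graphql, sync and doc service accounts, and the mistake would presumably surface only at runtime when a pod requests Google credentials. A guard ahead of the array, such as `if (!APP_IAM_ACCOUNT) throw new Error('APP_IAM_ACCOUNT is not set');`, would make the deploy fail early instead. All four workloads are also bound to the same Google service account, so each of them receives whatever IAM roles the most privileged one needs; separate accounts per workload would keep that scope narrower if their needs differ. `createHelmCommand` starts and ends outside this hunk.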
@@ -136,7 +143,7 @@ const createHelmCommand = ({ isDryRun }) => {
 `--namespace ${namespace}`,
 `--set-string global.app.buildType="${buildType}"`,
 `--set global.ingress.enabled=true`,
- `--set-json global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }\"`,
+ `--set-json global.ingress.annotations="{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }"`,
 `--set-string global.ingress.host="${host}"`,
 `--set global.objectStorage.r2.enabled=true`,
 `--set-string global.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 95b3067851..0507a7e2bb 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -116,6 +116,7 @@ jobs:
 REDIS_HOST: ${{ secrets.REDIS_HOST }}
 REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
 CLOUD_SQL_IAM_ACCOUNT: ${{ secrets.CLOUD_SQL_IAM_ACCOUNT }}
+ APP_IAM_ACCOUNT: ${{ secrets.APP_IAM_ACCOUNT }}
 STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
 STRIPE_WEBHOOK_KEY: ${{ secrets.STRIPE_WEBHOOK_KEY }}
 STATIC_IP_NAME: ${{ secrets.STATIC_IP_NAME }}
diff --git a/.github/workflows/sync-i18n.yml b/.github/workflows/sync-i18n.yml
index ebb83c864b..166acdf4d1 100644
--- a/.github/workflows/sync-i18n.yml
+++ b/.github/workflows/sync-i18n.yml
@@ -53,7 +53,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: l10n_crowdin_translations
-
+
 - name: Setup Node.js
 uses: ./.github/actions/setup-node
 with:
diff --git a/.prettierignore b/.prettierignore
index fb739dc28e..d885edf83c 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,7 +1,7 @@
 # we will make this file shared by prettier|eslint|oxlint
 **/node_modules
 .yarn
-.github
+.github/helm
 .vscode
 .yarnrc.yml
 .docker
diff --git a/tsconfig.eslint.json b/tsconfig.eslint.json
index 3b54dc9419..c774e4f623 100644
--- a/tsconfig.eslint.json
+++ b/tsconfig.eslint.json
@@ -3,7 +3,7 @@
 "compilerOptions": {
 "allowJs": true
 },
- "include": ["."],
+ "include": [".", ".github/actions/*/*.mjs"],
 "exclude": [
 "**/target",
 "**/node_modules",