fix: add missing annotation to apps serviceAccount (#10484)

2025-02-27 17:34:00 +08:00 · 2025-02-27 17:34:00 +08:00 · fc4a716ef1
commit fc4a716ef1
parent 4c736bc190
5 changed files with 19 additions and 11 deletions
--- a/.github/actions/deploy/deploy.mjs
+++ b/.github/actions/deploy/deploy.mjs
@ -25,6 +25,7 @@ const {
  AFFINE_GOOGLE_CLIENT_ID,
  AFFINE_GOOGLE_CLIENT_SECRET,
  CLOUD_SQL_IAM_ACCOUNT,
+  APP_IAM_ACCOUNT,
  GCLOUD_CONNECTION_NAME,
  GCLOUD_CLOUD_SQL_INTERNAL_ENDPOINT,
  REDIS_HOST,
@ -99,16 +100,22 @@ const createHelmCommand = ({ isDryRun }) => {
          `--set-string global.redis.password="${REDIS_PASSWORD}"`,
        ]
      : [];
-  const serviceAnnotations =
+  const serviceAnnotations = [
+    `--set-json   web.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
+    `--set-json   graphql.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
+    `--set-json   sync.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
+    `--set-json   doc.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${APP_IAM_ACCOUNT}\\" }"`,
+  ].concat(
    isProduction || isBeta || isInternal
      ? [
-          `--set-json   web.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   graphql.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   sync.service.annotations=\"{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }\"`,
-          `--set-json   cloud-sql-proxy.serviceAccount.annotations=\"{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }\"`,
-          `--set-json   cloud-sql-proxy.nodeSelector=\"{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }\"`,
+          `--set-json   web.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
+          `--set-json   graphql.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
+          `--set-json   sync.service.annotations="{ \\"cloud.google.com/neg\\": \\"{\\\\\\"ingress\\\\\\": true}\\" }"`,
+          `--set-json   cloud-sql-proxy.serviceAccount.annotations="{ \\"iam.gke.io/gcp-service-account\\": \\"${CLOUD_SQL_IAM_ACCOUNT}\\" }"`,
+          `--set-json   cloud-sql-proxy.nodeSelector="{ \\"iam.gke.io/gke-metadata-server-enabled\\": \\"true\\" }"`,
        ]
-      : [];
+      : []
+  );

  const cpu = cpuConfig[buildType];
  const resources = cpu
@ -136,7 +143,7 @@ const createHelmCommand = ({ isDryRun }) => {
    `--namespace  ${namespace}`,
    `--set-string global.app.buildType="${buildType}"`,
    `--set        global.ingress.enabled=true`,
-    `--set-json   global.ingress.annotations=\"{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }\"`,
+    `--set-json   global.ingress.annotations="{ \\"kubernetes.io/ingress.class\\": \\"gce\\", \\"kubernetes.io/ingress.allow-http\\": \\"true\\", \\"kubernetes.io/ingress.global-static-ip-name\\": \\"${STATIC_IP_NAME}\\" }"`,
    `--set-string global.ingress.host="${host}"`,
    `--set        global.objectStorage.r2.enabled=true`,
    `--set-string global.objectStorage.r2.accountId="${R2_ACCOUNT_ID}"`,
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -116,6 +116,7 @@ jobs:
          REDIS_HOST: ${{ secrets.REDIS_HOST }}
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
          CLOUD_SQL_IAM_ACCOUNT: ${{ secrets.CLOUD_SQL_IAM_ACCOUNT }}
+          APP_IAM_ACCOUNT: ${{ secrets.APP_IAM_ACCOUNT }}
          STRIPE_API_KEY: ${{ secrets.STRIPE_API_KEY }}
          STRIPE_WEBHOOK_KEY: ${{ secrets.STRIPE_WEBHOOK_KEY }}
          STATIC_IP_NAME: ${{ secrets.STATIC_IP_NAME }}
--- a/.github/workflows/sync-i18n.yml
+++ b/.github/workflows/sync-i18n.yml
@ -53,7 +53,7 @@ jobs:
        uses: actions/checkout@v4
        with:
          ref: l10n_crowdin_translations
-    
+
      - name: Setup Node.js
        uses: ./.github/actions/setup-node
        with:
--- a/.prettierignore
+++ b/.prettierignore
@ -1,7 +1,7 @@
 # we will make this file shared by prettier|eslint|oxlint
 **/node_modules
 .yarn
-.github
+.github/helm
 .vscode
 .yarnrc.yml
 .docker
--- a/tsconfig.eslint.json
+++ b/tsconfig.eslint.json
@ -3,7 +3,7 @@
  "compilerOptions": {
    "allowJs": true
  },
-  "include": ["."],
+  "include": [".", ".github/actions/*/*.mjs"],
  "exclude": [
    "**/target",
    "**/node_modules",