From 154d49869940479c0fc4c379affbeb1df8708f52 Mon Sep 17 00:00:00 2001 From: Dalton Alvarenga Date: Thu, 7 May 2026 10:57:50 -0300 Subject: [PATCH] =?UTF-8?q?fix(ci):=20seta=20quota=5Fproject=20pro=20gclou?= =?UTF-8?q?d=20builds=20submit=20n=C3=A3o=20500=20em=20service=20usage?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `gcloud builds submit` faz uma chamada interna à Service Usage API antes de uploadar o source pro bucket _cloudbuild. Quando autentica via SA key (google-github-actions/auth), o credentials file não tem quota_project, e gcloud cai num default que não é corepetro — a chamada à SU falha com "serviceusage.services.use forbidden" mesmo com roles/serviceusage.serviceUsageConsumer concedida no projeto. Fix: setar billing/quota_project explícito antes do builds submit + env var CLOUDSDK_BILLING_QUOTA_PROJECT como cinto-suspensório.
---
 .gitea/workflows/cd.yml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/cd.yml b/.gitea/workflows/cd.yml
index e1307bb..43730bb 100644
--- a/.gitea/workflows/cd.yml
+++ b/.gitea/workflows/cd.yml
@@ -37,9 +37,18 @@ jobs:
 project_id: ${{ secrets.GCP_PROJECT }}
 - name: Build & push (Cloud Build, sem Docker local)
+ env:
+ # SA key auth não popula quota_project no credentials file → gcloud
+ # cai em "default" e a chamada à Service Usage API falha com
+ # "serviceusage.services.use forbidden" mesmo com a role concedida.
+ CLOUDSDK_BILLING_QUOTA_PROJECT: ${{ secrets.GCP_PROJECT }}
 run: |
 IMG="${IMAGE_BASE}/${{ gitea.event.repository.name }}:lab-${{ gitea.run_number }}"
- gcloud builds submit --tag "$IMG" --project=${{ secrets.GCP_PROJECT }} --timeout=30m
+ gcloud config set billing/quota_project "${{ secrets.GCP_PROJECT }}"
+ gcloud builds submit \
+ --tag "$IMG" \
+ --project=${{ secrets.GCP_PROJECT }} \
+ --timeout=30m
 echo "IMG=$IMG" >> $GITHUB_ENV
 - name: Deploy hml2 (apenas em push pra master/main)
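Review bot: The added `gcloud config set billing/quota_project "${{ secrets.GCP_PROJECT }}"` line writes the quota project into the runner's persistent gcloud configuration, so if the runner's home directory is reused between jobs the setting outlives this workflow and can change which project later jobs are authorized and billed against. The step-level `CLOUDSDK_BILLING_QUOTA_PROJECT` added just above already scopes the same property to this step; I would drop the `config set` line and, if a second guard is still wanted, pass `--billing-project="$CLOUDSDK_BILLING_QUOTA_PROJECT"` on `gcloud builds submit` instead. The new lines also paste `${{ secrets.GCP_PROJECT }}` straight into the script text, unquoted in `--project=`; since the value is now in the step environment, `--project="$CLOUDSDK_BILLING_QUOTA_PROJECT"` keeps the expression out of the shell source. The Deploy step that follows lies outside the hunk, so whether it needs the same env var cannot be confirmed from here.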