From 7763e8e95a6518d01ac1b8029d4fb1b6ac8bb68f Mon Sep 17 00:00:00 2001
From: Lai Jiang <jianglai@google.com>
Date: Fri, 7 Jan 2022 11:06:19 -0500
Subject: [PATCH] Use the service account credential to delete unused versions
 (#1484)

---
 release/cloudbuild-delete.yaml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/release/cloudbuild-delete.yaml b/release/cloudbuild-delete.yaml
index de6ef3976..32510a432 100644
--- a/release/cloudbuild-delete.yaml
+++ b/release/cloudbuild-delete.yaml
@@ -19,11 +19,21 @@
 # expanded in the copies sent to Spinnaker, we preserve the brackets around
 # them for safe pattern matching during release.
 # See https://github.com/spinnaker/spinnaker/issues/3028 for more information.
-steps:
-# Delete unused GAE versions.
+#
 # GAE has a limit of ~250 versions per-project, including unused versions. We
 # therefore need to periodically delete old versions. This GCB job finds all
 # stopped versions and delete all but the last 3 (in case we need to rollback).
+steps:
+# Pull the credential for nomulus tool.
+- name: 'gcr.io/$PROJECT_ID/builder:latest'
+  entrypoint: /bin/bash
+  args:
+  - -c
+  - |
+    set -e
+    gcloud secrets versions access latest \
+      --secret nomulus-tool-cloudbuild-credential > tool-credential.json
+# Delete unused GAE versions.
 - name: 'gcr.io/$PROJECT_ID/builder:latest'
   entrypoint: /bin/bash
   args:
@@ -36,6 +46,8 @@ steps:
       project_id="domain-registry-${_ENV}"
     fi
 
+    gcloud auth activate-service-account --key-file=tool-credential.json
+
     for service in default pubapi backend tools
     do
       for version in $(gcloud app versions list \