
Add manual job in CI to deploy secret-matcher to video-scanner-live

Since we can only setup one GitLab/GCP IAM integration under https://gitlab.com/gitlab-com/gl-security/security-research/video-scanner/youtube-video-scanner/-/settings/integrations, I will manually setup the integration to video-scanner-live so we can deploy secret-matcher to video-scanner-live via GitLab CI.

Documented Steps

1. Get the GCP project ID and number:

   ```shell
   gcloud projects describe $LIVE_PROJECT_ID --format="value(projectNumber)"
   ```

   Output:

   ```
   623408993310
   ```

2. Define the GitLab project ID:

   ```shell
   export GITLAB_PROJECT_ID="47653961"
   ```

3. I confirmed that video-scanner-live already has a Workload Identity Pool called GitLab:

   ```shell
   gcloud iam workload-identity-pools describe gitlab \
       --location=global \
       --project=$LIVE_PROJECT_ID
   ```

   ```
   description: GitLab.com Workload Identity Federation Pool
   displayName: GitLab
   name: projects/623408993310/locations/global/workloadIdentityPools/gitlab
   state: ACTIVE
   ```

4. When visiting the Workload Identity Pools page in GCP, I don't see the required provider under this workload identity pool that points to our GitLab project with ID 47653961, so we will run the following commands to create the provider and grant permissions:

   ```shell
   # Create provider. The attribute condition restricts this provider to tokens
   # issued for our GitLab project only, and the allowed audience must match the
   # `aud` claim the CI job requests on its ID token.
   gcloud iam workload-identity-pools providers create-oidc gitlab-project-$GITLAB_PROJECT_ID \
       --project=$LIVE_PROJECT_ID \
       --location=global \
       --workload-identity-pool=gitlab \
       --display-name="gitlab-project-$GITLAB_PROJECT_ID" \
       --description="GitLab OIDC Provider for Project $GITLAB_PROJECT_ID" \
       --attribute-condition="assertion.project_id == \"$GITLAB_PROJECT_ID\"" \
       --attribute-mapping="google.subject=assertion.project_id,attribute.project_id=assertion.project_id,attribute.project_path=assertion.project_path,attribute.ref=assertion.ref,attribute.ref_type=assertion.ref_type,attribute.namespace_id=assertion.namespace_id,attribute.namespace_path=assertion.namespace_path,attribute.user_email=assertion.user_email,attribute.aud=assertion.aud" \
       --allowed-audiences="https://gitlab.com" \
       --issuer-uri="https://gitlab.com"

   # Project number obtained in step 1
   LIVE_PROJECT_NUMBER="623408993310"

   # Principal set: every identity from this pool whose mapped project_id is our GitLab project
   LIVE_WORKLOAD_IDENTITY="principalSet://iam.googleapis.com/projects/${LIVE_PROJECT_NUMBER}/locations/global/workloadIdentityPools/gitlab/attribute.project_id/${GITLAB_PROJECT_ID}"

   # Grant Artifact Registry permissions
   gcloud projects add-iam-policy-binding $LIVE_PROJECT_ID \
       --member="$LIVE_WORKLOAD_IDENTITY" \
       --role="roles/artifactregistry.writer"

   # Grant Cloud Run permissions
   gcloud projects add-iam-policy-binding $LIVE_PROJECT_ID \
       --member="$LIVE_WORKLOAD_IDENTITY" \
       --role="roles/run.admin"

   # Grant service account user permissions
   gcloud projects add-iam-policy-binding $LIVE_PROJECT_ID \
       --member="$LIVE_WORKLOAD_IDENTITY" \
       --role="roles/iam.serviceAccountUser"
   ```

5. Set up CI/CD templates

It was a bit tricky trying to get the live deployment jobs to use this new LIVE_WORKLOAD_IDENTITY; it turns out we need to explicitly override the OIDC credentials in the job. Opened feat: Deploy secret-matcher to video-scanner-li... (!101 - merged) to achieve this.
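As an added illustration of what "explicitly override the OIDC credentials in the job" looks like (this is not the contents of !101), the following manual GitLab CI job requests its own ID token for the `https://gitlab.com` audience, builds a credential config that points at the live pool and provider created above instead of the one the GitLab/GCP IAM integration configures, and then deploys to Cloud Run. The job name, GCP project ID `video-scanner-live`, region, service name and image path are assumptions; the project number, pool, provider name and audience come from the steps above.

```yaml
deploy-secret-matcher-live:
  stage: deploy
  image: google/cloud-sdk:slim
  when: manual                                   # someone must trigger the live deploy
  environment:
    name: video-scanner-live
  variables:
    LIVE_PROJECT_ID: video-scanner-live          # assumption: GCP project ID
    LIVE_PROJECT_NUMBER: "623408993310"          # from step 1
    GITLAB_PROJECT_ID: "47653961"                # from step 2
    LIVE_REGION: us-central1                     # assumption
    SERVICE_NAME: secret-matcher                 # assumption
  id_tokens:
    # aud must equal the provider's --allowed-audiences, otherwise the token exchange is rejected
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  script:
    # 1. Write the job's OIDC token where the credential config can read it.
    - echo "$GITLAB_OIDC_TOKEN" > "$CI_PROJECT_DIR/.ci_job_jwt"
    # 2. Build a credential config for the live pool/provider. This is the override:
    #    it replaces whatever credentials the integration set up for the other project.
    #    No --service-account is passed because the principalSet is bound directly to
    #    the roles in step 4 (direct workload identity federation).
    - >
      gcloud iam workload-identity-pools create-cred-config
      "projects/${LIVE_PROJECT_NUMBER}/locations/global/workloadIdentityPools/gitlab/providers/gitlab-project-${GITLAB_PROJECT_ID}"
      --credential-source-file="$CI_PROJECT_DIR/.ci_job_jwt"
      --output-file="$CI_PROJECT_DIR/.gcp_live_creds.json"
    - export GOOGLE_APPLICATION_CREDENTIALS="$CI_PROJECT_DIR/.gcp_live_creds.json"
    - gcloud auth login --cred-file="$GOOGLE_APPLICATION_CREDENTIALS"
    - gcloud config set project "$LIVE_PROJECT_ID"
    # 3. Fail fast: if the token's project_id claim does not satisfy the provider's
    #    attribute condition, the exchange fails here, before anything is deployed.
    - gcloud auth print-access-token > /dev/null
    # 4. Deploy the image already pushed to Artifact Registry (image path is an assumption).
    - >
      gcloud run deploy "$SERVICE_NAME"
      --image "${LIVE_REGION}-docker.pkg.dev/${LIVE_PROJECT_ID}/secret-matcher/secret-matcher:${CI_COMMIT_SHA}"
      --region "$LIVE_REGION"
      --project "$LIVE_PROJECT_ID"
```

Because the bindings in step 4 are project-wide and keyed only on `attribute.project_id`, any pipeline in GitLab project 47653961 that can run this job can deploy to video-scanner-live, so `when: manual` together with GitLab's own job and environment protections is what gates live deploys.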

Edited by Jennifer Li