scripts: add auth for sccache on protected branches
Why
Protected branches likely require access to a separate, secure GCS bucket for storing the Rust compilation cache. Without proper authentication, sccache cannot write to or read from this protected storage backend, which would result in reduced cache effectiveness and slower CI builds on protected branches.
How
The implementation adds conditional authentication logic after sccache initialization:
- On protected branches (CI_COMMIT_REF_PROTECTED = true):
  - Decodes the GCP_PROTECTED_SERVICE_ACCOUNT secret (base64 encoded)
  - Activates the GCP service account using gcloud auth activate-service-account
  - Obtains an OAuth access token via gcloud auth print-access-token
  - Exports the token as GOOGLE_OAUTH_ACCESS_TOKEN for sccache to use
- On non-protected branches: No authentication is performed, maintaining the existing behavior
To test this MR, I protected this branch, then I ran this pipeline: xxx
Runs as protected account: https://gitlab.com/tezos/tezos/-/jobs/12440195653
You can check that we log in to the protected service account, and we should then have access to the protected bucket, for example in this job: https://gitlab.com/tezos/tezos/-/jobs/12453443094
Fix: #8161 (closed)
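
The steps listed under How, written out as an added shell example; this is not the MR's own script. The function name setup_sccache_auth, the temporary key file and the xtrace handling are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the MR's script. setup_sccache_auth is a hypothetical name.
setup_sccache_auth() {
  # Non-protected refs: no authentication, existing behaviour is kept.
  if [ "${CI_COMMIT_REF_PROTECTED:-false}" != "true" ]; then
    echo "sccache: non-protected ref, skipping GCP authentication"
    return 0
  fi
  if [ -z "${GCP_PROTECTED_SERVICE_ACCOUNT:-}" ]; then
    echo "sccache: GCP_PROTECTED_SERVICE_ACCOUNT missing on protected ref" >&2
    return 1
  fi

  local xtrace_was_on key_file token rc
  xtrace_was_on=0; rc=0
  # mktemp creates the file with mode 0600; it holds the decoded key briefly.
  key_file="$(mktemp)" || return 1

  # Suspend xtrace so neither the key nor the token is echoed to the job log.
  case "$-" in *x*) xtrace_was_on=1; set +x ;; esac

  if ! printf '%s' "$GCP_PROTECTED_SERVICE_ACCOUNT" | base64 -d > "$key_file"; then
    echo "sccache: secret is not valid base64" >&2; rc=1
  elif ! gcloud auth activate-service-account --key-file="$key_file"; then
    echo "sccache: service account activation failed" >&2; rc=1
  elif ! token="$(gcloud auth print-access-token)" || [ -z "$token" ]; then
    echo "sccache: could not obtain an access token" >&2; rc=1
  else
    # sccache reads the token from this variable (per the MR description).
    export GOOGLE_OAUTH_ACCESS_TOKEN="$token"
  fi

  rm -f "$key_file"   # the decoded key never outlives this function
  if [ "$xtrace_was_on" -eq 1 ]; then set -x; fi
  return "$rc"
}
# Call setup_sccache_auth right after sccache initialization in the CI script.
```

Failing closed when the secret is missing on a protected ref makes a misconfigured variable visible in the job instead of silently falling back to an unauthenticated cache.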