fix(ci): secure Terraform backend configuration and workflow permissions #253

Merged: amaralc merged 4 commits into main from 247-avoid-exposure-and-add-permission on Feb 15, 2026

amaralc (Owner) commented Feb 15, 2026

What and why was modified?

  • Fixed GitHub Actions workflow permission validation errors by granting id-token: write to reusable workflow callers
  • Moved sensitive backend.tf generation from open-source bootstrap script to deployment pipeline
  • Backend configuration now generated dynamically at deployment time using GCP_PROJECT_ID secret
  • Added backend.tf to .gitignore to prevent accidental commits of generated files

Security improvements:

  • Project ID no longer exposed in bootstrap scripts that live in open-source repositories
  • Configuration generated at deployment time ensures secrets stay in CI/CD, not in code
  • Least-privilege approach: secrets only used where needed (workflow step environment)

How was it modified?

GitHub Actions Workflow Updates

  • Added id-token: write permission to deploy-kernel, deploy-people, and deploy-things jobs
  • These permissions are required by the reusable workflow that uses Workload Identity Federation for GCP authentication

Terraform Backend Configuration

  • Moved backend.tf generation from teams/kernel/iac/bootstrap/project-setup.sh to .github/workflows/teams-kernel-workflows-deploy-team.yml
  • New workflow step "Generate Terraform Backend Configuration" runs before terraform init
  • Uses shell heredoc with environment variable substitution to populate GCP_PROJECT_ID at runtime

Git Configuration

  • Added backend.tf to .gitignore alongside other Terraform-generated files (tfplan, tfstate, etc.)

Reference links and evaluation steps

  1. Review updated workflows in .github/workflows/:
     • teams-kernel-workflows-deploy.yml - Added permissions to deployment jobs
     • teams-kernel-workflows-deploy-team.yml - Added backend.tf generation step
  2. Verify bootstrap script cleanup:
     • teams/kernel/iac/bootstrap/project-setup.sh - Backend generation removed
  3. Test the deployment workflow:
     • Trigger a deployment workflow run
     • Verify backend.tf is generated with correct bucket name (contains GCP_PROJECT_ID)
     • Verify terraform init succeeds with generated configuration

Experiment Record

  • Challenge: Backend configuration was exposing GCP project ID in open-source bootstrap scripts
  • Target: Move sensitive configuration generation to CI/CD pipeline, keep bootstrap scripts open-source-safe
  • Expected result: Workflows validate without permission errors, backend.tf generated at deployment time using secrets
  • Type of experiment: Testing hypothesis
  • What happened: Added permissions to workflows, moved backend.tf generation to reusable workflow step, updated .gitignore
  • What did we learn: Reusable workflows require callers to grant all permissions they need; sensitive config belongs in CI/CD, not bootstrap

Next step

Consider extending this pattern to other environment configurations (e.g., people team, things team backend setups) to ensure consistent security practices across all team deployments.

Summary by CodeRabbit

  • Chores
    • Deployment jobs now allow OpenID Connect tokens for improved workflow security.
    • Deployment process requires a project identifier and will generate backend configuration dynamically during deploy.
    • Documentation updated with five new short-term insights and removal of older entries to refresh content.

vercel bot commented Feb 15, 2026

The latest updates on your projects:

  • Project explore: deployment Ready (Preview); updated Feb 15, 2026 9:17pm (UTC)


coderabbitai bot commented Feb 15, 2026

Caution

Review failed

The pull request is closed.

Walkthrough

Makes GCP_PROJECT_ID a required workflow input, adds a pre-auth step that generates a GCS Terraform backend.tf using that project ID, grants id-token: write permission to three deploy jobs, updates the stored production backend.tf placeholder, and refreshes short-term insights in docs.

Changes

  • Deploy workflow (team): .github/workflows/teams-kernel-workflows-deploy-team.yml
    Made GCP_PROJECT_ID input required; added "Generate Terraform Backend Configuration" step that validates GCP_PROJECT_ID and writes backend.tf (GCS bucket <GCP_PROJECT_ID>-tfstate, prefix production) before GCP auth.
  • Deploy workflows (permissions): .github/workflows/teams-kernel-workflows-deploy.yml
    Added id-token: write permission to deploy-kernel, deploy-people, and deploy-things jobs to enable OIDC token issuance.
  • Terraform backend file: teams/kernel/iac/production/backend.tf
    Replaced hard-coded GCS bucket name with a project-placeholder bucket name (project-id-placeholder-tfstate) in the Terraform backend block.
  • Documentation: docs/insights-short-term.md
    Rotated short-term insights: added recent 2026-02-15 entries and removed older 2026-02-10 entries (content shift).

Sequence Diagram(s)

Mermaid source:
sequenceDiagram
participant GH as GitHub Actions
participant Repo as Repository (iac-path)
participant GCP as Google Cloud (OIDC / gcloud)
participant GCS as GCS (tfstate bucket)
participant TF as Terraform

GH->>Repo: checkout
GH->>Repo: run "Generate Terraform Backend Configuration" (read GCP_PROJECT_ID)
Repo->>GCS: create/write backend.tf (bucket: <GCP_PROJECT_ID>-tfstate, prefix: production)
GH->>GCP: authenticate (OIDC / gcloud) after backend created
GH->>TF: init/apply (uses backend.tf -> GCS)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble configs by moonlit light,
I stitch a bucket name just right,
Tokens given, backends born,
Terraform hops at break of dawn,
Hooray — infra's snug and bright! ✨

🚥 Pre-merge checks: 4 passed

  • Title check: Passed. The title accurately captures the two main changes: securing Terraform backend configuration and adding workflow permissions, which directly match the changeset.
  • Description check: Passed. The description fully covers what was modified, why, and how, with clear sections on security improvements, workflow updates, backend configuration, and git changes. It includes reference links and an experiment record as per template.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Merge Conflict Detection: Passed. No merge conflicts detected when merging into main.


nx-cloud bot commented Feb 15, 2026

CI Pipeline Execution for commit c973175:

  • nx affected --target=build --base=origin/main -... : Succeeded (<1s)
  • nx affected --target=test --base=origin/main --... : Succeeded (<1s)
  • nx affected --target=lint --base=origin/main --... : Succeeded (<1s)

Nx Cloud last updated this comment at 2026-02-15 21:17:47 UTC

coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/teams-kernel-workflows-deploy-team.yml:
- Around line 94-108: The workflow step "Generate Terraform Backend
Configuration" writes backend.tf using the GCP_PROJECT_ID secret but doesn't
validate it; add a guard that checks the environment variable GCP_PROJECT_ID
before creating backend.tf and fail fast with a clear error and non-zero exit if
it's empty (or alternatively mark GCP_PROJECT_ID as required in the
workflow_call inputs); ensure the check references the same env var name
(GCP_PROJECT_ID) and that the error message names the failing step ("Generate
Terraform Backend Configuration") and the target file (backend.tf).
🧹 Nitpick comments (1)
teams/kernel/iac/production/backend.tf (1)

3-5: Add a short placeholder notice to reduce local confusion.
Line 3-Line 5 now uses a placeholder bucket; consider a brief note that CI overwrites this file during deploys.

✍️ Suggested clarification
 terraform {
   backend "gcs" {                             # The Google Cloud Storage backend
+    # NOTE: Placeholder only — CI generates the real backend.tf during deploy.
     bucket = "project-id-placeholder-tfstate" # The name of the bucket to store the state file
     prefix = "production"                     # The path to the state file within the bucket
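Review bot: The placeholder note is useful, but the bigger inconsistency sits around this file rather than in it: teams/kernel/iac/production/backend.tf remains a tracked file in the repository, and the .gitignore entry this PR adds only affects untracked files, so future local edits (or a CI-generated version of the file, if one is ever committed from a checkout) will still show up in git status and can still be committed. Either remove the committed placeholder from the index so the .gitignore entry actually takes effect and CI is the only source of backend.tf, or keep the placeholder and drop the .gitignore entry, and say in the note which of the two is intended so the suggested comment "CI generates the real backend.tf during deploy" matches what git will do.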

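The PR description (the "Generate Terraform Backend Configuration" step rendered with a shell heredoc from GCP_PROJECT_ID) and the actionable review comment (fail fast with a non-zero exit when GCP_PROJECT_ID is empty, naming the step and the file) describe one step; the script below is an added example of that step and is not the project's own workflow code. The function name, the `::error::` annotation text and the use of a GCP project-id format check are my assumptions; the bucket name `<project-id>-tfstate` and prefix `production` are taken from the PR.

```shell
#!/bin/sh
# Added example, not the project's own workflow code. It mirrors the PR's
# "Generate Terraform Backend Configuration" step (heredoc rendered from
# GCP_PROJECT_ID) and adds the fail-fast guard the review asked for.
# Assumed from the PR: bucket "<project-id>-tfstate", prefix "production".

STEP_NAME="Generate Terraform Backend Configuration"

# generate_backend_tf PROJECT_ID OUTPUT_PATH   (hypothetical helper name)
# Writes OUTPUT_PATH only when PROJECT_ID passes validation; otherwise prints a
# GitHub Actions ::error:: annotation naming the step and file and returns 1.
generate_backend_tf() {
  project_id=$1
  out=$2
  if [ -z "$project_id" ]; then
    echo "::error::[$STEP_NAME] GCP_PROJECT_ID is empty; refusing to write $out" >&2
    return 1
  fi
  # GCP project id rules: 6-30 chars, lowercase letters, digits and hyphens,
  # starting with a letter and not ending with a hyphen. Rejecting anything
  # else also keeps shell and HCL metacharacters out of the generated file.
  case "$project_id" in
    *[!a-z0-9-]*|[!a-z]*|*-)
      echo "::error::[$STEP_NAME] GCP_PROJECT_ID '$project_id' is not a valid project id; not writing $out" >&2
      return 1 ;;
  esac
  if [ "${#project_id}" -lt 6 ] || [ "${#project_id}" -gt 30 ]; then
    echo "::error::[$STEP_NAME] GCP_PROJECT_ID must be 6-30 characters; not writing $out" >&2
    return 1
  fi
  # Unquoted heredoc so ${project_id} is substituted; the HCL has no other '$'.
  cat > "$out" <<EOF
terraform {
  backend "gcs" {
    bucket = "${project_id}-tfstate"
    prefix = "production"
  }
}
EOF
}

# In the workflow step this would be:
#   generate_backend_tf "$GCP_PROJECT_ID" backend.tf || exit 1
# Stand-alone demo with a constructed project id written to a temp file.
demo_out="${TMPDIR:-/tmp}/backend.demo.tf"
generate_backend_tf "demo-project-123" "$demo_out" && cat "$demo_out"
rm -f "$demo_out"
```

Because the guard runs before `terraform init` and before GCP authentication, an unset secret on a fork or misconfigured environment fails the job with a pointed annotation instead of Terraform trying to reach a bucket literally named `-tfstate`.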
@amaralc amaralc merged commit eda0648 into main Feb 15, 2026
6 of 8 checks passed