[gha] fix artifactregistry login

Author: rustielin

.github/workflows/ci.yml

@@ -5,22 +5,39 @@ on:
     branches:
       - main
   pull_request:
-    branches:
-      - main
+
+permissions:
+  contents: read
+  id-token: write #required for GCP Workload Identity federation which we use to login into Google Artifact Registry
 
 jobs:
   lint:
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v4
+
       - uses: pnpm/action-setup@v4
         with:
           version: 9.15.1
+
       - uses: actions/setup-node@v4
         with:
           node-version: '23'
           cache: 'pnpm'
           registry-url: "https://registry.npmjs.org"
-      - run: pnpm install --frozen-lockfile
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT_EMAIL }}
+          create_credentials_file: true # This exports the GOOGLE_APPLICATION_CREDENTIALS env var which is commonly used by CLIs
+
+      - name: Login to GCP Artifact Registry
+        run: pnpm artifactregistry-login
+
+      - name: Install Dependencies
+        run: pnpm install --frozen-lockfile
+
       - run: pnpm lint

package.json

@@ -6,7 +6,8 @@
     "dev": "turbo dev",
     "lint": "turbo lint",
     "fmt": "turbo run fmt",
-    "spellcheck": "turbo run spellcheck"
+    "spellcheck": "turbo run spellcheck",
+    "artifactregistry-login": "pnpm dlx google-artifactregistry-auth"
   },
   "dependencies": {
     "turbo": "2.5.0"