#!/bin/bash
set -e

PROJECT_ID="krow-workforce-dev"
PROJECT_NUMBER="933560802882"

echo "============================================"
echo "Permissions au niveau du PROJET"
echo "============================================"
echo ""

echo "1. Artifact Registry Admin pour Cloud Build au niveau projet..."
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
    --role="roles/artifactregistry.admin" \
    --condition=None

echo ""
echo "2. Storage Admin pour Cloud Build (pour staging bucket)..."
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
    --member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
    --role="roles/storage.admin" \
    --condition=None

echo ""
echo "3. Vérification des rôles du service account Cloud Build:"
gcloud projects get-iam-policy ${PROJECT_ID} \
    --flatten="bindings[].members" \
    --filter="bindings.members:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
    --format="table(bindings.role)"

echo ""
echo "============================================"
echo "✅ Permissions au niveau projet configurées!"
echo "============================================"
echo ""
echo "Ces permissions sont plus larges mais devraient résoudre le problème."
echo "Attends 2-3 minutes puis relance: make deploy-launchpad"
echo ""