feat: add pull-reviews to wif

[syntaxsdev]

No description provided.

[coderabbitai]

Walkthrough

The change expands workload identity federation configuration to include the ambient-code/pull-reviews repository, adding it to the allowed repositories list and granting it the Vertex AI user role for project-level access to Google Cloud Platform resources.

Changes

Cohort / File(s)	Summary
Workload Identity & IAM Configuration gcp/workload-identity-federation-direct.tf	Expanded attribute_condition to include ambient-code/pull-reviews in the allowed repositories list. Added new google_project_iam_member resource granting roles/aiplatform.user role to the pull-reviews repository.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided, making it impossible to assess relevance to the changeset.	Add a description explaining the purpose of granting aiplatform.user role to the pull-reviews repository and any relevant context.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding the pull-reviews repository to the workload identity federation configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/add-pull-reviews-to-wif

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@gcp/workload-identity-federation-direct.tf`:
- Line 37: The current attribute_condition on the Workload Identity Federation
provider (attribute_condition) only checks assertion.repository and combined
with the project-level grant of roles/aiplatform.user (the new role binding)
allows any run in ambient-code/pull-reviews to gain broad access; tighten the
condition to also require trusted refs and workflow identity (e.g., include
assertion.ref matching allowed branches/tags and assertion.job_workflow_ref or
assertion.workflow for specific workflow files) and update attribute_mapping to
map assertion.ref and assertion.job_workflow_ref (or assertion.workflow) so
those claims are available for evaluation; additionally, scope the
roles/aiplatform.user grant to the minimum resource (not project-level) or add
the stricter conditional using these mapped attributes to the IAM binding (the
binding that grants roles/aiplatform.user) to ensure only the intended
workflows/refs can assume the role.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 316b00bd-e6cd-4363-9abd-08ab3af6533e

📥 Commits

Reviewing files that changed from the base of the PR and between 0e54acb and 9251d58.

📒 Files selected for processing (1)

• gcp/workload-identity-federation-direct.tf

[ktdreyer]

@syntaxsdev ambient-code/platform#949 adds this action to the platform repo. So perhaps you don't need this pull-reviews repo listed here after all.