Skip to content

ci(dbt): fix dbt CI auth — correct setup docs, add workflow_dispatch#35

Open
DevDizzle wants to merge 1 commit into
masterfrom
ci/dbt-ci-auth
Open

ci(dbt): fix dbt CI auth — correct setup docs, add workflow_dispatch#35
DevDizzle wants to merge 1 commit into
masterfrom
ci/dbt-ci-auth

Conversation

@DevDizzle

Copy link
Copy Markdown
Owner

Summary

dbt CI has failed on every PR with Access Denied: ... bigquery.jobs.create since it was added (2026-06-23). Root cause: the GCP_SA_KEY secret holds a key for github-deployer@profitscout-lx6bb (created 4 seconds before the secret, 2026-02-01), which had zero permissions on profitscout-fida8 — and the workflow's setup comment prescribed a dataset-level "BigQuery User" grant, which can never provide the project-level bigquery.jobs.create permission.

IAM fixed out-of-band (2026-07-08):

  • roles/bigquery.jobUser on project profitscout-fida8
  • WRITER dataset ACL on profitscout_dbt_ci (isolated CI dataset)
  • READER dataset ACL on profit_scout (sources)

This PR corrects the setup comment to match reality and adds a workflow_dispatch trigger for manual re-runs. The dbt CI run on this PR is the end-to-end verification of the fix.

🤖 Generated with Claude Code

…patch

The setup comment claimed dataset-level "BigQuery User" was enough, but
bigquery.jobs.create is project-level only — every CI run failed with
Access Denied. The secret's key belongs to github-deployer@profitscout-lx6bb
(cross-project); it now has jobUser on the project + WRITER/READER dataset
ACLs. workflow_dispatch added so the pipeline can be re-tested manually.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant