From ccab9b78c43418630fe635cdeb583b61fe57c7b7 Mon Sep 17 00:00:00 2001
From: aalej <alejandromarco@google.com>
Date: Wed, 27 Mar 2024 03:25:45 +0800
Subject: [PATCH] Add Service Usage Consumer role to GitHub Actions service
 account (#6895)

* Add Service Usage Consumer role to GitHub Actions service account

* Added a changelog entry
---
 CHANGELOG.md                        | 1 +
 src/gcp/resourceManager.ts          | 1 +
 src/init/features/hosting/github.ts | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 561369e703e..cda3a6c6860 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1 +1,2 @@
+- Fixes issue where GitHub actions service account cannot add preview URLs to Auth authorized domains (#6895)
 - Release Firestore Emulator 1.19.4. This version fixes a minor bug with reserve ids and adds a `reset` endpoint for Datastore Mode.
diff --git a/src/gcp/resourceManager.ts b/src/gcp/resourceManager.ts
index fc84cbfc051..e1d08bd17d0 100644
--- a/src/gcp/resourceManager.ts
+++ b/src/gcp/resourceManager.ts
@@ -14,6 +14,7 @@ export const firebaseRoles = {
   functionsDeveloper: "roles/cloudfunctions.developer",
   hostingAdmin: "roles/firebasehosting.admin",
   runViewer: "roles/run.viewer",
+  serviceUsageConsumer: "roles/serviceusage.serviceUsageConsumer",
 };
 
 /**
diff --git a/src/init/features/hosting/github.ts b/src/init/features/hosting/github.ts
index 62a45521368..e2918d663e3 100644
--- a/src/init/features/hosting/github.ts
+++ b/src/init/features/hosting/github.ts
@@ -611,6 +611,10 @@ async function createServiceAccountAndKey(
     // https://github.com/firebase/firebase-tools/issues/2732
     firebaseRoles.authAdmin,
 
+    // Required to add preview URLs to Auth authorized domains
+    // https://github.com/firebase/firebase-tools/issues/6828
+    firebaseRoles.serviceUsageConsumer,
+
     // Required for CLI deploys
     firebaseRoles.apiKeysViewer,