Fix "could not assert Secret Manager permissions" Cloud Build error

[mathu97]

Users are often running into this could not assert Secret Manager permissions error when onboarding to apphosting.

This occurs when the user has no Cloud Build repo connections (including the sentinel Oauth connection) and the secret manager admin role has not been granted to the Cloud Build P4SA. So when the user goes to create an Oauth connection first but Cloud Build has no permissions to save the oath token in secret manager, it throws the above error.

To fix this we just need to ensure that the correct secret manager privileges are set to the Cloud Build P4SA before even creating the initial sentinel Oauth connection.

[tonyjhuang]

Thanks for the fix! I wonder if we can get rid of getOrCreateConnection now by inlining it in the other callsites (which I believe should just be linkGitHubRepository())

[mathu97]

ya we can but I do like that it helps with readability.

[tonyjhuang]

Can we add a test?

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 71.42857% with 2 lines in your changes are missing coverage. Please review.

Project coverage is 54.52%. Comparing base (4a17ca7) to head (bcf2aa0).

Files	Patch %	Lines
src/init/features/apphosting/repo.ts	71.42%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6904      +/-   ##
==========================================
+ Coverage   54.44%   54.52%   +0.07%     
==========================================
  Files         353      353              
  Lines       24652    24657       +5     
  Branches     5094     5095       +1     
==========================================
+ Hits        13423    13443      +20     
+ Misses      10012     9995      -17     
- Partials     1217     1219       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.