chore: update artifact registry (#23845)

alexghr · web-flow · commit c70de5aeda8b · 2026-06-03T21:41:38.000Z
.
diff --git a/spartan/terraform/gke-cluster/iam.tf b/spartan/terraform/gke-cluster/iam.tf
@@ -48,6 +48,12 @@ resource "google_service_account" "ci" {
   description  = "Service account for CI jobs that publish Docker images"
 }
 
+resource "google_service_account" "npm_registry_reader" {
+  account_id   = var.npm_registry_reader_service_account_id
+  display_name = "npm Registry Reader Service Account"
+  description  = "Service account for CI jobs that install internal npm packages"
+}
+
 # Service account for External Secrets Operator
 resource "google_service_account" "eso" {
   account_id   = "external-secrets-operator"
@@ -79,4 +85,3 @@ data "google_iam_policy" "all_users_storage_read" {
     ]
   }
 }
-
diff --git a/spartan/terraform/gke-cluster/npm-registry.tf b/spartan/terraform/gke-cluster/npm-registry.tf
@@ -0,0 +1,25 @@
+resource "google_artifact_registry_repository" "npm_registry" {
+  project       = var.project
+  location      = var.region
+  repository_id = var.npm_registry_repository_id
+  description   = "npm repository"
+  format        = "NPM"
+
+  depends_on = [google_project_service.artifact_registry]
+}
+
+resource "google_artifact_registry_repository_iam_member" "ci_npm_registry_reader" {
+  project    = google_artifact_registry_repository.npm_registry.project
+  location   = google_artifact_registry_repository.npm_registry.location
+  repository = google_artifact_registry_repository.npm_registry.name
+  role       = "roles/artifactregistry.reader"
+  member     = "serviceAccount:${google_service_account.npm_registry_reader.email}"
+}
+
+resource "google_artifact_registry_repository_iam_member" "ci_npm_registry_publisher" {
+  project    = google_artifact_registry_repository.npm_registry.project
+  location   = google_artifact_registry_repository.npm_registry.location
+  repository = google_artifact_registry_repository.npm_registry.name
+  role       = "roles/artifactregistry.writer"
+  member     = "serviceAccount:${google_service_account.ci.email}"
+}
diff --git a/spartan/terraform/gke-cluster/outputs.tf b/spartan/terraform/gke-cluster/outputs.tf
@@ -10,6 +10,10 @@ output "ci_service_account_email" {
   value = google_service_account.ci.email
 }
 
+output "npm_registry_reader_service_account_email" {
+  value = google_service_account.npm_registry_reader.email
+}
+
 output "region" {
   description = "Google cloud region"
   value       = var.region
@@ -30,6 +34,21 @@ output "docker_registry_repository_url" {
   value       = "${var.region}-docker.pkg.dev/${var.project}/${google_artifact_registry_repository.docker_registry.repository_id}"
 }
 
+output "npm_registry_hostname" {
+  description = "Artifact Registry npm hostname"
+  value       = "${var.region}-npm.pkg.dev"
+}
+
+output "npm_registry_repository" {
+  description = "Artifact Registry npm repository resource name"
+  value       = google_artifact_registry_repository.npm_registry.name
+}
+
+output "npm_registry_repository_url" {
+  description = "Artifact Registry npm repository URL for npm config"
+  value       = "https://${var.region}-npm.pkg.dev/${var.project}/${google_artifact_registry_repository.npm_registry.repository_id}/"
+}
+
 output "devnet_network_rpc_ips" {
   description = "Static IPs and hostnames for v4 devnet networks"
   value = {
@@ -40,4 +59,3 @@ output "devnet_network_rpc_ips" {
     }
   }
 }
-
diff --git a/spartan/terraform/gke-cluster/variables.tf b/spartan/terraform/gke-cluster/variables.tf
@@ -16,8 +16,20 @@ variable "docker_registry_repository_id" {
   default     = "aztec"
 }
 
+variable "npm_registry_repository_id" {
+  description = "Artifact Registry npm repository ID for internal Aztec packages."
+  type        = string
+  default     = "aztec-npm"
+}
+
 variable "ci_service_account_id" {
-  description = "Service account ID for CI jobs that push images to the Docker registry."
+  description = "Service account ID for CI jobs that publish internal artifacts."
   type        = string
   default     = "aztec-ci"
 }
+
+variable "npm_registry_reader_service_account_id" {
+  description = "Service account ID for CI jobs that install internal npm packages."
+  type        = string
+  default     = "aztec-npm-reader"
+}

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,12 @@ resource "google_service_account" "ci" {`
`48`	`48`	`description = "Service account for CI jobs that publish Docker images"`
`49`	`49`	`}`
`50`	`50`
	`51`	`+resource "google_service_account" "npm_registry_reader" {`
	`52`	`+ account_id = var.npm_registry_reader_service_account_id`
	`53`	`+ display_name = "npm Registry Reader Service Account"`
	`54`	`+ description = "Service account for CI jobs that install internal npm packages"`
	`55`	`+}`
	`56`	`+`
`51`	`57`	`# Service account for External Secrets Operator`
`52`	`58`	`resource "google_service_account" "eso" {`
`53`	`59`	`account_id = "external-secrets-operator"`
`@@ -79,4 +85,3 @@ data "google_iam_policy" "all_users_storage_read" {`
`79`	`85`	`]`
`80`	`86`	`}`
`81`	`87`	`}`
`82`		`-`