From 62fa66680c1a3685fff5669e7086757bf9a32517 Mon Sep 17 00:00:00 2001
From: Clark Feusier
Date: Fri, 13 Feb 2026 13:06:50 -0800
Subject: [PATCH] ci: Use IAP tunneling for VM access and suppress SSH stderr

Switches all SSH/SCP commands to tunnel through IAP, bypassing firewall rules. Adds stderr suppression to commands that were leaking connection handshake details in public logs.
---
 .github/workflows/e2e-smoke.yml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/e2e-smoke.yml b/.github/workflows/e2e-smoke.yml
index 4aaf289..c571adb 100644
--- a/.github/workflows/e2e-smoke.yml
+++ b/.github/workflows/e2e-smoke.yml
@@ -12,6 +12,7 @@ env:
   VM_NAME: ${{ secrets.GCP_VM_NAME }}
   VM_ZONE: ${{ secrets.GCP_VM_ZONE }}
   GCP_PROJECT: ${{ secrets.GCP_PROJECT }}
+  GCP_USE_IAP: "true"
 
 jobs:
   smoke-test:
@@ -65,6 +66,7 @@ jobs:
           for i in $(seq 1 60); do
             if gcloud compute ssh "$VM_NAME" \
               --zone="$VM_ZONE" --project="$GCP_PROJECT" \
+              --tunnel-through-iap \
               --command="echo ready" 2>/dev/null; then
               echo "VM is ready"
               break
@@ -80,13 +82,15 @@ jobs:
         run: |
           echo '${{ secrets.GCP_SA_KEY }}' > /tmp/sa-key.json
           gcloud compute scp /tmp/sa-key.json "$VM_NAME":~/ci-sa-key.json \
-            --zone="$VM_ZONE" --project="$GCP_PROJECT"
+            --zone="$VM_ZONE" --project="$GCP_PROJECT" \
+            --tunnel-through-iap 2>/dev/null
           rm -f /tmp/sa-key.json
 
           echo '${{ secrets.HARNESS_DEPLOY_KEY }}' > /tmp/deploy-key
           chmod 600 /tmp/deploy-key
           gcloud compute scp /tmp/deploy-key "$VM_NAME":~/ci-deploy-key \
-            --zone="$VM_ZONE" --project="$GCP_PROJECT"
+            --zone="$VM_ZONE" --project="$GCP_PROJECT" \
+            --tunnel-through-iap 2>/dev/null
           rm -f /tmp/deploy-key
 
       - name: Run smoke tests on VM
@@ -95,7 +99,8 @@ jobs:
 
           gcloud compute ssh "$VM_NAME" \
             --zone="$VM_ZONE" --project="$GCP_PROJECT" \
-            --command="bash -s -- '$BRANCH'" << 'REMOTE_SCRIPT'
+            --tunnel-through-iap \
+            --command="bash -s -- '$BRANCH'" 2>/dev/null << 'REMOTE_SCRIPT'
           set -eo pipefail
           BRANCH="$1"
 
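Review bot: `GCP_USE_IAP: "true"` is added to the workflow env in the first hunk, but nothing in this patch reads it; every ssh/scp invocation hardcodes `--tunnel-through-iap` instead, so the variable is dead configuration that suggests a switch which does not exist. Either remove the line or make it the actual gate, e.g. `IAP_FLAG=$([ "$GCP_USE_IAP" = "true" ] && echo --tunnel-through-iap)` and `$IAP_FLAG` on each command. The description's "bypassing firewall rules" also reads stronger than what IAP TCP forwarding does, as far as I know: it removes the need for a public SSH endpoint, but an ingress rule allowing port 22 from the IAP forwarding range is still required, so a reviewer tightening the VPC after this change should not drop that rule.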
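Review bot: The `2>/dev/null` appended to both key-upload scp commands in the third hunk discards the only diagnostic gcloud emits when the tunnel cannot be opened (missing IAP permission on the caller, no ingress rule for the IAP range, wrong zone); the step still fails under the runner's default `bash -e` shell, but the public log then shows nothing beyond the exit status. The same pattern is added to the two result-fetch scp commands in the last hunk, where the existing `|| true` makes a broken tunnel fully silent. If the aim is only to keep ssh handshake chatter out of the log, `--scp-flag="-q"` (and `--ssh-flag="-q"` on the ssh commands) quiets ssh's own diagnostics while gcloud's errors still reach the log; otherwise redirect stderr to a file and print it only in the failure branch, e.g. `2>/tmp/scp.err || { cat /tmp/scp.err >&2; exit 1; }`.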
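Review bot: On the rewritten `--command="bash -s -- '$BRANCH'" 2>/dev/null << 'REMOTE_SCRIPT'` line, the redirect applies to the whole `gcloud compute ssh` process, and ssh relays the remote command's stderr on that same stream, so the entire smoke-test script fed through the REMOTE_SCRIPT heredoc now runs with its stderr discarded; with `set -eo pipefail` a failing test surfaces only as a non-zero exit status with no message. Drop the redirect on this command, or use `--ssh-flag="-q"`, which quiets ssh's own diagnostics but keeps remote output. Separately, `'$BRANCH'` is spliced into the remote command as a single-quoted literal, so a value containing a single quote ends the quoting on the remote shell; BRANCH is set outside the hunk, so if it can derive from a pull-request head ref, validate it against an expected pattern first or quote it shell-safely with `--command="bash -s -- $(printf '%q' "$BRANCH")"`. The step and the remote script continue past the end of the hunk.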
@@ -155,15 +160,18 @@ jobs:
         run: |
           gcloud compute ssh "$VM_NAME" \
             --zone="$VM_ZONE" --project="$GCP_PROJECT" \
+            --tunnel-through-iap \
             --command="rm -f ~/ci-sa-key.json ~/ci-deploy-key ~/.ssh/ci-deploy-key" 2>/dev/null || true
 
       - name: Fetch results
         if: always()
         run: |
           gcloud compute scp "$VM_NAME":~/test-summary.json ./summary.json \
-            --zone="$VM_ZONE" --project="$GCP_PROJECT" 2>/dev/null || true
+            --zone="$VM_ZONE" --project="$GCP_PROJECT" \
+            --tunnel-through-iap 2>/dev/null || true
           gcloud compute scp "$VM_NAME":~/test-metadata.json ./metadata.json \
-            --zone="$VM_ZONE" --project="$GCP_PROJECT" 2>/dev/null || true
+            --zone="$VM_ZONE" --project="$GCP_PROJECT" \
+            --tunnel-through-iap 2>/dev/null || true
 
       - name: Generate job summary
         if: always()
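Review bot: The credential-cleanup ssh command now depends on the IAP tunnel as well, and its existing `2>/dev/null || true` means a tunnel or permission failure leaves `~/ci-sa-key.json` and `~/ci-deploy-key` on the VM with no trace in the job log. Because this command is the only thing removing a service-account key that the earlier step copied onto the host, it should at least report when it did not run, e.g. `... 2>/dev/null || echo "::warning::credential cleanup on $VM_NAME failed"`, so a reviewer of the run knows the key may still be resident. The step's `name:`/`if:` lines sit above the hunk, so I cannot confirm it is guarded by `if: always()`; if it is not, a failed test step would skip the cleanup entirely.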