
Fix Cloud Build SA #130

Merged: haroonc merged 1 commit into main from cb-fix on Apr 12, 2026

Conversation

@yeshwanth1993 (Contributor)

Fixes #<issue_number_goes_here>

It's a good idea to open an issue first for discussion.

  • Tests pass
  • Appropriate changes to documentation are included in the PR

@yeshwanth1993 yeshwanth1993 requested a review from haroonc April 12, 2026 15:42
@gemini-code-assist gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request updates the Cloud Build setup to grant the Cloud Build Service Agent impersonation permissions on the user-provided service account and removes the unused roles/cloudbuild.workerpools.use role. Feedback identifies a critical API incompatibility where project-level IAM methods are incorrectly applied to service account resources, and suggests removing the serviceAccount: prefix from the returned string to ensure compatibility with the Cloud Build API. Additionally, the service account validation logic is noted as being too restrictive for project IDs containing dots or colons.

return "", fmt.Errorf("unable to add iam.serviceAccountUser role to Cloud Build P4SA %s on SA %s err: %w", gcbP4sa, r, err)
}

return resolvedSA, nil

high

The function currently returns resolvedSA, which includes the serviceAccount: prefix. However, the Cloud Build API's serviceAccount field for triggers expects either the service account email address or its full resource path, not the IAM member string format. Providing the prefix will likely cause the subsequent CreateBuildTrigger call to fail with an invalid argument error.

Suggested change
return resolvedSA, nil
return strings.TrimPrefix(resolvedSA, "serviceAccount:"), nil

Comment on lines +130 to +135
{"valid sa", "serviceAccount:test-sa@project.iam.gserviceaccount.com", true},
{"valid sa with dashes", "serviceAccount:my-sa-123@my-project-456.iam.gserviceaccount.com", true},
{"missing prefix", "test-sa@project.iam.gserviceaccount.com", false},
{"wrong prefix", "user:test-sa@project.iam.gserviceaccount.com", false},
{"missing domain", "serviceAccount:test-sa@project", false},
{"wrong domain", "serviceAccount:test-sa@project.com", false},

medium

The validation logic for service accounts (and these corresponding tests) appears to be too restrictive. Google Cloud project IDs can contain dots and colons (e.g., for domain-scoped projects like example.com:my-project). The current regex [a-z0-9-]+ used in the implementation will reject valid service accounts from such projects. Consider updating the regex to support these valid project ID formats.
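The two review points above (the `serviceAccount:` prefix must be stripped before the email reaches the trigger's `serviceAccount` field, and the project-ID pattern must accept domain-scoped IDs such as `example.com:my-project`) combined in one added example; this is not the PR's own code, and `ValidateAndTrim`, `memberPrefix` and the `saEmailRe` pattern are assumptions, not the repository's identifiers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// memberPrefix is the IAM member-string prefix the PR's validator requires.
const memberPrefix = "serviceAccount:"

// saEmailRe is an assumed pattern for a service account email. Unlike the
// [a-z0-9-]+ project pattern the review flags, it also accepts domain-scoped
// project IDs such as example.com:my-project.
var saEmailRe = regexp.MustCompile(
	`^[a-z][a-z0-9-]+@` + // service account ID
		`(?:[a-z0-9.-]+:)?` + // optional domain scope, e.g. "example.com:"
		`[a-z][a-z0-9-]+` + // project ID
		`\.iam\.gserviceaccount\.com$`)

// ValidateAndTrim checks that member is an IAM member string for a service
// account and returns the bare email address, which is the form the Cloud
// Build trigger's serviceAccount field expects (no "serviceAccount:" prefix).
func ValidateAndTrim(member string) (string, error) {
	if !strings.HasPrefix(member, memberPrefix) {
		return "", fmt.Errorf("service account %q must start with %q", member, memberPrefix)
	}
	email := strings.TrimPrefix(member, memberPrefix)
	if !saEmailRe.MatchString(email) {
		return "", fmt.Errorf("service account %q is not a valid *.iam.gserviceaccount.com address", email)
	}
	return email, nil
}

func main() {
	// Constructed inputs mirroring the PR's test table plus a domain-scoped project.
	for _, m := range []string{
		"serviceAccount:test-sa@project.iam.gserviceaccount.com",
		"serviceAccount:my-sa@example.com:my-project.iam.gserviceaccount.com",
		"user:test-sa@project.iam.gserviceaccount.com",
		"serviceAccount:test-sa@project.com",
	} {
		email, err := ValidateAndTrim(m)
		fmt.Printf("%-70s -> email=%q err=%v\n", m, email, err)
	}
}
```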

@haroonc haroonc merged commit 07b8efb into main Apr 12, 2026
4 checks passed