Evaluate redundancy between SA email project ID and label-based project discovery

[krisrowe]

Observation

The CI workflow hardcodes the full service account email (e.g., gapp-deploy@<project-id>.iam.gserviceaccount.com) which embeds the GCP project ID. At deploy time, gapp setup also discovers the project by querying GCP labels (gapp-{solution-name}=default).

This creates redundancy — the project ID is expressed in two places (SA email and label), and they could theoretically conflict. It raises questions:

1. Is the SA email hardcoding necessary? Could gapp derive the SA from convention (gapp-deploy@{discovered-project}.iam.gserviceaccount.com) after label discovery, eliminating the need to hardcode it in the workflow?

2. What if they conflict? The SA authenticates against one project, but label discovery could find a different project. Is this possible? What happens?

3. One SA per project, not per solution — all solutions in the same project share gapp-deploy@{project}. This is documented in CI.md but worth confirming is the right scoping.

Related

Also worth evaluating: can CI deploy a non-default instance of a solution? Currently discover_project_from_label looks for gapp-{name}=default. There's no path for non-default instances through CI.