We're aiming to use this for testing immediately and better
logging/tracing in future, but to make the changes manageable breaking
them into a smaller series that don't directly achieve much.
By initializing on demand, we avoid the need for some context.Context
during "build" time and better reflect the notion of (passive)
builders vs (active) requests.
It's a pretty important message when permissions aren't set correctly;
let's re-enable it and then figure out more accurate conditions for
if it matters.
This means we won't be able to work unless there's a bucket permission
(which actually will typically happen if the state store is in the
same GCS project).
This is the minimal workaround for cherry-picking.
This lets us configure cross-project permissions while ourselves needing
minimal permissions, but also gives us a nice hook for future lockdown
of object-level permissions.
Tessia Piboubès