Simplify self-host docs for gcloud authentication command

[tvi]

No description provided.

[ValentaTomas]

Btw, I think the double login will be in several places in the repo (at least in Makefiles).

[claude]

LGTM — simple one-line doc simplification.

Extended reasoning...

Overview

This PR modifies only self-host.md, replacing two sequential gcloud auth commands (gcloud auth login + gcloud auth application-default login) with the equivalent single-command form (gcloud auth login --update-adc) in the prerequisites section.

Security Risks

None. This is a documentation-only change with no code modifications.

Level of Scrutiny

Minimal scrutiny required. The change is a factual simplification of a CLI invocation in docs — the --update-adc flag is the official shorthand for combining the two steps, so the behavior is identical.

Other Factors

The one bug flagged is a nit: the iac/provider-gcp/Makefile provider-login target still uses the old two-step form, creating a minor inconsistency between docs and the Makefile. However, both approaches are functionally equivalent with no breakage, so this does not block approval.

[claude]

🟡 The PR updates prerequisites in self-host.md to use the simplified gcloud auth login --update-adc, but iac/provider-gcp/Makefile's provider-login target (step 4 of the guide) still uses the old two-step form: gcloud --quiet auth login + gcloud --quiet auth application-default login. This creates a confusing inconsistency where the prerequisite auth step appears redundant since make provider-login re-authenticates with separate commands anyway. The Makefile should be updated to use --update-adc for consistency.

Extended reasoning...

What the bug is: The PR simplifies the gcloud authentication docs to use gcloud auth login --update-adc (a single command that sets both user credentials and Application Default Credentials). However, the provider-login Makefile target in iac/provider-gcp/Makefile was not updated and still runs two separate commands: gcloud --quiet auth login followed by gcloud --quiet auth application-default login.

The specific code path: In self-host.md, the prerequisites section (lines 47-49) now instructs users to run gcloud auth login --update-adc. Then step 4 of the guide tells users to run make provider-login, which internally runs the old two-step approach at Makefile lines 212 and 215.

Why existing code doesn't prevent it: The PR only modified self-host.md and did not update the Makefile. The --update-adc flag was introduced to gcloud auth login as a convenience wrapper for doing both gcloud auth login and gcloud auth application-default login in one step, so the Makefile remains functionally correct but visually inconsistent with the new doc guidance.

Impact: Users following the guide will run gcloud auth login --update-adc as a prerequisite, then make provider-login re-runs the authentication redundantly using the old two-step form. This creates confusion about why the prerequisite step is needed at all, and why the Makefile uses a different approach than what is documented. There is no functional breakage since both approaches achieve the same end state.

How to fix it: Update the provider-login target in iac/provider-gcp/Makefile to replace the two separate gcloud --quiet auth login and gcloud --quiet auth application-default login commands with gcloud --quiet auth login --update-adc. Alternatively, the prerequisites section in the docs could be updated to explain that the manual auth step is optional since make provider-login handles authentication.

Step-by-step proof: (1) User reads prerequisites, runs gcloud auth login --update-adc — sets user credentials AND ADC. (2) User follows step 4: runs make provider-login. (3) Makefile runs gcloud --quiet auth login — re-prompts for user credentials (redundant). (4) Makefile then runs gcloud --quiet auth application-default login — re-sets ADC (also redundant). The user has now authenticated twice using two different invocation styles, which is confusing and inconsistent with the documentation's intent to simplify the auth flow.