deploy-cloudrun
The deploy-cloudrun
GitHub Action deploys to Google Cloud Run. It
can deploy a container image or from source, and the resulting service URL is
available as a GitHub Actions output for use in future steps.
Prerequisites
-
For authenticating to Google Cloud, you must create a Workload Identity Provider or export credentials. See Credentials for more information.
-
For deploying from source, you must run the
actions/checkout@v3
step before this action. -
You must enable the Cloud Run API.
-
This action runs using Node 16. If you are using self-hosted GitHub Actions runners, you must use runner version 2.285.0 or newer.
Usage
jobs:
job_id:
# ...
permissions:
contents: 'read'
id-token: 'write'
steps:
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
service_account: '[email protected]'
- id: 'deploy'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
service: 'hello-cloud-run'
image: 'gcr.io/cloudrun/hello'
- name: 'Use output'
run: 'curl "${{ steps.deploy.outputs.url }}"'
Inputs
-
service
: (Required, unless providingmetadata
) ID of the service or fully-qualified identifier of the service. -
image
: (Required, unless providingmetadata
orsource
) Fully-qualified name of the container image to deploy. For example:gcr.io/cloudrun/hello:latest
or
us-docker.pkg.dev/my-project/my-container/image:1.2.3
-
source
: (Required, unless providingmetadata
orimage
) Path to source to deploy. If specified, this will deploy the Cloud Run service from the code specified at the given source directory.This requires the Artifact Registry API to be enabled. Furthermore, the deploying service account must have the
Cloud Build Service Account
role. The initial deployment will create an Artifact Registry repository which requires theArtifact Registry Admin
role.Learn more about Deploying from source code.
-
suffix
: (Optional) String suffix to append to the revision name. The default value is no suffix. -
env_vars
: (Optional) List of key=value pairs to set as environment variables. All existing environment variables will be retained.with: env_vars: | FOO=bar ZIP=zap
-
secrets
: (Optional) List of key=value pairs to use as secrets. These can either be injected as environment variables or mounted as volumes. All existing environment secrets and volume mounts will be retained.with: secrets: | # As an environment variable: KEY1=secret-key-1:latest # As a volume mount: /secrets/api/key=secret-key-2:latest
-
labels
: (Optional) List of key=value pairs to set as labels on the Cloud Run service. Existing labels will be overwritten.with: labels: my-label=my-value
The GitHub Action will automatically apply the following labels which Cloud Run uses to enhance the user experience:
managed-by: github-actions commit-sha: <sha>
Labels have strict naming and casing requirements. See Requirements for labels for more information.
-
tag
: (Optional) Traffic tag to assign to the newly-created revision. -
timeout
: (Optional) Maximum request execution time, specified as a duration like "10m5s" for ten minutes and 5 seconds. -
flags
: (Optional) Space separate list of other Cloud Run flags. This can be used to access features that are not exposed via this GitHub Action.with: flags: '--add-cloudsql-instances=...'
See the complete list of flags for more information.
-
no_traffic
: (Optional) If true, the newly deployed revision will not receive traffic. The default value is false. -
revision_traffic
: (Optional, mutually-exclusive withtag_traffic
) Comma-separated list of revision traffic assignments.with: revision_traffic: 'my-revision=10' # percentage
-
tag_traffic
: (Optional, mutually-exclusive withrevision_traffic
) Comma-separated list of tag traffic assignments.with: tag_traffix: 'my-tag=10' # percentage
-
project_id
: (Optional) ID of the Google Cloud project in which to deploy the service. The default value is computed from the environment. -
region
: (Optional) Region in which to deploy the service. The default value isus-central1
. -
gcloud_version
: (Optional) Version of thegcloud
CLI to use. The default value islatest
. -
gcloud_component
: (Optional) Component of thegcloud
CLI to use. Valid values arealpha
andbeta
.
Custom metadata YAML
For advanced use cases, you can define a custom Cloud Run metadata file. This is a YAML description of the Cloud Run service. This allows you to customize your service configuration, such as memory limits, CPU allocation, max instances, and more.
metadata
: (Optional) The path to a Cloud Run service metadata file.
To deploying a new service to create a new YAML service definition:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: SERVICE
spec:
template:
spec:
containers:
- image: IMAGE
To update a revision or to deploy a new revision of an existing service, download and modify the YAML service definition:
gcloud run services describe SERVICE --format yaml > service.yaml
Allowing unauthenticated requests
A Cloud Run product recommendation is that CI/CD systems not set or change settings for allowing unauthenticated invocations. New deployments are automatically private services, while deploying a revision of a public (unauthenticated) service will preserve the IAM setting of public (unauthenticated). For more information, see Controlling access on an individual service.
Outputs
url
: The URL of your Cloud Run service.
Credentials
Via google-github-actions/auth
Use google-github-actions/auth to authenticate the action. This Action supports both the recommended Workload Identity Federation based authentication and the traditional Service Account Key JSON based auth.
See usage for more details.
A service account will be needed with the following roles:
- Cloud Run Admin (
roles/run.admin
):- Can create, update, and delete services.
- Can get and set IAM policies.
This service account needs to be a member of the Compute Engine default service account
,
([email protected])
, with role
Service Account User
. To grant a user permissions for a service account, use
one of the methods found in Configuring Ownership and access to a service account.
Authenticating via Workload Identity Federation
jobs:
job_id:
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
service_account: '[email protected]'
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
image: 'gcr.io/cloudrun/hello'
service: 'hello-cloud-run'
Authenticating via Service Account Key JSON
jobs:
job_id:
steps:
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
credentials_json: '${{ secrets.GCP_SA_KEY }}'
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
image: 'gcr.io/cloudrun/hello'
service: 'hello-cloud-run'
Via Application Default Credentials
If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.
jobs:
job_id:
steps:
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
image: 'gcr.io/cloudrun/hello'
service: 'hello-cloud-run'
Example Workflows
setup-gcloud
Migrating from Example using setup-gcloud
:
jobs:
job_id:
steps:
- name: 'Setup Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v0'
with:
project_id: '${{ env.PROJECT_ID }}'
service_account_key: '${{ secrets.GCP_SA_KEY }}'
- name: 'Deploy to Cloud Run'
run: |-
gcloud run deploy $SERVICE \
--region $REGION \
--image gcr.io/$PROJECT_ID/$SERVICE \
--platform managed \
--set-env-vars NAME="Hello World"
Migrated to deploy-cloudrun
:
jobs:
job_id:
steps:
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
credentials_json: '${{ secrets.GCP_SA_KEY }}'
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
service: '${{ env.SERVICE }}'
image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}'
region: '${{ env.REGION }}'
env_vars: 'NAME="Hello World"'
Note: The action is for the "managed" platform and will not set access privileges such as allowing unauthenticated requests.
Versioning
We recommend pinning to the latest available major version:
- uses: 'google-github-actions/deploy-cloudrun@v0'
While this action attempts to follow semantic versioning, but we're ultimately human and sometimes make mistakes. To prevent accidental breaking changes, you can also pin to a specific version:
- uses: 'google-github-actions/[email protected]'
However, you will not get automatic security updates or new features without
explicitly updating your version number. Note that we only publish MAJOR
and
MAJOR.MINOR.PATCH
versions. There is not a floating alias for
MAJOR.MINOR
.