Home

Awesome

deploy-cloud-functions

This action deploys your function source code to Cloud Functions and makes the URL available to later build steps via outputs.

[!CAUTION]

This README corresponds to the "v3" GitHub Action, which is currently in beta. If you are using "v2", see the documentation for google-github-actions/deploy-cloud-functions@v2.

This is not an officially supported Google product, and it is not covered by a Google Cloud support contract. To report bugs or request features in a Google Cloud product, please contact Google Cloud support.

Prerequisites

Usage

jobs:
  job_id:
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v4'

    - id: 'auth'
      uses: 'google-github-actions/auth@v2'
      with:
        project_id: 'my-project'
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloud-functions@v3'
      timeout-minutes: 10
      with:
        name: 'my-function'
        runtime: 'nodejs22'

    # Example of using the output
    - id: 'test'
      run: 'curl "${{ steps.deploy.outputs.url }}"'

Inputs

[!IMPORTANT]

In addition to these inputs, we highly recommend setting job and step-level timeouts, which can be used to control total deployment time.

<!-- BEGIN_AUTOGEN_INPUTS --> <!-- END_AUTOGEN_INPUTS -->

Allowing unauthenticated requests

The Cloud Functions product recommendation is that CI/CD systems not set or change settings for allowing unauthenticated invocations. New deployments are automatically private services, while deploying a revision of a public (unauthenticated) service will preserve the IAM setting of public (unauthenticated). For more information, see Controlling access on an individual service.

Outputs

<!-- BEGIN_AUTOGEN_OUTPUTS --> <!-- END_AUTOGEN_OUTPUTS -->

Authorization

The deployment service account must have the following IAM permissions:

Additionally, the deployment service account must have permissions to act as (impersonate) the runtime service account, which can be achieved by granting the deployment service account "roles/iam.serviceAccountUser" permissions on the runtime service account. See the Google Cloud documentation to learn more about custom runtime service accounts and additional configuration for deployment

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication.

Authenticating via Workload Identity Federation

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v4'

    - id: 'auth'
      uses: 'google-github-actions/auth@v2'
      with:
        project_id: 'my-project'
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloud-functions@v3'
      timeout-minutes: 10
      with:
        name: 'my-function'
        runtime: 'nodejs22'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    - uses: 'actions/checkout@v4'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloud-functions@v3'
      timeout-minutes: 10
      with:
        name: 'my-function'
        runtime: 'nodejs22'

The action will automatically detect and use the Application Default Credentials.