Home

Awesome

deploy-cloudrun

The deploy-cloudrun GitHub Action deploys to Google Cloud Run. It can deploy a container image or from source, and the resulting service URL is available as a GitHub Actions output for use in future steps.

This is not an officially supported Google product, and it is not covered by a Google Cloud support contract. To report bugs or request features in a Google Cloud product, please contact Google Cloud support.

Prerequisites

Usage

jobs:
  job_id:
    # ...

    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v4'

    - uses: 'google-github-actions/auth@v2'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloudrun@v2'
      with:
        service: 'hello-cloud-run'
        image: 'gcr.io/cloudrun/hello'

    - name: 'Use output'
      run: 'curl "${{ steps.deploy.outputs.url }}"'

Inputs

<!-- BEGIN_AUTOGEN_INPUTS --> <!-- END_AUTOGEN_INPUTS -->

Custom metadata YAML

For advanced use cases, you can define a custom Cloud Run metadata file. This is a YAML description of the Cloud Run service or job. This allows you to customize your service configuration, such as memory limits, CPU allocation, max instances, and more.

⚠️ When using a custom metadata YAML file, all other inputs are ignored!

To deploying a new service to create a new YAML service definition:

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE
spec:
  template:
    spec:
      containers:
      - image: IMAGE

To update a revision or to deploy a new revision of an existing service, download and modify the YAML service definition:

gcloud run services describe SERVICE --format yaml > service.yaml

Allowing unauthenticated requests

A Cloud Run product recommendation is that CI/CD systems not set or change settings for allowing unauthenticated invocations. New deployments are automatically private services, while deploying a revision of a public (unauthenticated) service will preserve the IAM setting of public (unauthenticated). For more information, see Controlling access on an individual service.

Outputs

<!-- BEGIN_AUTOGEN_OUTPUTS --> <!-- END_AUTOGEN_OUTPUTS -->

Authorization

There are a few ways to authenticate this action. The caller must have permissions to access the secrets being requested.

You will need to authenticate to Google Cloud as a service account with the following roles:

This service account needs to be a member of the Compute Engine default service account, (PROJECT_NUMBER-compute@developer.gserviceaccount.com), with role Service Account User. To grant a user permissions for a service account, use one of the methods found in Configuring Ownership and access to a service account.

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication.

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:

    # ...

    - uses: 'google-github-actions/auth@v2'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - uses: 'google-github-actions/deploy-cloudrun@v2'
      with:
        image: 'gcr.io/cloudrun/hello'
        service: 'hello-cloud-run'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    # ...

    - uses: 'google-github-actions/deploy-cloudrun@v2'
      with:
        image: 'gcr.io/cloudrun/hello'
        service: 'hello-cloud-run'

The action will automatically detect and use the Application Default Credentials.

Example Workflows