deploy-cloudrun
This action deploys your container image to Cloud Run and makes the URL available to later build steps via outputs.
Prerequisites
This action requires:
-
Google Cloud credentials that are authorized to deploy a Cloud Run service. See the Authorization section below for more information.
Usage
steps:
- id: deploy
uses: google-github-actions/deploy-cloudrun@main
with:
image: gcr.io/cloudrun/hello
service: hello-cloud-run
credentials: ${{ secrets.gcp_credentials }}
# Example of using the output
- id: test
run: curl "${{ steps.deploy.outputs.url }}"Inputs
-
image: Name of the container image to deploy (e.g. gcr.io/cloudrun/hello:latest). Required if not using a service YAML. -
service: ID of the service or fully qualified identifier for the service. Required if not using a service YAML. -
region: Region in which the resource can be found. -
credentials: Service account key to use for authentication. This should be the JSON formatted private key which can be exported from the Cloud Console. The value can be raw or base64-encoded. Required if not using a thesetup-gcloudaction with exported credentials. -
env_vars: List of key-value pairs to set as environment variables in the format: KEY1=VALUE1,KEY2=VALUE2. All existing environment variables will be retained. -
metadata: YAML service description for the Cloud Run service. See Metadata customizations for more information. Existing configuration will be retained besides container entrypoint and arguments. -
project_id: (Optional) ID of the Google Cloud project. If provided, this will override the project configured by gcloud.
Metadata customizations
You can store your service specification in a YAML file. This will allow for further service configuration, such as memory limits, CPU allocation, max instances, and more.
- See Deploying a new service to create a new YAML service definition, for example:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: SERVICE
spec:
template:
spec:
containers:
- image: IMAGE- See Deploy a new revision of an existing service to generated a YAML service specification from an existing service:
gcloud run services describe SERVICE --format yaml > service.yaml
Allow unauthenticated requests
A Cloud Run product recommendation is that CI/CD systems not set or change settings for allowing unauthenticated invocations. New deployments are automatically private services, while deploying a revision of a public (unauthenticated) service will preserve the IAM setting of public (unauthenticated). For more information, see Controlling access on an individual service.
Outputs
url: The URL of your Cloud Run service.
Authorization
There are a few ways to authenticate this action. A service account will be needed with the following roles:
- Cloud Run Admin (
roles/run.admin):- Can create, update, and delete services.
- Can get and set IAM policies.
This service account needs to a member of the Compute Engine default service account,
(PROJECT_NUMBER-compute@developer.gserviceaccount.com), with role
Service Account User. To grant a user permissions for a service account, use
one of the methods found in Configuring Ownership and access to a service account.
Used with setup-gcloud
You can provide credentials using the setup-gcloud action:
- uses: google-github-actions/setup-gcloud@master
with:
version: '290.0.1'
service_account_key: ${{ secrets.GCP_SA_KEY }}
export_default_credentials: true
- id: Deploy
uses: google-github-actions/deploy-cloudrun@main
with:
image: gcr.io/cloudrun/hello
service: hello-cloud-runVia Credentials
You can provide Google Cloud Service Account JSON directly to the action
by specifying the credentials input. First, create a GitHub
Secret that contains the JSON content, then import it into the
action:
- id: Deploy
uses: google-github-actions/deploy-cloudrun@main
with:
credentials: ${{ secrets.GCP_SA_KEY }}
image: gcr.io/cloudrun/hello
service: hello-cloud-runVia Application Default Credentials
If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.
- id: Deploy
uses: google-github-actions/deploy-cloudrun@main
with:
image: gcr.io/cloudrun/hello
service: hello-cloud-runThe action will automatically detect and use the Application Default Credentials.
Example Workflows
Setup
-
Create a new Google Cloud Project (or select an existing project).
-
Create a Google Cloud service account or select an existing one.
-
Add the the following [Cloud IAM roles][roles] to your service account:
-
Cloud Run Admin- allows for the creation of new Cloud Run services -
Service Account User- required to deploy to Cloud Run as service account -
Storage Admin- allow push to Google Container Registry (this grants project level access, but recommend reducing this scope to bucket level permissions.)
-
-
Download a JSON service account key for the service account.
-
Add the following secrets to your repository's secrets:
-
GCP_PROJECT: Google Cloud project ID -
GCP_SA_KEY: the downloaded service account key
-
Deploy a prebuilt container
To run this workflow, push to the branch named example-deploy:
git push YOUR-FORK main:example-deployBuild and deploy a container
To run this workflow, push to the branch named example-build-deploy:
git push YOUR-FORK main:example-build-deployReminder: If this is your first deployment of a service, it will reject all unauthenticated requests. Learn more at allowing unauthenticated requests
Migrating from setup-gcloud
Example using setup-gcloud:
- name: Setup Cloud SDK
uses: google-github-actions/setup-gcloud@v0.2.0
with:
project_id: ${{ env.PROJECT_ID }}
service_account_key: ${{ secrets.GCP_SA_KEY }}
- name: Deploy to Cloud Run
run: |-
gcloud run deploy $SERVICE \
--region $REGION \
--image gcr.io/$PROJECT_ID/$SERVICE \
--platform managed \
--set-env-vars NAME="Hello World"Migrated to deploy-cloudrun:
- name: Deploy to Cloud Run
uses: google-github-actions/deploy-cloudrun@v0.2.0
with:
service: ${{ env.SERVICE }}
image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}
region: ${{ env.REGION }}
credentials: ${{ secrets.GCP_SA_KEY }}
env_vars: NAME="Hello World"Note: The action is for the "managed" platform and will not set access privileges such as allowing unauthenticated requests.