google: update workflow versions and instructions (#2478)
* google: update workflow versions and instructions * Pin hashes
Showing
3 changed files
with
197 additions
and
210 deletions.
@@ -1,113 +1,95 @@ | ||
# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the $default-branch branch | ||
# | ||
# Overview: | ||
# | ||
# 1. Authenticate to Google Cloud | ||
# 2. Authenticate Docker to Artifact Registry | ||
# 3. Build a docker container | ||
# 4. Publish it to Google Artifact Registry | ||
# 5. Deploy it to Cloud Run | ||
# This workflow build and push a Docker container to Google Artifact Registry | ||
# and deploy it on Cloud Run when a commit is pushed to the $default-branch | ||
# branch. | ||
# | ||
# To configure this workflow: | ||
# | ||
# 1. Ensure the required Google Cloud APIs are enabled: | ||
# | ||
# Cloud Run run.googleapis.com | ||
# Artifact Registry artifactregistry.googleapis.com | ||
# | ||
# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) | ||
# | ||
# 3. Ensure the required IAM permissions are granted | ||
# 1. Enable the following Google Cloud APIs: | ||
# | ||
# Cloud Run | ||
# roles/run.admin | ||
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) | ||
# - Artifact Registry (artifactregistry.googleapis.com) | ||
# - Cloud Run (run.googleapis.com) | ||
# - IAM Credentials API (iamcredentials.googleapis.com) | ||
# | ||
# Artifact Registry | ||
# roles/artifactregistry.admin (project or repository level) | ||
# You can learn more about enabling APIs at | ||
# https://support.google.com/googleapi/answer/6158841. | ||
# | ||
# NOTE: You should always follow the principle of least privilege when assigning IAM roles | ||
# 2. Create and configure a Workload Identity Provider for GitHub: | ||
# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. | ||
# | ||
# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT | ||
# Depending on how you authenticate, you will need to grant an IAM principal | ||
# permissions on Google Cloud: | ||
# | ||
# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). | ||
# - Artifact Registry Administrator (roles/artifactregistry.admin) | ||
# - Cloud Run Developer (roles/run.developer) | ||
# | ||
# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io | ||
# You can learn more about setting IAM permissions at | ||
# https://cloud.google.com/iam/docs/manage-access-other-resources | ||
# | ||
# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run | ||
# | ||
# Further reading: | ||
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying | ||
# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles | ||
# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry | ||
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege | ||
# 3. Change the values in the "env" block to match your values. | ||
|
||
name: Build and Deploy to Cloud Run | ||
name: 'Build and Deploy to Cloud Run' | ||
|
||
on: | ||
push: | ||
branches: [ $default-branch ] | ||
branches: | ||
- '$default-branch' | ||
|
||
env: | ||
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id | ||
GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location | ||
SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name | ||
REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region | ||
PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID | ||
REGION: 'us-central1' # TODO: update to your region | ||
SERVICE: 'my-service' # TODO: update to your service name | ||
WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider | ||
|
||
jobs: | ||
deploy: | ||
# Add 'id-token' with the intended permissions for workload identity federation | ||
runs-on: 'ubuntu-latest' | ||
|
||
permissions: | ||
contents: 'read' | ||
id-token: 'write' | ||
|
||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
- name: 'Checkout' | ||
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 | ||
|
||
- name: Google Auth | ||
id: auth | ||
uses: 'google-github-actions/auth@v0' | ||
# Configure Workload Identity Federation and generate an access token. | ||
# | ||
# See https://github.com/google-github-actions/auth for more options, | ||
# including authenticating via a JSON credentials file. | ||
- id: 'auth' | ||
name: 'Authenticate to Google Cloud' | ||
uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 | ||
with: | ||
token_format: 'access_token' | ||
workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider | ||
service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - [email protected] | ||
|
||
# NOTE: Alternative option - authentication via credentials json | ||
# - name: Google Auth | ||
# id: auth | ||
# uses: 'google-github-actions/auth@v0' | ||
# with: | ||
# credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' | ||
workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' | ||
|
||
# BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) | ||
|
||
# Authenticate Docker to Google Cloud Artifact Registry | ||
- name: Docker Auth | ||
id: docker-auth | ||
uses: 'docker/login-action@v1' | ||
# BEGIN - Docker auth and build | ||
# | ||
# If you already have a container image, you can omit these steps. | ||
- name: 'Docker Auth' | ||
uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 | ||
with: | ||
username: 'oauth2accesstoken' | ||
password: '${{ steps.auth.outputs.access_token }}' | ||
registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' | ||
password: '${{ steps.auth.outputs.auth_token }}' | ||
registry: '${{ env.REGION }}-docker.pkg.dev' | ||
|
||
- name: Build and Push Container | ||
- name: 'Build and Push Container' | ||
run: |- | ||
docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ | ||
docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" | ||
DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" | ||
docker build --tag "${DOCKER_TAG}" . | ||
docker push "${DOCKER_TAG}" | ||
- name: 'Deploy to Cloud Run' | ||
|
||
# END - Docker auth and build | ||
# END - Docker auth and build | ||
|
||
- name: Deploy to Cloud Run | ||
id: deploy | ||
uses: google-github-actions/deploy-cloudrun@v0 | ||
uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 | ||
with: | ||
service: ${{ env.SERVICE }} | ||
region: ${{ env.REGION }} | ||
# NOTE: If using a pre-built image, update the image name here | ||
image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} | ||
service: '${{ env.SERVICE }}' | ||
region: '${{ env.REGION }}' | ||
# NOTE: If using a pre-built image, update the image name below: | ||
|
||
image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}' | ||
# If required, use the Cloud Run URL output in later steps | ||
- name: 'Show output' | ||
run: |2- | ||
# If required, use the Cloud Run url output in later steps | ||
- name: Show Output | ||
run: echo ${{ steps.deploy.outputs.url }} | ||
echo ${{ steps.deploy.outputs.url }} |
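Review bot: The new `DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/…"` line in the Build and Push step has a stray leading `$`: after expression substitution the shell sees `$us-central1-docker.pkg.dev/...`, expands `$us` to nothing, and builds and pushes the image under a mangled tag; drop the extra dollar, `DOCKER_TAG="${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"`. The deploy step's `id: deploy` is printed only among the removed, unquoted lines, and the new `- name: 'Deploy to Cloud Run'` / `uses: 'google-github-actions/deploy-cloudrun@3355…'` pair shows no id, yet `Show output` still echoes `${{ steps.deploy.outputs.url }}`; unless the id survives as context that this rendering does not recover, that expression resolves to an empty string and the step needs `id: 'deploy'` — the same applies to the deploy step in the second file of this commit. The Docker login password changes to `steps.auth.outputs.auth_token`; please confirm against the pinned auth@v2 documentation that this output is the OAuth access token the `oauth2accesstoken` login expects and that `token_format` is still set on the new side, since neither is recoverable from the rendered hunk. Pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the right supply-chain practice; keep that comment accurate so pin-update tooling can track the tag.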
@@ -1,95 +1,75 @@ | ||
# This workflow will deploy source code on Cloud Run when a commit is pushed to the $default-branch branch | ||
# | ||
# Overview: | ||
# | ||
# 1. Authenticate to Google Cloud | ||
# 2. Deploy it to Cloud Run | ||
# This workflow will deploy source code on Cloud Run when a commit is pushed to | ||
# the $default-branch branch. | ||
# | ||
# To configure this workflow: | ||
# | ||
# 1. Ensure the required Google Cloud APIs are enabled: | ||
# | ||
# Cloud Run run.googleapis.com | ||
# Cloud Build cloudbuild.googleapis.com | ||
# Artifact Registry artifactregistry.googleapis.com | ||
# | ||
# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) | ||
# | ||
# 3. Ensure the required IAM permissions are granted | ||
# 1. Enable the following Google Cloud APIs: | ||
# | ||
# Cloud Run | ||
# roles/run.admin | ||
# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) | ||
# - Artifact Registry (artifactregistry.googleapis.com) | ||
# - Cloud Build (cloudbuild.googleapis.com) | ||
# - Cloud Run (run.googleapis.com) | ||
# - IAM Credentials API (iamcredentials.googleapis.com) | ||
# | ||
# Cloud Build | ||
# roles/cloudbuild.builds.editor | ||
# You can learn more about enabling APIs at | ||
# https://support.google.com/googleapi/answer/6158841. | ||
# | ||
# Cloud Storage | ||
# roles/storage.objectAdmin | ||
# 2. Create and configure a Workload Identity Provider for GitHub: | ||
# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. | ||
# | ||
# Artifact Registry | ||
# roles/artifactregistry.admin (project or repository level) | ||
# Depending on how you authenticate, you will need to grant an IAM principal | ||
# permissions on Google Cloud: | ||
# | ||
# NOTE: You should always follow the principle of least privilege when assigning IAM roles | ||
# - Artifact Registry Administrator (roles/artifactregistry.admin) | ||
# - Cloud Run Source Developer (roles/run.sourceDeveloper) | ||
# | ||
# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT | ||
# You can learn more about setting IAM permissions at | ||
# https://cloud.google.com/iam/docs/manage-access-other-resources. | ||
# | ||
# 5. Change the values for the SERVICE and REGION environment variables (below). | ||
# | ||
# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run | ||
# | ||
# Further reading: | ||
# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity | ||
# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy | ||
# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code | ||
# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege | ||
# 3. Change the values in the "env" block to match your values. | ||
|
||
name: Deploy to Cloud Run from Source | ||
name: 'Deploy to Cloud Run from Source' | ||
|
||
on: | ||
push: | ||
branches: [ $default-branch ] | ||
branches: | ||
- '$default-branch' | ||
|
||
env: | ||
PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id | ||
SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name | ||
REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region | ||
PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID | ||
REGION: 'us-central1' # TODO: update to your region | ||
SERVICE: 'my-service' # TODO: update to your service name | ||
|
||
jobs: | ||
deploy: | ||
# Add 'id-token' with the intended permissions for workload identity federation | ||
runs-on: 'ubuntu-latest' | ||
|
||
permissions: | ||
contents: 'read' | ||
id-token: 'write' | ||
|
||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v2 | ||
- name: 'Checkout' | ||
uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 | ||
|
||
- name: Google Auth | ||
id: auth | ||
uses: 'google-github-actions/auth@v0' | ||
# Configure Workload Identity Federation and generate an access token. | ||
# | ||
# See https://github.com/google-github-actions/auth for more options, | ||
# including authenticating via a JSON credentials file. | ||
- id: 'auth' | ||
name: 'Authenticate to Google Cloud' | ||
uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 | ||
with: | ||
workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider | ||
service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - [email protected] | ||
|
||
# NOTE: Alternative option - authentication via credentials json | ||
# - name: Google Auth | ||
# id: auth | ||
# uses: 'google-github-actions/auth@v0' | ||
# with: | ||
# credentials_json: '${{ secrets.GCP_CREDENTIALS }}' | ||
workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: replace with your workload identity provider | ||
|
||
- name: Deploy to Cloud Run | ||
id: deploy | ||
uses: google-github-actions/deploy-cloudrun@v0 | ||
- name: 'Deploy to Cloud Run' | ||
uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 | ||
with: | ||
service: ${{ env.SERVICE }} | ||
region: ${{ env.REGION }} | ||
# NOTE: If required, update to the appropriate source folder | ||
source: ./ | ||
service: '${{ env.SERVICE }}' | ||
region: '${{ env.REGION }}' | ||
# NOTE: If using a different source folder, update the image name below: | ||
source: './' | ||
|
||
# If required, use the Cloud Run url output in later steps | ||
- name: Show Output | ||
run: echo ${{ steps.deploy.outputs.url }} | ||
# If required, use the Cloud Run URL output in later steps | ||
- name: 'Show output' | ||
run: |- | ||
echo ${{ steps.deploy.outputs.url }} |
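Review bot: The new comment above `source: './'` reads `# NOTE: If using a different source folder, update the image name below:`, but the key it annotates is `source`, not an image name — it looks carried over from the container variant; change it to `# NOTE: If using a different source folder, update the path below:`. The workload identity provider is spelled inline in the auth step here (`workload_identity_provider: 'projects/123456789/…'  # TODO: replace with your workload identity provider`), while the sibling container workflow in this commit moves the same value to `env.WORKLOAD_IDENTITY_PROVIDER`; aligning this template on the env-block form would make the header's step 3 ("Change the values in the "env" block") true for both files and keep the two templates diffable.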
ae01bb2
deployments/google.yml
Merge #2478 Branch: main 965022-oss-patch3/SHA: f4dbb8424c