Giter VIP home page Giter VIP logo

deploy-cloudrun's Introduction

deploy-cloudrun

The deploy-cloudrun GitHub Action deploys to Google Cloud Run. It can deploy a container image or from source, and the resulting service URL is available as a GitHub Actions output for use in future steps.

This is not an officially supported Google product, and it is not covered by a Google Cloud support contract. To report bugs or request features in a Google Cloud product, please contact Google Cloud support.

Prerequisites

  • This action requires Google Cloud credentials that are authorized to access the secrets being requested. See Authorization for more information.

  • This action runs using Node 20. If you are using self-hosted GitHub Actions runners, you must use a runner version that supports this version or newer.

Usage

jobs:
  job_id:
    # ...

    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v4'

    - uses: 'google-github-actions/auth@v2'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloudrun@v2'
      with:
        service: 'hello-cloud-run'
        image: 'gcr.io/cloudrun/hello'

    - name: 'Use output'
      run: 'curl "${{ steps.deploy.outputs.url }}"'

Inputs

  • service: (Optional) ID of the service or fully-qualified identifier of the service. This is required unless providing metadata or job.

  • job: (Optional) ID of the job or fully-qualified identifier of the job. This is required unless providing metadata or service.

  • metadata: (Optional) YAML service description for the Cloud Run service. This is required unless providing service or job.

  • image: (Optional) (Required, unless providing metadata or source) Fully-qualified name of the container image to deploy. For example:

    gcr.io/cloudrun/hello:latest

    or

    us-docker.pkg.dev/my-project/my-container/image:1.2.3

  • source: (Optional) (Required, unless providing metadata, image, or job) Path to source to deploy. If specified, this will deploy the Cloud Run service from the code specified at the given source directory.

    Learn more about the required permissions in Deploying from source code.

  • suffix: (Optional) String suffix to append to the revision name. Revision names always start with the service name automatically. For example, specifying 'v1' for a service named 'helloworld', would lead to a revision named 'helloworld-v1'.

  • env_vars: (Optional) List of environment variables that should be set in the environment. These are comma-separated or newline-separated KEY=VALUE. Keys or values that contain separators must be escaped with a backslash (e.g. \, or \\n) unless quoted. Any leading or trailing whitespace is trimmed unless values are quoted.

    env_vars: |-
  FRUIT=apple
  SENTENCE=" this will retain leading and trailing spaces "

    This value will only be set if the input is a non-empty value. If a non-empty value is given, the field values will be overwritten (not merged). To remove all values, set the value to the literal string {}.

    If both env_vars and env_vars_file are specified, the keys in env_vars will take precendence over the keys in env_vars_files.

  • env_vars_file: (Optional) Path to a file on disk, relative to the workspace, that defines environment variables. The file can be newline-separated KEY=VALUE pairs, JSON, or YAML format. If both env_vars and env_vars_file are specified, the keys in env_vars will take precendence over the keys in env_vars_files.

    NAME=person
[email protected]\,[email protected]

    When specified as KEY=VALUE pairs, the same escaping rules apply as described in env_vars. You do not have to escape YAML or JSON.

    If both env_vars and env_vars_file are specified, the keys in env_vars will take precendence over the keys in env_vars_files.

    ⚠️ DEPRECATION NOTICE: This input is deprecated and will be removed in the next major version release.

  • env_vars_update_strategy: (Required, default: merge) Controls how the environment variables are set on the Cloud Run service. If set to "merge", then the environment variables are merged with any upstream values. If set to "overwrite", then all environment variables on the Cloud Run service will be replaced with exactly the values given by the GitHub Action (making it authoritative).

  • secrets: (Optional) List of KEY=VALUE pairs to use as secrets. These are comma-separated or newline-separated KEY=VALUE. Keys or values that contain separators must be escaped with a backslash (e.g. \, or \\n) unless quoted. Any leading or trailing whitespace is trimmed unless values are quoted.

    These can either be injected as environment variables or mounted as volumes. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables:

    with:
  secrets: |-
    # As an environment variable:
    KEY1=secret-key-1:latest

    # As a volume mount:
    /secrets/api/key=secret-key-2:latest

    This value will only be set if the input is a non-empty value. If a non-empty value is given, the field values will be overwritten (not merged). To remove all values, set the value to the literal string {}.

  • secrets_update_strategy: (Required, default: merge) Controls how the secrets are set on the Cloud Run service. If set to merge, then the secrets are merged with any upstream values. If set to overwrite, then all secrets on the Cloud Run service will be replaced with exactly the values given by the GitHub Action (making it authoritative).

  • labels: (Optional) List of labels that should be set on the function. These are comma-separated or newline-separated KEY=VALUE. Keys or values that contain separators must be escaped with a backslash (e.g. \, or \\n) unless quoted. Any leading or trailing whitespace is trimmed unless values are quoted.

    labels: |-
  labela=my-label
  labelb=my-other-label

    This value will only be set if the input is a non-empty value. If a non-empty value is given, the field values will be overwritten (not merged). To remove all values, set the value to the literal string {}.

    Google Cloud restricts the allowed values and length for labels. Please see the Google Cloud documentation for labels for more information.

  • skip_default_labels: (Optional, default: false) Skip applying the special annotation labels that indicate the deployment came from GitHub Actions. The GitHub Action will automatically apply the following labels which Cloud Run uses to enhance the user experience:

    managed-by: github-actions
commit-sha: <sha>

    Setting this to true will skip adding these special labels.

  • tag: (Optional) Traffic tag to assign to the newly-created revision.

  • timeout: (Optional) Maximum request execution time, specified as a duration like "10m5s" for ten minutes and 5 seconds.

  • flags: (Optional) Space separate list of other Cloud Run flags. This can be used to access features that are not exposed via this GitHub Action.

    with:
  flags: '--add-cloudsql-instances=...'

    Flags that include other flags must quote the entire outer flag value. For example, to pass --args=-X=123:

    with:
  flags: '--add-cloudsql-instances=... "--args=-X=123"'

    See the complete list of flags for more information.

    Please note, this GitHub Action does not parse or validate the flags. You are responsible for making sure the flags are available on the gcloud version and subcommand. When using tag_traffic or revision_traffic, the subcommand is gcloud run services update-traffic. For all other values, the subcommand is gcloud run deploy.

  • no_traffic: (Optional, default: false) If true, the newly deployed revision will not receive traffic.

  • revision_traffic: (Optional) Comma-separated list of revision traffic assignments.

    with:
  revision_traffic: 'my-revision=10' # percentage

    To update traffic to the latest revision, use the special tag "LATEST":

    with:
  revision_traffic: 'LATEST=100'

    This is mutually-exclusive with tag_traffic.

  • tag_traffic: (Optional) Comma-separated list of tag traffic assignments.

    with:
  tag_traffic: 'my-tag=10' # percentage

    This is mutually-exclusive with revision_traffic.

  • project_id: (Optional) ID of the Google Cloud project in which to deploy the service.

  • region: (Optional, default: us-central1) Regions in which the Cloud Run services are deployed. This can be a single region or a comma-separated list of regions.

  • gcloud_version: (Optional) Version of the Cloud SDK to install. If unspecified or set to "latest", the latest available gcloud SDK version for the target platform will be installed. Example: "290.0.1".

  • gcloud_component: (Optional) Version of the Cloud SDK components to install and use.

Custom metadata YAML

For advanced use cases, you can define a custom Cloud Run metadata file. This is a YAML description of the Cloud Run service or job. This allows you to customize your service configuration, such as memory limits, CPU allocation, max instances, and more.

⚠️ When using a custom metadata YAML file, all other inputs are ignored!

  • metadata: (Optional) The path to a Cloud Run service or job metadata file.

To deploying a new service to create a new YAML service definition:

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE
spec:
  template:
    spec:
      containers:
      - image: IMAGE

To update a revision or to deploy a new revision of an existing service, download and modify the YAML service definition:

gcloud run services describe SERVICE --format yaml > service.yaml

Allowing unauthenticated requests

A Cloud Run product recommendation is that CI/CD systems not set or change settings for allowing unauthenticated invocations. New deployments are automatically private services, while deploying a revision of a public (unauthenticated) service will preserve the IAM setting of public (unauthenticated). For more information, see Controlling access on an individual service.

Outputs

  • url: The URL of the Cloud Run service.

Authorization

There are a few ways to authenticate this action. The caller must have permissions to access the secrets being requested.

You will need to authenticate to Google Cloud as a service account with the following roles:

  • Cloud Run Admin (roles/run.admin):
    • Can create, update, and delete services.
    • Can get and set IAM policies.

This service account needs to be a member of the Compute Engine default service account, ([email protected]), with role Service Account User. To grant a user permissions for a service account, use one of the methods found in Configuring Ownership and access to a service account.

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication.

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:

    # ...

    - uses: 'google-github-actions/auth@v2'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - uses: 'google-github-actions/deploy-cloudrun@v2'
      with:
        image: 'gcr.io/cloudrun/hello'
        service: 'hello-cloud-run'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    # ...

    - uses: 'google-github-actions/deploy-cloudrun@v2'
      with:
        image: 'gcr.io/cloudrun/hello'
        service: 'hello-cloud-run'

The action will automatically detect and use the Application Default Credentials.

Example Workflows

deploy-cloudrun's People

Contributors

averikitsch avatar bharathkkb avatar dependabot[bot] avatar donheshanthaka avatar google-github-actions-bot avatar kenta-takeuchi avatar kkr16 avatar m-yamashita01 avatar renovate-bot avatar sethvargo avatar stefafafan avatar steren avatar sulunemre avatar verbanicm avatar vonniklasson avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

google-github-actions-bot averikitsch sharlotta-droid steren eureka-x lgylym jeremysolarz urikatsirprivate rajbos-actions-demo tranduchieu abh006 thaonguyen-ct renovate-bot vonniklasson am11917 mark-mcdonnell expandonline bilalalpaslan archive-42 web-dev-collaborative stefda frodothetrue xtreamsrl 3566666 page2me tayzar-tznw bkniffler tommytroen tejashw btc zyzo890 mabodofutk deviantsfactions mollypi deckhandfirststar01 kkr16 aebrahim codeforfounder davideme brian-mcbride mkmik duarteocarmo vayuway webpee googletweetinc dhanrajsr muflhi01 edenzindia isabella232 umvishwa telus-dvanamst githud-sys chenyt26 atorres-eqrx adrianamusic arvpai m-yamashita01 bon10 kenta-takeuchi modu-ftnc briansu2004 sparkmate prasadjivane rajanish-sapient donheshanthaka phbs1lva dajneem23 vincejv annamuscarella drix0ne kantravikumar spencercorwin acorado umatare5 googlecity313 ota42y simplycubed heidless-stillwater ephilipz gabrielcosi suavdebird makegoodfood scstorytel karupanerura solushunzguru55 yourhomemodpro jamesvillarrubia smbyadav rajeshrajolla intuitisoft-team fxeasy wessribeiro braveenth lonecalvary78 btkelly easy-games ybgara ameliakartikap amaliaputlh roundtofu4

deploy-cloudrun's Issues

ERROR: (gcloud.run.deploy) Invalid value for property [api_endpoint_overrides/run]

TL;DR

Hi team, thanks for sharing the wonderful solution there.

I got an error complaining about the Invalid value for property [api_endpoint_overrides/run]

Expected behavior

No response

Observed behavior

Error: failed to execute gcloud command `gcloud run deploy automation-dummy-api --image $GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA --quiet --platform managed --region $GAR_LOCATION --project XXXX --format json`: ERROR: (gcloud.run.deploy) Invalid value for property [api_endpoint_overrides/run]: The endpoint_overrides property must be an absolute URI beginning with http:// or https:// and ending with a trailing '/'. [https://$GAR_LOCATION-run.googleapis.com/] is not a valid endpoint override.

Action YAML

name: Deployment

on:
  workflow_dispatch:
    inputs:
        version:
          description: 'The version to deploy'
          required: true

env:
  PROJECT_ID: XXXX # ${{ secrets.GCP_PROJECT }}
  GAR_LOCATION: australia-southeast1 # TODO: update region of the Artifact Registry
  REPOSITORY: automation # TODO: update to Artifact Registry docker repository
  IMAGE: automation-template

permissions:
    contents: 'read'
    id-token: 'write'

jobs:
  deployment:
    name: Deployment
    runs-on: ubuntu-latest
    environment: production

    steps:
      - uses: actions/checkout@v2
      - id: auth
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v0'
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/741041240XXX/locations/global/workloadIdentityPools/github-action-pool3/providers/github-action-provider3'
          service_account: '[email protected]'

      - name: Docker configuration
        run: |-
          echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev

      - name: Build
        run: |-
          docker build \
            --tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \
            --build-arg GITHUB_SHA="$GITHUB_SHA" \
            --build-arg GITHUB_REF="$GITHUB_REF" \
            .

      - name: Run Tests
        run: |-
          docker run "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" pytest tests

      # Push the Docker image to Google Artifact Registry
      - name: Publish
        run: |-
          docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"

      - name: 'Deploy to Cloud Run'
        # You may pin to the exact commit or the version.
        # uses: google-github-actions/deploy-cloudrun@ff8b38330cf81843db9cff366e335c34aa467c44
        uses: google-github-actions/deploy-cloudrun@main
        with:
          # Name of the container image to deploy (e.g. gcr.io/cloudrun/hello:latest).
          # Required if not using a service YAML.
          image: $GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA
          # ID of the service or fully qualified identifier for the service.
          # Required if not using a service YAML.
          service: automation-dummy-api
          # Region in which the resource can be found.
          region: $GAR_LOCATION
          # List of key-value pairs to set as environment variables in the format:
          # KEY1=VALUE1,KEY2=VALUE2. All existing environment variables will be
          # removed first.
          # env_vars: # optional
          # YAML serivce description for the Cloud Run service.
          # metadata: # optional
          # The GCP project ID. Overrides project ID set by credentials.
          # project_id: # optional


### Log output

```text
Error: failed to execute gcloud command `gcloud run deploy automation-dummy-api --image $GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA --quiet --platform managed --region $GAR_LOCATION --project XXXX --format json`: ERROR: (gcloud.run.deploy) Invalid value for property [api_endpoint_overrides/run]: The endpoint_overrides property must be an absolute URI beginning with http:// or https:// and ending with a trailing '/'. [https://$GAR_LOCATION-run.googleapis.com/] is not a valid endpoint override.




### Additional information

_No response_

Allow workflow federation credential files

TL;DR

I would like to use a federated credential file from the google-github-actions/auth workflow to authenticate this workflow

Design

Action YAML

- id: auth
   name: Authenticate to Google Cloud
   uses: google-github-actions/[email protected]
   with:
       create_credentials_file: true
       workload_identity_provider: ...
       service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}

- name: 🚀 Create cloud run revision
        uses: google-github-actions/deploy-cloudrun@main
        with:
          metadata: "./src/cloud-run-deployment.yml"
          credentials_file_path: ${{ steps.auth.output.credentials_file_path }}

Action fails to manage traffic

TL;DR

When deploy-cloudrun executes, using default settings, it doesn't manage traffic and actually send requests to the new container.

Expected behavior

I expected deploy-cloudrun to work just like the manual Cloud Run interface: When a deploy happens, if I don't specify traffic settings, send 100% of traffic to the new container.

Observed behavior

It just deploys the container and walks away. You have to go into the admin and manually send traffic to the new container.

Reproduction

Action YAML

      - name: Deploy to Cloud Run
        uses: google-github-actions/deploy-cloudrun@main
        with:
          service: my-service
          image: gcr.io/my-project/my-service:${{ steps.get_version.outputs.VERSION }}
          credentials: ${{ secrets.GCP_SA_KEY }}
          region: us-east4

Additional information

N/A

Multiple Secrets Syntax

Question

Is there any documentation on how to use more than one secret?
I've tried one secret per line but I got an invalid spec error.

Comma separated entries might be working but it would become a really long line in case of too many secrets.

Ingress and Authentication Triggers

Hey,

I would like to know how can I set the Ingress to "Allow internal traffic only" (--ingress internal) and also the Authentication to "Allow unauthenticated invocations" (--allow-unauthenticated).
Without both settings, my pipeline would not work?

Thanks!

Error authenticating the Cloud SDK when using Workload Identity Federation

TL;DR

I'm trying to use Workload Identity Federation, I'm using it as described in issue #248 (comment) but still get Error: Error authenticating the Cloud SDK. when running the workflow.

I believe my auth setup is correct, because I'm able to build my image and push it to GCR using the same auth steps.

Expected behavior

google-github-actions/deploy-cloudrun should be able to deploy to Cloud Run using Workload Identity Federation

Observed behavior

google-github-actions/deploy-cloudrun fails the deployment to Cloud Run with an authentication error:
Error: Error authenticating the Cloud SDK.

Action YAML

name: test_cr

on:
  push:
    branches:
    - '*'
  pull_request:
    branches: [ main ]

jobs:
  deploycr:
   runs-on: 'ubuntu-latest'
   permissions:
      contents: 'read'
      id-token: 'write'
   steps:
    - id: 'auth'
      name: 'Authenticate to Google Cloud'
      uses: 'google-github-actions/[email protected]'
      with:
        workload_identity_provider: '...'
        service_account: '...'
    - name: Deploy to Cloud Run
      id: deploy
      uses: google-github-actions/deploy-cloudrun@main
      with:
        service: hello-cloud-run 
        image: gcr.io/cloudrun/hello

Log output

No response

Additional information

No response

Support env_vars as a file.

TL;DR

Allow multiple env_vars to be specified in a .env file.

Design

Docker supports specifying multiple environmental variables in a .env file with the command line argument --env-file, and it would be very convenient to easily be able to deploy those to cloud run as well, without needing to re-copy them as a comma separated string in env_vars.

 - name: Deploy to Cloud Run
   id: deploy
  uses: google-github-actions/[email protected]
  with:
    service: my-awesome-service
    image: ...
    env_vars: MY_VAR1=10,MY_VAR2=HELLO,...,MY_VAR_100=WORLD
    env_vars_file: easier_place_to_keep_vars.env

Resources

[flags] - `--args` with equal seems to not be supported properly

TL;DR

--args flags for args requiring equals seems to not be properly supported leading to the addition of extra single quotes.

Expected behavior
Should end-up generating a YAML file like:

args:
        - "--database-host=xxx.xxx.xxx.xx"
        - "--database-name=bar"
        - baz

Observed behavior

For instance:

flags: '--args "--database-host=xxx.xxx.xxx.xx" --args "--database-name=bar" --args baz

Will end-up generating a YAML file like:

args:
        - '"--database-host=xxx.xxx.xxx.xx"'
        - '"--database-name=bar"'
        - baz

Reproduction

Action YAML

name: Deployment

on:
  push:
    branches: [main]

env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT }}
  REGION: europe-west4
  IMAGE_NAME: backend
  VERSION: staging
  BUILD_CACHE: /tmp/.buildx-cache

jobs:
  deploy-backend:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: ${{ env.BUILD_CACHE }}
          key: ${{ runner.os }}-buildx-${{ hashFiles('./build/Dockerfile') }}
          restore-keys: ${{ runner.os }}-buildx-

      - uses: actions/[email protected]
        with:
          go-version: "1.16.2"
      - run: make test
      - run: make vet

      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_CLOUD_RUN_SA_KEY }}
          export_default_credentials: true

      - name: Login to GCR
        uses: docker/login-action@v1
        with:
          registry: gcr.io
          username: _json_key
          password: ${{ secrets.GCP_CLOUD_RUN_SA_KEY }}

      - name: Build and Push Docker image | build-image
        uses: docker/build-push-action@v2
        with:
          file: ./build/Dockerfile
          context: .
          target: build-image
          tags: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
          cache-from: type=local,src=${{ env.BUILD_CACHE }}
          cache-to: type=local,dest=${{ env.BUILD_CACHE }}-new

      - name: Build and Push Docker image | deploy-image
        uses: docker/build-push-action@v2
        with:
          file: ./build/Dockerfile
          context: .
          target: deploy-image
          push: true
          tags: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
          cache-from: type=local,src=${{ env.BUILD_CACHE }}
          cache-to: type=local,dest=${{ env.BUILD_CACHE }}-new

      - # Temp fix
        # https://github.com/docker/build-push-action/issues/252
        # https://github.com/moby/buildkit/issues/1896
        name: Move cache
        run: |
          rm -rf ${{ env.BUILD_CACHE }}
          mv ${{ env.BUILD_CACHE }}-new ${{ env.BUILD_CACHE }}

      - name: Deploy private API to Cloud Run
        id: deploy-private
        uses: google-github-actions/deploy-cloudrun@main
        with:
          service: ${{ env.VERSION }}-private-api
          image: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
          region: ${{ env.REGION }}
          flags: '--service-account=foo --args "--database-host=xxx.xxx.xxx.xx" --args "--database-name=bar" --args "--database-password=secret" --args "--database-user=me" --args private'

      - name: Output private API url
        run: curl "${{ steps.deploy-private.outputs.url }}"

Additional information
No

Cloud run secrets via fails to mount two versions in the same directory

  • TL;DR

I tried mounting both version 1 and 2 of a secret into /secret/1.txt=secretname:1,/secret/2.txt=secretname:2, but only 2 got mounted

Expected behavior
I expected the follwoing resulting yaml being deployed:

spec:
  template:
    spec:
      containers:
      - image: gcr.io/...
        volumeMounts:
        - name: secretname-gic-tar-haq
          readOnly: true
          mountPath: /secret
      volumes:
      - name:  secretname-gic-tar-haq
        secret:
          secretName: secretname
          items:
          - key: '1'
            path: 1.txt
          - key: '1'
            path: 2.txt

Observed behavior

Container failed to start and the following error was logged:

Could not open file at path /secret/1.txt. The path is in a mounted secrets volume, but the exact path does not correspond to any secret specified in the mount configuration.

Reproduction

Action YAML

name: Build and Deploy to Cloud Run

on:
  push:
    branches:
      - main

env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT }}
  SERVICE: ropescore-api
  REGION: europe-west1

jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest
    environment: production

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    # Setup gcloud CLI
    - uses: google-github-actions/[email protected]
      with:
        service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT }}
        project_id: ${{ secrets.GCP_PROJECT }}
        export_default_credentials: true

    # Configure Docker to use the gcloud command-line tool as a credential
    # helper for authentication
    - name: Authorize Docker push
      run: gcloud auth configure-docker

    # Build the Docker image
    - name: Build
      run: |-
        docker build \
          --tag "gcr.io/$PROJECT_ID/$SERVICE:$GITHUB_SHA" \
          --build-arg GITHUB_SHA="$GITHUB_SHA" \
          --build-arg GITHUB_REF="$GITHUB_REF" \
          .

    # Push the Docker image to Google Container Registry
    - name: Publish
      run: |-
        docker push "gcr.io/$PROJECT_ID/$SERVICE:$GITHUB_SHA"

    - name: Deploy to Cloud Run
      id: deploy
      uses: google-github-actions/[email protected]
      with:
        service: ${{ env.SERVICE }}
        image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
        region: ${{ env.REGION }}
        env_vars: SENTRY_DSN=${{ secrets.SENTRY_DSN }},GCP_PROJECT=${{ secrets.GCP_PROJECT }},JWT_ALG=ES256,JWT_PRIVKEY_PATH=${{ secrets.JWT_PRIVKEY_PATH }},JWT_PUBKEY_PATH=${{ secrets.JWT_PUBKEY_PATH }}
        secrets: ${{ secrets.JWT_PRIVKEY_PATH }}=${{ secrets.JWT_PRIVKEY_SECRET }},${{ secrets.JWT_PUBKEY_PATH }}=${{ secrets.JWT_PUBKEY_SECRET }}
        flags: --max-instances=1

    - name: Show Output
      run: echo ${{ steps.deploy.outputs.url }}

Repository
https://github.com/RopeScore/api.ropescore.app/blob/main/.github/workflows/cloud-run.yml

Unclear Error: Request has Errrors with google-github-actions/[email protected]

Question

I'm trying to deploy the below configuration using google-github-actions/[email protected]

gcloud run deploy xyz-service \
  --image gcr.io/x/y:z \
  --region us-central1 \
  --platform managed \
  --max-instances 1 \
  --port 443 \
  --allow-unauthenticated

with the following workflow and service.yaml.

workflow.yaml

- name: deploy to Cloud Run
  id: deploy
    uses: google-github-actions/[email protected]
    with:
      service: xyz-service
      image: gcr.io/x/y:z
      region: us-central1

service.yaml

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: xyz-service
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: '1' 
    spec:
      containers:
      - image: gcr.io/x/y:z
      - env:
        - PORT: 443

I'm getting back

Error: Error: The request has errors
Error: The request has errors

Not sure if it's a limitation or am I doing something wrong?

New revision isn't actually deployed

The github action reports success however when I go to cloud run revision console it shows the latest deployed revision was from a week ago even though the github action ran today. The only way I can get the GH action to work again is to manually deploy a new revision from Cloud Run UI and then run the GH action again. That will work. However then any subsequent GH action won't result in new revision being deployment.

I highly suspect the logic with revision naming is causing issues. This might be the code that's causing the behaviour: https://github.com/google-github-actions/deploy-cloudrun/blob/main/src/cloudRun.ts#L194

This is the GH action example where it reported success but didn't actually deploy a new revision: https://github.com/websu-io/websu/runs/1693522408?check_suite_focus=true

Happy to show it through screenshare as well

The wrong service account is being used

TL;DR

Somehow the wrong service account is being used, I have tried both using credentials file directly and using setup-gcloud export.

Expected behavior
The service account in my json secret should be used.

Observed behavior
Another service account was used (project default or other?). I was getting the message ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist). I guess it was a permissions error where my Service Account was trying to actAs another service account.

Reproduction

Action YAML

# .github/workflows/ci.yml

name: Earthly CI with Google Cloud Run deploy

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      FORCE_COLOR: 1
    steps:
    - uses: actions/checkout@v2
    - name: Put back the git branch into git (Earthly uses it for tagging)
      run: |
        branch=""
        if [ -n "$GITHUB_HEAD_REF" ]; then
          branch="$GITHUB_HEAD_REF"
        else
          branch="${GITHUB_REF##*/}"
        fi
        git checkout -b "$branch" || true
    - name: Login to GAR
      uses: docker/login-action@v1
      with:
        registry: europe-north1-docker.pkg.dev
        username: _json_key
        password: ${{ secrets.GCP_SA_KEY }}
    - name: Download latest earthly
      run: "sudo /bin/sh -c 'wget https://github.com/earthly/earthly/releases/download/v0.4.4/earthly-linux-amd64 -O /usr/local/bin/earthly && chmod +x /usr/local/bin/earthly'"
    - name: Earthly version
      run: earthly --version
    - name: Run build
      run: earthly --push +docker-google
    - uses: google-github-actions/setup-gcloud@master
      with:
        version: '290.0.1'
        service_account_key: ${{ secrets.GCP_SA_KEY }}
        export_default_credentials: true
    - id: Deploy
      uses: google-github-actions/deploy-cloudrun@main
      with:
        image: europe-north1-docker.pkg.dev/b-jmnorlund-net/tide/jmnoz/tide-tera:latest
        service: tide
        region: europe-north1
        credentials: ${{ secrets.GCP_SA_KEY }}

Repository
https://github.com/jmn/tide-tera

Additional information
Using Earthly build tool

Adding secrets on deployment

TL;DR

It's possible to reference secrets either by mounting them as files or add them as environment variables on deployment (see references). It'd be great to have the option to add them on deployment through the GitHub action as well.

Design

Action YAML
Probably the same way you reference environment variables through deployment today, but with the revision tag as suffix. Preferably the underlying --update-secrets tag would be used, so it matches the behaviour of the existing env_vars functionality.

- secrets = LOCAL_ENV_NAME=secret-name:[revision|latest],...

Using a path instead of environment name would mount it as file instead.

Resources

Additional information
N/A

How do I get this action to send traffic to my new revision?

I have the following step in my workflow:

      - name: Deploy to Cloud Run
        uses: google-github-actions/deploy-cloudrun@main
        with:
          service: cathode
          image: gcr.io/nsg-lobby/cathode:${{ steps.get_version.outputs.VERSION }}
          credentials: ${{ secrets.GCP_SA_KEY }}
          region: us-east4

I see the revisions being deployed in Cloud Run, but they never get traffic assigned to them. I have to manually assign traffic in the UI in order for any of the revisions to be active at our URL. Is there any way I can make this action send all traffic to the new revision every time it's deployed? From the documentation that looked like it was the default behavior, but I don't see that in action on my Google Cloud account...

Update to use Node 16

TL;DR

Node 12 is deprecated

Detailed design

  • Cut a release with current features with node12 support
  • Update action.yml to uses: 'node16'
  • Update all tests to use 16 in the matrix
  • Update actions/checkout@v2 -> actions/checkout@v3 everywhere
  • Update README to note node 16 requirement for self-hosted runners (example)
  • Cut a release with node16 support

Additional information

No response

Improve error messages for invalid inputs

TL;DR

Creating service revision results in an error.

Expected behavior

The action should have resulted in creating a new revision using the existing image.

Observed behavior

The action resulted in the below error on the deploy step.
Screen Shot 2021-01-01 at 8 24 02 PM

Reproduction

Action YAML

# Paste your complete GitHub Actions YAML here, removing
# any sensitive values.

# Copyright 2020 Google, LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: BuildDockerGCPRun

on:
  push:
    branches:
    - main

env:
  PROJECT_ID: ${{ secrets.GCE_PROJECT }}
  DB_CONNECTON_JSON: ${{ secrets.DB_CONNECTION_SECRETS }}
  ACTIONS_RUNNER_DEBUG: true
  ACTIONS_STEP_DEBUG: true

jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    # Setup gcloud CLI
    - uses: google-github-actions/setup-gcloud@master
      with:
        service_account_key: ${{ secrets.GCE_SA_KEY }}
        project_id: ${{ secrets.GCE_PROJECT }}
        export_default_credentials: true

    # Configure Docker to use the gcloud command-line tool as a credential
    # helper for authentication
    - run: |-
        gcloud --quiet auth configure-docker
        
    - name: Copy SQL Credentials
      run: |-
        echo $DB_CONNECTON_JSON > ./config/config.json

    # Build the Docker image
    - name: Build
      run: |-
        docker build --tag "gcr.io/<projectID>/<image>:${GITHUB_SHA::8}" .

    # Push the Docker image to Google Container Registry
    - name: Publish
      run: |-
        docker push "gcr.io/<projectID>/<image>:${GITHUB_SHA::8}"

    - name: Deploy to Cloud Run
      uses: google-github-actions/[email protected]
      with:
        image: gcr.io/<projectID>/<image>:${GITHUB_SHA::8}
        service: <image>
        credentials: ${{ secrets.GCE_SA_KEY }}

Repository

https://github.com/adityak74/wazirx-visualizer

Additional information

N/A

The feature 'sandbox selector' is not supported in the declared launch

Hello, I've been using this action since last week and everything worked just fine. But since today some errors happen and fail to depoly the image.

Expected behavior

It depolys new cloud run images successfully.

Observed behavior

Run google-github-actions/[email protected]
  with:
    service: ***
    image: asia.gcr.io/***/***:299faf0ea2878d743045b2ab96914290c774e633
    region: asia-northeast1
  env:
    PROJECT_ID: ***
    SERVICE: ***
    SA_KEY: ***
    REGION: asia-northeast1
    IMAGE: asia.gcr.io/***/***
    CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
    GCLOUD_PROJECT: ***
    GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/***/***/0dfa6524-a860-4607-bebf-c46a81b38eaa
Setting project Id from $GCLOUD_PROJECT
Creating a service revision...
Error: Error: The feature 'sandbox selector' is not supported in the declared launch stage on resource ***. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.
Error: The feature 'sandbox selector' is not supported in the declared launch stage on resource ***. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.

I visited the https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation page but found nothing I can do as a user of this action.

Reproduction

Action YAML

https://github.com/rainy-me/tsukiyo/blob/master/.github/workflows/depoly-backend.yml

name: Deploy Backend Cloud Run

on:
  push:
    branches:
      - master

# adapted form https://github.com/google-github-actions/deploy-cloudrun/blob/main/.github/workflows/example-workflow.yaml
env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT }}
  SERVICE: ${{ secrets.GCP_SERVICE }}
  SA_KEY: ${{ secrets.GCP_SA_KEY }}
  REGION: asia-northeast1
  IMAGE: asia.gcr.io/${{ secrets.GCP_PROJECT }}/${{ secrets.GCP_SERVICE }}

jobs:
  deploy-backend:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./backend
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.PROJECT_ID }}
          service_account_key: ${{ env.SA_KEY }}
          export_default_credentials: true

      - name: Authorize Docker
        run: gcloud auth configure-docker

      - name: Build and Push Container
        run: |
          docker pull ${{ env.IMAGE }}-cache || true
          docker build . -t ${{ env.IMAGE }}:${{  github.sha }} -f Dockerfile.prod --cache-from=${{ env.IMAGE }}-cache
          docker push ${{ env.IMAGE }}:${{  github.sha }} || true
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@main
        with:
          service: ${{ env.SERVICE }}
          image: ${{ env.IMAGE }}:${{ github.sha }}
          region: ${{ env.REGION }}

      - uses: 8398a7/action-slack@v3
        with:
          status: custom
          fields: workflow,job,commit,repo,ref,author,took
          custom_payload: |
            {
              username: 'deploy-backend',
              icon_emoji: ':actix:',
              attachments: [{
                color: '${{ job.status }}' === 'success' ? 'good' : '${{ job.status }}' === 'failure' ? 'danger' : 'warning',
                text: `Deploy backend done in ${process.env.AS_TOOK} :actix:`,
              }]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

Repository

https://github.com/rainy-me/tsukiyo

specifically the depoly-backend action

Additional information

Allow overwriting image name from the commandline with metadata

TL;DR

When working with metadata customizations it is required to set the image name in the YAML file.
This can cause problems since it is not easily possible to uniquely tag the image with the git commit hash as recommended in the docs.

It would be great if the image name could be overwritten via the command line even if a metadata YAML file is used

Design

It would be great if in the following action the image name of the yaml file would be overwritten instead of silently ignored which can cause quite some frustration since only a hard to miss warning is printed in the logs.

Action YAML

- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{  github.sha }}
    metadata: ./service.yaml

My current ugly workaround for this is:

- name: Set Image Name
  run: sed -i 's!REPLACE_IMAGE_NAME!gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{  github.sha }}!g' service.yaml

- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    metadata: ./service.yaml

Sandbox selector is not supported

TL;DR

The deploy action throws following error message
Error: The feature 'sandbox selector' is not supported in the declared launch stage on resource cloud-run-demo. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.

Expected behavior
Deployment to Google Cloud Run. It worked before

Observed behavior
Error as described on top

Reproduction

Action YAML

        - id: deploy
        uses: google-github-actions/deploy-cloudrun@main
        with:
          image: gcr.io/cyril-test-project/cloud-run-demo
          service: cloud-run-demo```

Repository
not public

Additional information
No, I only did some manual deployment through the dashboard in the meantime like change the vCPUs

Allow beta component commands to be utilised

TL;DR

Allow beta commands to be used with the action. Currently, despite using something like the following:

- name: Set up gcloud Cloud SDK environment
        uses: google-github-actions/[email protected]
        with:
          project: my-project
          service_account_key: ${{ secrets.DEPLOY_SA }}
          export_default_credentials: true

      - name: Install beta components
         run: gcloud components install beta

     - name: Deploy to Cloud Run
        uses: google-github-actions/deploy-cloudrun@main
        with:
          ...
          flags: "--no-cpu-throttling ......."

The result will be

--no-cpu-throttling flag is available in one or more alternate release tracks. Try:

  gcloud beta run deploy --no-cpu-throttling

Thus the action becomes unusable for anything requiring beta components.

Design

Action YAML

- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    components: release (default) | beta | alpha

Existing env-variables are not being deleted

I have changed a sensitive value from "env-variable" to "secrets" with the same name. something like this:

Before
env_vars: DB_URL=${{env.my-dummy-var}}
After
secrets: DB_URL=my-dummy-secret

When the deploy was running "updates" were execute to change those properties so I got this error:

ERROR: (gcloud.beta.run.deploy) Cannot update environment variable [DB_URL] to the given type because it has already been set with a different type.

And this is because the existing variable is not being deleted in cloud run, to solve this I needed to manually delete it in Cloud Run.
The real problem is to execute automatic deployments when changes like this.

Tag input is not supported

TL;DR

When using tag input (as listed here), the error below is experienced

Expected behavior
The revision to be tagged with the value supplied

Observed behavior
Warning: Unexpected input(s) 'tag', valid inputs are ['image', 'service', 'region', 'env_vars', 'metadata', 'project_id', 'credentials'] Run google-github-actions/[email protected] with: service: *** image: gcr.io/***/*** credentials: *** tag: 0.1.1-rc.2 env: CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud Setting project Id from credentials Creating a new service... Service *** has been successfully deployed. Error: The operation was canceled.

Reproduction

Action YAML

name: Stage application on Google Cloud Run
on:
  push:
    tags:
    - '*.*.*-rc.*'

jobs:
  deploy:
    name: Deploy job
    runs-on: ubuntu-latest
    steps:
    - name: Checkout the repository
      uses: actions/checkout@v1

    - name: Build Docker image
      run: |
        docker build . --tag eu.gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}

    - name: Authenticate into Google Cloud Platform
      uses: google-github-actions/setup-gcloud@master
      with:
        service_account_email: ${{ secrets.GCLOUD_EMAIL }}
        service_account_key: ${{ secrets.GCLOUD_AUTH }}

    - name: Configure Docker to use Google Cloud Platform
      run: "gcloud auth configure-docker --quiet"

    - name: Push image to Google Cloud Container Registry
      run: docker push eu.gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}

    - id: get_version
      uses: battila7/get-version-action@v2

    - name: Deploy to Cloud Run
      uses: google-github-actions/[email protected]
      with:
        service: ${{ secrets.GCLOUD_APP_NAME }}
        image: gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}
        region: ${{ secrets.GCLOUD_REGION }}
        credentials: ${{ secrets.GCLOUD_AUTH }}
        tag: ${{ steps.get_version.outputs.version }}

Repository

Additional information

Project inference security risk

The following valid action invocation poses a security risk

- name: 🚀 Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: api
          image: gcr.io/${{ secrets.PROJECT_ID }}/api
          region: us-central1
          secrets: |
            /secrets/secrets.json=secrets:latest

from @sethvargo

[Inferring the project id] poses a security risk..., because the project ID would be interpreted as your project (instead of explicitly opting into that behavior).

Cloud functions does not allow this behavior and cloud run should be consistent with its api especially if it poses a security risk.

Originally posted by @sethvargo in google-github-actions/deploy-cloud-functions#318 (comment)

Set timeout

Question

How could you set the timeout option?

These two tries did not work: it is always 10 minutes:

    steps:
      - uses: actions/checkout@v2
      - uses: google-github-actions/[email protected]
        with:
          service: ${{ secrets.GCP_CLOUDRUN_SERVICE_NAME }}
          region: ${{ secrets.GCP_CLOUDRUN_SERVICE_REGION }}
          credentials: ${{ secrets.GCP_SA_KEY }}
          project_id: ${{ secrets.GCP_PROJECT_ID }}
-          flags: --allow-unauthenticated --timeout=1800
-          flags: --allow-unauthenticated --timeout=30m
          source: .
Click to expand!

image

Custom revision name as action input

TL;DR

Hi! I want to give my revisisons a customised name from this action, whithout using a service.yaml metadata file.

Design

Action YAML

The main use case here I see is including the commit hash from the Actions runner in the revision name, something like the following:

    - name: deploy
      uses: google-github-actions/deploy-cloudrun@main
      with:
        region: ${{ env.REGION }}
        image: gcr.io/cloudrun/hello
        revision: hello-${{ github.sha }}

With the resulting revision being resembling hello-18c8429f46c5f2717aece30ec83cf83d04943fda

Resources
N/A

Additional information

There may be a limit on the revision name, and unfortuantely it's not trival to get a short commit hash directly from GitHub, so that could be a blocker here.

Create property to manage cloud run attachments

TL;DR

gcloud run deploy offers add remove set and clear-cloudsql-instances flags. It seems that this should be a first class property like secrets and env's for this action.

Detailed design

This could be improved

      - name: 🚀 Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: api
          image: gcr.io/...
          flags: |
            --set-cloudsql-instances=project:region:db
          env_vars: |
            A=B
          secrets: |
            /secrets/thing=thing:latest

to something like this

      - name: 🚀 Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          service: api
          image: gcr.io/...
          env_vars: |
            A=B
          secrets: |
            /secrets/thing=thing:latest
          cloudsql: |
            project:region:db

Additional information

Then the correct flag could be generated based on the existing conventions for env_vars and secrets

Inconsistent masking of Secrets when action fails

TL;DR

In the case of a failing deployment - the printing of the deployment command exposes secrets by not masking them in job output.

I don't know if the fact that we are using the action as part of a reusable workflow is contributing but worth mentioning and included in my example below.

Expected behavior

Any secrets should be masked in job output

Observed behavior

Secrets are not masked

Action YAML

Reusable workflow:

name: Deploy Cloud Run

on:
  workflow_call:
    inputs:
      # <---------- SELECT AUTHENTICATION METHOD --------->
      gcp-sa-auth:
        required: false
        type: boolean
        description: "Set to true to enable GCP Service Account Key authentication"
        default: false
      gcp-oidc-auth:
        required: false
        type: boolean
        description: "Set to true to enable GCP OIDC authentication"
        default: false
      # <--------------- CLOUD RUN OPTIONS --------------->
      cr-service-name:
        required: false
        type: string
        description: "The name to give to the cloud run service"
        default: ${{ github.event.repository.name }}
      cr-image:
        required: true
        type: string
        description: "The full registry + container image path to deploy from"
      cr-region:
        required: true
        type: string
        description: "The GCP region in which to deploy the service"
        default: ""
      cr-suffix:
        required: false
        type: string
        description: "Optional suffix to apply to the revision name (GCP generates if not set)"
        default: ""
      cr-flags:
        required: false
        type: string
        description: "Additional cloud run flags to apply during deployment"
        default: "--port 8080 --cpu 1 --memory 1024Mi --timeout 5m --concurrency 80 --min-instances 0 --max-instances 1 --no-allow-unauthenticated"
      # <----------- GITHUB ENVIRONMENT OPTIONS ---------->
      gh-env-name:
        required: false
        type: string
        description: "The name to give to the environment created in Github"
        default: ${{ github.ref_name }}
      gh-env-url:
        required: false
        type: string
        description: "Override the environment URL. If unset sets to the cloud run service's url"
    secrets:
      # <------------------ OIDC AUTH -------------------->
      wip:
        required: false
        description: "The workfload identity provider to use for OIDC auth"
      service-account:
        required: false
        description: "The service account to impersonate when using OIDC auth"
      # <----------------- SA KEY AUTH ------------------->
      service-account-key:
        required: false
        description: "The service account key to use for service account authentication"
      # <------------------ CLOUD RUN -------------------->
      cr-project-id:
        required: true
        description: "The GCP project in which to deploy the Cloud Run service"
      cr-env-vars:
        required: false
        description: "Comma separated list of KEY=value environment variables to be applied to the service"
    outputs:
      url:
        description: "The URL of the deployed Cloud Run service"
        value: ${{ jobs.deploy.outputs.url }}
      ref-slug:
        description: "A URL sanitized version of the github ref"
        value: ${{ jobs.deploy.outputs.ref-slug }}
      short-sha:
        description: "Captures the short SHA for use in this or later workflow jobs"
        value: ${{ jobs.deploy.outputs.short-sha }}

jobs:
  deploy:
    name: Deploy to Cloud Run
    runs-on: ubuntu-latest
    outputs:
      url: ${{ steps.url.outputs.url }}
      short-sha: ${{ env.GITHUB_SHA_SHORT }}
      ref-slug: ${{ env.GITHUB_REF_SLUG_URL }}
    environment:
      name: ${{ inputs.gh-env-name }}
      url: ${{ steps.url.outputs.url }}
    steps:
      - name: Checkout the code
        uses: actions/checkout@v3

      - name: Slugify github variables
        uses: rlespinasse/[email protected]

      - name: Authenticate to GCP (SA Key)
        if: ${{ inputs.gcp-sa-auth }}
        uses: google-github-actions/auth@v0
        with:
          credentials_json: ${{ secrets.service-account-key }}

      - name: Authenticate to GCP (OIDC)
        if: ${{ inputs.gcp-oidc-auth }}
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: ${{ secrets.wip }}
          service_account: ${{ secrets.service-account }}

      - name: Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@main
        with:
          project_id: ${{ secrets.cr-project-id }}
          service: ${{ inputs.cr-service-name }}
          image: ${{ inputs.cr-image }}
          region: ${{ inputs.cr-region }}
          suffix: ${{ inputs.cr-suffix }}
          env_vars: ${{ secrets.cr-env-vars }}
          flags: ${{ inputs.cr-flags }}

      # Required to handle override of deployment URL
      - name: Set Deployment URL
        id: url
        run: |
          if [ "${{ inputs.gh-env-url }}" == "" ]; then
            echo "Setting url output to ${{ steps.deploy.outputs.url }}"
            echo "::set-output name=url::${{ steps.deploy.outputs.url }}"
          else
            echo "Setting url output to ${{ inputs.gh-env-url }}"
            echo "::set-output name=url::${{ inputs.gh-env-url }}"
          fi

Consuming project's workflow.

deploy:
    uses: some-org/workflows/.github/workflows/deploy-cloudrun.yml@main
    needs: build
    with:
      gcp-sa-auth: true
      cr-service-name: ${{ github.ref_name }}-${{ github.event.repository.name }}
      cr-image: ${{ needs.build.outputs.image-name }}:${{ needs.build.outputs.image-tag }}
      cr-region: europe-north1
      cr-suffix: ${{ needs.build.outputs.short-sha }}
      cr-flags: '--port 8080 --cpu 1 --memory 2048Mi --timeout 10m --concurrency 80 --min-instances 1 --max-instances 1 --service-account [email protected] --vpc-connector some-vpc-connector --no-cpu-throttling'
    secrets:
      service-account-key: ${{ secrets.SOME_SA_KEY }}
      cr-project-id: some-gcp-project
      cr-env-vars: API_USERNAME=${{ secrets.DEV_API_USERNAME }}, API_PASSWORD=${{ secrets.DEV_API_PASSWORD }}

Log output

Run google-github-actions/deploy-cloudrun@main
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/2992a0a1-967e-4956-9a8c-097c7b24e7c4 -f /home/runner/work/_temp/ff8e5f8a-3635-47fc-8b9e-b9e98f5d5837
Running: gcloud run deploy rv8/355590ccfeae9030-some-project --image eu.gcr.io/***/some-project:rv8-355590ccfeae9030-411cbef --quiet --platform managed --region europe-north1 --update-env-vars API_USERNAME=VISIBLE_IN_PLAIN_TEXT,API_PASSWORD=VISIBLE_IN_PLAIN_TEXT --revision-suffix 411cbef --port 8080 --cpu 1 --memory 2048Mi --timeout 10m --concurrency 80 --min-instances 1 --max-instances 1 --service-account some-service-account@***.iam.gserviceaccount.com --vpc-connector some-vpc-connector --no-cpu-throttling --project *** --format json
Error: failed to execute gcloud command `gcloud run deploy rv8/355590ccfeae9030-some-project --image eu.gcr.io/***/some-project:rv8-355590ccfeae9030-411cbef --quiet --platform managed --region europe-north1 --update-env-vars API_USERNAME=VISIBLE_IN_PLAIN_TEXT,API_PASSWORD=VISIBLE_IN_PLAIN_TEXT --revision-suffix 411cbef --port 8080 --cpu 1 --memory 2048Mi --timeout 10m --concurrency 80 --min-instances 1 --max-instances 1 --service-account some-service-account@***.iam.gserviceaccount.com --vpc-connector some-vpc-connector --no-cpu-throttling --project *** --format json`: ERROR: (gcloud.run.deploy) Invalid resource name [rv8/355590ccfeae9030-some-project]. The name must use only lowercase alphanumeric characters and dashes, cannot begin or end with a dash, and cannot be longer than 63 characters.

Additional information

As you can see - some secrets were correctly masked such as project_id input but specifically those passed via the env_vars input were not and are VISIBLE_IN_PLAIN_TEXT

Consider not requiring `image` and supporting build and deploy from source

I see that deploying to Cloud Run the action requires an image attribute. That makes sense if the user wants to use one step to build a container, and then another step deploy it.

steps:
- id: deploy
  uses: google-github-actions/deploy-cloudrun@main
  with:
    image: gcr.io/cloudrun/hello
    service: hello-cloud-run
    credentials: ${{ secrets.gcp_credentials }}

But we could imagine

steps:
- id: deploy
  uses: google-github-actions/deploy-cloudrun@main
  with:
    service: hello-cloud-run
    credentials: ${{ secrets.gcp_credentials }}

Which would build and deploy the current repo.

Under the hood, gcloud beta run deploy --source . would be used.

Project ID ignored in 0.7.0

TL;DR

It appears that the project_id parameter is now ignored ie:

        - name: Deploy to Cloud Run
          uses: google-github-actions/[email protected]
          with: 
              region: australia-southeast1
              project_id: xxx-development
              metadata: ./service-definition-updated.yaml

Works, the following does not

        - name: Deploy to Cloud Run
          uses: google-github-actions/[email protected]
          with: 
              region: australia-southeast1
              project_id: xxx-development
              metadata: ./service-definition-updated.yaml

Expected behavior

Deployment to succeed. This is an issue when authenticating within one project to use a service account to deploy to another project.

Observed behavior

Deployment fails.

Action YAML

name: Staging - Publish to Cloud Run

on:
 push:
   tags:
     - 'staging*'
env:
  IMAGE_NAME: ${{ values.container }}
  IAM_ROLES: 'roles/run.invoker'
jobs:       
    build:
      name: Build and Push Container
      runs-on: ubuntu-latest
      permissions:
          id-token: write
          contents: write
      steps:
        - name: Checkout
          uses: actions/checkout@v2
        
        - name: Authenticate to Google Cloud To Publish to Docker
          uses: google-github-actions/[email protected]
          with:
            workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
            service_account: '[email protected]'
          
        - name: Configure GCloud Auth provider with Docker
          run: |
                gcloud auth configure-docker australia-southeast1-docker.pkg.dev
        - name: Build Tag & Push Container
          run: | 
                  tagname=${{ github.ref_name }}
                  docker build -t ${{ env.IMAGE_NAME}} --target prod .
                  docker tag ${{ env.IMAGE_NAME}} australia-southeast1-docker.pkg.dev/acme-dev-tooling/acme-docker/${{ env.IMAGE_NAME}}:$tagname
                  docker push australia-southeast1-docker.pkg.dev/acme-dev-tooling/acme-docker/${{ env.IMAGE_NAME}}:$tagname           
    publish:
      needs: build
      runs-on: ubuntu-latest
      permissions:
          id-token: write
          contents: write
      steps: 
        - name: Checkout
          uses: actions/checkout@v2

        - name: Authenticate to Google Cloud To Read Secrets
          uses: google-github-actions/[email protected]
          with:
            workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
            service_account: '[email protected]'

        - name: Setup Python
          uses: actions/setup-python@v2
          with:
            python-version: '3.9.0'
        - name: Install Requirements & Create Service Definition
          run: |
              pip install -r requirements.txt 
              python createServiceDefinition.py
          env:        
            TAG: '${{ github.ref_name }}'
            ENVIRONMENT: dev

        - name: Authenticate to Google Cloud To Deploy To Cloud Run
          uses: google-github-actions/[email protected]
          with:
            credentials_json: '${{ secrets.GOOGLE_CLOUD_RUN_DEPLOYER_DEV_KEYFILE_JSON }}'

        # TODO: figure out why using WLIF seems to ignore the project_id here and fails - if you upgrade the version to 0.7.0

        - name: Deploy to Cloud Run
          uses: google-github-actions/[email protected]
          with: 
              region: australia-southeast1
              project_id: acme-development
              metadata: ./service-definition-updated.yaml

        - name: Authenticate to Google Cloud To Create Service Account
          id: 'auth'
          uses: google-github-actions/[email protected]
          with:
            token_format: 'access_token'
            access_token_lifetime: '300s'
            workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
            service_account: '[email protected]'

        - name: Create Service Account
          run: |
              python createServiceAccount.py
          env:        
            ENVIRONMENT: dev
            ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
        
        - name: Bind IAM roles # using environment variables setup in the last step.
          run: | 
                 gcloud run services add-iam-policy-binding ${{ env.SERVICE_NAME }} --project=acme-development --region=australia-southeast1 --member='serviceAccount:${{ env.SERVICE_EMAIL }}' --role='roles/run.invoker'
              # additional gcloud commands here do not bind. TODO: find workaround.

Additional information

I use service accounts from a centralised project with specific permissions in other projects to deploy workloads to different environments. This is not possible using 0.7.0.

Websockets support

Question

Does Cloud Run does not support websockets? And is there any plan in future to support it?

Named revision won't deploy

TL;DR

Naming a revision using YAML metadata, will not deploy with correct revision name.

Expected behavior
Deployed with revision name (either replace or update).

Observed behavior
Deployed to a generated revision name with error Revision 'NAME' does not exist or is deleted.

Reproduction

Action YAML

 - name: Setup Cloud SDK
      uses: google-github-actions/setup-gcloud@master
      with:
        project_id: ${{ secrets.GCP_PROJECT }}
        service_account_key: ${{ secrets.GCP_SA_KEY }}
        export_default_credentials: true

    - name: Deploy to Cloud Run
      id: deploy
      uses: google-github-actions/deploy-cloudrun@main
      with:
        metadata: service.yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: NAME
  annotations:
        run.googleapis.com/launch-stage: BETA
spec:
  template:
    metadata:
      name: NAME-002
    spec:
      containers:
      - image: gcr.io/...
  traffic:
    - percent: 0
      revisionName: NAME-002
      tag: candidate
    - percent: 100
      revisionName: NAME-001

Repository

Additional information

Seems that env_vars is being ignored when setting environment variables

I'm trying to use env_vars to set three environment variables.
I saw this issue (160) and changed the version to 0.6.0 but the problem persists.
This is my .yml:

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

name: Build and Deploy a Container
env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
  SERVICE: ${{ secrets.GCP_APP_NAME }}
  REGION: us-central1

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          export_default_credentials: true # Set to true to authenticate the Cloud Run action

      - name: Authorize Docker push
        run: gcloud auth configure-docker

      - name: Build and Push Container
        run: |-
          docker build -t gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} .
          docker push gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}

      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/[email protected] 
        with:
          service: ${{ env.SERVICE }}
          image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{  github.sha }}
          region: ${{ env.REGION }}
          env_vars: MODE_TOKEN=${{ secrets.MODE_TOKEN }},MODE_PASS=${{ secrets.MODE_PASS }},DISC_WEBHOOK_DATACHANNEL=${{ secrets.DISC_WEBHOOK_DATACHANNEL }}

      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}

As you can see, I'm using google-github-actions/[email protected] when deploying to Cloud Run.
But when I check the logs from Github Actions, seems that he is using v0.4.0 instead of v0.6.0:
image

The env_vars options does not appeared in the logs, just service, image and region.

Am I doing something wrong?

Attempting to deploy with deploy-cloudrun results in 'the request has errors'.

Question

Using the example workflow (included below), and changing only the necessary environment variables and secrets as described in the setup instructions, the Deploy to Cloud Run step fails with the unhelpful message The request has errors. The example workflow specifies [email protected], but I've also tried with 0.3.0 and 0.4.0, with the same results.

on:
  push:
    branches:
      - push-deploy

name: Build and Deploy a Container
env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT }}
  SERVICE: my-test-service
  REGION: us-east4

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          export_default_credentials: true # Set to true to authenticate the Cloud Run action

      - name: Authorize Docker push
        run: gcloud auth configure-docker

      - name: Build and Push Container
        run: |-
          docker build -t gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{  github.sha }} frontend/ -f frontend/Dockerfile
          docker push gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{  github.sha }}

      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/[email protected]
        with:
          service: ${{ env.SERVICE }}
          image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{  github.sha }}
          region: ${{ env.REGION }}

      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}

JSON object does not contain a client_email field

TL;DR

Using Workload Identity Federation results in The incoming JSON object does not contain a client_email field

Expected behavior

Expected to authenticate and publish to CR

Observed behavior

Unable to retrieve authenticated client: Error: The incoming JSON object does not contain a client_email field

The following YAML works though - with the same service account

        - name: Authenticate to Google Cloud To Deploy To Cloud Run
         uses: google-github-actions/[email protected]
          with:
            credentials_json: '${{ secrets.GOOGLE_CLOUD_RUN_DEPLOYER_DEV_KEYFILE_JSON }}'

Action YAML

- name: Authenticate to Google Cloud To Deploy To Cloud Run
            uses: google-github-actions/[email protected]
            with:
              workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
              service_account: 'svc-cloud-run-deployer-dev@xxx-dev-tooling.iam.gserviceaccount.com'

          - name: Deploy to Cloud Run
            uses: google-github-actions/[email protected]
            with: 
                region: australia-southeast1
                project_id: xxx-development
                metadata: ./service-definition-updated.yaml

Additional information

No response

Failed Parsing of List Parameters for inputs secrets and env_vars

TL;DR

If you put in your secrets or env_vars in list format like the docs:

secrets: |
SECRET=secret:latest
SECRET2=secret2:latest

The yaml is parsed incorrectly to the cli resulting in \n being added.
Example:

ERROR: gcloud crashed (ValueError): Invalid secret spec 'db_username:latest\nDB_PASSWORD=db_password:latest'

Expected behavior

I expected the yaml list to be parsed into the cli in a format without newlines.

Observed behavior

Instead newlines get added in to gcloud command called. The same thing happens with env_vars except the cli just takes it in stride and you end up with a env_vars in cloud run with one key and the rest of the key-value pairs on new lines. The current workaround is that we just put our env_vars and secrets in like this.

env_vars: ENV1=whaaat,ENV2=yaahhyaa,ENV3=ok
secrets: SECRET1=secret1:latest,SECRET2=secret2:latest

Action YAML

deploy:
    name: Deploy to GCP Cloud Run
    needs: build_n_push
    runs-on: ubuntu-latest

    # permission for gcp
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Checkout # gcp auth needs this step
        uses: actions/checkout@v2

      - name: Get GCP Token
        id: auth
        uses: google-github-actions/auth@v0
        with:
          token_format: access_token
          workload_identity_provider: our/identity/provider
          service_account: our/service/account
          access_token_lifetime: 300s

      - name: Set Docker Metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: our/docker-image
          tags: |
            type=raw,value=latest
      
      - name: Deploy to Cloud Run
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          image: us-central1-docker.pkg.dev/project/repository/${{ steps.meta.outputs.tags }}
          service: servicename
          region: us-central1
          env_vars: |
            RELEASEMODE=development
            NODE_ENV=development
            PORT=4000
            DB_DATABASE=database_name
          secrets: |
            DB_SERVER=db_server:latest
            DB_USERNAME=db_username:latest
            DB_PASSWORD=db_password:latest

Log output

Run google-github-actions/deploy-cloudrun@v0
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/626a8de9-7b8e-4674-b93d-6e539bbd95a2 -f /home/runner/work/_temp/9a140801-40fb-4d40-99ab-ed87987c183b
Running: gcloud beta run deploy **** --image **** --quiet --platform managed --region us-central1 --update-env-vars RELEASEMODE=development
NODE_ENV=development
PORT=4000
DB_DATABASE=**** --update-secrets DB_SERVER=db_server:latest,DB_USERNAME=db_username:latest
DB_PASSWORD=db_password:latest --project ****** --format json
Error: failed to execute gcloud command `gcloud beta run deploy ***** --image **** --quiet --platform managed --region us-central1 --update-env-vars RELEASEMODE=development
NODE_ENV=development
PORT=4000
DB_DATABASE=database_name --update-secrets DB_SERVER=db_server:latest,DB_USERNAME=db_username:latest
DB_PASSWORD=db_password:latest --project database-api-dev --format json`: ERROR: gcloud crashed (ValueError): Invalid secret spec 'db_username:latest\nDB_PASSWORD=db_password:latest'

Additional information

No response

single quotes causes `=` trim

Hey there,

Is there any reason as to why we're not accepting single quotes here? If formatting all flag parameters with double quotes as starting delimiters and single quotes as value delimiters I get all my =s escaped. If this is as intended // Split on space or "=" if not in quotes -> // Split on space or "=" if not in double quotes

deploy-cloudrun/src/deploy-cloudrun.ts

Line 239 in 07a7b6c

return flags.match(/(".*?"|[^"\s=]+)+(?=\s*|\s*$)/g)!; // Split on space or "=" if not in quotes

Sanitise service name and GCP-imposed rules

TL;DR

I would like the possibility (probably an input like sanitize-values: true) to sanitize the inputs based on GCP naming restrictions.

A prime example is that we produce branch-based deployments and it is common that a branch might be named bug/TICKET-1234

So we produce the name of the service along the lines of ${{ github.ref_name }}-${{ github.event.repository.name }} but in the case above that would produce bug/TICKET-1234-myapplication where / is obviously not allowed.

The other example would be when using something like Renovate which can produce very long branch names meaning the final cloud run service name is >63 characters

Detailed design

The below input would apply a "slugging" of values such as bug/TICKET-1234-myapplication to bug-ticket-1234-myapplication

It would also trim any result to the max allowed characters for the value

inputs.sanitize-values: true (default false)

Additional information

No response

Maintain version.minor tags

TL;DR

Create & maintain minor release tags such as v0.8, v0.9, etc. to prevent breaking changes from breaking deployments when pinned to the major release, which is the only tag available.

Detailed design

While pinning to the latest major version works (There's a v0 tag), the same is not available for each minor version - No v0.8 tag.

Given that newer minor version releases might contain breaking changes - such as the v0.9.0 release, pinning to the major version will cause broken deploys at some point.

This is a request to maintain minor release tags such as  v0.8, v0.9, so that we get bug fixes and other non-breaking changes, without the risk of our build breaking due to updates.

Additional information

No response

Add ability to force latest revision

I manually changed traffic rules and afterwards the action won't automatically deploy new revisions to be the latest serving revision. The CLI has a command to automatically make latest the serving revision, it would be great if there was a parameter for the github action called force_latest that would force the latest revision to be the serving revisios by using this command:

gcloud run services update-traffic [[SERVICE] --to-latest

How do you provide the filepath to the `metadata`

Question

So I'm not sure what i'm doing wrong here. But I keep a running: gcloud beta run services replace service.yaml --platform managed --region australia-southeast1 Error: ERROR: (gcloud.beta.run.services.replace) argument FILE: Failed to load YAML from [service.yaml]: Unable to read file [service.yaml]: [Errno 2] No such file or directory: 'service.yaml' error.

I have copied the service.yaml file to every single possible location. relative to the directory path. i.e.
it is now at root of the repo; it is also at the .github folder. it's also at the .github/workflows folder. It is also at the repo_root/infrac/service.yaml location.

Update docs to flag metadata ignores other inputs

I would like to deploy a new cloudrun revision and then assign a percentage of traffic to it. currently the revTraffic and tagTraffic parameters, will trigger a traffic update and not deploy a new revision. The current work around is to deploy a new revision in one step with no_traffic set to true, and then another step with tagTraffic.

Permission 'run.services.get' denied on resource 'namespaces/***/services/***' (or resource may not exist).

Question

I'm having this problem when setting a Github Actions:

ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'run.services.get' denied on resource 'namespaces/***/services/***' (or resource may not exist).

My .yml is as follows:

name: Cloud Run Deploy

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  deploy:
  
    name: Setup Cloud Run Deploy
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
        
      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ secrets.GCP_PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}

      - name: Deploy to Cloud Run
        run: |-
          gcloud run deploy ${{ secrets.GCP_APP_NAME }} \
            --region us-central1 \
            --image gcr.io/${{ secrets.GCP_PROJECT_ID }}/${{ secrets.GCP_APP_NAME }} \
            --platform managed

Am I doing something wrong?
I created a service account with some roles, like:

  • Cloud Run Admin
  • Service Account User
  • Storage Admin

I created some secrets as well, as the documentation states.
Thank you.

Feature 'minimum instances' is not supported in the declared launch stage

I'm getting this error and can't deploy:

image

Error: The feature 'minimum instances' is not supported in the declared launch stage on resource xxxx. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.

Tried with v0.3.0 and latest main.

Switch to machine-parsable output

TL;DR

Currently, we rely on parsing the text output from the gcloud command to extract the URL and other outputs. This isn't guaranteed to be stable. We should instead use --format=json and parse the resulting output as JSON to extract desired values. This also would enable use to expose more outputs about the revision that we currently do not.

Detailed design

Append `--format=json` to all gcloud commands, parse output as JSON.

Additional information

No response

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.