google-github-actions / deploy-cloudrun
A GitHub Action for deploying services to Google Cloud Run.
Home Page: https://cloud.google.com/run
License: Apache License 2.0
Using Workload Identity Federation results in The incoming JSON object does not contain a client_email field
Expected to authenticate and publish to CR
Unable to retrieve authenticated client: Error: The incoming JSON object does not contain a client_email field
The following YAML works though - with the same service account
- name: Authenticate to Google Cloud To Deploy To Cloud Run
  uses: google-github-actions/[email protected]
  with:
    credentials_json: '${{ secrets.GOOGLE_CLOUD_RUN_DEPLOYER_DEV_KEYFILE_JSON }}'
- name: Authenticate to Google Cloud To Deploy To Cloud Run
  uses: google-github-actions/[email protected]
  with:
    workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
    service_account: 'svc-cloud-run-deployer-dev@xxx-dev-tooling.iam.gserviceaccount.com'
- name: Deploy to Cloud Run
  uses: google-github-actions/[email protected]
  with:
    region: australia-southeast1
    project_id: xxx-development
    metadata: ./service-definition-updated.yaml
Using the example workflow (included below), and changing only the necessary environment variables and secrets as described in the setup instructions, the Deploy to Cloud Run step fails with the unhelpful message The request has errors. The example workflow specifies [email protected], but I've also tried with 0.3.0 and 0.4.0, with the same results.
on:
  push:
    branches:
      - push-deploy
name: Build and Deploy a Container
env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT }}
  SERVICE: my-test-service
  REGION: us-east4
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          export_default_credentials: true # Set to true to authenticate the Cloud Run action
      - name: Authorize Docker push
        run: gcloud auth configure-docker
      - name: Build and Push Container
        run: |-
          docker build -t gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} frontend/ -f frontend/Dockerfile
          docker push gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/[email protected]
        with:
          service: ${{ env.SERVICE }}
          image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
          region: ${{ env.REGION }}
      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}
When using tag input (as listed here), the error below is experienced
Expected behavior
The revision to be tagged with the value supplied
Observed behavior
Warning: Unexpected input(s) 'tag', valid inputs are ['image', 'service', 'region', 'env_vars', 'metadata', 'project_id', 'credentials']
Run google-github-actions/[email protected]
  with:
    service: ***
    image: gcr.io/***/***
    credentials: ***
    tag: 0.1.1-rc.2
  env:
    CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
Setting project Id from credentials
Creating a new service...
Service *** has been successfully deployed.
Error: The operation was canceled.
Action YAML
name: Stage application on Google Cloud Run
on:
  push:
    tags:
      - '*.*.*-rc.*'
jobs:
  deploy:
    name: Deploy job
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v1
      - name: Build Docker image
        run: |
          docker build . --tag eu.gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}
      - name: Authenticate into Google Cloud Platform
        uses: google-github-actions/setup-gcloud@master
        with:
          service_account_email: ${{ secrets.GCLOUD_EMAIL }}
          service_account_key: ${{ secrets.GCLOUD_AUTH }}
      - name: Configure Docker to use Google Cloud Platform
        run: "gcloud auth configure-docker --quiet"
      - name: Push image to Google Cloud Container Registry
        run: docker push eu.gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}
      - id: get_version
        uses: battila7/get-version-action@v2
      - name: Deploy to Cloud Run
        uses: google-github-actions/[email protected]
        with:
          service: ${{ secrets.GCLOUD_APP_NAME }}
          image: gcr.io/${{ secrets.GCLOUD_PROJECT }}/${{ secrets.GCLOUD_APP_NAME }}
          region: ${{ secrets.GCLOUD_REGION }}
          credentials: ${{ secrets.GCLOUD_AUTH }}
          tag: ${{ steps.get_version.outputs.version }}
Repository
Additional information
I would like to deploy a new cloudrun revision and then assign a percentage of traffic to it. Currently the revTraffic and tagTraffic parameters will trigger a traffic update and not deploy a new revision. The current workaround is to deploy a new revision in one step with no_traffic set to true, and then another step with tagTraffic.
I would like the possibility (probably an input like sanitize-values: true) to sanitize the inputs based on GCP naming restrictions.
A prime example is that we produce branch-based deployments and it is common that a branch might be named bug/TICKET-1234
So we produce the name of the service along the lines of ${{ github.ref_name }}-${{ github.event.repository.name }} but in the case above that would produce bug/TICKET-1234-myapplication where / is obviously not allowed.
The other example would be when using something like Renovate which can produce very long branch names meaning the final cloud run service name is >63 characters
The below input would apply a "slugging" of values such as bug/TICKET-1234-myapplication to bug-ticket-1234-myapplication
It would also trim any result to the max allowed characters for the value
inputs.sanitize-values: true (default false)
No response
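The slugging requested above could look like the following. This is an added example, not code from the action: the function names are hypothetical, the naming rules are the ones in the gcloud error message quoted further down this page, and the hash suffix on truncated names is an assumption added here so that two long branch names do not collapse onto the same service.

```typescript
// Added example (not the action's code). Rules, as stated in the gcloud error
// quoted on this page: lowercase alphanumerics and dashes only, no leading or
// trailing dash, at most 63 characters.
const MAX_SERVICE_NAME_LEN = 63;
const VALID_NAME = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;

function isValidServiceName(name: string): boolean {
  return name.length <= MAX_SERVICE_NAME_LEN && VALID_NAME.test(name);
}

// FNV-1a style 32-bit hash over UTF-16 code units, as 8 hex digits.
// Used only to keep truncated names distinct; it is not a security primitive.
function fnv1a32Hex(input: string): string {
  let h = 0x811c9dc5;
  for (let i = 0; i < input.length; i++) {
    h ^= input.charCodeAt(i);
    // Multiply by the FNV prime 0x01000193 using shifts, modulo 2^32.
    h = (h + (h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24)) >>> 0;
  }
  return ("0000000" + h.toString(16)).slice(-8);
}

// Hypothetical helper: turn an arbitrary ref-derived string into a name that
// satisfies the rules above.
function sanitizeServiceName(raw: string): string {
  const slug = raw
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-") // every run of disallowed characters becomes one dash
    .replace(/^-+|-+$/g, ""); // no leading or trailing dash
  if (slug === "") {
    throw new Error("no usable characters in service name: " + JSON.stringify(raw));
  }
  if (slug.length <= MAX_SERVICE_NAME_LEN) {
    return slug;
  }
  // Plain truncation would map every long name with the same prefix to one
  // service. Reserve 9 characters for "-" plus a hash of the untruncated input.
  const suffix = fnv1a32Hex(raw);
  const head = slug
    .slice(0, MAX_SERVICE_NAME_LEN - suffix.length - 1)
    .replace(/-+$/, "");
  return head + "-" + suffix;
}
```

Slugging is lossy even without truncation: bug/x and bug-x produce the same name and therefore the same service, so a workflow that deploys per branch should treat the sanitized name, not the branch name, as the identity of the deployment.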
I'm getting this error and can't deploy:
Error: The feature 'minimum instances' is not supported in the declared launch stage on resource xxxx. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.
Tried with v0.3.0 and latest main.
Somehow the wrong service account is being used, I have tried both using credentials file directly and using setup-gcloud export.
Expected behavior
The service account in my json secret should be used.
Observed behavior
Another service account was used (project default or other?). I was getting the message ERROR: (gcloud.beta.run.deploy) PERMISSION_DENIED: Permission 'iam.serviceaccounts.actAs' denied on service account [email protected] (or it may not exist).
I guess it was a permissions error where my Service Account was trying to actAs another service account.
Action YAML
# .github/workflows/ci.yml
name: Earthly CI with Google Cloud Run deploy
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-latest
env:
FORCE_COLOR: 1
steps:
- uses: actions/checkout@v2
- name: Put back the git branch into git (Earthly uses it for tagging)
run: |
branch=""
if [ -n "$GITHUB_HEAD_REF" ]; then
branch="$GITHUB_HEAD_REF"
else
branch="${GITHUB_REF##*/}"
fi
git checkout -b "$branch" || true
- name: Login to GAR
uses: docker/login-action@v1
with:
registry: europe-north1-docker.pkg.dev
username: _json_key
password: ${{ secrets.GCP_SA_KEY }}
- name: Download latest earthly
run: "sudo /bin/sh -c 'wget https://github.com/earthly/earthly/releases/download/v0.4.4/earthly-linux-amd64 -O /usr/local/bin/earthly && chmod +x /usr/local/bin/earthly'"
- name: Earthly version
run: earthly --version
- name: Run build
run: earthly --push +docker-google
- uses: google-github-actions/setup-gcloud@master
with:
version: '290.0.1'
service_account_key: ${{ secrets.GCP_SA_KEY }}
export_default_credentials: true
- id: Deploy
uses: google-github-actions/deploy-cloudrun@main
with:
image: europe-north1-docker.pkg.dev/b-jmnorlund-net/tide/jmnoz/tide-tera:latest
service: tide
region: europe-north1
credentials: ${{ secrets.GCP_SA_KEY }}
Repository
https://github.com/jmn/tide-tera
Additional information
Using Earthly build tool
Hey there,
Is there any reason as to why we're not accepting single quotes here? If formatting all flag parameters with double quotes as starting delimiters and single quotes as value delimiters I get all my =s escaped. If this is as intended: // Split on space or "=" if not in quotes -> // Split on space or "=" if not in double quotes
deploy-cloudrun/src/deploy-cloudrun.ts
Line 239 in 07a7b6c
I would like to use a federated credential file from the google-github-actions/auth workflow to authenticate this workflow
Action YAML
- id: auth
  name: Authenticate to Google Cloud
  uses: google-github-actions/[email protected]
  with:
    create_credentials_file: true
    workload_identity_provider: ...
    service_account: ${{ secrets.SERVICE_ACCOUNT_EMAIL }}
- name: Create cloud run revision
  uses: google-github-actions/deploy-cloudrun@main
  with:
    metadata: "./src/cloud-run-deployment.yml"
    credentials_file_path: ${{ steps.auth.outputs.credentials_file_path }}
Node 12 is deprecated
uses: 'node16'
actions/checkout@v2 -> actions/checkout@v3 everywhere
--args flags for args requiring equals seems to not be properly supported leading to the addition of extra single quotes.
Expected behavior
Should end-up generating a YAML file like:
args:
- "--database-host=xxx.xxx.xxx.xx"
- "--database-name=bar"
- baz
Observed behavior
For instance:
flags: '--args "--database-host=xxx.xxx.xxx.xx" --args "--database-name=bar" --args baz'
Will end-up generating a YAML file like:
args:
- '"--database-host=xxx.xxx.xxx.xx"'
- '"--database-name=bar"'
- baz
Action YAML
name: Deployment
on:
push:
branches: [main]
env:
PROJECT_ID: ${{ secrets.GCP_PROJECT }}
REGION: europe-west4
IMAGE_NAME: backend
VERSION: staging
BUILD_CACHE: /tmp/.buildx-cache
jobs:
deploy-backend:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Cache Docker layers
uses: actions/cache@v2
with:
path: ${{ env.BUILD_CACHE }}
key: ${{ runner.os }}-buildx-${{ hashFiles('./build/Dockerfile') }}
restore-keys: ${{ runner.os }}-buildx-
- uses: actions/[email protected]
with:
go-version: "1.16.2"
- run: make test
- run: make vet
- name: Setup Cloud SDK
uses: google-github-actions/[email protected]
with:
project_id: ${{ env.PROJECT_ID }}
service_account_key: ${{ secrets.GCP_CLOUD_RUN_SA_KEY }}
export_default_credentials: true
- name: Login to GCR
uses: docker/login-action@v1
with:
registry: gcr.io
username: _json_key
password: ${{ secrets.GCP_CLOUD_RUN_SA_KEY }}
- name: Build and Push Docker image | build-image
uses: docker/build-push-action@v2
with:
file: ./build/Dockerfile
context: .
target: build-image
tags: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
cache-from: type=local,src=${{ env.BUILD_CACHE }}
cache-to: type=local,dest=${{ env.BUILD_CACHE }}-new
- name: Build and Push Docker image | deploy-image
uses: docker/build-push-action@v2
with:
file: ./build/Dockerfile
context: .
target: deploy-image
push: true
tags: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
cache-from: type=local,src=${{ env.BUILD_CACHE }}
cache-to: type=local,dest=${{ env.BUILD_CACHE }}-new
- # Temp fix
# https://github.com/docker/build-push-action/issues/252
# https://github.com/moby/buildkit/issues/1896
name: Move cache
run: |
rm -rf ${{ env.BUILD_CACHE }}
mv ${{ env.BUILD_CACHE }}-new ${{ env.BUILD_CACHE }}
- name: Deploy private API to Cloud Run
id: deploy-private
uses: google-github-actions/deploy-cloudrun@main
with:
service: ${{ env.VERSION }}-private-api
image: gcr.io/${{ env.PROJECT_ID }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
region: ${{ env.REGION }}
flags: '--service-account=foo --args "--database-host=xxx.xxx.xxx.xx" --args "--database-name=bar" --args "--database-password=secret" --args "--database-user=me" --args private'
- name: Output private API url
run: curl "${{ steps.deploy-private.outputs.url }}"
Additional information
No
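Both the single-quote question and the --args report above come down to how a flags string is split into arguments. The tokenizer below is an added example, not the code in deploy-cloudrun.ts: parseFlags is a hypothetical name, and its rules (whitespace separates tokens, single and double quotes are equivalent and are removed, only the first unquoted "=" after a --flag name splits flag from value) are assumptions chosen to produce the expected output from the report.

```typescript
// Added example (not the action's parser). Splits a flags string into an argv
// array that can be handed to a process-spawning API without going through a
// shell, so quoting never has to be re-applied.
function parseFlags(input: string): string[] {
  const out: string[] = [];
  let cur = "";
  let inToken = false; // true once the current token has started, even if empty ("")
  let quote = ""; // "" outside quotes, otherwise the opening quote character
  let splitDone = false; // the flag/value "=" of this token was already consumed

  const flush = (): void => {
    if (inToken) {
      out.push(cur);
    }
    cur = "";
    inToken = false;
    splitDone = false;
  };

  for (let i = 0; i < input.length; i++) {
    const ch = input.charAt(i);
    if (quote !== "") {
      // Inside quotes everything is literal, including "=", spaces and the
      // other kind of quote.
      if (ch === quote) {
        quote = "";
      } else {
        cur += ch;
      }
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      inToken = true;
    } else if (/\s/.test(ch)) {
      flush();
    } else if (ch === "=" && !splitDone && cur.indexOf("--") === 0) {
      // --flag=value: emit the flag name, keep collecting the value. Any later
      // "=" (as in KEY=VALUE lists) stays part of the value.
      out.push(cur);
      cur = "";
      inToken = true;
      splitDone = true;
    } else {
      cur += ch;
      inToken = true;
    }
  }
  if (quote !== "") {
    throw new Error("unterminated " + quote + " quote in flags");
  }
  flush();
  return out;
}
```

With the flags value from the report, the quoted arguments come back as --database-host=xxx.xxx.xxx.xx and --database-name=bar without the surrounding quote characters.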
Creating service revision results in an error.
Expected behavior
The action should have resulted in creating a new revision using the existing image.
Observed behavior
The action resulted in the below error on the deploy step.
Action YAML
# Paste your complete GitHub Actions YAML here, removing
# any sensitive values.
# Copyright 2020 Google, LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: BuildDockerGCPRun
on:
push:
branches:
- main
env:
PROJECT_ID: ${{ secrets.GCE_PROJECT }}
DB_CONNECTON_JSON: ${{ secrets.DB_CONNECTION_SECRETS }}
ACTIONS_RUNNER_DEBUG: true
ACTIONS_STEP_DEBUG: true
jobs:
setup-build-publish-deploy:
name: Setup, Build, Publish, and Deploy
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
# Setup gcloud CLI
- uses: google-github-actions/setup-gcloud@master
with:
service_account_key: ${{ secrets.GCE_SA_KEY }}
project_id: ${{ secrets.GCE_PROJECT }}
export_default_credentials: true
# Configure Docker to use the gcloud command-line tool as a credential
# helper for authentication
- run: |-
gcloud --quiet auth configure-docker
- name: Copy SQL Credentials
run: |-
echo $DB_CONNECTON_JSON > ./config/config.json
# Build the Docker image
- name: Build
run: |-
docker build --tag "gcr.io/<projectID>/<image>:${GITHUB_SHA::8}" .
# Push the Docker image to Google Container Registry
- name: Publish
run: |-
docker push "gcr.io/<projectID>/<image>:${GITHUB_SHA::8}"
- name: Deploy to Cloud Run
uses: google-github-actions/[email protected]
with:
image: gcr.io/<projectID>/<image>:${GITHUB_SHA::8}
service: <image>
credentials: ${{ secrets.GCE_SA_KEY }}
Repository
https://github.com/adityak74/wazirx-visualizer
Additional information
N/A
When working with metadata customizations it is required to set the image name in the YAML file.
This can cause problems since it is not easily possible to uniquely tag the image with the git commit hash as recommended in the docs.
It would be great if the image name could be overwritten via the command line even if a metadata YAML file is used
It would be great if in the following action the image name of the yaml file would be overwritten instead of silently ignored which can cause quite some frustration since only a hard to miss warning is printed in the logs.
Action YAML
- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
    metadata: ./service.yaml
My current ugly workaround for this is:
- name: Set Image Name
  run: sed -i 's!REPLACE_IMAGE_NAME!gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}!g' service.yaml
- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    metadata: ./service.yaml
Allow multiple env_vars to be specified in a .env file.
Docker supports specifying multiple environmental variables in a .env file with the command line argument --env-file, and it would be very convenient to easily be able to deploy those to cloud run as well, without needing to re-copy them as a comma separated string in env_vars.
- name: Deploy to Cloud Run
  id: deploy
  uses: google-github-actions/[email protected]
  with:
    service: my-awesome-service
    image: ...
    env_vars: MY_VAR1=10,MY_VAR2=HELLO,...,MY_VAR_100=WORLD
    env_vars_file: easier_place_to_keep_vars.env
Resources
I have changed a sensitive value from "env-variable" to "secrets" with the same name. something like this:
Before
env_vars: DB_URL=${{env.my-dummy-var}}
After
secrets: DB_URL=my-dummy-secret
When the deploy was running, "updates" were executed to change those properties, so I got this error:
ERROR: (gcloud.beta.run.deploy) Cannot update environment variable [DB_URL] to the given type because it has already been set with a different type.
And this is because the existing variable is not being deleted in cloud run, to solve this I needed to manually delete it in Cloud Run.
The real problem is to execute automatic deployments when changes like this.
Does this github action support the Google Cloud Run preview deployments per PR, that is supported with google cloud build?
My assumption is it's just a wrapper on the gcloud tooling so I would assume it does?
gcloud run deploy offers add remove set and clear-cloudsql-instances flags. It seems that this should be a first class property like secrets and env's for this action.
This could be improved
- name: Deploy to Cloud Run
  id: deploy
  uses: google-github-actions/deploy-cloudrun@v0
  with:
    service: api
    image: gcr.io/...
    flags: |
      --set-cloudsql-instances=project:region:db
    env_vars: |
      A=B
    secrets: |
      /secrets/thing=thing:latest
to something like this
- name: Deploy to Cloud Run
  id: deploy
  uses: google-github-actions/deploy-cloudrun@v0
  with:
    service: api
    image: gcr.io/...
    env_vars: |
      A=B
    secrets: |
      /secrets/thing=thing:latest
    cloudsql: |
      project:region:db
Then the correct flag could be generated based on the existing conventions for env_vars and secrets
Does Cloud Run not support websockets? And is there any plan to support it in the future?
I manually changed traffic rules and afterwards the action won't automatically deploy new revisions to be the latest serving revision. The CLI has a command to automatically make latest the serving revision, it would be great if there was a parameter for the github action called force_latest that would force the latest revision to be the serving revision by using this command:
gcloud run services update-traffic [SERVICE] --to-latest
I'm trying to use Workload Identity Federation, I'm using it as described in issue #248 (comment) but still get Error: Error authenticating the Cloud SDK. when running the workflow.
I believe my auth setup is correct, because I'm able to build my image and push it to GCR using the same auth steps.
google-github-actions/deploy-cloudrun should be able to deploy to Cloud Run using Workload Identity Federation
google-github-actions/deploy-cloudrun fails the deployment to Cloud Run with an authentication error:
Error: Error authenticating the Cloud SDK.
name: test_cr
on:
  push:
    branches:
      - '*'
  pull_request:
    branches: [ main ]
jobs:
  deploycr:
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/[email protected]'
        with:
          workload_identity_provider: '...'
          service_account: '...'
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@main
        with:
          service: hello-cloud-run
          image: gcr.io/cloudrun/hello
deploy-cloudrun/src/deploy-cloudrun.ts
Line 239 in 92e1db9
Create & maintain minor release tags such as v0.8, v0.9, etc. to prevent breaking changes from breaking deployments when pinned to the major release, which is the only tag available.
While pinning to the latest major version works (There's a v0 tag), the same is not available for each minor version - No v0.8 tag.
Given that newer minor version releases might contain breaking changes - such as the v0.9.0 release, pinning to the major version will cause broken deploys at some point.
This is a request to maintain minor release tags such as v0.8, v0.9, so that we get bug fixes and other non-breaking changes, without the risk of our build breaking due to updates.
Naming a revision using YAML metadata, will not deploy with correct revision name.
Expected behavior
Deployed with revision name (either replace or update).
Observed behavior
Deployed to a generated revision name with error Revision 'NAME' does not exist or is deleted.
Action YAML
- name: Setup Cloud SDK
  uses: google-github-actions/setup-gcloud@master
  with:
    project_id: ${{ secrets.GCP_PROJECT }}
    service_account_key: ${{ secrets.GCP_SA_KEY }}
    export_default_credentials: true
- name: Deploy to Cloud Run
  id: deploy
  uses: google-github-actions/deploy-cloudrun@main
  with:
    metadata: service.yaml

apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: NAME
  annotations:
    run.googleapis.com/launch-stage: BETA
spec:
  template:
    metadata:
      name: NAME-002
    spec:
      containers:
        - image: gcr.io/...
  traffic:
    - percent: 0
      revisionName: NAME-002
      tag: candidate
    - percent: 100
      revisionName: NAME-001
Repository
Additional information
How could you set the timeout option?
These two tries did not work: it is always 10 minutes:
steps:
- uses: actions/checkout@v2
- uses: google-github-actions/[email protected]
with:
service: ${{ secrets.GCP_CLOUDRUN_SERVICE_NAME }}
region: ${{ secrets.GCP_CLOUDRUN_SERVICE_REGION }}
credentials: ${{ secrets.GCP_SA_KEY }}
project_id: ${{ secrets.GCP_PROJECT_ID }}
- flags: --allow-unauthenticated --timeout=1800
- flags: --allow-unauthenticated --timeout=30m
source: .
Allow beta commands to be used with the action. Currently, despite using something like the following:
- name: Set up gcloud Cloud SDK environment
  uses: google-github-actions/[email protected]
  with:
    project: my-project
    service_account_key: ${{ secrets.DEPLOY_SA }}
    export_default_credentials: true
- name: Install beta components
  run: gcloud components install beta
- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    ...
    flags: "--no-cpu-throttling ......."
The result will be
--no-cpu-throttling flag is available in one or more alternate release tracks. Try:
gcloud beta run deploy --no-cpu-throttling
Thus the action becomes unusable for anything requiring beta components.
Action YAML
- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    components: release (default) | beta | alpha
I'm having this problem when setting a Github Actions:
ERROR: (gcloud.run.deploy) PERMISSION_DENIED: Permission 'run.services.get' denied on resource 'namespaces/***/services/***' (or resource may not exist).
My .yml is as follows:
name: Cloud Run Deploy
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
jobs:
  deploy:
    name: Setup Cloud Run Deploy
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ secrets.GCP_PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}
      - name: Deploy to Cloud Run
        run: |-
          gcloud run deploy ${{ secrets.GCP_APP_NAME }} \
            --region us-central1 \
            --image gcr.io/${{ secrets.GCP_PROJECT_ID }}/${{ secrets.GCP_APP_NAME }} \
            --platform managed
Am I doing something wrong?
I created a service account with some roles, like:
I created some secrets as well, as the documentation states.
Thank you.
When deploy-cloudrun executes, using default settings, it doesn't manage traffic and actually send requests to the new container.
Expected behavior
I expected deploy-cloudrun to work just like the manual Cloud Run interface: When a deploy happens, if I don't specify traffic settings, send 100% of traffic to the new container.
Observed behavior
It just deploys the container and walks away. You have to go into the admin and manually send traffic to the new container.
Action YAML
- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    service: my-service
    image: gcr.io/my-project/my-service:${{ steps.get_version.outputs.VERSION }}
    credentials: ${{ secrets.GCP_SA_KEY }}
    region: us-east4
Additional information
N/A
Hi team, thanks for sharing the wonderful solution there.
I got an error complaining about the Invalid value for property [api_endpoint_overrides/run]
Error: failed to execute gcloud command `gcloud run deploy automation-dummy-api --image $GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA --quiet --platform managed --region $GAR_LOCATION --project XXXX --format json`: ERROR: (gcloud.run.deploy) Invalid value for property [api_endpoint_overrides/run]: The endpoint_overrides property must be an absolute URI beginning with http:// or https:// and ending with a trailing '/'. [https://$GAR_LOCATION-run.googleapis.com/] is not a valid endpoint override.
name: Deployment
on:
workflow_dispatch:
inputs:
version:
description: 'The version to deploy'
required: true
env:
PROJECT_ID: XXXX # ${{ secrets.GCP_PROJECT }}
GAR_LOCATION: australia-southeast1 # TODO: update region of the Artifact Registry
REPOSITORY: automation # TODO: update to Artifact Registry docker repository
IMAGE: automation-template
permissions:
contents: 'read'
id-token: 'write'
jobs:
deployment:
name: Deployment
runs-on: ubuntu-latest
environment: production
steps:
- uses: actions/checkout@v2
- id: auth
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v0'
with:
token_format: 'access_token'
workload_identity_provider: 'projects/741041240XXX/locations/global/workloadIdentityPools/github-action-pool3/providers/github-action-provider3'
service_account: '[email protected]'
- name: Docker configuration
run: |-
echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$GAR_LOCATION-docker.pkg.dev
- name: Build
run: |-
docker build \
--tag "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \
--build-arg GITHUB_SHA="$GITHUB_SHA" \
--build-arg GITHUB_REF="$GITHUB_REF" \
.
- name: Run Tests
run: |-
docker run "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" pytest tests
# Push the Docker image to Google Artifact Registry
- name: Publish
run: |-
docker push "$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"
- name: 'Deploy to Cloud Run'
# You may pin to the exact commit or the version.
# uses: google-github-actions/deploy-cloudrun@ff8b38330cf81843db9cff366e335c34aa467c44
uses: google-github-actions/deploy-cloudrun@main
with:
# Name of the container image to deploy (e.g. gcr.io/cloudrun/hello:latest).
# Required if not using a service YAML.
image: $GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA
# ID of the service or fully qualified identifier for the service.
# Required if not using a service YAML.
service: automation-dummy-api
# Region in which the resource can be found.
region: $GAR_LOCATION
# List of key-value pairs to set as environment variables in the format:
# KEY1=VALUE1,KEY2=VALUE2. All existing environment variables will be
# removed first.
# env_vars: # optional
# YAML service description for the Cloud Run service.
# metadata: # optional
# The GCP project ID. Overrides project ID set by credentials.
# project_id: # optional
### Log output
```text
Error: failed to execute gcloud command `gcloud run deploy automation-dummy-api --image $GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA --quiet --platform managed --region $GAR_LOCATION --project XXXX --format json`: ERROR: (gcloud.run.deploy) Invalid value for property [api_endpoint_overrides/run]: The endpoint_overrides property must be an absolute URI beginning with http:// or https:// and ending with a trailing '/'. [https://$GAR_LOCATION-run.googleapis.com/] is not a valid endpoint override.
```
### Additional information
_No response_
In the case of a failing deployment - the printing of the deployment command exposes secrets by not masking them in job output.
I don't know if the fact that we are using the action as part of a reusable workflow is contributing but worth mentioning and included in my example below.
Any secrets should be masked in job output
Secrets are not masked
Reusable workflow:
name: Deploy Cloud Run
on:
workflow_call:
inputs:
# <---------- SELECT AUTHENTICATION METHOD --------->
gcp-sa-auth:
required: false
type: boolean
description: "Set to true to enable GCP Service Account Key authentication"
default: false
gcp-oidc-auth:
required: false
type: boolean
description: "Set to true to enable GCP OIDC authentication"
default: false
# <--------------- CLOUD RUN OPTIONS --------------->
cr-service-name:
required: false
type: string
description: "The name to give to the cloud run service"
default: ${{ github.event.repository.name }}
cr-image:
required: true
type: string
description: "The full registry + container image path to deploy from"
cr-region:
required: true
type: string
description: "The GCP region in which to deploy the service"
default: ""
cr-suffix:
required: false
type: string
description: "Optional suffix to apply to the revision name (GCP generates if not set)"
default: ""
cr-flags:
required: false
type: string
description: "Additional cloud run flags to apply during deployment"
default: "--port 8080 --cpu 1 --memory 1024Mi --timeout 5m --concurrency 80 --min-instances 0 --max-instances 1 --no-allow-unauthenticated"
# <----------- GITHUB ENVIRONMENT OPTIONS ---------->
gh-env-name:
required: false
type: string
description: "The name to give to the environment created in Github"
default: ${{ github.ref_name }}
gh-env-url:
required: false
type: string
description: "Override the environment URL. If unset sets to the cloud run service's url"
secrets:
# <------------------ OIDC AUTH -------------------->
wip:
required: false
description: "The workload identity provider to use for OIDC auth"
service-account:
required: false
description: "The service account to impersonate when using OIDC auth"
# <----------------- SA KEY AUTH ------------------->
service-account-key:
required: false
description: "The service account key to use for service account authentication"
# <------------------ CLOUD RUN -------------------->
cr-project-id:
required: true
        description: "The GCP project in which to deploy the Cloud Run service"
      cr-env-vars:
        required: false
        description: "Comma separated list of KEY=value environment variables to be applied to the service"
    outputs:
      url:
        description: "The URL of the deployed Cloud Run service"
        value: ${{ jobs.deploy.outputs.url }}
      ref-slug:
        description: "A URL sanitized version of the github ref"
        value: ${{ jobs.deploy.outputs.ref-slug }}
      short-sha:
        description: "Captures the short SHA for use in this or later workflow jobs"
        value: ${{ jobs.deploy.outputs.short-sha }}
jobs:
  deploy:
    name: Deploy to Cloud Run
    runs-on: ubuntu-latest
    outputs:
      url: ${{ steps.url.outputs.url }}
      short-sha: ${{ env.GITHUB_SHA_SHORT }}
      ref-slug: ${{ env.GITHUB_REF_SLUG_URL }}
    environment:
      name: ${{ inputs.gh-env-name }}
      url: ${{ steps.url.outputs.url }}
    steps:
      - name: Checkout the code
        uses: actions/checkout@v3
      - name: Slugify github variables
        uses: rlespinasse/[email protected]
      - name: Authenticate to GCP (SA Key)
        if: ${{ inputs.gcp-sa-auth }}
        uses: google-github-actions/auth@v0
        with:
          credentials_json: ${{ secrets.service-account-key }}
      - name: Authenticate to GCP (OIDC)
        if: ${{ inputs.gcp-oidc-auth }}
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: ${{ secrets.wip }}
          service_account: ${{ secrets.service-account }}
      - name: Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@main
        with:
          project_id: ${{ secrets.cr-project-id }}
          service: ${{ inputs.cr-service-name }}
          image: ${{ inputs.cr-image }}
          region: ${{ inputs.cr-region }}
          suffix: ${{ inputs.cr-suffix }}
          env_vars: ${{ secrets.cr-env-vars }}
          flags: ${{ inputs.cr-flags }}
      # Required to handle override of deployment URL
      - name: Set Deployment URL
        id: url
        run: |
          if [ "${{ inputs.gh-env-url }}" == "" ]; then
            echo "Setting url output to ${{ steps.deploy.outputs.url }}"
            echo "::set-output name=url::${{ steps.deploy.outputs.url }}"
          else
            echo "Setting url output to ${{ inputs.gh-env-url }}"
            echo "::set-output name=url::${{ inputs.gh-env-url }}"
          fi
Consuming project's workflow.
  deploy:
    uses: some-org/workflows/.github/workflows/deploy-cloudrun.yml@main
    needs: build
    with:
      gcp-sa-auth: true
      cr-service-name: ${{ github.ref_name }}-${{ github.event.repository.name }}
      cr-image: ${{ needs.build.outputs.image-name }}:${{ needs.build.outputs.image-tag }}
      cr-region: europe-north1
      cr-suffix: ${{ needs.build.outputs.short-sha }}
      cr-flags: '--port 8080 --cpu 1 --memory 2048Mi --timeout 10m --concurrency 80 --min-instances 1 --max-instances 1 --service-account [email protected] --vpc-connector some-vpc-connector --no-cpu-throttling'
    secrets:
      service-account-key: ${{ secrets.SOME_SA_KEY }}
      cr-project-id: some-gcp-project
      cr-env-vars: API_USERNAME=${{ secrets.DEV_API_USERNAME }}, API_PASSWORD=${{ secrets.DEV_API_PASSWORD }}
Run google-github-actions/deploy-cloudrun@main
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/2992a0a1-967e-4956-9a8c-097c7b24e7c4 -f /home/runner/work/_temp/ff8e5f8a-3635-47fc-8b9e-b9e98f5d5837
Running: gcloud run deploy rv8/355590ccfeae9030-some-project --image eu.gcr.io/***/some-project:rv8-355590ccfeae9030-411cbef --quiet --platform managed --region europe-north1 --update-env-vars API_USERNAME=VISIBLE_IN_PLAIN_TEXT,API_PASSWORD=VISIBLE_IN_PLAIN_TEXT --revision-suffix 411cbef --port 8080 --cpu 1 --memory 2048Mi --timeout 10m --concurrency 80 --min-instances 1 --max-instances 1 --service-account some-service-account@***.iam.gserviceaccount.com --vpc-connector some-vpc-connector --no-cpu-throttling --project *** --format json
Error: failed to execute gcloud command `gcloud run deploy rv8/355590ccfeae9030-some-project --image eu.gcr.io/***/some-project:rv8-355590ccfeae9030-411cbef --quiet --platform managed --region europe-north1 --update-env-vars API_USERNAME=VISIBLE_IN_PLAIN_TEXT,API_PASSWORD=VISIBLE_IN_PLAIN_TEXT --revision-suffix 411cbef --port 8080 --cpu 1 --memory 2048Mi --timeout 10m --concurrency 80 --min-instances 1 --max-instances 1 --service-account some-service-account@***.iam.gserviceaccount.com --vpc-connector some-vpc-connector --no-cpu-throttling --project *** --format json`: ERROR: (gcloud.run.deploy) Invalid resource name [rv8/355590ccfeae9030-some-project]. The name must use only lowercase alphanumeric characters and dashes, cannot begin or end with a dash, and cannot be longer than 63 characters.
As you can see, some secrets, such as the project_id input, were correctly masked, but those passed via the env_vars input were not and are VISIBLE_IN_PLAIN_TEXT.
Hi! I want to give my revisions a customised name from this action, without using a service.yaml metadata file.
Action YAML
The main use case here I see is including the commit hash from the Actions runner in the revision name, something like the following:
- name: deploy
  uses: google-github-actions/deploy-cloudrun@main
  with:
    region: ${{ env.REGION }}
    image: gcr.io/cloudrun/hello
    revision: hello-${{ github.sha }}
With the resulting revision resembling hello-18c8429f46c5f2717aece30ec83cf83d04943fda
Resources
N/A
Additional information
There may be a limit on the revision name, and unfortunately it's not trivial to get a short commit hash directly from GitHub, so that could be a blocker here.
We'd like to migrate from gcloud setup, but with this action we can't set a VPC connector on new deployments, which we can do with gcloud using --vpc-connector
Action YAML
- id: deploy
  uses: google-github-actions/deploy-cloudrun@main
  with:
    vpc: us-east1
Resources
It's possible to reference secrets either by mounting them as files or add them as environment variables on deployment (see references). It'd be great to have the option to add them on deployment through the GitHub action as well.
Action YAML
Probably the same way you reference environment variables through deployment today, but with the revision tag as suffix. Preferably the underlying --update-secrets tag would be used, so it matches the behaviour of the existing env_vars functionality.
- secrets = LOCAL_ENV_NAME=secret-name:[revision|latest],...
Using a path instead of environment name would mount it as file instead.
Resources
Additional information
N/A
The GitHub action reports success; however, when I go to the Cloud Run revision console it shows the latest deployed revision was from a week ago even though the GitHub action ran today. The only way I can get the GH action to work again is to manually deploy a new revision from the Cloud Run UI and then run the GH action again. That will work. However, any subsequent GH action then won't result in a new revision being deployed.
I highly suspect the logic with revision naming is causing issues. This might be the code that's causing the behaviour: https://github.com/google-github-actions/deploy-cloudrun/blob/main/src/cloudRun.ts#L194
This is the GH action example where it reported success but didn't actually deploy a new revision: https://github.com/websu-io/websu/runs/1693522408?check_suite_focus=true
Happy to show it through screenshare as well
I have the following step in my workflow:
- name: Deploy to Cloud Run
  uses: google-github-actions/deploy-cloudrun@main
  with:
    service: cathode
    image: gcr.io/nsg-lobby/cathode:${{ steps.get_version.outputs.VERSION }}
    credentials: ${{ secrets.GCP_SA_KEY }}
    region: us-east4
I see the revisions being deployed in Cloud Run, but they never get traffic assigned to them. I have to manually assign traffic in the UI in order for any of the revisions to be active at our URL. Is there any way I can make this action send all traffic to the new revision every time it's deployed? From the documentation that looked like it was the default behavior, but I don't see that in action on my Google Cloud account...
It appears that the project_id parameter is now ignored ie:
- name: Deploy to Cloud Run
  uses: google-github-actions/[email protected]
  with:
    region: australia-southeast1
    project_id: xxx-development
    metadata: ./service-definition-updated.yaml
Works, the following does not
- name: Deploy to Cloud Run
  uses: google-github-actions/[email protected]
  with:
    region: australia-southeast1
    project_id: xxx-development
    metadata: ./service-definition-updated.yaml
Deployment to succeed. This is an issue when authenticating within one project to use a service account to deploy to another project.
Deployment fails.
name: Staging - Publish to Cloud Run
on:
  push:
    tags:
      - 'staging*'
env:
  IMAGE_NAME: ${{ values.container }}
  IAM_ROLES: 'roles/run.invoker'
jobs:
  build:
    name: Build and Push Container
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Authenticate to Google Cloud To Publish to Docker
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
          service_account: '[email protected]'
      - name: Configure GCloud Auth provider with Docker
        run: |
          gcloud auth configure-docker australia-southeast1-docker.pkg.dev
      - name: Build Tag & Push Container
        run: |
          tagname=${{ github.ref_name }}
          docker build -t ${{ env.IMAGE_NAME}} --target prod .
          docker tag ${{ env.IMAGE_NAME}} australia-southeast1-docker.pkg.dev/acme-dev-tooling/acme-docker/${{ env.IMAGE_NAME}}:$tagname
          docker push australia-southeast1-docker.pkg.dev/acme-dev-tooling/acme-docker/${{ env.IMAGE_NAME}}:$tagname
  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Authenticate to Google Cloud To Read Secrets
        uses: google-github-actions/[email protected]
        with:
          workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
          service_account: '[email protected]'
      - name: Setup Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.9.0'
      - name: Install Requirements & Create Service Definition
        run: |
          pip install -r requirements.txt
          python createServiceDefinition.py
        env:
          TAG: '${{ github.ref_name }}'
          ENVIRONMENT: dev
      - name: Authenticate to Google Cloud To Deploy To Cloud Run
        uses: google-github-actions/[email protected]
        with:
          credentials_json: '${{ secrets.GOOGLE_CLOUD_RUN_DEPLOYER_DEV_KEYFILE_JSON }}'
      # TODO: figure out why using WLIF seems to ignore the project_id here and fails - if you upgrade the version to 0.7.0
      - name: Deploy to Cloud Run
        uses: google-github-actions/[email protected]
        with:
          region: australia-southeast1
          project_id: acme-development
          metadata: ./service-definition-updated.yaml
      - name: Authenticate to Google Cloud To Create Service Account
        id: 'auth'
        uses: google-github-actions/[email protected]
        with:
          token_format: 'access_token'
          access_token_lifetime: '300s'
          workload_identity_provider: 'projects/xxx/locations/global/workloadIdentityPools/github-actions-identity-pool/providers/github-provider'
          service_account: '[email protected]'
      - name: Create Service Account
        run: |
          python createServiceAccount.py
        env:
          ENVIRONMENT: dev
          ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
      - name: Bind IAM roles # using environment variables setup in the last step.
        run: |
          gcloud run services add-iam-policy-binding ${{ env.SERVICE_NAME }} --project=acme-development --region=australia-southeast1 --member='serviceAccount:${{ env.SERVICE_EMAIL }}' --role='roles/run.invoker'
          # additional gcloud commands here do not bind. TODO: find workaround.
I use service accounts from a centralised project with specific permissions in other projects to deploy workloads to different environments. This is not possible using 0.7.0.
Is there any documentation on how to use more than one secret?
I've tried one secret per line but I got an invalid spec error.
Comma separated entries might be working but it would become a really long line in case of too many secrets.
Currently, we rely on parsing the text output from the gcloud command to extract the URL and other outputs. This isn't guaranteed to be stable. We should instead use --format=json and parse the resulting output as JSON to extract desired values. This also would enable us to expose more outputs about the revision that we currently do not.
Append `--format=json` to all gcloud commands, parse output as JSON.
No response
So I'm not sure what I'm doing wrong here, but I keep getting this error: running: gcloud beta run services replace service.yaml --platform managed --region australia-southeast1 Error: ERROR: (gcloud.beta.run.services.replace) argument FILE: Failed to load YAML from [service.yaml]: Unable to read file [service.yaml]: [Errno 2] No such file or directory: 'service.yaml'
I have copied the service.yaml file to every single possible location relative to the directory path, i.e. it is now at the root of the repo; it is also in the .github folder. It's also in the .github/workflows folder. It is also at the repo_root/infrac/service.yaml location.
CLI instruction to create the appropriate minimal service account.
e.g.
gcloud create service account ...
gcloud give role service account ...
No response
No response
The deploy action throws following error message
Error: The feature 'sandbox selector' is not supported in the declared launch stage on resource cloud-run-demo. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.
Expected behavior
Deployment to Google Cloud Run. It worked before
Observed behavior
Error as described on top
Action YAML
- id: deploy
  uses: google-github-actions/deploy-cloudrun@main
  with:
    image: gcr.io/cyril-test-project/cloud-run-demo
    service: cloud-run-demo
Repository
not public
Additional information
No, I only did some manual deployment through the dashboard in the meantime like change the vCPUs
I tried mounting both version 1 and 2 of a secret into /secret/1.txt=secretname:1,/secret/2.txt=secretname:2, but only 2 got mounted
Expected behavior
I expected the following resulting yaml being deployed:
spec:
  template:
    spec:
      containers:
        - image: gcr.io/...
          volumeMounts:
            - name: secretname-gic-tar-haq
              readOnly: true
              mountPath: /secret
      volumes:
        - name: secretname-gic-tar-haq
          secret:
            secretName: secretname
            items:
              - key: '1'
                path: 1.txt
              - key: '1'
                path: 2.txt
Observed behavior
Container failed to start and the following error was logged:
Could not open file at path /secret/1.txt. The path is in a mounted secrets volume, but the exact path does not correspond to any secret specified in the mount configuration.
Action YAML
name: Build and Deploy to Cloud Run
on:
  push:
    branches:
      - main
env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT }}
  SERVICE: ropescore-api
  REGION: europe-west1
jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest
    environment: production
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      # Setup gcloud CLI
      - uses: google-github-actions/[email protected]
        with:
          service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          project_id: ${{ secrets.GCP_PROJECT }}
          export_default_credentials: true
      # Configure Docker to use the gcloud command-line tool as a credential
      # helper for authentication
      - name: Authorize Docker push
        run: gcloud auth configure-docker
      # Build the Docker image
      - name: Build
        run: |-
          docker build \
            --tag "gcr.io/$PROJECT_ID/$SERVICE:$GITHUB_SHA" \
            --build-arg GITHUB_SHA="$GITHUB_SHA" \
            --build-arg GITHUB_REF="$GITHUB_REF" \
            .
      # Push the Docker image to Google Container Registry
      - name: Publish
        run: |-
          docker push "gcr.io/$PROJECT_ID/$SERVICE:$GITHUB_SHA"
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/[email protected]
        with:
          service: ${{ env.SERVICE }}
          image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
          region: ${{ env.REGION }}
          env_vars: SENTRY_DSN=${{ secrets.SENTRY_DSN }},GCP_PROJECT=${{ secrets.GCP_PROJECT }},JWT_ALG=ES256,JWT_PRIVKEY_PATH=${{ secrets.JWT_PRIVKEY_PATH }},JWT_PUBKEY_PATH=${{ secrets.JWT_PUBKEY_PATH }}
          secrets: ${{ secrets.JWT_PRIVKEY_PATH }}=${{ secrets.JWT_PRIVKEY_SECRET }},${{ secrets.JWT_PUBKEY_PATH }}=${{ secrets.JWT_PUBKEY_SECRET }}
          flags: --max-instances=1
      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}
Repository
https://github.com/RopeScore/api.ropescore.app/blob/main/.github/workflows/cloud-run.yml
Hey,
I would like to know how I can set the Ingress to "Allow internal traffic only" (--ingress internal) and also the Authentication to "Allow unauthenticated invocations" (--allow-unauthenticated).
Without both settings, my pipeline would not work?
Thanks!
I see that deploying to Cloud Run the action requires an image attribute. That makes sense if the user wants to use one step to build a container, and then another step deploy it.
steps:
  - id: deploy
    uses: google-github-actions/deploy-cloudrun@main
    with:
      image: gcr.io/cloudrun/hello
      service: hello-cloud-run
      credentials: ${{ secrets.gcp_credentials }}
But we could imagine
steps:
  - id: deploy
    uses: google-github-actions/deploy-cloudrun@main
    with:
      service: hello-cloud-run
      credentials: ${{ secrets.gcp_credentials }}
Which would build and deploy the current repo.
Under the hood, gcloud beta run deploy --source . would be used.
The following valid action invocation poses a security risk
- name: Deploy to Cloud Run
  id: deploy
  uses: google-github-actions/deploy-cloudrun@v0
  with:
    service: api
    image: gcr.io/${{ secrets.PROJECT_ID }}/api
    region: us-central1
    secrets: |
      /secrets/secrets.json=secrets:latest
from @sethvargo
[Inferring the project id] poses a security risk..., because the project ID would be interpreted as your project (instead of explicitly opting into that behavior).
Cloud functions does not allow this behavior and cloud run should be consistent with its api especially if it poses a security risk.
Originally posted by @sethvargo in google-github-actions/deploy-cloud-functions#318 (comment)
I'm trying to deploy the below configuration using google-github-actions/[email protected]
gcloud run deploy xyz-service \
--image gcr.io/x/y:z \
--region us-central1 \
--platform managed \
--max-instances 1 \
--port 443 \
--allow-unauthenticated
with the following workflow and service.yaml.
workflow.yaml
- name: deploy to Cloud Run
  id: deploy
  uses: google-github-actions/[email protected]
  with:
    service: xyz-service
    image: gcr.io/x/y:z
    region: us-central1
service.yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: xyz-service
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/maxScale: '1'
    spec:
      containers:
        - image: gcr.io/x/y:z
        - env:
            - PORT: 443
I'm getting back
Error: Error: The request has errors
Error: The request has errors
Not sure if it's a limitation or am I doing something wrong?
Hello, I've been using this action since last week and everything worked just fine. But since today some errors happen and it fails to deploy the image.
Expected behavior
It deploys new Cloud Run images successfully.
Observed behavior
Run google-github-actions/[email protected]
with:
service: ***
image: asia.gcr.io/***/***:299faf0ea2878d743045b2ab96914290c774e633
region: asia-northeast1
env:
PROJECT_ID: ***
SERVICE: ***
SA_KEY: ***
REGION: asia-northeast1
IMAGE: asia.gcr.io/***/***
CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
GCLOUD_PROJECT: ***
GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/***/***/0dfa6524-a860-4607-bebf-c46a81b38eaa
Setting project Id from $GCLOUD_PROJECT
Creating a service revision...
Error: Error: The feature 'sandbox selector' is not supported in the declared launch stage on resource ***. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.
Error: The feature 'sandbox selector' is not supported in the declared launch stage on resource ***. The launch stage annotation should be specified at least as BETA. Please visit https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation for in-depth troubleshooting documentation.
I visited the https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation page but found nothing I can do as a user of this action.
Action YAML
https://github.com/rainy-me/tsukiyo/blob/master/.github/workflows/depoly-backend.yml
name: Deploy Backend Cloud Run
on:
  push:
    branches:
      - master
# adapted from https://github.com/google-github-actions/deploy-cloudrun/blob/main/.github/workflows/example-workflow.yaml
env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT }}
  SERVICE: ${{ secrets.GCP_SERVICE }}
  SA_KEY: ${{ secrets.GCP_SA_KEY }}
  REGION: asia-northeast1
  IMAGE: asia.gcr.io/${{ secrets.GCP_PROJECT }}/${{ secrets.GCP_SERVICE }}
jobs:
  deploy-backend:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./backend
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.PROJECT_ID }}
          service_account_key: ${{ env.SA_KEY }}
          export_default_credentials: true
      - name: Authorize Docker
        run: gcloud auth configure-docker
      - name: Build and Push Container
        run: |
          docker pull ${{ env.IMAGE }}-cache || true
          docker build . -t ${{ env.IMAGE }}:${{ github.sha }} -f Dockerfile.prod --cache-from=${{ env.IMAGE }}-cache
          docker push ${{ env.IMAGE }}:${{ github.sha }} || true
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/deploy-cloudrun@main
        with:
          service: ${{ env.SERVICE }}
          image: ${{ env.IMAGE }}:${{ github.sha }}
          region: ${{ env.REGION }}
      - uses: 8398a7/action-slack@v3
        with:
          status: custom
          fields: workflow,job,commit,repo,ref,author,took
          custom_payload: |
            {
              username: 'deploy-backend',
              icon_emoji: ':actix:',
              attachments: [{
                color: '${{ job.status }}' === 'success' ? 'good' : '${{ job.status }}' === 'failure' ? 'danger' : 'warning',
                text: `Deploy backend done in ${process.env.AS_TOOK} :actix:`,
              }]
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
Repository
https://github.com/rainy-me/tsukiyo
specifically the depoly-backend action
Additional information
I'm trying to use env_vars to set three environment variables.
I saw this issue (160) and changed the version to 0.6.0 but the problem persists.
This is my .yml:
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
name: Build and Deploy a Container
env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
  SERVICE: ${{ secrets.GCP_APP_NAME }}
  REGION: us-central1
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Setup Cloud SDK
        uses: google-github-actions/[email protected]
        with:
          project_id: ${{ env.PROJECT_ID }}
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          export_default_credentials: true # Set to true to authenticate the Cloud Run action
      - name: Authorize Docker push
        run: gcloud auth configure-docker
      - name: Build and Push Container
        run: |-
          docker build -t gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} .
          docker push gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
      - name: Deploy to Cloud Run
        id: deploy
        uses: google-github-actions/[email protected]
        with:
          service: ${{ env.SERVICE }}
          image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}
          region: ${{ env.REGION }}
          env_vars: MODE_TOKEN=${{ secrets.MODE_TOKEN }},MODE_PASS=${{ secrets.MODE_PASS }},DISC_WEBHOOK_DATACHANNEL=${{ secrets.DISC_WEBHOOK_DATACHANNEL }}
      - name: Show Output
        run: echo ${{ steps.deploy.outputs.url }}
As you can see, I'm using google-github-actions/[email protected] when deploying to Cloud Run.
But when I check the logs from GitHub Actions, it seems that it is using v0.4.0 instead of v0.6.0:
The env_vars option does not appear in the logs, just service, image and region.
Am I doing something wrong?
https://github.com/google-github-actions/deploy-cloudrun#usage appears to be a snippet. I am trying to convert over https://github.com/kaihendry/count/blob/gcp-cloudrun/.github/workflows/cloud-run.yml so I am looking for a full example.
Also steps to get the secret GCP key into Github would be nice too please.
If you put in your secrets or env_vars in list format like the docs:
secrets: |
  SECRET=secret:latest
  SECRET2=secret2:latest
The YAML is parsed incorrectly to the CLI, resulting in \n being added.
Example:
ERROR: gcloud crashed (ValueError): Invalid secret spec 'db_username:latest\nDB_PASSWORD=db_password:latest'
I expected the YAML list to be parsed into the CLI in a format without newlines.
Instead, newlines get added to the gcloud command called. The same thing happens with env_vars, except the CLI just takes it in stride and you end up with an env_vars in Cloud Run with one key and the rest of the key-value pairs on new lines. The current workaround is that we just put our env_vars and secrets in like this.
env_vars: ENV1=whaaat,ENV2=yaahhyaa,ENV3=ok
secrets: SECRET1=secret1:latest,SECRET2=secret2:latest
  deploy:
    name: Deploy to GCP Cloud Run
    needs: build_n_push
    runs-on: ubuntu-latest
    # permission for gcp
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - name: Checkout # gcp auth needs this step
        uses: actions/checkout@v2
      - name: Get GCP Token
        id: auth
        uses: google-github-actions/auth@v0
        with:
          token_format: access_token
          workload_identity_provider: our/identity/provider
          service_account: our/service/account
          access_token_lifetime: 300s
      - name: Set Docker Metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: our/docker-image
          tags: |
            type=raw,value=latest
      - name: Deploy to Cloud Run
        uses: google-github-actions/deploy-cloudrun@v0
        with:
          image: us-central1-docker.pkg.dev/project/repository/${{ steps.meta.outputs.tags }}
          service: servicename
          region: us-central1
          env_vars: |
            RELEASEMODE=development
            NODE_ENV=development
            PORT=4000
            DB_DATABASE=database_name
          secrets: |
            DB_SERVER=db_server:latest
            DB_USERNAME=db_username:latest
            DB_PASSWORD=db_password:latest
Run google-github-actions/deploy-cloudrun@v0
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/626a8de9-7b8e-4674-b93d-6e539bbd95a2 -f /home/runner/work/_temp/9a140801-40fb-4d40-99ab-ed87987c183b
Running: gcloud beta run deploy **** --image **** --quiet --platform managed --region us-central1 --update-env-vars RELEASEMODE=development
NODE_ENV=development
PORT=4000
DB_DATABASE=**** --update-secrets DB_SERVER=db_server:latest,DB_USERNAME=db_username:latest
DB_PASSWORD=db_password:latest --project ****** --format json
Error: failed to execute gcloud command `gcloud beta run deploy ***** --image **** --quiet --platform managed --region us-central1 --update-env-vars RELEASEMODE=development
NODE_ENV=development
PORT=4000
DB_DATABASE=database_name --update-secrets DB_SERVER=db_server:latest,DB_USERNAME=db_username:latest
DB_PASSWORD=db_password:latest --project database-api-dev --format json`: ERROR: gcloud crashed (ValueError): Invalid secret spec 'db_username:latest\nDB_PASSWORD=db_password:latest'
No response
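Two reports on this page turn on how a KEY=VALUE list is normalized before it is logged and passed to gcloud: the env_vars values that appeared unmasked in the "Running: gcloud run deploy ..." line, and the multi-line env_vars/secrets inputs that reached gcloud with embedded newlines. The following is an added example, not code from the action or from any poster: parseKVList, toGcloudArg and maskCommands are hypothetical names, the inputs are constructed, and the only GitHub feature assumed is the ::add-mask:: workflow command.

```javascript
// Added example; not code from google-github-actions/deploy-cloudrun.
// parseKVList, toGcloudArg and maskCommands are hypothetical helper names.

// Parse "K=V,K2=V2" or one "K=V" per line into ordered [key, value] pairs.
// Limitation of this sketch: a value cannot itself contain a comma.
function parseKVList(input) {
  const pairs = [];
  const seen = new Set();
  const entries = String(input ?? '').split(/[,\n]/);
  entries.forEach((raw, index) => {
    const entry = raw.trim(); // also drops the "\r" of CRLF input
    if (entry === '') return; // blank line or trailing comma
    const eq = entry.indexOf('=');
    const key = eq > 0 ? entry.slice(0, eq).trim() : '';
    // Report the position only: the entry text may hold a secret value.
    if (key === '' || /\s/.test(key)) {
      throw new Error(`entry ${index + 1} is not KEY=VALUE`);
    }
    if (seen.has(key)) {
      throw new Error(`entry ${index + 1} repeats an earlier key`);
    }
    seen.add(key);
    // Split on the first "=" only, so values may contain "=".
    pairs.push([key, entry.slice(eq + 1).trim()]);
  });
  return pairs;
}

// Single-line form for --update-env-vars / --update-secrets: no newlines.
function toGcloudArg(pairs) {
  return pairs.map(([k, v]) => `${k}=${v}`).join(',');
}

// GitHub Actions workflow commands that register each value as a log mask.
// Use for env_vars values; Secret Manager references (name:version) passed
// through the secrets input are not secret material themselves.
function maskCommands(pairs) {
  // Workflow command data must escape %, CR and LF.
  const escapeData = (s) =>
    s.replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
  return pairs
    .filter(([, v]) => v !== '')
    .map(([, v]) => `::add-mask::${escapeData(v)}`);
}

// Constructed inputs modelled on the two reports above.
const multiLineSecrets =
  'DB_SERVER=db_server:latest\nDB_USERNAME=db_username:latest\nDB_PASSWORD=db_password:latest\n';
const composedEnvVars = 'API_USERNAME=example-user, API_PASSWORD=ex%mple=pass';

console.log(toGcloudArg(parseKVList(multiLineSecrets)));
// Emit the masks before anything prints the composed command line.
for (const cmd of maskCommands(parseKVList(composedEnvVars))) console.log(cmd);
console.log(toGcloudArg(parseKVList(composedEnvVars)));
```

In a workflow, the mask lines have to be written to the step's stdout before the deploy step runs, because masking only applies to log output produced after the value is registered.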