Deploys your container image to Cloud Run and makes the URL available to later build steps via outputs.
This action requires:
-
Google Cloud credentials that are authorized to deploy a Cloud Run service. See the Credentials below for more information.
-
This action runs using Node 16. If you are using self-hosted GitHub Actions runners, you must use runner version 2.285.0 or newer.
jobs:
job_id:
permissions:
contents: 'read'
id-token: 'write'
steps:
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
- id: 'deploy'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
service: 'hello-cloud-run'
image: 'gcr.io/cloudrun/hello'
- name: 'Use output'
run: 'curl "${{ steps.deploy.outputs.url }}"'
Name | Requirement | Default | Description |
---|---|---|---|
service |
Required if not using a service YAML via metadata input. |
ID of the service or fully qualified identifier for the service. | |
image |
Required if not using a service YAML via metadata input. |
Name of the container image to deploy (Example: gcr.io/cloudrun/hello:latest ). |
|
region |
optional | us-central1 |
Region in which the resource can be found. |
env_vars |
optional | List of key-value pairs to set as environment variables in the format: KEY1=VALUE1,KEY2=VALUE2 . All existing environment variables will be retained. |
|
secrets |
optional | List of key-value pairs to set as either environment variables or mounted volumes in the format: KEY1=secret-key-1:latest,/secrets/api/key=secret-key-2:latest . The secrets will be fetched from the Secret Manager. The service identity must have permissions to read the secrets. Multiple secrets can be split across multiple lines: secrets: | All existing environment secrets or volumes will be retained. |
|
metadata |
optional | YAML service description for the Cloud Run service (Other inputs will be overridden). See Metadata customizations for more information. | |
project_id |
optional | ID of the Google Cloud project. If provided, this will override the project configured by setup-gcloud . |
|
source |
optional | Deploy from source by specifying the source directory. The Artifact Registry API needs to be enabled and the service account role Cloud Build Service Account is required. The first deployment will create an Artifact Registry repository which requires the Artifact Registry Admin role. Learn more about Deploying from source code. |
|
suffix |
optional | Specify the suffix of the revision name. Revision names always start with named 'helloworld', would lead to a revision named 'helloworld-v1'. | |
tag |
optional | Traffic tag to assign to the newly created revision. | |
timeout |
optional | Set the maximum request execution time. It is specified as a duration; for example, "10m5s" is ten minutes and five seconds. If you don't specify a unit, seconds is assumed. | |
no_traffic |
optional | false |
Set to true to avoid sending traffic to the revision being deployed. |
revision_traffic |
optional | Comma separated list of traffic assignments in the form REVISION-NAME=PERCENTAGE. | |
tag_traffic |
optional | Comma separated list of traffic assignments in the form TAG=PERCENTAGE. | |
flags |
optional | Space separated list of other Cloud Run flags, examples can be found: https://cloud.google.com/sdk/gcloud/reference/run/deploy#FLAGS. | |
gcloud_version |
optional | latest |
Pin the version of Cloud SDK gcloud CLI. |
gcloud_component |
optional | Pin the Cloud SDK gcloud CLI components version, valid values are alpha or beta . |
|
credentials |
Required if not using the setup-gcloud action with exported credentials. |
(Deprecated) This input is deprecated. See auth section for more details. Service account key to use for authentication. This should be the JSON formatted private key which can be exported from the Cloud Console. The value can be raw or base64-encoded. |
You can store your service specification in a YAML file. This will allow for
further service configuration, such as memory limits,
CPU allocation,
max instances,
and more.
Other inputs will be overridden when using metadata
- See Deploying a new service to create a new YAML service definition, for example:
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: SERVICE
spec:
template:
spec:
containers:
- image: IMAGE
- See Deploy a new revision of an existing service to generated a YAML service specification from an existing service:
gcloud run services describe SERVICE --format yaml > service.yaml
A Cloud Run product recommendation is that CI/CD systems not set or change settings for allowing unauthenticated invocations. New deployments are automatically private services, while deploying a revision of a public (unauthenticated) service will preserve the IAM setting of public (unauthenticated). For more information, see Controlling access on an individual service.
url
: The URL of your Cloud Run service.
Use google-github-actions/auth to authenticate the action. This Action supports both the recommended Workload Identity Federation based authentication and the traditional Service Account Key JSON based auth.
See usage for more details.
A service account will be needed with the following roles:
- Cloud Run Admin (
roles/run.admin
):- Can create, update, and delete services.
- Can get and set IAM policies.
This service account needs to a member of the Compute Engine default service account
,
(PROJECT_NUMBER-compute@developer.gserviceaccount.com)
, with role
Service Account User
. To grant a user permissions for a service account, use
one of the methods found in Configuring Ownership and access to a service account.
jobs:
job_id:
permissions:
contents: 'read'
id-token: 'write'
steps:
- uses: actions/checkout@v3
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
service_account: 'my-service-account@my-project.iam.gserviceaccount.com'
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
image: 'gcr.io/cloudrun/hello'
service: 'hello-cloud-run'
jobs:
job_id:
steps:
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
credentials_json: '${{ secrets.GCP_SA_KEY }}'
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
image: 'gcr.io/cloudrun/hello'
service: 'hello-cloud-run'
If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.
jobs:
job_id:
steps:
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
image: 'gcr.io/cloudrun/hello'
service: 'hello-cloud-run'
-
Create a new Google Cloud Project (or select an existing project).
-
Create a Google Cloud service account or select an existing one.
-
Add the the following [Cloud IAM roles][roles] to your service account:
-
Cloud Run Admin
- allows for the creation of new Cloud Run services -
Service Account User
- required to deploy to Cloud Run as service account -
Storage Admin
- allow push to Google Container Registry (this grants project level access, but recommend reducing this scope to bucket level permissions.)
-
-
Download a JSON service account key for the service account.
-
Add the following secrets to your repository's secrets:
-
GCP_PROJECT
: Google Cloud project ID -
GCP_SA_KEY
: the downloaded service account key
-
To run this workflow, push to the branch named example-deploy
:
git push YOUR-FORK main:example-deploy
To run this workflow, push to the branch named example-build-deploy
:
git push YOUR-FORK main:example-build-deploy
Reminder: If this is your first deployment of a service, it will reject all unauthenticated requests. Learn more at allowing unauthenticated requests
Example using setup-gcloud
:
jobs:
job_id:
steps:
- name: 'Setup Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v0'
with:
project_id: '${{ env.PROJECT_ID }}'
service_account_key: '${{ secrets.GCP_SA_KEY }}'
- name: 'Deploy to Cloud Run'
run: |-
gcloud run deploy $SERVICE \
--region $REGION \
--image gcr.io/$PROJECT_ID/$SERVICE \
--platform managed \
--set-env-vars NAME="Hello World"
Migrated to deploy-cloudrun
:
jobs:
job_id:
steps:
- id: 'auth'
uses: 'google-github-actions/auth@v0'
with:
credentials_json: '${{ secrets.GCP_SA_KEY }}'
- name: 'Deploy to Cloud Run'
uses: 'google-github-actions/deploy-cloudrun@v0'
with:
service: '${{ env.SERVICE }}'
image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}'
region: '${{ env.REGION }}'
env_vars: 'NAME="Hello World"'
Note: The action is for the "managed" platform and will not set access privileges such as allowing unauthenticated requests.
We recommend pinning to the latest available major version:
- uses: 'google-github-actions/deploy-cloudrun@v0'
While this action attempts to follow semantic versioning, but we're ultimately human and sometimes make mistakes. To prevent accidental breaking changes, you can also pin to a specific version:
- uses: 'google-github-actions/deploy-cloudrun@v0.1.1'
However, you will not get automatic security updates or new features without
explicitly updating your version number. Note that we only publish MAJOR
and
MAJOR.MINOR.PATCH
versions. There is not a floating alias for
MAJOR.MINOR
.