/deploy-appengine

This action deploys your source code to App Engine.

Primary LanguageTypeScript

deploy-appengine

This action deploys your source code to App Engine and makes the URL available to later build steps via outputs. This allows you to parameterize your App Engine deployments.

Prerequisites

  • This action requires Google Cloud credentials that are authorized to deploy an App Engine Application. See the Authorization section below for more information.

  • This action runs using Node 16. If you are using self-hosted GitHub Actions runners, you must use runner version 2.285.0 or newer.

Usage

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-appengine@v1'

    # Example of using the output
    - id: 'test'
      run: 'curl "${{ steps.deploy.outputs.url }}"'

Inputs

  • project_id: (Optional) ID of the Google Cloud project. If not provided, this is inherited from the environment.

  • working_directory: (Optional) The working directory to use. Actions do not honor default working-directory settings. The deliverables input is a relative path based on this setting.

  • deliverables: (Optional) The yaml files for the services or configurations you want to deploy. If not given, defaults to app.yaml in the current directory. If that is not found, attempts to automatically generate necessary configuration files (such as app.yaml) in the current directory (example, app.yaml cron.yaml). Note: the additional deliverables may require additional roles for your service account user.

  • image_url: (Optional) Deploy with a specific container image. The image url must be from one of the valid GCR hostnames (example, gcr.io/).

  • version: (Optional) The version of the app that will be created or replaced by this deployment. If you do not specify a version, one will be generated for you.

  • promote: (Optional) Promote the deployed version to receive all traffic. The default is true.

  • flags: (Optional) Space-separated list of other Cloud Run flags. This can be used to access features that are not exposed via this GitHub Action.

    with:
      flags: '--add-cloudsql-instances=...'

    See the complete list of flags for more information.

app.yaml customizations

Other application configurations can be customized through the app.yaml, ie the service name. See app.yaml Configuration File for more information.

Outputs

  • url: The URL of your App Engine Application.

Authorization

There are a few ways to authenticate this action. The caller must have the following Google Cloud IAM Roles:

  • App Engine Admin (roles/appengine.appAdmin): can manage all App Engine resources
  • Service Account User (roles/iam.serviceAccountUser): to deploy as the service account
  • Storage Admin (roles/compute.storageAdmin): to upload files
  • Cloud Build Editor (roles/cloudbuild.builds.editor): to build the application
  • (optional) Cloud Scheduler Admin (roles/cloudscheduler.admin): to schedule tasks

Note: An owner will be needed to create the App Engine application.

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. This Action supports both the recommended Workload Identity Federation based authentication and the traditional Service Account Key JSON based auth.

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-appengine@v1'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    - id: 'deploy'
      uses: 'google-github-actions/deploy-appengine@v1'

Example Workflows

Setup

  1. Clone this repo.

  2. Create a new Google Cloud Project (or select an existing project).

  3. Initialize your App Engine app with your project.

  4. Enable the App Engine Admin API on your project.

  5. Create a Google Cloud service account or select an existing one.

  6. Add required roles to your service account.

  7. Download a JSON service account key for the service account.

  8. Add the following secrets to your repository's secrets:

    • GCP_PROJECT: Google Cloud project ID

    • GCP_SA_KEY: the downloaded service account key

Deploy from source

To run this workflow, push to the branch named example:

git push YOUR-FORK main:example