feat: add docker-build and cloudrun-deploy composite actions #5
Merged
docker-build: WIF auth → Secret Manager → .env.production → buildx build+push to Artifact Registry
cloudrun-deploy: WIF auth → Secret Manager → format env_vars → deploy-cloudrun
Both actions eliminate the need for separate publish jobs or inter-job Docker caches.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add Docker build+push path to build@v2 (activated by image-name input) and Cloud Run deploy path to deploy@v2 (activated by cloudrun-service input). Existing static-site callers are unaffected: new inputs default to empty and all new steps are gated behind their respective discriminator inputs. Remove standalone docker-build and cloudrun-deploy actions.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ments GitHub's YAML parser rejected inputs from both actions because UTF-8 multi-byte characters (U+2500, U+2014) in comment lines caused silent parse failure, making all inputs appear undefined.
Replaces mutable version tags with pinned commit SHAs in the Docker and Cloud Run steps of build and deploy actions to prevent supply chain attacks.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
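The check a reviewer would want alongside the pinning commit above: a shell script that flags every `uses:` reference in an action file that is not pinned to a full 40-hex commit SHA. This is an added example, not code from this PR or its repository. It runs over a constructed action.yml; the pinned lines in that sample reuse the four SHAs listed in the PR description, while the unpinned entries (`actions/checkout@v4`, the `some-org/...` actions, the local path) are made up to exercise each branch of the check.

```shell
#!/bin/sh
# Added example (not the PR's own code): report `uses:` references that are
# not pinned to a full commit SHA. Assumes GitHub Actions `uses:` syntax
# (`owner/repo[/path]@ref`); local `./path` and `docker://` references are
# skipped because there is no git ref to pin.
set -eu

# Classify one `uses:` value: prints "pinned", "unpinned" or "skip".
classify_uses_ref() {
  ref="$1"
  case "$ref" in
    ./*|docker://*) echo skip; return 0 ;;
    *@*) ;;
    *) echo unpinned; return 0 ;;   # no @ref at all: floats on the default branch
  esac
  target="${ref##*@}"
  # Only a full 40-hex object id is immutable; tags and branches can move.
  if printf '%s' "$target" | grep -Eq '^[0-9a-f]{40}$'; then
    echo pinned
  else
    echo unpinned
  fi
}

# Print "<line>: <ref>" for every unpinned `uses:` in file $1.
# Returns 1 if anything was printed, 0 if every reference is pinned.
find_unpinned_uses() {
  found=$(
    grep -n -E '^[[:space:]]*(-[[:space:]]+)?uses:' "$1" | while IFS= read -r entry; do
      lineno="${entry%%:*}"
      raw="${entry#*uses:}"
      # strip trailing "# comment", surrounding whitespace and optional quotes
      ref=$(printf '%s' "$raw" | sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//")
      if [ "$(classify_uses_ref "$ref")" = unpinned ]; then
        printf '%s: %s\n' "$lineno" "$ref"
      fi
    done
  )
  if [ -n "$found" ]; then
    printf '%s\n' "$found"
    return 1
  fi
  return 0
}

# Constructed sample action.yml (not the PR's real file): pinned entries use the
# SHAs from the PR description; the rest are deliberately unpinned or local.
write_sample_action() {
  f="$(mktemp)"
  cat >"$f" <<'YAML'
runs:
  using: composite
  steps:
    - uses: google-github-actions/get-secretmanager-secrets@2b5f97c5a4b9c105e64646762ad4fc3f5128e6f5
    - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
    - uses: "docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8" # quoted, still pinned
    - uses: google-github-actions/deploy-cloudrun@251330ba9a8a34bfbc1622895f42e1d53fd14522 # v2
    - uses: actions/checkout@v4          # mutable tag
    - uses: some-org/some-action@main    # mutable branch
    - uses: some-org/other-action        # no ref at all
    - uses: ./actions/build              # local path, nothing to pin
YAML
  printf '%s\n' "$f"
}

sample="$(write_sample_action)"
if find_unpinned_uses "$sample"; then
  echo "all uses: references are pinned"
else
  echo "pin the references above to a full commit SHA"
fi
rm -f "$sample"
```

A 40-hex ref only guarantees immutability; it says nothing about which repository the commit belongs to, so a pin still has to be checked against the upstream repository (the PR description states this was done for the four SHAs it lists), and a `# vN` trailer comment is worth keeping so tools and reviewers can tell which release the SHA corresponds to.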
The --maintained-version CLI flag expects a semver constraint (e.g. 1)
not a prerelease identifier. Writing maintainedVersion to .semrelrc matches
how go-semantic-release expects the config, producing v{major}.x.y-rc.N tags.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add ghcr-image input to actions/build/action.yml. When set the action pulls a pre-built image from GHCR, re-tags it for GCP Artifact Registry (SHA + latest tags), and pushes it: no Dockerfile or build-time secrets required. All existing Docker build+push and static-build paths are unaffected; each path is guarded by its own discriminator condition. Update README with GHCR pull+retag usage example and runner-contract note.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The Docker build path and the GHCR pull+retag path both registered a step named 'Configure Docker for Artifact Registry'. Conditional gating means only one ever runs, but the Actions UI shows both as separate (one-skipped) lines, which is confusing. Rename to '(build path)' and '(retag path)' for clarity in logs.
- Add 'Validate Cloud Run inputs' step that fails fast when image-name, gcp-region, gcp-project-id, or gcp-repository is missing, and when scheduler-name is set without schedule-time. Avoids gcloud erroring mid-deploy on malformed image references.
- 'Format env vars for Cloud Run' is no longer gated on gcp-secret-name. It always sets GOOGLE_CLOUD_PROJECT in Cloud Run mode, matching the README contract, and gracefully handles the no-secret case.
- Switch env_vars from comma-delimited to newline-delimited multiline output so secret values containing commas survive the formatting step. deploy-cloudrun v2 accepts either delimiter.
- Cloud Scheduler step now reconciles instead of being create-only: existing triggers are updated (schedule, time-zone, uri, oidc), missing ones are created. Step renamed from 'Create Cloud Scheduler' to 'Reconcile Cloud Scheduler'. --project is now passed explicitly in both create and update calls.
- Update action description and scheduler-name input docstring to reflect reconcile behavior.
The deploy action now reconciles the Cloud Scheduler trigger on every run (creates if missing, updates if existing) instead of being create-only. Update the Cloud Run job example and the doc box that described it as idempotent / skipped-if-exists.
Contributor:

Hey @gamechanger1s — I pushed three commits to this branch addressing review feedback. Could you run a verification matrix against your GCP project and report back?

What changed

Please verify on a real GCP target

Tick each as it passes — these gate moving the

Intentionally not changed (separate follow-ups if you want to file them):

Ping me once the matrix is green and we can move the
Summary

Extends the reusable `build` and `deploy` actions in `actions/build/action.yml` and `actions/deploy/action.yml` to support GCP Artifact Registry + Cloud Run deployments alongside the existing static-build path. A third path — GHCR pull+retag — is also added to support services whose image is pre-built externally. The `deploy` action now also supports Cloud Run jobs with optional Cloud Scheduler creation.

Changes

`actions/build/action.yml`
- Docker build path (`image-name`): authenticates via WIF, optionally fetches build-time env vars from Secret Manager into `.env.production`, builds with Buildx, and pushes SHA + latest tags to Artifact Registry
- GHCR pull+retag path (`ghcr-image`): pulls a pre-built image from GHCR, re-tags it for Artifact Registry (SHA + latest), and pushes it — no Dockerfile or build-time secrets required; takes priority over the Docker build path

`actions/deploy/action.yml`
- Cloud Run service path (`cloudrun-service`): fetches runtime env vars from Secret Manager, formats them as `KEY=VAL,...`, and deploys via `google-github-actions/deploy-cloudrun` with `overwrite` strategy
- Cloud Run job path (`cloudrun-job`): deploys a Cloud Run job using the same shared WIF auth and Secret Manager fetch as the service path; optionally creates a Cloud Scheduler trigger (idempotent — skipped if already exists) when `scheduler-name` and `schedule-time` are set
- `cloudrun-flags` input (e.g. VPC connector, ingress settings, job command/args)

`README.md`

SHA-pinned actions (all verified against GitHub)

| Action | Pinned SHA |
| --- | --- |
| `get-secretmanager-secrets` | `2b5f97c5a4b9c105e64646762ad4fc3f5128e6f5` |
| `setup-buildx-action` | `8d2750c68a42422c14e847fe6c8ac0403b4cbd6f` |
| `build-push-action` | `10e90e3645eae34f1e60eeb005ba3a3d33f178e8` |
| `deploy-cloudrun` | `251330ba9a8a34bfbc1622895f42e1d53fd14522` |

Test plan
- (`cloudrun-service` or `cloudrun-job` passed)
- `cloudrun-service` set, job/scheduler steps skipped
- `cloudrun-job` set, service step skipped, scheduler created if `scheduler-name` set
- `scheduler-name` omitted, scheduler step skipped cleanly
- `ghcr-image` set, no Dockerfile required

🤖 Generated with Claude Code
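The Cloud Run deploy path's 'Validate Cloud Run inputs' and 'Format env vars for Cloud Run' steps, as described in the commits and the Changes list above, modelled as plain shell functions so they can be run and tested outside a runner. This is an added example, not the PR's `actions/deploy/action.yml`. It assumes the inputs reach the step as `INPUT_*` environment variables (hypothetical names, chosen for the example) and that the Secret Manager payload is dotenv-style text with one `KEY=VAL` per line; the sample payload is constructed and contains no real credentials.

```shell
#!/bin/sh
# Added example, not the PR's action.yml. Models the input validation and the
# newline-delimited env-var formatting of the Cloud Run deploy path.
# Assumptions not taken from the page:
#   - inputs arrive as INPUT_* environment variables (hypothetical names)
#   - the Secret Manager payload is dotenv-style text, one KEY=VAL per line
set -eu

# Fail fast on malformed Cloud Run inputs instead of letting gcloud fail
# mid-deploy. Returns 1 and names the first offending input on stderr.
validate_cloudrun_inputs() {
  for name in INPUT_IMAGE_NAME INPUT_GCP_REGION INPUT_GCP_PROJECT_ID INPUT_GCP_REPOSITORY; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "error: required input ${name#INPUT_} is empty" >&2
      return 1
    fi
  done
  # scheduler-name without schedule-time would produce an unusable trigger
  if [ -n "${INPUT_SCHEDULER_NAME:-}" ] && [ -z "${INPUT_SCHEDULE_TIME:-}" ]; then
    echo "error: scheduler-name is set but schedule-time is empty" >&2
    return 1
  fi
  return 0
}

# Format env vars for Cloud Run, one KEY=VAL per line.
# $1: secret payload (empty when no gcp-secret-name is configured)
# $2: GCP project id, always emitted as GOOGLE_CLOUD_PROJECT
# Values may contain commas because pairs are separated by newlines.
format_env_vars() {
  payload="$1"
  project="$2"
  printf 'GOOGLE_CLOUD_PROJECT=%s\n' "$project"
  [ -n "$payload" ] || return 0
  printf '%s\n' "$payload" | while IFS= read -r line; do
    case "$line" in
      ''|'#'*) ;;                                       # blank line or comment
      *=*) printf '%s\n' "$line" ;;                     # well-formed KEY=VAL
      *) echo "warning: ignoring malformed line: $line" >&2 ;;
    esac
  done
}

# Emit a multiline step output with the GITHUB_OUTPUT heredoc syntax
# (key<<delim ... delim) so embedded newlines survive into later steps.
# $1: output key, $2: value, $3: path of the GITHUB_OUTPUT file.
write_multiline_output() {
  delim="ghadelim_$$"
  # If the delimiter occurred inside the value the heredoc would end early.
  case "$2" in *"$delim"*) echo "error: delimiter collision" >&2; return 1 ;; esac
  {
    printf '%s<<%s\n' "$1" "$delim"
    printf '%s\n' "$2"
    printf '%s\n' "$delim"
  } >>"$3"
}

# Constructed sample payload (not a real secret); two values contain commas.
SAMPLE_SECRET=$(printf 'DATABASE_URL=postgres://db.internal/app?opts=a,b\nFEATURE_FLAGS=alpha,beta\n# comment line\n\nAPI_KEY=not-a-real-key')

demo() {
  INPUT_IMAGE_NAME=app
  INPUT_GCP_REGION=us-central1
  INPUT_GCP_PROJECT_ID=demo-project
  INPUT_GCP_REPOSITORY=images
  validate_cloudrun_inputs
  ofile="$(mktemp)"
  env_vars="$(format_env_vars "$SAMPLE_SECRET" "$INPUT_GCP_PROJECT_ID")"
  write_multiline_output env_vars "$env_vars" "$ofile"
  cat "$ofile"
  rm -f "$ofile"
}
demo
```

The no-secret case produces only the `GOOGLE_CLOUD_PROJECT` line, and a value such as `FEATURE_FLAGS=alpha,beta` reaches the output intact, which is exactly what the comma-delimited format could not guarantee.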