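# GitHub Actions workflow for deploying Gateway to Google Cloud Run
# Documentation: https://cloud.google.com/run/docs/deploying
#
# Required GitHub Secrets:
# - GCP_PROJECT_ID: Your Google Cloud Project ID
# - GCP_SA_KEY: Service Account JSON key with Cloud Run Admin and Cloud Build Editor roles
# - GCP_SERVICE_ACCOUNT_EMAIL: Email of the service account to run Cloud Run service as
#
# Required Google Cloud Setup:
# 1. Create a service account with Cloud Run Admin and Cloud Build Editor roles
# 2. Create secret "CONFIG_KEY" in Secret Manager with your master key
# 3. Grant the service account access to Secret Manager secrets
# 4. Create Cloud SQL instance (if not exists)
# 5. Create env_gcp.env file with your configuration
#
# Security notes:
# - GCP_SA_KEY is a long-lived credential stored in GitHub; prefer Workload
#   Identity Federation (see the commented alternative in the auth step).
# - The selected env file is copied to gateway/.env and shipped with the source
#   to Cloud Build, so whatever it contains ends up in the image. Keep secrets
#   out of env_*.env and pass them through Secret Manager (--set-secrets).
# - The service is deployed with --allow-unauthenticated (public ingress).
# - Third-party actions are referenced by major tag; consider pinning `uses:`
#   to a full commit SHA for supply-chain stability.
#
# Behavioural notes:
# - The workflow_dispatch `environment` input selects the Cloud Run service
#   name (gateway-prod / gateway-int) and APP_ENV_TYPE. Push events to main
#   always deploy prod. ENV_FILE and the CONFIG_KEY secret are NOT
#   environment-specific; adjust them if int must be fully isolated.
---
name: Deploy Gateway to Google Cloud Run

on:
  push:
    branches:
      - main
    paths:
      - 'gateway/**'
  workflow_dispatch:
    inputs:
      environment:
        description: 'Environment to deploy to'
        required: true
        default: 'prod'
        type: choice
        options:
          - prod
          - int

env:
  PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
  # No dispatch input exists on push events, so fall back to prod.
  DEPLOY_ENV: ${{ github.event.inputs.environment || 'prod' }}
  # Service name follows the selected environment (gateway-prod by default).
  SERVICE_NAME: gateway-${{ github.event.inputs.environment || 'prod' }}
  REGION: europe-west6  # Zurich region
  ENV_FILE: env_gcp.env

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # Only used by Workload Identity Federation; harmless with credentials_json

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}
          # Alternative: Use Workload Identity Federation (more secure)
          # workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
          # service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v2

      # The image is built and pushed by Cloud Build, not from this runner, so this
      # credential helper is only needed if a later step uses docker directly.
      # --quiet suppresses the interactive confirmation prompt in CI.
      - name: Configure Docker for GCR
        run: |
          gcloud auth configure-docker --quiet

      # Workflow env vars are exported to the shell, so plain $VAR expansion is
      # used instead of ${{ }} interpolation inside the script text.
      - name: Set productive environment
        working-directory: ./gateway
        run: |
          if [ -f "$ENV_FILE" ]; then
            cp "$ENV_FILE" .env
          else
            echo "Warning: $ENV_FILE not found, using env_prod.env as fallback"
            cp env_prod.env .env
          fi
          # Remove the remaining env_*.env files so only .env is uploaded to Cloud Build
          rm -f env_*.env

      - name: Build and push container image
        working-directory: ./gateway
        run: |
          # Build container image using Cloud Build
          # If Dockerfile exists, it will be used; otherwise Cloud Buildpacks will be used
          # --tag is a single-value flag: repeating it does not add a second tag,
          # so build only the immutable SHA tag (the one the deploy step uses)
          # and then point :latest at the same digest.
          IMAGE="gcr.io/${PROJECT_ID}/${SERVICE_NAME}"
          gcloud builds submit \
            --tag "${IMAGE}:${GITHUB_SHA}" \
            --project "${PROJECT_ID}"
          # NOTE(review): tagging from the runner needs write access to the gcr.io
          # storage bucket for the deploy service account — confirm the granted roles.
          gcloud container images add-tag \
            "${IMAGE}:${GITHUB_SHA}" \
            "${IMAGE}:latest" \
            --quiet

      - name: Deploy to Cloud Run
        env:
          RUNTIME_SA: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
        run: |
          # --allow-unauthenticated exposes the service publicly; drop it and grant
          # roles/run.invoker to callers if the gateway should be private.
          # CONFIG_KEY is resolved at deploy time from Secret Manager (:latest);
          # pin a version number for reproducible rollouts if desired.
          gcloud run deploy "${SERVICE_NAME}" \
            --image "gcr.io/${PROJECT_ID}/${SERVICE_NAME}:${GITHUB_SHA}" \
            --region "${REGION}" \
            --platform managed \
            --allow-unauthenticated \
            --project "${PROJECT_ID}" \
            --set-env-vars "APP_ENV_TYPE=${DEPLOY_ENV}" \
            --set-secrets "CONFIG_KEY=CONFIG_KEY:latest" \
            --memory 2Gi \
            --cpu 2 \
            --timeout 300 \
            --max-instances 10 \
            --min-instances 1 \
            --port 8000 \
            --service-account "${RUNTIME_SA}"

      - name: Get service URL
        id: service-url
        run: |
          SERVICE_URL=$(gcloud run services describe "${SERVICE_NAME}" \
            --region "${REGION}" \
            --project "${PROJECT_ID}" \
            --format 'value(status.url)')
          echo "url=${SERVICE_URL}" >> "$GITHUB_OUTPUT"

      - name: Output deployment URL
        env:
          SERVICE_URL: ${{ steps.service-url.outputs.url }}
        run: |
          echo "🚀 Deployment successful!"
          echo "Service URL: ${SERVICE_URL}"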