diff --git a/.github/push-backend-workflow.yml b/.github/push-backend-workflow.yml deleted file mode 100644 index 1b16265..0000000 --- a/.github/push-backend-workflow.yml +++ /dev/null @@ -1,113 +0,0 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the "main" branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Authenticate Docker to Artifact Registry -# 3. Build a docker container -# 4. Publish it to Google Artifact Registry -# 5. Deploy it to Cloud Run -# -# To configure this workflow: -# -# 1. Ensure the required Google Cloud APIs are enabled: -# -# Cloud Run run.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) -# -# 3. Ensure the required IAM permissions are granted -# -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) -# -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT -# -# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). -# -# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io -# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege - -name: Build and Deploy to Cloud Run - -on: - push: - branches: [ "main" ] - -env: - PROJECT_ID: cinect-420301 # TODO: update Google Cloud project id - GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location - SERVICE: cinect-api-run # TODO: update Cloud Run service name - REGION: us-east5 # TODO: update Cloud Run service region - -jobs: - deploy: - # Add 'id-token' with the intended permissions for workload identity federation - permissions: - contents: 'read' - id-token: 'write' - - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v2 - - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v2' - with: - token_format: 'access_token' - workload_identity_provider: 'projects/180142082042/locations/global/workloadIdentityPools/github/providers/my-repo' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: 'my-service-account@cinect-420301.iam.gserviceaccount.com' # e.g. - my-service-account@my-project.iam.gserviceaccount.com - - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' - - # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) - - # Authenticate Docker to Google Cloud Artifact Registry - - name: Docker Auth - id: docker-auth - uses: 'docker/login-action@v1' - with: - username: 'oauth2accesstoken' - password: '${{ steps.auth.outputs.access_token }}' - registry: 'gcr.io' - - - name: Build and Push Container - run: |- - docker build -t "gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./frontend - docker push "gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" - - # END - Docker auth and build - - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v2 - with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If using a pre-built image, update the image name here - image: gcr.io/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} - - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }}