This page describes how to configure Cloud Build to build and test your Python applications, upload your artifacts to Artifact Registry, generate provenance information, and save your test logs in Cloud Storage.

Cloud Build enables you to use any publicly available container imageto execute your tasks. The publicpython image from Docker Hub comes preinstalled withpython andpip tools. You can configure Cloud Builduse these tools to install dependencies, build, and run unit tests using these tools.

Before you begin

The instructions on this page assume that you are familiar with Python. In addition:

• Enable the Cloud Build, Artifact Registry, and Cloud Storage APIs.

  Roles required to enable APIs

  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enable permission.Learn how to grant roles.

  Enable the APIs

• To run thegcloud commands on this page, installGoogle Cloud CLI.
• Have your Python project handy.
• Have a Python repository in Artifact Registry. If you don't have one, thencreate a new repository.
• If you want to store test logs in Cloud Storage,create a bucket in Cloud Storage.

Required IAM permissions

• To store test logs in Logging, grant theStorage Object Creator (roles/storage.objectCreator)role for the Cloud Storage bucket to your build service account.

• To store built images in Artifact Registry, grant theArtifact Registry Writer(roles/artifactregistry.writer) roleto the your build service account.

For instructions on granting these roles seeGranting a role using the IAM page.

Configuring Python builds

This section walks through an example build config file for a Python app. It hasbuild steps to manage installation requirements, add unit tests, and after the tests pass, to build and deploy the app.

1. In your project root directory, createCloud Build config filenamedcloudbuild.yaml.

2. Install requirements: Thepython image from Docker Hub comes preinstalledwithpip. To install dependencies frompip, add a build step with thefollowing fields:

   • name: Set the value of this field topython orpython:<tag> to use the python image from Docker Hub for this task. To see a list of available tags for other Python images, see theDocker Hub reference for the python image.
   • entrypoint: Setting this field overrides the default entrypoint of the imagereferenced inname. Set the value of this field topip to invokepipas the entrypoint of the build step and runpip commands.
   • args: Theargs field of a build step takes a list of arguments andpasses them to the image referenced by thename field. Pass the argumentsto run thepip install command in this field.--user flag in thepip installcommand ensures that the subsequent build steps can access the modulesinstalled in this build step.

   The following build step adds arguments to install requirements:

   steps:-name:'python'entrypoint:'python'args:['-m','pip','install','--upgrade','pip']-name:pythonentrypoint:pythonargs:['-m','pip','install','build','pytest','Flask','--user']

3. Add unit tests: If you've defined unit tests in your application using atesting framework such aspytest, you can configure Cloud Buildto run the tests by adding the following fields in a build step:

   • name: Set the value of this field topython to use the python image fromDocker Hub for your task.
   • entrypoint: Set the value of this field topython to runpython commands.
   • args: Add the arguments for running thepython pytest command.

   The following build step saves thepytest log output to a JUNIT XML file.The name of this file is constructed using$SHORT_SHA,the short version of the commit ID associatedwith your build.A subsequent build step will save the logs in this file to Cloud Storage.

   -name:'python'entrypoint:'python'args:['-m','pytest','--junitxml=${SHORT_SHA}_test_log.xml']

4. Build: In your build config file, define the builder and theargs to build your application:

   • name: Set the value of this field topython to use the python image fromDocker Hub for your task.
   • entrypoint: Set the value of this field topython to runpython commands.
   • args: Add the arguments for executing your build.

   The following build step starts the build:

   -name:'python'entrypoint:'python'args:['-m','build']

5. Upload to Artifact Registry:

   In your config file, add thepythonPackages field and specify your Python repository in Artifact Registry:

   artifacts:pythonPackages:-repository:'https://LOCATION-python.pkg.dev/PROJECT-ID/REPOSITORY'paths:['dist/*']

   Replace the following values:

   • PROJECT-ID is the ID of the Google Cloud project that contains your Artifact Registry repository.
   • REPOSITORY is the ID of the repository.
   • LOCATION is the regional or multi-regionallocation for the repository.

6. Optional: Enable provenance generation

   Cloud Build can generate verifiableSupply chain Levels for Software Artifacts (SLSA) buildprovenance metadata to help secure your continuous integration pipeline.

   To enable provenance generation, addrequestedVerifyOption: VERIFIEDto theoptions section in your config file.

7. Save test logs to Cloud Storage: You can configure Cloud Buildto store any test logs in Cloud Storage by specifying an existing bucketlocation and path to the test logs.The following build step stores the test logs that you saved in the JUNIT XMLfile to a Cloud Storage bucket:

   artifacts:objects:location:'gs://${_BUCKET_NAME}/'paths:-'${SHORT_SHA}_test_log.xml'

8. Start your build:manually orusing build triggers.

   Once your build completes, you canview repository detailsin Artifact Registry.

   You can alsoview build provenance metadata andvalidate provenance.

What's next

• Learn how toview build results.
• Learn how tosafeguard builds.
• Learn how tobuild and containerize Python applications.
• Learn how touse private dependencies.
• Learn how toperform blue/green deployments on Compute Engine.
• Learn how totroubleshoot build errors.