A GitHub Action for deploying services to Google Cloud Run.


google-github-actions/deploy-cloudrun


The deploy-cloudrun GitHub Action deploys to Google Cloud Run. It can deploy a container image or from source, and the resulting service URL is available as a GitHub Actions output for use in future steps.

This is not an officially supported Google product, and it is not covered by a Google Cloud support contract. To report bugs or request features in a Google Cloud product, please contact Google Cloud support.

Prerequisites

  • This action requires Google Cloud credentials that are authorized to access the secrets being requested. See Authorization for more information.

  • This action runs using Node 24. If you are using self-hosted GitHub Actions runners, you must use a runner version that supports this version or newer.

Usage

    jobs:
      job_id:
        # ...

        permissions:
          contents: 'read'
          id-token: 'write'

        steps:
        - uses: 'actions/checkout@v4'

        - uses: 'google-github-actions/auth@v3'
          with:
            workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
            service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

        - id: 'deploy'
          uses: 'google-github-actions/deploy-cloudrun@v3'
          with:
            service: 'hello-cloud-run'
            image: 'us-docker.pkg.dev/cloudrun/container/hello:latest'

        - name: 'Use output'
          run: 'curl "${{ steps.deploy.outputs.url }}"'

Inputs

  • service: (Optional) ID of the service or fully-qualified identifier of the service. This is required unless providing metadata or job.

  • job: (Optional) ID of the job or fully-qualified identifier of the job. This is required unless providing metadata or service.

  • metadata: (Optional) YAML service description for the Cloud Run service. This is required unless providing service or job.

  • image: (Optional) (Required, unless providing metadata or source) Fully-qualified name of the container image to deploy. For example:

    us-docker.pkg.dev/cloudrun/container/hello:latest

    or

    us-docker.pkg.dev/my-project/my-container/image:1.2.3

  • source: (Optional) (Required, unless providing metadata, image, or job) Path to source to deploy. If specified, this will deploy the Cloud Run service from the code specified at the given source directory.

    Learn more about the required permissions in Deploying from source code.

  • suffix: (Optional) String suffix to append to the revision name. Revision names always start with the service name automatically. For example, specifying v1 for a service named helloworld, would lead to a revision named helloworld-v1. This option only applies to services.

  • env_vars: (Optional) List of environment variables that should be set in the environment. These are comma-separated or newline-separated KEY=VALUE. Keys or values that contain separators must be escaped with a backslash (e.g. \, or \\n) unless quoted. Any leading or trailing whitespace is trimmed unless values are quoted.

    env_vars: |-
      FRUIT=apple
      SENTENCE=" this will retain leading and trailing spaces "

    This value will only be set if the input is a non-empty value. If a non-empty value is given, the field values will be overwritten (not merged). To remove all values, set the value to the literal string {}.

    If both env_vars and env_vars_file are specified, the keys in env_vars will take precedence over the keys in env_vars_file.

  • env_vars_update_strategy: (Required, default: merge) Controls how the environment variables are set on the Cloud Run service. If set to "merge", then the environment variables are merged with any upstream values. If set to "overwrite", then all environment variables on the Cloud Run service will be replaced with exactly the values given by the GitHub Action (making it authoritative).

  • secrets: (Optional) List of KEY=VALUE pairs to use as secrets. These are comma-separated or newline-separated KEY=VALUE. Keys or values that contain separators must be escaped with a backslash (e.g. \, or \\n) unless quoted. Any leading or trailing whitespace is trimmed unless values are quoted.

    These can either be injected as environment variables or mounted as volumes. Keys starting with a forward slash '/' are mount paths. All other keys correspond to environment variables:

    with:
      secrets: |-
        # As an environment variable:
        KEY1=secret-key-1:latest

        # As a volume mount:
        /secrets/api/key=secret-key-2:latest

    This value will only be set if the input is a non-empty value. If a non-empty value is given, the field values will be overwritten (not merged). To remove all values, set the value to the literal string {}.

  • secrets_update_strategy: (Required, default: merge) Controls how the secrets are set on the Cloud Run service. If set to merge, then the secrets are merged with any upstream values. If set to overwrite, then all secrets on the Cloud Run service will be replaced with exactly the values given by the GitHub Action (making it authoritative).

  • labels: (Optional) List of labels that should be set on the function. These are comma-separated or newline-separated KEY=VALUE. Keys or values that contain separators must be escaped with a backslash (e.g. \, or \\n) unless quoted. Any leading or trailing whitespace is trimmed unless values are quoted.

    labels: |-
      labela=my-label
      labelb=my-other-label

    This value will only be set if the input is a non-empty value. If a non-empty value is given, the field values will be overwritten (not merged). To remove all values, set the value to the literal string {}.

    Google Cloud restricts the allowed values and length for labels. Please see the Google Cloud documentation for labels for more information.

  • skip_default_labels: (Optional, default: false) Skip applying the special annotation labels that indicate the deployment came from GitHub Actions. The GitHub Action will automatically apply the following labels which Cloud Run uses to enhance the user experience:

    managed-by: github-actions
    commit-sha: <sha>

    Setting this to true will skip adding these special labels.

  • tag: (Optional) Traffic tag to assign to the newly-created revision. This option only applies to services.

  • timeout: (Optional) Maximum request execution time, specified as a duration like "10m5s" for ten minutes and 5 seconds.

  • flags: (Optional) Space-separated list of additional Cloud Run flags to pass to the deploy command. This can be used to apply advanced features that are not exposed via this GitHub Action. For Cloud Run services, this command will be gcloud run deploy. For Cloud Run jobs, this command will be gcloud jobs deploy.

    with:
      flags: '--add-cloudsql-instances=...'

    Flags that include other flags must quote the entire outer flag value. For example, to pass --args=-X=123:

    with:
      flags: '--add-cloudsql-instances=... "--args=-X=123"'

    See the complete list of flags for more information.

    Please note, this GitHub Action does not parse or validate the flags. You are responsible for making sure the flags are available on the gcloud version and subcommand.

  • no_traffic: (Optional, default: false) If true, the newly deployed revision will not receive traffic. This option only applies to services.

  • wait: (Optional, default: false) If true, the action will execute and wait for the job to complete before exiting. This option only applies to jobs.

  • revision_traffic: (Optional) Comma-separated list of revision traffic assignments.

    with:
      revision_traffic: 'my-revision=10' # percentage

    To update traffic to the latest revision, use the special tag "LATEST":

    with:
      revision_traffic: 'LATEST=100'

    This is mutually-exclusive with tag_traffic. This option only applies to services.

  • tag_traffic: (Optional) Comma-separated list of tag traffic assignments.

    with:
      tag_traffic: 'my-tag=10' # percentage

    This is mutually-exclusive with revision_traffic. This option only applies to services.

  • update_traffic_flags: (Optional) Space-separated list of additional Cloud Run flags to pass to the gcloud run services update-traffic command. This can be used to apply advanced features that are not exposed via this GitHub Action. This flag only applies when revision_traffic or tag_traffic is set.

    with:
      update_traffic_flags: '--set-tags=...'

    Flags that include other flags must quote the entire outer flag value. For example, to pass --args=-X=123:

    with:
      update_traffic_flags: '--set-tags=... "--args=-X=123"'

    See the complete list of flags for more information.

    Please note, this GitHub Action does not parse or validate the flags. You are responsible for making sure the flags are available on the gcloud version and subcommand.

  • project_id: (Optional) ID of the Google Cloud project in which to deploy the service.

  • region: (Optional, default: us-central1) Region in which the Cloud Run services are deployed.

  • gcloud_version: (Optional) Version of the Cloud SDK to install. If unspecified or set to "latest", the latest available gcloud SDK version for the target platform will be installed. Example: "290.0.1".

  • gcloud_component: (Optional) Version of the Cloud SDK components to install and use.
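
How the KEY=VALUE rules above play out for `secrets` (the same format is used by `env_vars` and `labels`), as an added JavaScript example that is not the action's own parser. The function names are hypothetical, treating `#` entries as comments is an assumption taken from the page's `secrets` example, and only backslash-before-separator escapes are handled.

```javascript
// Added example, not the action's own parser: read a KEY=VALUE input per the documented rules.
// Split on commas and newlines that are neither quoted nor backslash-escaped.
function splitEntries(input) {
  const entries = [];
  let current = '', quote = null;
  for (let i = 0; i < input.length; i++) {
    const ch = input[i];
    if (ch === '\\' && i + 1 < input.length) {
      current += ch + input[++i]; // keep the escape; clean() resolves it
    } else if (quote) {
      if (ch === quote) quote = null;
      current += ch;
    } else if (ch === '#' && current.trim() === '') {
      // Assumption: a '#' opening an entry is a comment, as in the page's example.
      while (i + 1 < input.length && input[i + 1] !== '\n') i++;
    } else if (ch === ',' || ch === '\n') {
      entries.push(current);
      current = '';
    } else {
      if (ch === '"' || ch === "'") quote = ch;
      current += ch;
    }
  }
  entries.push(current);
  return entries;
}

// Quoted text keeps its whitespace; unquoted text is trimmed and unescaped.
function clean(text) {
  const t = text.trim(), q = t[0];
  if (t.length >= 2 && (q === '"' || q === "'") && t[t.length - 1] === q) {
    return t.slice(1, -1);
  }
  return t.replace(/\\([,\n])/g, '$1');
}

// Keys that start with '/' are volume mount paths; all others are env vars.
function parseSecrets(input) {
  return splitEntries(input).map((e) => e.trim()).filter(Boolean).map((entry) => {
    const eq = entry.indexOf('=');
    if (eq <= 0) throw new Error(`not a KEY=VALUE pair: ${entry}`);
    const target = clean(entry.slice(0, eq));
    return { kind: target.startsWith('/') ? 'volume' : 'env', target, ref: clean(entry.slice(eq + 1)) };
  });
}

// Constructed sample: the content of the `secrets` example shown above.
const SAMPLE = '# As an environment variable:\nKEY1=secret-key-1:latest\n' +
  '# As a volume mount:\n/secrets/api/key=secret-key-2:latest';
```

Running `parseSecrets(SAMPLE)` lists one `env` entry and one `volume` entry, which makes it easy to review which secrets end up in the process environment and which are mounted as files.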

Custom metadata YAML

For advanced use cases, you can define a custom Cloud Run metadata file. This is a YAML description of the Cloud Run service or job. This allows you to customize your service configuration, such as memory limits, CPU allocation, max instances, and more.

⚠️ When using a custom metadata YAML file, all other inputs are ignored!

  • metadata: (Optional) The path to a Cloud Run service or job metadata file.

To deploy a new service, create a new YAML service definition:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: SERVICE
    spec:
      template:
        spec:
          containers:
          - image: IMAGE

To update a revision or to deploy a new revision of an existing service, download and modify the YAML service definition:

    gcloud run services describe SERVICE --format yaml > service.yaml

Allowing unauthenticated requests

A Cloud Run product recommendation is that CI/CD systems not set or change settings for allowing unauthenticated invocations. New deployments are automatically private services, while deploying a revision of a public (unauthenticated) service will preserve the IAM setting of public (unauthenticated). For more information, see Controlling access on an individual service.
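
One way to check a pipeline against this recommendation, as an added example that is not part of the action: it looks for access-changing flags in the unvalidated `flags` input and for public principals in a service's IAM policy. The function names are hypothetical, and the policy is a constructed sample shaped like the output of `gcloud run services get-iam-policy SERVICE --format=json`.

```javascript
// Added example, not part of the action: a pre-deploy policy check.

// gcloud run deploy flags that change unauthenticated access.
const ACCESS_FLAGS = ['--allow-unauthenticated', '--no-allow-unauthenticated'];
// IAM principals that make a binding public.
const PUBLIC_MEMBERS = ['allUsers', 'allAuthenticatedUsers'];

// Split the `flags` input on whitespace, keeping a quoted outer flag as one token.
function tokenizeFlags(flags) {
  const tokens = flags.match(/"[^"]*"|'[^']*'|\S+/g) || [];
  return tokens.map((t) => (/^["']/.test(t) ? t.slice(1, -1) : t));
}

// Return the access-changing flags passed at top level. A flag nested inside
// a quoted value such as "--args=..." is a container argument and is ignored.
function accessFlagsIn(flags) {
  return tokenizeFlags(flags)
    .map((t) => t.split('=')[0])
    .filter((name) => ACCESS_FLAGS.includes(name));
}

// Return [role, member] pairs that expose the service publicly.
function publicBindings(policy) {
  const found = [];
  for (const binding of policy.bindings || []) {
    for (const member of binding.members || []) {
      if (PUBLIC_MEMBERS.includes(member)) found.push([binding.role, member]);
    }
  }
  return found;
}

// Constructed sample policy, not taken from a real project.
const SAMPLE_POLICY = {
  bindings: [
    { role: 'roles/run.invoker', members: ['allUsers'] },
    { role: 'roles/run.admin', members: ['serviceAccount:my-service-account@my-project.iam.gserviceaccount.com'] },
  ],
};
```

A non-empty result from either function is a reason to fail the job or require review before the deploy step runs.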

Outputs

  • url: The URL of the Cloud Run service.

Authorization

There are a few ways to authenticate this action. The caller must have permissions to access the secrets being requested.

You will need to authenticate to Google Cloud as a service account with the following roles:

  • Cloud Run Admin (roles/run.admin):
    • Can create, update, and delete services.
    • Can get and set IAM policies.

This service account needs to be a member of the Compute Engine default service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com), with role Service Account User. To grant a user permissions for a service account, use one of the methods found in Configuring Ownership and access to a service account.

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication.

    jobs:
      job_id:
        permissions:
          contents: 'read'
          id-token: 'write'

        steps:
        # ...

        - uses: 'google-github-actions/auth@v3'
          with:
            workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
            service_account: 'my-service-account@my-project.iam.gserviceaccount.com'

        - uses: 'google-github-actions/deploy-cloudrun@v3'
          with:
            image: 'us-docker.pkg.dev/cloudrun/container/hello:latest'
            service: 'hello-cloud-run'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

    jobs:
      job_id:
        steps:
        # ...

        - uses: 'google-github-actions/deploy-cloudrun@v3'
          with:
            image: 'us-docker.pkg.dev/cloudrun/container/hello:latest'
            service: 'hello-cloud-run'

The action will automatically detect and use the Application Default Credentials.

Example Workflows
