ci: Add Cloud Run deployment workflow#1
Conversation
Automate deployment to Cloud Run on every push to main via WIF auth, Artifact Registry, and gcloud run deploy. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8757b3d8f2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| --set-env-vars "TRANSPORT=streamable-http,HOST=0.0.0.0,PORT=8000,LOG_LEVEL=WARNING,HEADLESS=true" \ | ||
| --set-secrets "OAUTH_PASSWORD=OAUTH_PASSWORD:latest,OAUTH_BASE_URL=OAUTH_BASE_URL:latest,AUTH=AUTH:latest" |
There was a problem hiding this comment.
Provision a LinkedIn profile before starting Cloud Run
This revision will never become ready on a fresh Cloud Run instance because the deploy only injects OAuth secrets; it never provides the required LinkedIn source session under ~/.linkedin-mcp/ (profile/, cookies.json, and source-state.json). The container entrypoint starts linkedin_mcp_server immediately (Dockerfile:35-36), and startup hard-fails in ensure_authentication_ready() / auth_lifespan when get_authentication_source() cannot find those files (linkedin_mcp_server/authentication.py:24-56, linkedin_mcp_server/server.py:41-46). The README’s Docker instructions also require mounting that profile (README.md:190-210), so a Cloud Run deploy without a volume/secret/bootstrap step will crash-loop instead of serving requests.
Useful? React with 👍 / 👎.
Summary
mainvia Workload Identity Federation, Artifact Registry, andgcloud run deployjob-trackerproject's deploy pattern, tuned for this server (port 8000, 2Gi memory for Chromium, single instance for in-memory state)Changes
.github/workflows/deploy.ymlwith SHA-pinned actions matching repo conventionTRANSPORT,HOST,PORT,LOG_LEVEL,HEADLESS) and GCP Secret Manager secrets (OAUTH_PASSWORD,OAUTH_BASE_URL,AUTH)Prerequisites (manual, before first deploy succeeds)
GCP_WORKLOAD_IDENTITY_PROVIDERandGCP_SERVICE_ACCOUNTsecrets to this repostickerdaniel/linkedin-mcp-serverto WIF pool attribute conditiongcloud artifacts repositories create linkedin-mcp-server --repository-format=docker --location=europe-west1 --project=job-tracker-vasudevOAUTH_PASSWORD,OAUTH_BASE_URL,AUTHsecrets exist in GCP Secret ManagerTest plan
gcloud run services describe linkedin-mcp-server --region europe-west1 --project job-tracker-vasudevcurl https://<service-url>/.well-known/oauth-authorization-serverGenerated with Claude Opus 4.6
Prompt:
Implement the following plan: Deploy to Cloud Run on PR Merge