Add GitHub Actions workflow for Cloud Run deploy

promominali · promominali · commit 8a2b5e08d28e · 2026-06-07T23:44:34.000+05:30
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,49 @@
+name: Deploy to Cloud Run
+
+on:
+  push:
+    branches: [deploy-github]
+  workflow_dispatch:
+
+env:
+  PROJECT_ID: fullstackpro-python
+  REGION: us-central1
+  SERVICE: fastapi-hello
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write   # required for Workload Identity Federation
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Set up gcloud
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Deploy to Cloud Run
+        run: |
+          gcloud run deploy "$SERVICE" \
+            --source . \
+            --project "$PROJECT_ID" \
+            --region "$REGION" \
+            --platform managed \
+            --allow-unauthenticated \
+            --quiet
+
+      - name: Show service URL
+        run: |
+          gcloud run services describe "$SERVICE" \
+            --project "$PROJECT_ID" \
+            --region "$REGION" \
+            --format="value(status.url)"
diff --git a/README.md b/README.md
@@ -2,10 +2,7 @@
 
 A minimal FastAPI "Hello, World!" service, managed with [uv](https://docs.astral.sh/uv/).
 
-This `main` branch contains only the app and local dev setup. Deployment is demonstrated on two separate branches:
-
-- **[`deploy-script`](../../tree/deploy-script)** — deploy with a local `gcloud` script ([deploy.sh](deploy.sh)).
-- **[`deploy-github`](../../tree/deploy-github)** — deploy from GitHub via a GitHub Actions workflow.
+**Branch: `deploy-github`** — deploys to Google Cloud Run automatically when you push to this branch, using a GitHub Actions workflow with Workload Identity Federation for keyless auth.
 
 ## Stack
 
@@ -23,7 +20,9 @@ This `main` branch contains only the app and local dev setup. Deployment is demo
 ├── uv.lock             # locked dependency graph
 ├── .python-version     # pins Python 3.13 for uv
 ├── Dockerfile          # uv-based container build
-└── .dockerignore
+├── .dockerignore
+└── .github/workflows/
+    └── deploy.yml      # GitHub Actions → Cloud Run
 ```
 
 ## Endpoints
@@ -73,12 +72,89 @@ docker run --rm -p 8080:8080 fastapi-basic
 
 The image installs deps with `uv sync --frozen --no-dev` against `uv.lock`, so the container matches local exactly.
 
-## Deploying
+## Deploy to Google Cloud Run (via GitHub Actions)
+
+A push to the `deploy-github` branch triggers [.github/workflows/deploy.yml](.github/workflows/deploy.yml), which builds and deploys the service with `gcloud run deploy --source .`.
 
-Check out one of the deploy branches:
+### One-time GCP setup
+
+You only need to do this once per project. Replace `PROJECT_ID` and `GITHUB_REPO` (e.g. `your-org/your-repo`) with your values.
 
 ```bash
-git checkout deploy-script    # local gcloud-based deploy
-# or
-git checkout deploy-github    # GitHub Actions deploy
+PROJECT_ID="fullstackpro-python"
+GITHUB_REPO="OWNER/REPO"
+SA_NAME="github-deployer"
+POOL="github-pool"
+PROVIDER="github-provider"
+
+gcloud config set project "$PROJECT_ID"
+PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format="value(projectNumber)")
+
+# 1. Enable APIs
+gcloud services enable \
+  run.googleapis.com \
+  cloudbuild.googleapis.com \
+  artifactregistry.googleapis.com \
+  iamcredentials.googleapis.com
+
+# 2. Create deployer service account
+gcloud iam service-accounts create "$SA_NAME" \
+  --display-name="GitHub Actions Cloud Run deployer"
+SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
+
+# 3. Grant it the roles it needs
+for role in roles/run.admin roles/iam.serviceAccountUser roles/cloudbuild.builds.editor roles/artifactregistry.writer roles/storage.admin; do
+  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
+    --member="serviceAccount:${SA_EMAIL}" --role="$role"
+done
+
+# 4. Create a Workload Identity Pool + GitHub OIDC provider
+gcloud iam workload-identity-pools create "$POOL" \
+  --location=global --display-name="GitHub Pool"
+
+gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
+  --location=global --workload-identity-pool="$POOL" \
+  --display-name="GitHub OIDC" \
+  --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
+  --attribute-condition="assertion.repository=='${GITHUB_REPO}'" \
+  --issuer-uri="https://token.actions.githubusercontent.com"
+
+# 5. Let the GitHub repo impersonate the service account
+gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
+  --role=roles/iam.workloadIdentityUser \
+  --member="principalSet://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/attribute.repository/${GITHUB_REPO}"
+
+# 6. Print the values to put in GitHub secrets
+echo "GCP_WIF_PROVIDER = projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL}/providers/${PROVIDER}"
+echo "GCP_SERVICE_ACCOUNT = ${SA_EMAIL}"
 ```
+
+### Add GitHub repo secrets
+
+In your GitHub repo → **Settings → Secrets and variables → Actions → New repository secret**, add:
+
+| Name                  | Value                                                                                 |
+| --------------------- | ------------------------------------------------------------------------------------- |
+| `GCP_WIF_PROVIDER`    | `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool/providers/github-provider` |
+| `GCP_SERVICE_ACCOUNT` | `github-deployer@PROJECT_ID.iam.gserviceaccount.com`                                  |
+
+(The previous step's `echo` lines print the exact values.)
+
+### Trigger a deploy
+
+```bash
+git checkout deploy-github
+# make a change…
+git commit -am "trigger deploy"
+git push origin deploy-github
+```
+
+Watch the run under the repo's **Actions** tab. The final step prints the Cloud Run service URL.
+
+### Customising
+
+- Change `PROJECT_ID`, `REGION`, or `SERVICE` in [.github/workflows/deploy.yml](.github/workflows/deploy.yml).
+- To deploy on pushes to a different branch, edit the `on.push.branches` list.
+- For a private service, drop `--allow-unauthenticated` and add IAM bindings.
+
+For a manual, local deploy instead, see the [`deploy-script`](../../tree/deploy-script) branch.
