From 53aecc6a5d12988458d4b32236c851b7432dcf59 Mon Sep 17 00:00:00 2001
From: Rozen
Date: Wed, 20 May 2026 08:54:22 -0300
Subject: [PATCH] chore: fetch secrets at deploy time to reduce Secret Manager costs

Resolves an issue where Cloud Run cold starts incur excessive Secret Manager API costs by resolving secrets continuously. This delegates fetching the secrets to GitHub Actions using `google-github-actions/get-secretmanager-secrets` and passes them securely to `gcloud run` as environment variables instead of using `--set-secrets`.
---
 .github/workflows/google-cloudrun-docker.yml | 55 ++++++++++++++------
 1 file changed, 40 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/google-cloudrun-docker.yml b/.github/workflows/google-cloudrun-docker.yml
index 294c424..1b52cfa 100644
--- a/.github/workflows/google-cloudrun-docker.yml
+++ b/.github/workflows/google-cloudrun-docker.yml
@@ -72,7 +72,28 @@ jobs:
 id: get_url
 run: echo "URL=$(gcloud run services describe ${{ env.SERVICE_NAME }} --platform managed --region ${{ env.PROJECT_REGION }} --format 'value(status.url)')" >> $GITHUB_ENV
+ - name: Get Secrets from Secret Manager
+ id: secrets
+ uses: 'google-github-actions/get-secretmanager-secrets@v2'
+ with:
+ secrets: |-
+ TELEGRAM_BOT_TOKEN:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_TG_BOT_TOKEN }}
+ DB_USER:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_DB_USER }}
+ DB_PASSWORD:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_DB_PASSWORD }}
+ DB_URL:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_DB_URL }}
+ S3_ACCESS_ID:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_S3_ACCESS_ID }}
+ S3_ACCESS_SECRET:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_S3_ACCESS_SECRET }}
+ S3_HOST:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_S3_HOST }}
+ - name: Deploy to Cloud Run
+ env:
+ TELEGRAM_BOT_TOKEN: ${{ steps.secrets.outputs.TELEGRAM_BOT_TOKEN }}
+ DB_USER: ${{ steps.secrets.outputs.DB_USER }}
+ DB_PASSWORD: ${{ steps.secrets.outputs.DB_PASSWORD }}
+ DB_URL: ${{ steps.secrets.outputs.DB_URL }}
+ S3_ACCESS_ID: ${{ steps.secrets.outputs.S3_ACCESS_ID }}
+ S3_ACCESS_SECRET: ${{ steps.secrets.outputs.S3_ACCESS_SECRET }}
+ S3_HOST: ${{ steps.secrets.outputs.S3_HOST }}
 run: |-
 gcloud run deploy ${{ env.SERVICE_NAME }} \
 --image $TAG \
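Review bot: The `uses: 'google-github-actions/get-secretmanager-secrets@v2'` line references the step that now handles every production credential by a mutable tag; for a step with this much access, pin it to a full-length commit SHA and keep the version in a trailing comment, `uses: google-github-actions/get-secretmanager-secrets@<full-commit-sha>  # v2.x.y`. This step also moves Secret Manager read access from the runtime service account to whatever identity the workflow authenticates as (the auth step is outside this hunk), so that identity now needs `secretmanager.secretAccessor` on these seven secrets and should get it per secret rather than project-wide, since any run that reaches this job can now read them. The action registers its outputs as masked values in the job log as far as I recall, but the values still flow through the deploy step's `env:` block into the shell, so nothing in that `run:` block should `set -x` or echo them. The same fetch step is repeated in the job's hunk at `@@ -115,7 +128,22 @@`, where the same pinning applies; a composite action would keep the two secret lists from drifting.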
@@ -80,16 +101,8 @@ jobs:
 --service-account ${{ vars.GCP_SA_EMAIL }} \
 --memory=256Mi \
 --max-instances=${{ vars.GCP_SERVICE_API_MAX_INSTANCES }} \
- --set-secrets=TELEGRAM_BOT_TOKEN=${{ vars.GCP_SECRET_TG_BOT_TOKEN }}:latest \
- --set-secrets=DB_USER=${{ vars.GCP_SECRET_DB_USER }}:latest \
- --set-secrets=DB_PASSWORD=${{ vars.GCP_SECRET_DB_PASSWORD }}:latest \
- --set-secrets=DB_URL=${{ vars.GCP_SECRET_DB_URL }}:latest \
- --set-env-vars=DB_PORT=${{ vars.GCP_DB_PORT }} \
- --set-secrets=S3_ACCESS_ID=${{ vars.GCP_SECRET_S3_ACCESS_ID }}:latest \
- --set-secrets=S3_ACCESS_SECRET=${{ vars.GCP_SECRET_S3_ACCESS_SECRET }}:latest \
- --set-secrets=S3_HOST=${{ vars.GCP_SECRET_S3_HOST }}:latest \
- --set-env-vars=S3_BUCKET=${{ vars.GCP_S3_BUCKET }} \
- --set-env-vars=WEBHOOK_URL=${{ env.URL }} \
+ --clear-secrets \
+ --set-env-vars "^@^TELEGRAM_BOT_TOKEN=$TELEGRAM_BOT_TOKEN@DB_USER=$DB_USER@DB_PASSWORD=$DB_PASSWORD@DB_URL=$DB_URL@DB_PORT=${{ vars.GCP_DB_PORT }}@S3_ACCESS_ID=$S3_ACCESS_ID@S3_ACCESS_SECRET=$S3_ACCESS_SECRET@S3_HOST=$S3_HOST@S3_BUCKET=${{ vars.GCP_S3_BUCKET }}@WEBHOOK_URL=${{ env.URL }}" \
 --platform managed \
 --allow-unauthenticated
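Review bot: The added `--set-env-vars "^@^TELEGRAM_BOT_TOKEN=$TELEGRAM_BOT_TOKEN@…"` line, combined with `--clear-secrets`, stores the resolved credential values in plain text in the service's revision template, so anyone with `run.services.get` (console or `gcloud run services describe`) can read them from the current and every past revision, whereas the removed `--set-secrets` references kept the values in Secret Manager behind `secretmanager.secretAccessor` on the runtime service account. If the aim is only to stop resolving `:latest` on every instance start, pinning a specific version in `--set-secrets` keeps that boundary; if the exposure is accepted, record it above the deploy step, e.g. `# Secrets are injected as plain env vars (visible in the revision spec) to avoid Secret Manager access costs; see commit 53aecc6`. The custom delimiter `^@^` is also fragile: any value containing `@` — a `DB_URL` of the form `scheme://user:pass@host` is the obvious candidate, as is a password — is split into bogus `KEY=VALUE` pairs and gcloud either rejects the flag or sets truncated values, so choose a delimiter that cannot occur in any of these values or pass them through `--env-vars-file` written by the step. The job's deploy hunk at `@@ -123,11 +151,8 @@` has the same two problems. The `gcloud run deploy` invocation begins in the previous hunk, outside this one.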
@@ -115,7 +128,22 @@ jobs:
 - name: Define image tag for deployment
 run: echo "TAG=${{ env.PROJECT_REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.ARTIFACT_REGISTRY }}/${{ env.SERVICE_NAME }}:${{ github.sha }}" >> $GITHUB_ENV
+ - name: Get Secrets from Secret Manager
+ id: secrets
+ uses: 'google-github-actions/get-secretmanager-secrets@v2'
+ with:
+ secrets: |-
+ TELEGRAM_BOT_TOKEN:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_TG_BOT_TOKEN }}
+ DB_USER:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_DB_USER }}
+ DB_PASSWORD:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_DB_PASSWORD }}
+ DB_URL:${{ env.PROJECT_ID }}/${{ vars.GCP_SECRET_DB_URL }}
+ - name: Deploy Cloud Run Job
+ env:
+ TELEGRAM_BOT_TOKEN: ${{ steps.secrets.outputs.TELEGRAM_BOT_TOKEN }}
+ DB_USER: ${{ steps.secrets.outputs.DB_USER }}
+ DB_PASSWORD: ${{ steps.secrets.outputs.DB_PASSWORD }}
+ DB_URL: ${{ steps.secrets.outputs.DB_URL }}
 run: |-
 gcloud run jobs deploy ${{ env.JOB_NAME }} \
 --image $TAG \
@@ -123,11 +151,8 @@ jobs:
 --command=python \
 --args=cron.py \
 --service-account ${{ vars.GCP_SA_EMAIL }} \
- --set-secrets=TELEGRAM_BOT_TOKEN=${{ vars.GCP_SECRET_TG_BOT_TOKEN }}:latest \
- --set-secrets=DB_USER=${{ vars.GCP_SECRET_DB_USER }}:latest \
- --set-secrets=DB_PASSWORD=${{ vars.GCP_SECRET_DB_PASSWORD }}:latest \
- --set-secrets=DB_URL=${{ vars.GCP_SECRET_DB_URL }}:latest \
- --set-env-vars=DB_PORT=${{ vars.GCP_DB_PORT }}
+ --clear-secrets \
+ --set-env-vars "^@^TELEGRAM_BOT_TOKEN=$TELEGRAM_BOT_TOKEN@DB_USER=$DB_USER@DB_PASSWORD=$DB_PASSWORD@DB_URL=$DB_URL@DB_PORT=${{ vars.GCP_DB_PORT }}"
 - name: Create or Update Cloud Scheduler Job
 run: |