ci: add optional Cloud Run deploy job gated on repo variables

The deploy job is skipped unless GCP_PROJECT_ID is set as a repository
variable, so it is a no-op for the public repo and forks. A downstream
mirror that sets the required variables (GCP_PROJECT_ID,
GCP_WIF_PROVIDER, CLOUD_RUN_SERVICE, CLOUD_RUN_REGION, BASE_URI,
CLOUD_RUN_VPC_CONNECTOR, CLOUD_RUN_SERVICE_ACCOUNT) gets automatic
deploys on push to main without carrying a workflow diff.

Sets --memory=1Gi since the default 512Mi was running at 95-98%
utilization under typical load.

Author: ochafik

.github/workflows/main.yml

@@ -24,3 +24,40 @@ jobs:
       - run: npm test
 
       - run: npm run lint
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.ref == 'refs/heads/main' && vars.GCP_PROJECT_ID != ''
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: google-github-actions/auth@v2
+        with:
+          project_id: ${{ vars.GCP_PROJECT_ID }}
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+
+      - id: deploy
+        uses: google-github-actions/deploy-cloudrun@v2
+        with:
+          service: ${{ vars.CLOUD_RUN_SERVICE }}
+          region: ${{ vars.CLOUD_RUN_REGION }}
+          source: .
+          env_vars: |-
+            BASE_URI=${{ vars.BASE_URI }}
+            NODE_ENV=production
+            REDIS_TLS=0
+          secrets: |-
+            REDIS_URL=REDIS_URL:latest
+          flags: |-
+            --vpc-connector=${{ vars.CLOUD_RUN_VPC_CONNECTOR }}
+            --service-account=${{ vars.CLOUD_RUN_SERVICE_ACCOUNT }}
+            --allow-unauthenticated
+            --min-instances=1
+            --max-instances=20
+            --concurrency=250
+            --memory=1Gi