feat(hosting-cli): add reflex cloud gcp deploy for Cloud Run (#6450)

* feat(hosting-cli): add `reflex cloud gcp deploy` for Cloud Run

Fetches a Dockerfile and bash deploy script from flexgen
(`GET /api/v1/cli/gcp-cloud-run-manifest`), writes the Dockerfile into the
user's source directory, prints the script, and runs it via bash after the
user confirms. Pre-flights `bash`/`gcloud`/`docker` on PATH and an active
gcloud account, and surfaces a clear message on 403 (Enterprise tier
required). Deploy parameters (project, region, service name, AR repo,
version) are passed via env vars to the script.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(hosting-cli): restrict gcp deploy env, add --no-interactive, extract constants

Address PR feedback:

- Restrict the deploy script's environment to an allowlist of host vars
  (PATH, HOME, gcloud/docker config, proxy/TLS) plus the explicit deploy
  overrides. Prevents a tampered or compromised flexgen manifest from
  exfiltrating unrelated host secrets like AWS_*/GITHUB_TOKEN.
- Add --interactive/--no-interactive (default true) so the command works
  in CI. In non-interactive mode the run prompt is skipped, and an
  existing Dockerfile errors out unless --overwrite-dockerfile is set.
- Extract env-var keys and manifest field names into module-level
  constants per project convention.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* refactor(hosting-cli): rename gcp deploy to `reflex cloud deploy --gcp`, add docs

Flatten the `gcp` group into a single `deploy` command with a `--gcp`
target flag so the surface can grow to other targets without nesting.
`--gcp-project` becomes optional at the Click level and is validated
in-function so the missing-target error fires first.

Add a hosting doc (with Enterprise-only callout) covering prerequisites,
options, what gets created in the GCP project, the env-allowlist
security model, CI usage, and troubleshooting. Wire it into the
sidebar's Self Hosting section and add `Gcp` -> `GCP` to the sidebar
acronym map.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(hosting-cli): use cloudbuild.yaml instead of symlinks for gcp deploy

The Dockerfile no longer touches disk anywhere near the user's source —
it's embedded (base64) as an inline `docker build` step inside a Cloud
Build config written to a tempfile, and the flexgen script's
`gcloud builds submit --tag X .` invocation is rewritten in-memory to
`--config="${REFLEX_CLOUDBUILD_YAML}" --substitutions=_IMAGE="${IMAGE}"`.

The script runs with cwd = the user's source dir, so the user's tree is
the Cloud Build upload context. No temp dir of symlinks, no source-tree
mutation. The cloudbuild.yaml tempfile is removed after the deploy.

If `gcloud builds submit` can't be located in the manifest's script
(format drift on flexgen's side), the rewrite errors out clearly so the
breakage surfaces immediately rather than half-running.

Verified end-to-end against a real GCP project: 1m53s Cloud Build, new
Cloud Run revision deployed and serving traffic, source Dockerfile
timestamp unchanged, tempfile cleaned up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* update to not overwrite users dockerfile

* update docs

* pre commit

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: Kastier1

docs/app/reflex_docs/pages/docs/__init__.py

@@ -149,6 +149,7 @@ def get_previews_from_frontmatter(filepath: str) -> dict[str, str]:
     "docs/events/special_events.md": "Special Events Docs",
     "docs/library/graphing/general/tooltip.md": "Graphing Tooltip",
     "docs/recipes/content/grid.md": "Grid Recipe",
+    "docs/hosting/deploy-to-gcp.md": "Deploy to GCP",
 }
 
 

docs/app/reflex_docs/templates/docpage/sidebar/sidebar_items/item.py

@@ -13,7 +13,14 @@ def create_item(route: Route, children=None):
         # For "Overview", we want to keep the qualifier prefix ("Components overview")
         alt_name_for_next_prev = name if name.endswith("Overview") else ""
         # Capitalize acronyms
-        acronyms = {"Api": "API", "Cli": "CLI", "Ide": "IDE", "Mcp": "MCP", "Ai": "AI"}
+        acronyms = {
+            "Api": "API",
+            "Cli": "CLI",
+            "Ide": "IDE",
+            "Mcp": "MCP",
+            "Ai": "AI",
+            "Gcp": "GCP",
+        }
         name = re.sub(
             r"\b(" + "|".join(acronyms.keys()) + r")\b",
             lambda m: acronyms[m.group(0)],

docs/app/reflex_docs/templates/docpage/sidebar/sidebar_items/learn.py

@@ -250,6 +250,7 @@ def get_sidebar_items_hosting():
             children=[
                 hosting.self_hosting,
                 hosting.databricks,
+                hosting.deploy_to_gcp,
             ],
         ),
     ]

docs/hosting/deploy-to-gcp.md

@@ -0,0 +1,149 @@
+```python exec
+import reflex as rx
+```
+
+# Deploy to GCP Cloud Run
+
+The `reflex cloud deploy --gcp` command deploys a Reflex app to your own [Google Cloud Run](https://cloud.google.com/run) service. Reflex Cloud fetches a Cloud Run-ready Dockerfile and a `gcloud` deploy script, wraps the Dockerfile inside a [Cloud Build config (`cloudbuild.yaml`)](https://cloud.google.com/build/docs/build-config-file-schema), and runs the script against the Google Cloud project you specify. The image is built on Cloud Build (so it works from any host OS, including Apple Silicon) and pushed to Artifact Registry. Your project tree is never modified — the Dockerfile lives only inside the build config that's submitted to Cloud Build.
+
+```md alert info
+# Enterprise tier only.
+
+Self-deploying to GCP Cloud Run is part of the **Enterprise tier** of Reflex Cloud. The control plane will return `403` to non-Enterprise tokens, and the CLI surfaces a clear error pointing at this. Contact [sales@reflex.dev](mailto:sales@reflex.dev) to upgrade.
+```
+
+## Prerequisites
+
+Before running the command, install and authenticate the local tools the deploy script invokes:
+
+- `gcloud` — install from the [Google Cloud SDK docs](https://cloud.google.com/sdk/docs/install), then run:
+  - `gcloud auth login`
+  - `gcloud auth application-default login`
+- `docker` — required by `gcloud builds submit` for source upload.
+- `bash` — used to run the deploy script.
+
+You also need:
+
+- A GCP project with **billing enabled**. Without it, `gcloud services enable` fails with `UREQ_PROJECT_BILLING_NOT_FOUND`.
+- An Enterprise-tier Reflex Cloud subscription and a logged-in Reflex CLI (`reflex login`).
+
+## Quick start
+
+From the root of your Reflex app:
+
+```bash
+reflex cloud deploy --gcp \
+    --gcp-project my-gcp-project-id \
+    --service-name my-reflex-app
+```
+
+The CLI will:
+
+1. Authenticate against Reflex Cloud and fetch the deploy manifest (Dockerfile + `gcloud` script).
+2. Generate a `cloudbuild.yaml` that embeds the Dockerfile as a build step, write it to a tempfile, and rewrite the script's `gcloud builds submit` invocation to use `--config="$REFLEX_CLOUDBUILD_YAML"`.
+3. Print the (rewritten) script so you can review it.
+4. Ask for confirmation, then run the script with `cwd=` your source directory: enable the required APIs, create the Artifact Registry repository, build the image on Cloud Build (which materializes the Dockerfile inside the build step from the `cloudbuild.yaml`), and deploy a public Cloud Run service.
+5. Delete the tempfile after the script finishes.
+
+Your source tree is never written to — if you have an existing `Dockerfile` in `--source`, it's left in place and ignored. The Reflex-provided Dockerfile only exists inside the `cloudbuild.yaml` tempfile (and inside the Cloud Build job).
+
+When it's done, you'll get a service URL like `https://my-reflex-app-<project-number>.us-central1.run.app`.
+
+## Options
+
+| Option | Default | Description |
+| --- | --- | --- |
+| `--gcp` | _(required)_ | Selects the GCP Cloud Run target. |
+| `--gcp-project` | _(required)_ | The GCP **project ID** to deploy into. Project numbers are **not** accepted by `gcloud artifacts repositories`; use the project ID. |
+| `--region` | `us-central1` | Cloud Run region. |
+| `--service-name` | `reflex-app` | Cloud Run service name. |
+| `--ar-repo` | `reflex` | Artifact Registry repository name (created on first deploy). |
+| `--version` | UTC timestamp (`YYYYMMDD-HHMMSS`) | Image version tag. |
+| `--source` | `.` | Directory containing the Reflex app. Uploaded to Cloud Build as the build context; the source tree itself is not modified. |
+| `--token` | _from `~/.reflex` config_ | Reflex authentication token. |
+| `--interactive / --no-interactive` | `--interactive` | Whether to prompt before running the deploy script. |
+| `--dry-run` | _off_ | Print the manifest, the generated `cloudbuild.yaml`, and the rewritten script without writing the tempfile or running the script. |
+| `--loglevel` | `info` | Log verbosity. |
+
+## What gets created in your GCP project
+
+The deploy script enables these APIs (if not already enabled):
+
+- `cloudbuild.googleapis.com`
+- `run.googleapis.com`
+- `artifactregistry.googleapis.com`
+
+It then creates (idempotently) and uses:
+
+- An Artifact Registry Docker repository at `${REGION}-docker.pkg.dev/${GCP_PROJECT}/${AR_REPO}`.
+- A Cloud Build job that builds and pushes the image.
+- A Cloud Run service named `${SERVICE_NAME}`, deployed with `--allow-unauthenticated`, port 8080, 1 vCPU, 1 GiB memory, `--min-instances 1`, and `--session-affinity`.
+
+Re-running the command pushes a new image tag and rolls the Cloud Run service forward.
+
+## How the build runs
+
+The generated `cloudbuild.yaml` is a single Cloud Build step that:
+
+1. Writes the Dockerfile into the build workspace via a single-quoted heredoc:
+    ```yaml
+    - |
+      cat > Dockerfile <<'REFLEX_DOCKERFILE_EOF'
+      FROM python:3.13-slim
+      ...
+      REFLEX_DOCKERFILE_EOF
+      docker build -t "$_IMAGE" .
+      docker push "$_IMAGE"
+    ```
+2. Builds and pushes the image, tagging it with `_IMAGE` (passed to `gcloud builds submit` as `--substitutions=_IMAGE=...`).
+
+Because Cloud Build runs its own substitution pass over `args`, every literal `$` in the Dockerfile is doubled to `$$` before embedding (e.g. `ENV PATH="${UV_PROJECT_ENVIRONMENT}/bin:$PATH"` becomes `ENV PATH="$${UV_PROJECT_ENVIRONMENT}/bin:$$PATH"` in the YAML). Cloud Build's parser converts `$$` back to `$` before bash runs, so the Dockerfile written into the workspace contains the original characters.
+
+## Security model
+
+The CLI runs the deploy script under a **restricted environment**. Only an explicit allowlist of host variables is forwarded to `bash` — things like `PATH`, `HOME`, `CLOUDSDK_*`, `DOCKER_*`, and proxy/TLS variables. Unrelated host secrets such as `AWS_*`, `GITHUB_TOKEN`, or arbitrary user variables are **not** forwarded, so a tampered or compromised manifest cannot exfiltrate them.
+
+You can preview the rewritten script, generated `cloudbuild.yaml`, and Dockerfile before anything runs by using `--dry-run`:
+
+```bash
+reflex cloud deploy --gcp \
+    --gcp-project my-gcp-project-id \
+    --dry-run
+```
+
+## Non-interactive use (CI)
+
+For automated pipelines, pass `--no-interactive` and an explicit `--token`:
+
+```bash
+reflex cloud deploy --gcp \
+    --gcp-project "$GCP_PROJECT_ID" \
+    --service-name my-reflex-app \
+    --token "$REFLEX_TOKEN" \
+    --no-interactive
+```
+
+In non-interactive mode the CLI will not prompt, and it will exit non-zero if a token cannot be resolved.
+
+## Troubleshooting
+
+**`Reflex denied the request (403). GCP Cloud Run deploys require an Enterprise tier subscription.`**
+Your account is not on the Enterprise tier. Contact [sales@reflex.dev](mailto:sales@reflex.dev).
+
+**`Billing must be enabled for activation of service(s) ...` (`UREQ_PROJECT_BILLING_NOT_FOUND`)**
+Attach a billing account to the GCP project, or use a different `--gcp-project`.
+
+**`The value of '--project' flag was set to Project number. To use this command, set it to PROJECT ID instead.`**
+Pass the project ID (e.g. `my-app-123456`), not the numeric project number.
+
+**`No active GCP account found.`**
+Run `gcloud auth login` and `gcloud auth application-default login`.
+
+**`The 'gcloud' / 'docker' / 'bash' CLI was not found on PATH.`**
+Install the missing tool and ensure it's on `PATH` for the shell you're invoking the CLI from.
+
+**`Dockerfile content contains the reserved heredoc marker 'REFLEX_DOCKERFILE_EOF'.`**
+Vanishingly unlikely — the Dockerfile from Reflex Cloud happens to contain a line that exactly matches the heredoc terminator the CLI uses to embed it. Re-run after the next CLI release, or open an issue.
+
+**`Couldn't find 'gcloud builds submit' in the deploy script.`**
+The CLI rewrites the `gcloud builds submit` block in the Reflex-supplied deploy script to use `--config=`. If Reflex Cloud changes the shape of that script before the CLI is updated to match, you'll see this error — upgrade `reflex-hosting-cli` (`uv tool upgrade reflex-hosting-cli` or `pip install -U reflex-hosting-cli`).

packages/reflex-hosting-cli/src/reflex_cli/v2/deployments.py

@@ -12,6 +12,7 @@
 from reflex_cli import constants
 from reflex_cli.utils import console
 from reflex_cli.v2.apps import apps_cli
+from reflex_cli.v2.gcp import deploy_command as gcp_deploy_command
 from reflex_cli.v2.project import project_cli
 from reflex_cli.v2.secrets import secrets_cli
 from reflex_cli.v2.vmtypes_regions import vm_types_regions_cli
@@ -64,6 +65,10 @@ def hosting_cli(ctx: click.Context) -> None:
     secrets_cli,
     name="secrets",
 )
+hosting_cli.add_command(
+    gcp_deploy_command,
+    name="deploy",
+)
 for name, command in vm_types_regions_cli.commands.items():
     # Add the command to the hosting CLI
     hosting_cli.add_command(command, name=name)