refactor(hosting-cli): use cloudbuild.yaml instead of symlinks for gcp deploy

The Dockerfile no longer touches disk anywhere near the user's source —
it's embedded (base64) as an inline `docker build` step inside a Cloud
Build config written to a tempfile, and the flexgen script's
`gcloud builds submit --tag X .` invocation is rewritten in-memory to
`--config="${REFLEX_CLOUDBUILD_YAML}" --substitutions=_IMAGE="${IMAGE}"`.

The script runs with cwd = the user's source dir, so the user's tree is
the Cloud Build upload context. No temp dir of symlinks, no source-tree
mutation. The cloudbuild.yaml tempfile is removed after the deploy.

If `gcloud builds submit` can't be located in the manifest's script
(format drift on flexgen's side), the rewrite errors out clearly so the
breakage surfaces immediately rather than half-running.

Verified end-to-end against a real GCP project: 1m53s Cloud Build, new
Cloud Run revision deployed and serving traffic, source Dockerfile
timestamp unchanged, tempfile cleaned up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Kastier1

docs/hosting/deploy-to-gcp.md

@@ -4,7 +4,7 @@ import reflex as rx
 
 # Deploy to GCP Cloud Run
 
-The `reflex cloud deploy --gcp` command deploys a Reflex app to your own [Google Cloud Run](https://cloud.google.com/run) service. Reflex Cloud fetches a Cloud Run-ready Dockerfile and a `gcloud` deploy script, writes the Dockerfile into your project, and runs the script against the Google Cloud project you specify. The image is built on Cloud Build (so it works from any host OS, including Apple Silicon) and pushed to Artifact Registry.
+The `reflex cloud deploy --gcp` command deploys a Reflex app to your own [Google Cloud Run](https://cloud.google.com/run) service. Reflex Cloud fetches a Cloud Run-ready Dockerfile and a `gcloud` deploy script, wraps the Dockerfile inside a [Cloud Build config (`cloudbuild.yaml`)](https://cloud.google.com/build/docs/build-config-file-schema), and runs the script against the Google Cloud project you specify. The image is built on Cloud Build (so it works from any host OS, including Apple Silicon) and pushed to Artifact Registry. Your project tree is never modified — the Dockerfile lives only inside the build config that's submitted to Cloud Build.
 
 ```md alert info
 # Enterprise tier only.
@@ -40,9 +40,12 @@ reflex cloud deploy --gcp \
 The CLI will:
 
 1. Authenticate against Reflex Cloud and fetch the deploy manifest (Dockerfile + `gcloud` script).
-2. Print the manifest so you can review it.
-3. Write a `Dockerfile` into your project (after asking, if one already exists).
-4. Ask for confirmation, then run the `gcloud` script: enable the required APIs, create the Artifact Registry repository, build the image on Cloud Build, and deploy a public Cloud Run service.
+2. Generate a `cloudbuild.yaml` that embeds the Dockerfile as a build step, write it to a tempfile, and rewrite the script's `gcloud builds submit` invocation to use `--config="$REFLEX_CLOUDBUILD_YAML"`.
+3. Print the (rewritten) script so you can review it.
+4. Ask for confirmation, then run the script with `cwd=` your source directory: enable the required APIs, create the Artifact Registry repository, build the image on Cloud Build (which materializes the Dockerfile inside the build step from the `cloudbuild.yaml`), and deploy a public Cloud Run service.
+5. Delete the tempfile after the script finishes.
+
+Your source tree is never written to — if you have an existing `Dockerfile` in `--source`, it's left in place and ignored. The flexgen Dockerfile only exists inside the `cloudbuild.yaml` tempfile (and inside the Cloud Build job).
 
 When it's done, you'll get a service URL like `https://my-reflex-app-<project-number>.us-central1.run.app`.
 
@@ -56,11 +59,10 @@ When it's done, you'll get a service URL like `https://my-reflex-app-<project-nu
 | `--service-name` | `reflex-app` | Cloud Run service name. |
 | `--ar-repo` | `reflex` | Artifact Registry repository name (created on first deploy). |
 | `--version` | UTC timestamp (`YYYYMMDD-HHMMSS`) | Image version tag. |
-| `--source` | `.` | Directory containing the Reflex app and into which the Dockerfile is written. |
-| `--overwrite-dockerfile` | _off_ | Overwrite an existing `Dockerfile` without prompting. |
+| `--source` | `.` | Directory containing the Reflex app. Uploaded to Cloud Build as the build context; the source tree itself is not modified. |
 | `--token` | _from `~/.reflex` config_ | Reflex authentication token. |
-| `--interactive / --no-interactive` | `--interactive` | Whether to prompt before overwriting the Dockerfile and running the script. |
-| `--dry-run` | _off_ | Print the manifest without writing the Dockerfile or running the script. |
+| `--interactive / --no-interactive` | `--interactive` | Whether to prompt before running the deploy script. |
+| `--dry-run` | _off_ | Print the manifest, the generated `cloudbuild.yaml`, and the rewritten script without writing the tempfile or running the script. |
 | `--loglevel` | `info` | Log verbosity. |
 
 ## What gets created in your GCP project
@@ -83,7 +85,7 @@ Re-running the command pushes a new image tag and rolls the Cloud Run service fo
 
 The CLI runs the deploy script under a **restricted environment**. Only an explicit allowlist of host variables is forwarded to `bash` — things like `PATH`, `HOME`, `CLOUDSDK_*`, `DOCKER_*`, and proxy/TLS variables. Unrelated host secrets such as `AWS_*`, `GITHUB_TOKEN`, or arbitrary user variables are **not** forwarded, so a tampered or compromised manifest cannot exfiltrate them.
 
-You can preview the exact script and Dockerfile before anything runs by using `--dry-run`:
+You can preview the rewritten script, generated `cloudbuild.yaml`, and Dockerfile before anything runs by using `--dry-run`:
 
 ```bash
 reflex cloud deploy --gcp \
@@ -93,18 +95,17 @@ reflex cloud deploy --gcp \
 
 ## Non-interactive use (CI)
 
-For automated pipelines, pass `--no-interactive`, an explicit `--token`, and `--overwrite-dockerfile`:
+For automated pipelines, pass `--no-interactive` and an explicit `--token`:
 
 ```bash
 reflex cloud deploy --gcp \
     --gcp-project "$GCP_PROJECT_ID" \
     --service-name my-reflex-app \
     --token "$REFLEX_TOKEN" \
-    --no-interactive \
-    --overwrite-dockerfile
+    --no-interactive
 ```
 
-In non-interactive mode the CLI will not prompt — it will refuse to overwrite an existing `Dockerfile` unless `--overwrite-dockerfile` is set, and it will exit non-zero if a token cannot be resolved.
+In non-interactive mode the CLI will not prompt, and it will exit non-zero if a token cannot be resolved.
 
 ## Troubleshooting
 

packages/reflex-hosting-cli/src/reflex_cli/v2/gcp.py

@@ -1,18 +1,24 @@
 """GCP Cloud Run deploy commands for the Reflex Cloud CLI.
 
-Fetches a Dockerfile + bash deploy script from flexgen, writes the Dockerfile
-into the user's project, prints the script, and runs it via bash after the
-user confirms. The script reads its parameters from environment variables
-(GCP_PROJECT, GCP_REGION, SERVICE_NAME, AR_REPO, VERSION).
+Fetches a Dockerfile + bash deploy script from flexgen and runs the script
+against the user's source directory. The Dockerfile is materialized inside
+a Cloud Build job (via a ``cloudbuild.yaml`` written to a tempfile and
+referenced with ``gcloud builds submit --config=...``) — the user's project
+tree is never modified. The script reads its parameters from environment
+variables (GCP_PROJECT, GCP_REGION, SERVICE_NAME, AR_REPO, VERSION,
+REFLEX_CLOUDBUILD_YAML).
 """
 
 from __future__ import annotations
 
+import base64
 import contextlib
 import os
+import re
 import shutil
 import subprocess
 import sys
+import tempfile
 from datetime import datetime, timezone
 from pathlib import Path
 from urllib.parse import urljoin
@@ -32,6 +38,18 @@
 ENV_SERVICE_NAME = "SERVICE_NAME"
 ENV_AR_REPO = "AR_REPO"
 ENV_VERSION = "VERSION"
+# Path to the Cloud Build config file written by the CLI. The rewritten
+# deploy script references it as ``--config="${REFLEX_CLOUDBUILD_YAML}"``.
+ENV_REFLEX_CLOUDBUILD_YAML = "REFLEX_CLOUDBUILD_YAML"
+
+# Pattern for the start of the `gcloud builds submit` invocation in the
+# flexgen deploy script. We rewrite that whole multi-line command to use
+# `--config=` so the Dockerfile lives inside a cloudbuild.yaml instead of
+# being staged on disk next to the user's source.
+_BUILDS_SUBMIT_PATTERN = re.compile(
+    r"(?P<indent>^[ \t]*)gcloud[ \t]+builds[ \t]+submit\b",
+    re.MULTILINE,
+)
 
 # Manifest response field names from flexgen.
 FIELD_DOCKERFILE = "dockerfile"
@@ -125,26 +143,20 @@
     default=".",
     show_default=True,
     type=click.Path(file_okay=False, dir_okay=True),
-    help="The directory containing the Reflex app and into which the Dockerfile is written.",
-)
-@click.option(
-    "--overwrite-dockerfile/--no-overwrite-dockerfile",
-    default=False,
-    show_default=True,
-    help="Overwrite an existing Dockerfile without prompting.",
+    help="The directory containing the Reflex app. Staged into an ephemeral build context; the source tree itself is not modified.",
 )
 @click.option("--token", help="The Reflex authentication token.")
 @click.option(
     "--interactive/--no-interactive",
     is_flag=True,
     default=True,
-    help="Whether to prompt before overwriting the Dockerfile and running the script.",
+    help="Whether to prompt before running the deploy script.",
 )
 @click.option(
     "--dry-run",
     is_flag=True,
     default=False,
-    help="Print the manifest without writing the Dockerfile or running the script.",
+    help="Print the manifest without staging the build context or running the script.",
 )
 @click.option(
     "--loglevel",
@@ -160,17 +172,17 @@ def deploy_command(
     ar_repo: str,
     version_tag: str | None,
     source_dir: str,
-    overwrite_dockerfile: bool,
     token: str | None,
     interactive: bool,
     dry_run: bool,
     loglevel: str,
 ):
     """Deploy a Reflex app to a cloud target.
 
-    Currently the only supported target is GCP Cloud Run via --gcp. The command
-    fetches a Dockerfile and bash deploy script from flexgen, writes the
-    Dockerfile into the source directory, then asks before running the script.
+    Currently the only supported target is GCP Cloud Run via --gcp. The
+    command fetches a Dockerfile and bash deploy script from flexgen, stages
+    them in an ephemeral build context alongside symlinked source entries
+    (your project tree is never modified), and runs the script from there.
     """
     from reflex_cli.utils import hosting
 
@@ -224,7 +236,13 @@ def deploy_command(
     if not source_path.is_dir():
         console.error(f"Source directory does not exist: {source_path}")
         raise click.exceptions.Exit(1)
-    dockerfile_path = source_path / DOCKERFILE_NAME
+
+    cloudbuild_yaml = _build_cloudbuild_yaml(dockerfile)
+    try:
+        deploy_script = _rewrite_builds_submit(deploy_script)
+    except ValueError as ex:
+        console.error(str(ex))
+        raise click.exceptions.Exit(1) from ex
 
     version_value = version_tag or datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
     deploy_env = {
@@ -237,50 +255,56 @@ def deploy_command(
 
     console.info("Received deploy manifest from flexgen.")
     console.print("")
-    console.print(f"Dockerfile target: {dockerfile_path}")
+    console.print(f"Source: {source_path}")
     console.print("Deploy environment:")
     for key, value in deploy_env.items():
         console.print(f"  {key}={value}")
     console.print("")
-    console.print("Deploy script:")
+    console.print("Deploy script (rewritten to use cloudbuild.yaml):")
     console.print("─" * 60)
     console.print(deploy_script)
     console.print("─" * 60)
     console.info(
         f"The script runs with a restricted env (only {len(DEPLOY_ENV_ALLOWLIST)} "
         "allowlisted host variables forwarded plus the deploy variables above)."
     )
+    console.info(
+        "The Dockerfile is embedded in a Cloud Build config written to a "
+        "tempfile; your source directory is not modified."
+    )
 
     if dry_run:
         console.print("")
-        console.print("Dockerfile contents:")
+        console.print("cloudbuild.yaml contents:")
+        console.print("─" * 60)
+        console.print(cloudbuild_yaml)
+        console.print("─" * 60)
+        console.print("")
+        console.print("Dockerfile contents (embedded in the build step):")
         console.print("─" * 60)
         console.print(dockerfile)
         console.print("─" * 60)
-        console.info("Dry run — nothing written or executed.")
+        console.info("Dry run — nothing staged or executed.")
         return
 
-    if not _write_dockerfile(
-        dockerfile_path, dockerfile, overwrite_dockerfile, interactive
-    ):
-        raise click.exceptions.Exit(1)
-
     if interactive:
         answer = console.ask(
             "Run the deploy script now?", choices=["y", "n"], default="y"
         )
         if answer != "y":
-            console.warn(
-                "Aborted by user. The Dockerfile has been written for later use."
-            )
+            console.warn("Aborted by user.")
             raise click.exceptions.Exit(1)
 
-    exit_code = _run_deploy_script(
-        bash_path=bash_path,
-        script=deploy_script,
-        cwd=source_path,
-        env_overrides=deploy_env,
-    )
+    with _temp_cloudbuild_yaml(cloudbuild_yaml) as cloudbuild_path:
+        exit_code = _run_deploy_script(
+            bash_path=bash_path,
+            script=deploy_script,
+            cwd=source_path,
+            env_overrides={
+                **deploy_env,
+                ENV_REFLEX_CLOUDBUILD_YAML: str(cloudbuild_path),
+            },
+        )
     if exit_code != 0:
         console.error(f"Deploy script exited with status {exit_code}.")
         raise click.exceptions.Exit(exit_code)
@@ -385,44 +409,106 @@ def _request_manifest(token: str) -> tuple[str, str]:
     return dockerfile, deploy_command
 
 
-def _write_dockerfile(
-    path: Path, contents: str, overwrite: bool, interactive: bool
-) -> bool:
-    """Write the Dockerfile to disk, prompting before overwriting in interactive mode.
+def _build_cloudbuild_yaml(dockerfile_contents: str) -> str:
+    """Generate a Cloud Build config that materializes the Dockerfile inline.
+
+    The Dockerfile body is embedded as a single base64 line so we don't have
+    to worry about YAML literal-block indentation, bash here-doc markers, or
+    shell-meta characters in the Dockerfile leaking into the config. The
+    resulting build does ``docker build`` + ``docker push`` against the
+    user's source as the build context.
 
     Args:
-        path: Where to write the Dockerfile.
-        contents: The Dockerfile body.
-        overwrite: If True, overwrite without prompting.
-        interactive: If False, never prompt; require `overwrite` when the file exists.
+        dockerfile_contents: The Dockerfile body from flexgen.
 
     Returns:
-        True on success, False if the user declined to overwrite or write failed.
+        A complete ``cloudbuild.yaml`` body, ready to write to disk.
 
     """
-    if path.exists() and not overwrite:
-        if not interactive:
-            console.error(
-                f"{path} already exists. Pass --overwrite-dockerfile to replace it "
-                "in non-interactive mode."
-            )
-            return False
-        answer = console.ask(
-            f"{path} already exists. Overwrite?", choices=["y", "n"], default="n"
+    b64 = base64.b64encode(dockerfile_contents.encode("utf-8")).decode("ascii")
+    return (
+        "steps:\n"
+        "- name: gcr.io/cloud-builders/docker\n"
+        "  entrypoint: bash\n"
+        "  args:\n"
+        "    - -c\n"
+        "    - |\n"
+        f"      printf '%s' '{b64}' | base64 -d > Dockerfile\n"
+        '      docker build -t "$_IMAGE" .\n'
+        '      docker push "$_IMAGE"\n'
+        "images:\n"
+        "  - $_IMAGE\n"
+    )
+
+
+def _rewrite_builds_submit(script: str) -> str:
+    """Rewrite the flexgen script's `gcloud builds submit` invocation to use --config=.
+
+    Replaces the (possibly multi-line) ``gcloud builds submit --tag X .``
+    command with one that references our generated cloudbuild.yaml via the
+    ``REFLEX_CLOUDBUILD_YAML`` environment variable and passes the image tag
+    through ``--substitutions=_IMAGE=...``.
+
+    Args:
+        script: The flexgen deploy script body.
+
+    Returns:
+        The script with the build-submit step rewritten.
+
+    Raises:
+        ValueError: If `gcloud builds submit` cannot be located in the script.
+
+    """
+    match = _BUILDS_SUBMIT_PATTERN.search(script)
+    if not match:
+        raise ValueError(
+            "Couldn't find `gcloud builds submit` in the deploy script. The "
+            "flexgen manifest format may have changed; the CLI needs updating."
         )
-        if answer != "y":
-            console.warn(
-                f"Keeping the existing {path.name}. Re-run with --overwrite-dockerfile "
-                "or move the file aside to use the flexgen Dockerfile."
-            )
-            return False
+    indent = match.group("indent")
+    line_start = script.rfind("\n", 0, match.start()) + 1
+    # Consume continuation lines (trailing backslash) until we hit a final line.
+    cursor = match.end()
+    while True:
+        nl = script.find("\n", cursor)
+        if nl == -1:
+            cmd_end = len(script)
+            break
+        if not script[cursor:nl].rstrip().endswith("\\"):
+            cmd_end = nl
+            break
+        cursor = nl + 1
+
+    replacement = (
+        f"{indent}gcloud builds submit \\\n"
+        f'{indent}    --config="${{{ENV_REFLEX_CLOUDBUILD_YAML}}}" \\\n'
+        f'{indent}    --substitutions=_IMAGE="${{IMAGE}}" \\\n'
+        f'{indent}    --project "${{GCP_PROJECT}}" \\\n'
+        f"{indent}    ."
+    )
+    return script[:line_start] + replacement + script[cmd_end:]
+
+
+@contextlib.contextmanager
+def _temp_cloudbuild_yaml(contents: str):
+    """Write a cloudbuild.yaml to a tempfile and yield its path; always clean up.
+
+    Args:
+        contents: The cloudbuild.yaml body to write.
+
+    Yields:
+        The path to the written tempfile.
+
+    """
+    fd, path_str = tempfile.mkstemp(prefix="reflex-cloudbuild-", suffix=".yaml")
+    path = Path(path_str)
     try:
-        path.write_text(contents)
-    except OSError as ex:
-        console.error(f"Failed to write {path}: {ex}")
-        return False
-    console.info(f"Wrote {path}.")
-    return True
+        with os.fdopen(fd, "w") as fh:
+            fh.write(contents)
+        yield path
+    finally:
+        with contextlib.suppress(FileNotFoundError):
+            path.unlink()
 
 
 def _run_deploy_script(