feat: add docker-build and cloudrun-deploy composite actions #5
Open
gamechanger1s wants to merge 9 commits into
docker-build: WIF auth → Secret Manager → .env.production → buildx build+push to Artifact Registry
cloudrun-deploy: WIF auth → Secret Manager → format env_vars → deploy-cloudrun

Both actions eliminate the need for separate publish jobs or inter-job Docker caches.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add Docker build+push path to build@v2 (activated by image-name input) and Cloud Run deploy path to deploy@v2 (activated by cloudrun-service input). Existing static-site callers are unaffected — new inputs default to empty and all new steps are gated behind their respective discriminator inputs. Remove standalone docker-build and cloudrun-deploy actions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ments GitHub's YAML parser rejected inputs from both actions because UTF-8 multi-byte characters (U+2500, U+2014) in comment lines caused silent parse failure, making all inputs appear undefined.
Replaces mutable version tags with pinned commit SHAs in the Docker and Cloud Run steps of build and deploy actions to prevent supply chain attacks. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The --maintained-version CLI flag expects a semver constraint (e.g. 1)
not a prerelease identifier. Writing maintainedVersion to .semrelrc matches
how go-semantic-release expects the config, producing v{major}.x.y-rc.N tags.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add ghcr-image input to actions/build/action.yml. When set the action pulls a pre-built image from GHCR, re-tags it for GCP Artifact Registry (SHA + latest tags), and pushes it -- no Dockerfile or build-time secrets required. All existing Docker build+push and static-build paths are unaffected; each path is guarded by its own discriminator condition. Update README with GHCR pull+retag usage example and runner-contract note. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

Extends the reusable `build` and `deploy` actions in `actions/build/action.yml` and `actions/deploy/action.yml` to support GCP Artifact Registry + Cloud Run deployments alongside the existing static-build path. A third path — GHCR pull+retag — is also added to support services whose image is pre-built externally.

Changes

- `actions/build/action.yml`
  - Docker build path (`image-name`): authenticates via WIF, optionally fetches build-time env vars from Secret Manager into `.env.production`, builds with Buildx, and pushes SHA + latest tags to Artifact Registry
  - GHCR pull+retag path (`ghcr-image`): pulls a pre-built image from GHCR, re-tags it for Artifact Registry (SHA + latest), and pushes it — no Dockerfile or build-time secrets required; takes priority over the Docker build path
- `actions/deploy/action.yml`
  - Cloud Run path (`cloudrun-service`): fetches runtime env vars from Secret Manager, formats them as `KEY=VAL,...`, and deploys via `google-github-actions/deploy-cloudrun` with `overwrite` strategy
  - `cloudrun-flags` input (e.g. VPC connector, ingress settings)
- `README.md`

SHA-pinned actions (all verified against GitHub)

- get-secretmanager-secrets: `2b5f97c5a4b9c105e64646762ad4fc3f5128e6f5`
- setup-buildx-action: `8d2750c68a42422c14e847fe6c8ac0403b4cbd6f`
- build-push-action: `10e90e3645eae34f1e60eeb005ba3a3d33f178e8`
- deploy-cloudrun: `251330ba9a8a34bfbc1622895f42e1d53fd14522`

🤖 Generated with Claude Code
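A check a reviewer can run over files like the two action.yml files in this PR, covering both points the PR raises: that every `uses:` reference is pinned to a full commit SHA rather than a mutable tag (the supply-chain control the pinning commit describes), and that comment lines contain no non-ASCII characters (the commit about U+2500 and U+2014 reports that such characters made all inputs appear undefined). This is an added example, not code from the PR or the repository. The sample action file embedded in it is constructed for the example; the pinned SHAs in it are the ones listed in the description above, while the unpinned `docker/setup-buildx-action@v3` line and the box-drawing comment are deliberate findings. The linter works line by line with the standard library only, so it does not need a YAML parser (which is also why it still reports a file whose YAML a parser might reject).

```python
"""Line-based lint for GitHub Actions workflow and composite-action files.

Two checks, both motivated by this PR:
  1. `uses:` references must be pinned to a 40-hex commit SHA, because a tag
     such as @v3 can be moved to different code after review.
  2. Comment lines must be plain ASCII; the PR reports that U+2500 / U+2014
     characters in comments caused inputs to silently appear undefined.
Standard library only; no YAML parser is required for either check.
"""
import re
import sys

# Matches `uses: owner/repo@ref`, `- uses: "owner/repo@ref"` etc. and captures
# the reference up to whitespace, a quote or a trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def find_unpinned_uses(text):
    """Return (line_no, reference) for every `uses:` whose ref is not a full SHA.

    Local actions (./path) and docker:// images are skipped: the former have no
    ref at all and the latter are pinned by image digest, not by git SHA.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.rpartition("@")
        # No "@" at all, or an "@" followed by anything but a 40-hex SHA, is unpinned.
        if not sep or not SHA_RE.fullmatch(version):
            findings.append((no, ref))
    return findings


def find_non_ascii_comment_lines(text):
    """Return (line_no, [U+XXXX, ...]) for comment lines containing non-ASCII characters."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.lstrip().startswith("#"):
            continue
        chars = sorted({f"U+{ord(c):04X}" for c in line if ord(c) > 0x7F})
        if chars:
            findings.append((no, chars))
    return findings


def lint(text):
    """Run both checks and return their findings keyed by check name."""
    return {
        "unpinned": find_unpinned_uses(text),
        "non_ascii_comments": find_non_ascii_comment_lines(text),
    }


# Constructed sample (not a file from the PR). Line 2 carries U+2500 box-drawing
# characters and a U+2014 em dash in a comment; line 10 uses a mutable tag.
SAMPLE_ACTION_YML = """\
name: build
# \u2500\u2500 inputs \u2014 see README \u2500\u2500
inputs:
  image-name:
    default: ''
runs:
  using: composite
  steps:
    - uses: google-github-actions/get-secretmanager-secrets@2b5f97c5a4b9c105e64646762ad4fc3f5128e6f5
    - uses: docker/setup-buildx-action@v3
    - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8
    - uses: google-github-actions/deploy-cloudrun@251330ba9a8a34bfbc1622895f42e1d53fd14522
    - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    # Usage: python lint_actions.py [path/to/action.yml]; without a path the sample is linted.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_ACTION_YML
    report = lint(text)
    for no, ref in report["unpinned"]:
        print(f"line {no}: unpinned action reference {ref}")
    for no, chars in report["non_ascii_comments"]:
        print(f"line {no}: non-ASCII in comment: {', '.join(chars)}")
    sys.exit(1 if any(report.values()) else 0)
```

Run against the sample, it reports line 10 (the `@v3` reference) and line 2 (the comment carrying U+2014 and U+2500) and exits non-zero, which makes it usable as a pre-merge gate; pointing it at a real `action.yml` only needs the path argument.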