Git Product home page Git Product logo

deploy-cloud-functions's Introduction

deploy-cloud-functions

This action deploys your function source code to Cloud Functions and makes the URL available to later build steps via outputs.

This GitHub Action is declarative, meaning it will overwrite any values on an existing Cloud Function deployment. If you manually deployed a Cloud Function, you must specify all parameters in this action. Any unspecified values will be reverted to their default value (which is usually "null").

Prerequisites

This action requires:

  • Google Cloud credentials that are authorized to deploy a Cloud Function. See the Authorization section below for more information.

  • Enable the Cloud Functions API

  • This action runs using Node 16. If you are using self-hosted GitHub Actions runners, you must use runner version 2.285.0 or newer.

Usage

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: actions/checkout@v3

    - id: auth
      uses: google-github-actions/auth@v0
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloud-functions@v0'
      with:
        name: 'my-function'
        runtime: 'nodejs16'

    # Example of using the output
    - id: 'test'
      run: 'curl "${{ steps.deploy.outputs.url }}"'

Inputs

  • name: (Required) Name of the Cloud Function.

  • runtime: (Required) Runtime to use for the function. Possible options documented here.

  • entry_point: (Optional) Name of a function (as defined in source code) that will be executed. Defaults to the resource name suffix, if not specified.

  • memory_mb: (Optional) The amount of memory in MB available for a function. Defaults to 256MB.

  • region: (Optional) Region in which the function should be deployed. Defaults to us-central1.

  • env_vars: (Optional) List of key-value pairs to set as environment variables in the format: KEY1=VALUE1,KEY2=VALUE2. All existing environment variables will be removed, even if this parameter is not passed.

  • env_vars_file: (Optional) Path to a local YAML file with definitions for all environment variables. An example env_vars_file can be found here. All existing environment variables will be removed, even if this parameter is not passed. If env_vars is also given, values in env_vars take precendence over these values.

  • labels: (Optional) List of key-value pairs to set as function labels in the form label1=VALUE1,label2=VALUE2. All existing labels will be removed, even if this parameter is not passed.

  • source_dir: (Optional) Source directory for the function. Defaults to current directory.

  • project_id: (Optional) ID of the Google Cloud project. If provided, this will override the project configured in the environment.

  • description: (Optional) Description for the Cloud Function.

  • vpc_connector: (Optional) The VPC Access connector that the function can connect to.

  • vpc_connector_egress_settings: (Optional) The egress settings for the connector, controlling what traffic is diverted through it.

  • ingress_settings: (Optional) The ingress settings for the function, controlling what traffic can reach it.

  • secret_environment_variables: (Optional) List of key-value pairs to set as environment variables at runtime of the format KEY1=SECRET_VERSION_REF where SECRET_VERSION_REF is a full resource name of a Google Secret Manager secret of the format "projects/p/secrets/s/versions/v". If the version is omitted, it will default to "latest".

    For example, this mounts version 5 of the api-key secret into $API_KEY inside the function's runtime:

    secret_environment_variables: 'API_KEY=projects/my-project/secrets/api-key/versions/5'

    All existing secrets will be removed, even if this parameter is not passed.

  • secret_volumes: (Optional) List of key-value pairs to mount as volumes at runtime of the format "PATH=SECRET_VERSION_REF" where PATH is the mount path inside the container (e.g. "/etc/secrets/my-secret") and SECRET_VERSION_REF is a full resource name of a Google Secret Manager secret of the format "projects/p/secrets/s/versions/v". If the version is omitted, it will default to "latest".

    For example, this mounts the latest value of the api-key secret at /etc/secrets/api-key inside the function's filesystem:

    secret_volumes: '/etc/secrets/api-key=projects/my-project/secrets/api-key'

    All existing secret volume mounts will be removed, even if this parameter is not passed.

  • service_account_email: (Optional) The email address of the IAM service account associated with the function at runtime.

  • timeout: (Optional) The function execution timeout in seconds. Defaults to 60.

  • min_instances: (Optional) The minimum number of instances for the function.

  • max_instances: (Optional) The maximum number of instances for the function.

  • https_trigger_security_level: (Optional) The security level for an HTTP(s)trigger. If set to "secure_always", the function will only be accessible over the https protocol. If set to "secure_optional", the function will be accessible over the http and https protocols. The default value is "security_level_unspecified", which uses the platform's default value. We recommend setting this value to "secure_always" unless you need your function to be accessible over a non-TLS connection.

  • event_trigger_type: (Optional) Specifies which action should trigger the function. Defaults to creation of http trigger.

  • event_trigger_resource: (Optional) Specifies which resource from eventTrigger is observed.

  • event_trigger_service: (Optional) The hostname of the service that should be observed.

  • event_trigger_retry: (Optional) If true, the event will be retried if the function returns a failure. The default value is false. Note this applies to function invocation from events, not the deployment itself.

  • deploy_timeout: (Optional) The function deployment timeout in seconds. Defaults to 300.

  • build_worker_pool: (Optional) Name of the Cloud Build Custom Worker Pool that should be used to build the function. The format of this field is projects/p/locations/l/workerPools/w.

  • build_environment_variables: (Optional) List of environment variables that should be available while the function is built. Note this is different than runtime environment variables, which should be set with 'env_vars'.

  • build_environment_variables_file: (Optional) Path to a local YAML file containing variables. See 'env_vars_file' for syntax.

  • docker_repository: (Optional) User managed repository created in Artifact Registry optionally with a customer managed encryption key. If specified, deployments will use Artifact Registry and must be of the format projects/p/locations/l/repositories/r. If unspecified and the deployment is eligible to use Artifact Registry, GCF will create and use a repository named 'gcf-artifacts' for every deployed region. This is the repository to which the function docker image will be pushed after it is built by Cloud Build. For more information, please see the documentation.

  • kms_key_name: (Optional) Resource name of a Google Cloud KMS crypto key used to encrypt/decrypt function resources of the format projects/p/locations/l/keyRings/r/cryptoKeys/k. If specified, you must also provide an artifact registry repository using the docker_repository field that was created with the same key.

  • credentials: (Deprecated) This input is deprecated. See auth section for more details. Service account key to use for authentication. This should be the JSON formatted private key which can be exported from the Cloud Console. The value can be raw or base64-encoded.

Allow unauthenticated requests

A Cloud Functions product recommendation is that CI/CD systems not set or change settings for allowing unauthenticated invocations. New deployments are automatically private services, while deploying a revision of a public (unauthenticated) service will preserve the IAM setting of public (unauthenticated). For more information, see Controlling access on an individual service.

Outputs

  • url: The URL of your Cloud Function. Only available with HTTP Trigger.

  • id: The full resource name of the function (e.g. projects/my-project/locations/my-location/functions/my-function.)

  • status: The status of the function (e.g. ACTIVE)

  • version: The version of the function (e.g. 1)

  • runtime: The chosen runtime (e.g. nodejs16)

Authorization

There are a few ways to authenticate this action. A service account will be needed with the following roles:

  • Cloud Functions Admin (cloudfunctions.admin):
    • Can create, update, and delete functions.
    • Can set IAM policies and view source code.

This service account needs to be a member of the App Engine default service account ([email protected]), with role Service Account User (roles/iam.serviceAccountUser). See additional configuration for deployment for further instructions.

Via google-github-actions/auth

Use google-github-actions/auth to authenticate the action. You can use Workload Identity Federation or traditional Service Account Key JSON authentication. by specifying the credentials input. This Action supports both the recommended Workload Identity Federation based authentication and the traditional Service Account Key JSON based auth.

See usage for more details.

Authenticating via Workload Identity Federation

jobs:
  job_id:
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
    - uses: 'actions/checkout@v3'

    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
        service_account: '[email protected]'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloud-functions@v0'
      with:
        name: 'my-function'
        runtime: 'nodejs16'

Authenticating via Service Account Key JSON

jobs:
  job_id:
    steps:
    - uses: 'actions/checkout@v3'

    - id: 'auth'
      uses: 'google-github-actions/auth@v0'
      with:
        credentials_json: '${{ secrets.gcp_credentials }}'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloud-functions@v0'
      with:
        name: 'my-function'
        runtime: 'nodejs16'

Via Application Default Credentials

If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.

jobs:
  job_id:
    steps:
    - uses: 'actions/checkout@v3'

    - id: 'deploy'
      uses: 'google-github-actions/deploy-cloud-functions@v0'
      with:
        name: 'my-function'
        runtime: 'nodejs16'

The action will automatically detect and use the Application Default Credentials.

deploy-cloud-functions's People

Contributors

averikitsch avatar bharathkkb avatar dependabot[bot] avatar doggie52 avatar google-github-actions-bot avatar jlazar avatar peterj avatar sethvargo avatar ushuz avatar vonniklasson avatar xylo04 avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.