Securing and Automating Container Deployment to GCP with GitHub Actions

Building a robust Continuous Integration/Continuous Delivery (CI/CD) pipeline is paramount for modern software development. However, integrating securely with cloud providers like Google Cloud Platform (GCP) often presents unique challenges. How do you securely authenticate your automated build process to GCP, and then efficiently push your containerized application to a registry?

In our learn-cicd-typescript-starter project, which focuses on mastering continuous integration and deployment patterns with TypeScript applications, we recently tackled these very challenges head-on.

Enhancing Continuous Delivery with GCP and Docker

This recent update specifically addressed the need to automate the deployment of our TypeScript application as a Docker container to Google Cloud Platform. The core additions involved two critical steps within our GitHub Actions workflow: establishing secure authentication to GCP and implementing the subsequent process of building and pushing a Docker image to Google Container Registry (GCR).

Secure GCP Authentication in GitHub Actions

The most secure and recommended way to authenticate GitHub Actions to GCP is by using Workload Identity Federation. This method eliminates the need for long-lived service account keys, greatly reducing security risks. Instead, GitHub Actions can assume a GCP service account's identity for the duration of the job.

We leveraged the google-github-actions/auth action to facilitate this. It allows the workflow to exchange GitHub's OIDC token for a short-lived GCP access token, which can then be used by subsequent steps to interact with GCP services.

Building and Pushing Docker Images to GCR

Once authenticated, the process of building and pushing a Docker image becomes straightforward. Our workflow uses standard Docker actions:

  1. docker/setup-buildx-action: Sets up Docker Buildx, an enhanced build engine that provides powerful features like multi-platform builds and caching.
  2. docker/login-action: Authenticates Docker to GCR using the access token obtained from the GCP authentication step.
  3. docker/build-push-action: Builds the Docker image from our application's Dockerfile and pushes it to the specified GCR repository.

Here's a simplified GitHub Actions workflow snippet demonstrating the core steps:

name: Deploy to GCP

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write' # Required for Workload Identity Federation

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      - name: Google Auth
        id: auth
        uses: 'google-github-actions/auth@v2'
        with:
          token_format: 'access_token' # Needed so the step exposes steps.auth.outputs.access_token
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_NAME/providers/PROVIDER_NAME'
          service_account: 'your-sa@PROJECT_ID.iam.gserviceaccount.com'

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GCR
        uses: docker/login-action@v3
        with:
          registry: gcr.io
          username: oauth2accesstoken # _json_key is for a key file; an access token needs this username
          password: ${{ steps.auth.outputs.access_token }} # Short-lived token from the auth step

      - name: Build and Push Docker Image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: gcr.io/PROJECT_ID/your-app:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max

This YAML snippet first checks out the repository, then authenticates to GCP using Workload Identity Federation, which yields a short-lived access token. It then configures Docker Buildx, logs into Google Container Registry with that access token, and finally builds the your-app image and pushes it to GCR.
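As an added example (not code from the learn-cicd-typescript-starter project), the following Python audit encodes the properties the workflow above depends on: the id-token write permission, no long-lived key in the auth step, the auth step requesting an access token, and a docker/login-action username that actually accepts such a token. The embedded workflow is a constructed sample and the check uses a line-oriented scan, not a full YAML parser.

```python
import re

# Constructed sample (not the project's real workflow): the post's workflow with the
# two settings docker/login-action needs when it consumes a WIF-issued access token.
SAMPLE_WORKFLOW = """\
name: Deploy to GCP
jobs:
  deploy:
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: google-github-actions/auth@v2
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_NAME/providers/PROVIDER_NAME'
          service_account: 'your-sa@PROJECT_ID.iam.gserviceaccount.com'
      - uses: docker/login-action@v3
        with:
          registry: gcr.io
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
"""

# (name, line pattern, must the pattern be present?) for each property the post relies on.
CHECKS = [
    ("id-token write permission (lets the job mint an OIDC token)",
     r"^\s*id-token:\s*['\"]?write['\"]?\s*(#.*)?$", True),
    ("no long-lived service account key (credentials_json) in auth step",
     r"^\s*credentials_json:", False),
    ("auth step sets token_format: access_token (else no access_token output)",
     r"^\s*token_format:\s*['\"]?access_token['\"]?", True),
    ("registry login username is oauth2accesstoken (pairs with an access token)",
     r"^\s*username:\s*oauth2accesstoken\s*$", True),
    ("registry login does not use _json_key (that username expects a key file)",
     r"^\s*username:\s*_json_key\b", False),
]

def audit_workflow(text):
    """Map each check name to True (passed) or False (failed) for a workflow YAML string."""
    results = {}
    for name, pattern, must_be_present in CHECKS:
        present = re.search(pattern, text, re.MULTILINE) is not None
        results[name] = present == must_be_present
    return results

def failures(text):
    """Sorted names of the failing checks; an empty list means the workflow is clean."""
    return sorted(name for name, ok in audit_workflow(text).items() if not ok)
```

Run `failures(open(".github/workflows/deploy.yml").read())` in CI to fail the build when a later edit reintroduces a key file or the wrong registry username.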

Benefits and Key Takeaways

By implementing this setup, we've achieved a highly automated and secure continuous deployment pipeline:

  • Enhanced Security: Workload Identity Federation removes the need to manage and store long-lived service account keys, significantly reducing the attack surface.
  • Full Automation: The entire process from code push to container image in GCR is automated, ensuring consistent and repeatable deployments.
  • Scalability: This pattern scales well for multiple services and environments within GCP.

This integration allows our learn-cicd-typescript-starter project to truly demonstrate a comprehensive CI/CD pipeline, taking code from commit to a deployable container image on Google Cloud, all managed seamlessly by GitHub Actions.


Generated with Gitvlg.com

Author: Ana Villanueva