Skip to content
Latchkey

How to Deploy to Google Cloud Run With GitHub Actions

Authenticate with Workload Identity Federation, then call deploy-cloudrun with your image to roll out a new Cloud Run revision.

Use google-github-actions/auth with a workload identity provider (no JSON key), then google-github-actions/deploy-cloudrun to deploy an image and shift traffic to the new revision.

Steps

  • Configure a Workload Identity Pool and provider trusting your repo.
  • Add permissions: id-token: write to the job.
  • Authenticate with google-github-actions/auth.
  • Deploy the image with deploy-cloudrun, setting the service and region.

Workflow

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gh/providers/gh
          service_account: deployer@my-project.iam.gserviceaccount.com
      - uses: google-github-actions/deploy-cloudrun@v2
        with:
          service: my-api
          region: us-central1
          image: us-docker.pkg.dev/my-project/app/api:${{ github.sha }}

Common pitfalls

  • The deploying service account needs roles/run.admin and roles/iam.serviceAccountUser on the runtime account, or deploy fails with a permission error.
  • Without id-token: write the auth step cannot exchange the OIDC token and the run fails before deploy.
  • Deploying an image from a different region or registry than Cloud Run expects can add cold-start latency; keep Artifact Registry near the service region.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →