How to Deploy to Multiple GCP Projects With GitHub Actions
A matrix over projects, each with its own WIF provider and service account, deploys the same workflow to staging and production safely.
Use strategy.matrix to iterate over projects, selecting the right workload_identity_provider and service_account per project so credentials never cross environments.
Steps
- Define a matrix of project entries with provider, SA, and project id.
- Authenticate per matrix leg with the matched provider.
- Deploy with the per-project settings.
Workflow
.github/workflows/deploy.yml
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
strategy:
matrix:
target:
- { project: my-staging, provider: ${{ vars.WIF_STAGING }}, sa: ${{ vars.SA_STAGING }} }
- { project: my-prod, provider: ${{ vars.WIF_PROD }}, sa: ${{ vars.SA_PROD }} }
steps:
- uses: actions/checkout@v4
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: ${{ matrix.target.provider }}
service_account: ${{ matrix.target.sa }}
- uses: google-github-actions/deploy-cloudrun@v2
with:
service: api
region: us-central1
project_id: ${{ matrix.target.project }}
image: us-central1-docker.pkg.dev/${{ matrix.target.project }}/app/api:${{ github.sha }}Gotchas
- Give each project a separate service account so a staging compromise cannot touch production.
- For ordered rollouts (staging then prod), drop the matrix and use sequential jobs with
needs.
Related guides
How to Deploy a Cloud Run Service With GitHub ActionsDeploy a prebuilt container image to Google Cloud Run from GitHub Actions using google-github-actions/deploy-…
How to Authenticate to GCP With Workload Identity Federation in GitHub ActionsAuthenticate GitHub Actions to Google Cloud with Workload Identity Federation and OIDC, exchanging the runner…