Skip to content
Latchkey

How to Deploy to Multiple GCP Projects With GitHub Actions

A matrix over projects, each with its own WIF provider and service account, deploys the same workflow to staging and production safely.

Use strategy.matrix to iterate over projects, selecting the right workload_identity_provider and service_account per project so credentials never cross environments.

Steps

  • Define a matrix of project entries with provider, SA, and project id.
  • Authenticate per matrix leg with the matched provider.
  • Deploy with the per-project settings.

Workflow

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        target:
          - { project: my-staging, provider: ${{ vars.WIF_STAGING }}, sa: ${{ vars.SA_STAGING }} }
          - { project: my-prod,    provider: ${{ vars.WIF_PROD }},    sa: ${{ vars.SA_PROD }} }
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ matrix.target.provider }}
          service_account: ${{ matrix.target.sa }}
      - uses: google-github-actions/deploy-cloudrun@v2
        with:
          service: api
          region: us-central1
          project_id: ${{ matrix.target.project }}
          image: us-central1-docker.pkg.dev/${{ matrix.target.project }}/app/api:${{ github.sha }}

Gotchas

  • Give each project a separate service account so a staging compromise cannot touch production.
  • For ordered rollouts (staging then prod), drop the matrix and use sequential jobs with needs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →