Skip to content
Latchkey

GitHub Actions Workflow for Deploy to GCP via WIF

Deploy to GCP with keyless Workload Identity Federation.

This workflow authenticates to Google Cloud via WIF and deploys to Cloud Run without a downloaded key file.

The workflow

.github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gh/providers/gh
          service_account: deployer@my-project.iam.gserviceaccount.com
      - uses: google-github-actions/setup-gcloud@v2
      - run: gcloud run deploy my-svc --image gcr.io/my-project/my-svc --region us-central1

Notes

  • Needs id-token: write for the OIDC exchange.
  • Configure a workload identity pool/provider bound to your repo.
  • No service-account JSON key is stored in secrets.

Run it cheaper

Point runs-on: at a Latchkey label to run this workflow at roughly 69% lower per-minute cost, with self-healing for transient failures.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →