GitHub Actions Workflow for Deploy to GCP via WIF
Deploy to GCP with keyless Workload Identity Federation.
This workflow authenticates to Google Cloud via WIF and deploys to Cloud Run without a downloaded key file.
The workflow
.github/workflows/deploy.yml
name: Deploy
on:
push:
branches: [main]
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gh/providers/gh
service_account: deployer@my-project.iam.gserviceaccount.com
- uses: google-github-actions/setup-gcloud@v2
- run: gcloud run deploy my-svc --image gcr.io/my-project/my-svc --region us-central1Notes
- Needs
id-token: writefor the OIDC exchange. - Configure a workload identity pool/provider bound to your repo.
- No service-account JSON key is stored in secrets.
Run it cheaper
Point runs-on: at a Latchkey label to run this workflow at roughly 69% lower per-minute cost, with self-healing for transient failures.
Related guides
How to Use OIDC to Authenticate GitHub Actions to AWSAuthenticate GitHub Actions to AWS with OIDC - no long-lived secrets. Set up the IAM role, trust policy, and…
How to Speed Up GitHub Actions: 9 High-Impact TacticsMake GitHub Actions faster: caching, parallelization, test splitting, Docker layer caching, slimmer images, a…