# GCP deployment
Guidance for repositories deployed to Google Cloud Platform.
## Detection evidence

The detector recognizes GCP when it finds:

- `cloudbuild.yaml` or `cloudbuild.yml`
- `app.yaml` (App Engine)
- `Dockerfile` plus a workflow using `gcloud`
- `.github/workflows/*.yml` mentioning:
  - `gcloud`
  - `google-github-actions`
  - cloud run
  - cloud functions
  - app engine
  - artifact registry
  - workload identity
## Recommended profile

GCP projects typically map to the `python-service` or `typescript-app` profile, depending on the language. The detector recommends a profile based on language evidence, not on GCP-specific profiles.

```bash
python3 /path/to/repo-standards/scripts/detect_repo_standard.py --repo .
```
## What should remain repo-specific

GCP deployment should usually stay repo-specific initially:

- Cloud Build configuration (`cloudbuild.yaml`)
- Cloud Run / Cloud Functions / App Engine service definitions
- Artifact Registry image names and tags
- Workload Identity Federation or service account setup
- Environment-specific deploy workflows and approval gates
- Infrastructure-as-code (Terraform, Pulumi) if present

This standards repo does not ship full GCP deployment templates. Detect and document the deploy path; do not replace it during the first migration.
## What standards still apply

- `.repo-policy.yml` with the appropriate language profile
- AI/editor rules via Rulesync
- Semantic PR, AI rules check, docs check, secret scan workflows
- Dependabot
- CI workflows for lint, test, and build (separate from deploy)
- `.env.example` documenting non-secret configuration only
## First migration PR — do not change

- Do not replace Cloud Build or `gcloud` deploy workflows
- Do not change service account permissions or WIF configuration
- Do not modify `cloudbuild.yaml` for standards adoption
- Do not commit GCP service account keys or JSON key files
## Secrets

Store secrets in:
- GitHub Actions environments and secrets
- GCP Secret Manager
- Workload Identity Federation (preferred over long-lived keys)
Never commit service account JSON keys to the repository.
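As an added example (not the repo-standards detector's own code), the script below re-implements the evidence rules from the Detection evidence section and pairs them with a check for committed service account key files, the anti-pattern this section warns against. The function names, the substring-based keyword matching and the throwaway sample repository it builds are assumptions for illustration.

```python
import json
import tempfile
from pathlib import Path

# Evidence rules listed under "Detection evidence"; keyword matching is case-insensitive substring.
MARKER_FILES = ("cloudbuild.yaml", "cloudbuild.yml", "app.yaml")
WORKFLOW_KEYWORDS = ("gcloud", "google-github-actions", "cloud run", "cloud functions",
                     "app engine", "artifact registry", "workload identity")

def gcp_evidence(repo: Path) -> list[str]:
    """Return the GCP signals found: marker files, workflow keywords, Dockerfile plus gcloud."""
    found = [f"file:{n}" for n in MARKER_FILES if (repo / n).is_file()]
    has_dockerfile = (repo / "Dockerfile").is_file()
    wf_dir = repo / ".github" / "workflows"
    for wf in sorted(wf_dir.glob("*.y*ml")) if wf_dir.is_dir() else []:
        text = wf.read_text(errors="replace").lower()
        found += [f"workflow:{wf.name}:{kw}" for kw in WORKFLOW_KEYWORDS if kw in text]
        if has_dockerfile and "gcloud" in text:
            found.append(f"dockerfile+workflow:{wf.name}")
    return found

def committed_sa_keys(repo: Path) -> list[str]:
    """Flag JSON files shaped like GCP service account keys, which must never be committed."""
    flagged = []
    for p in repo.rglob("*.json"):
        if ".git" in p.parts or "node_modules" in p.parts:
            continue
        try:
            data = json.loads(p.read_text(errors="replace"))
        except ValueError:
            continue
        if isinstance(data, dict) and data.get("type") == "service_account" and "private_key" in data:
            flagged.append(p.relative_to(repo).as_posix())
    return sorted(flagged)

def build_sample_repo() -> Path:
    """Constructed throwaway repo (not a real project) that triggers both checks."""
    repo = Path(tempfile.mkdtemp())
    (repo / "cloudbuild.yaml").write_text("steps:\n  - name: gcr.io/cloud-builders/docker\n")
    (repo / "Dockerfile").write_text("FROM python:3.12-slim\n")
    wf = repo / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "deploy.yml").write_text("steps:\n  - uses: google-github-actions/auth@v2\n"
                                   "  - run: gcloud run deploy svc --image IMAGE_PLACEHOLDER\n")
    (repo / "config").mkdir()
    # Fake key file with a placeholder value, only to show what the check catches.
    (repo / "config" / "sa-key.json").write_text(
        json.dumps({"type": "service_account", "private_key": "PLACEHOLDER-NOT-A-REAL-KEY"}))
    return repo
```

Running `gcp_evidence` and `committed_sa_keys` on the sample repo reports the cloudbuild file, the workflow keyword hits and the fake key file; the same two functions can be pointed at a real checkout before the first migration PR.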
## Suggested follow-up improvements

After the first migration PR merges:

- Document the deploy path in `README.md` (Cloud Run vs Functions vs App Engine)
- Add the deploy workflow to the `.repo-policy.yml` `deploy` section as reference-only
- Ensure CI builds the same artifact the deploy workflow uses
- Review IAM least-privilege for CI deploy roles
- Consider pinning `google-github-actions/*` versions in workflows