update GitHub Actions Workflows

Author: mrofisr

.github/workflows/deployment.yaml

@@ -67,6 +67,8 @@ jobs:
           image: us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/cloud-run/cloud-run-back:${{ env.IMAGE_VERSION }}
           region: us-central1
           project_id: ${{ secrets.PROJECT_ID }}
+          env_vars: |-
+            PORT=4000
 
       - name: Deploy to Cloud Run Frontend
         id: deploy-cloud-run-front
@@ -76,8 +78,10 @@ jobs:
           image: us-central1-docker.pkg.dev/${{ secrets.PROJECT_ID }}/cloud-run/cloud-run-front:${{ env.IMAGE_VERSION }}
           region: us-central1
           project_id: ${{ secrets.PROJECT_ID }}
+          env_vars: |-
+            PORT=80
 
-      - name: 'Use output'
+      - name: Test Cloud Run
         run: |
           'curl "${{ steps.deploy-cloud-run-back.outputs.url }}"'
           'curl "${{ steps.deploy-cloud-run-front.outputs.url }}"'

README.md

@@ -6,3 +6,53 @@ minimalistic typescript web app
 - `docker-compose build` build app
 - http://localhost front-end entry
 - http://localhost:4000 back-end api endpoint
+
+## Setup GitHub Actions (Secrets and IAM Google Cloud)
+- Create a new service account in Google Cloud IAM
+
+```bash
+export PROJECT_ID="your-project-id"
+
+gcloud iam service-accounts create \
+    "cloud-run-sa" \
+    --project="${PROJECT_ID}" \
+    --description="Cloud Run Service Account" \
+    --display-name="Cloud Run Service Account"
+
+gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
+    --member="serviceAccount:cloud-run-sa@${PROJECT_ID}.iam.gserviceaccount.com" \
+    --role="roles/artifactregistry.repoAdmin,roles/run.developer"
+```
+
+- Create a new Workload Identity Pool
+
+```bash
+gcloud iam workload-identity-pools create "github" \
+  --project="${PROJECT_ID}" \
+  --location="global" \
+  --display-name="GitHub Actions Pool"
+
+gcloud iam workload-identity-pools describe "github" \
+  --project="${PROJECT_ID}" \
+  --location="global" \
+  --format="value(name)"
+
+gcloud iam workload-identity-pools providers create-oidc "github-repo-provider" \
+  --project="${PROJECT_ID}" \
+  --location="global" \
+  --workload-identity-pool="github" \
+  --display-name="My GitHub repo Provider" \
+  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner,attribute.repository_id=assertion.repository_id" \
+  --issuer-uri="https://token.actions.githubusercontent.com"
+
+export SA_EMAIL="cloud-run-sa@${PROJECT_ID}.iam.gserviceaccount.com"
+export WORKLOAD_POOL=`gcloud iam workload-identity-pools describe "github" \
+  --project="${PROJECT_ID}" \
+  --location="global" \
+  --format="value(name)"`
+
+gcloud iam service-accounts add-iam-policy-binding ${SA_EMAIL} \
+  --project="${PROJECT_ID}" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principalSet://iam.googleapis.com/${WORKLOAD_POOL}/attribute.repository/${REPO_OWNER}/${REPO_NAME}"
+```