Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docs: Added artifact register reader permission required for ci/cd pipeline #356

Merged
merged 1 commit into from
Mar 12, 2024

Conversation

hawkeye-sama
Copy link
Contributor

Hi maintainers. This PR is based on #354

Found an issue that when deploying to App engine via github actions for standard environment, you get logs with this error reason: generic::permission_denied: failed to fetch manifest: generic::permission_denied which is due to Artifact Registry Reader Permission missing from service account used. I did not encounter this issue for flexible environment.
Tested with following configurations
deploy.yaml ( github workflow )

name: Deploy to GAE

on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [ main ]

jobs:
  deploy:
    name: Deploying to Google Cloud
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout
      uses: actions/checkout@v4

    - name: 'Auth GCP'
      uses: 'google-github-actions/auth@v2'
      with:
        credentials_json: '${{ secrets.GCP_DEPLOY }}'

    - id: deploy
      name: Deploy to App Engine
      uses: google-github-actions/deploy-appengine@v2
      with:
        deliverables: app.yaml
        project_id: ${{ secrets.GCP_PROJECT }}

    - name: Test output
      run: 'curl "${{ steps.deploy.outputs.version_url }}"'

app.yaml

service: default
runtime: nodejs18
env: standard
instance_class: F1

env_variables:
  NODE_ENV: production
  PORT: 8080

inbound_services:
- warmup

automatic_scaling:
  min_instances: 1
  max_instances: 2
  target_cpu_utilization: 0.75


handlers:
- url: /.*
  script: auto
  secure: always
  redirect_http_response_code: 301

@hawkeye-sama hawkeye-sama requested a review from a team as a code owner March 12, 2024 01:59
Copy link

google-cla bot commented Mar 12, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@hawkeye-sama hawkeye-sama changed the title Docs: Added register reader permission required for ci/cd pipeline Docs: Added artifact register reader permission required for ci/cd pipeline Mar 12, 2024
@verbanicm verbanicm merged commit bfb3ff0 into google-github-actions:main Mar 12, 2024
5 checks passed
@verbanicm
Copy link
Member

@hawkeye-sama Thanks for fixing!

sethvargo pushed a commit that referenced this pull request Apr 29, 2024
## What's Changed
* security: bump undici from 5.28.2 to 5.28.3 by @dependabot in
#352
* Docs: Added artifact register reader permission required for ci/cd
pipeline by @hawkeye-sama in
#356
* build(deps): bump express from 4.18.2 to 4.19.2 in /example-app by
@dependabot in
#357
* security: bump undici from 5.28.3 to 5.28.4 by @dependabot in
#358
* Default "promote" to true by @sethvargo in
#362

## New Contributors
* @hawkeye-sama made their first contribution in
#356

**Full Changelog**:
v2.1.0...693d553
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants