From e6e2ea3a9b895050f20ea248e1c804111212c56b Mon Sep 17 00:00:00 2001
From: aga
Date: Thu, 7 May 2026 13:26:34 +0200
Subject: [PATCH 1/2] Update deployment documentation
---
 README.md | 51 ++++++++++-----------------------------------------
 1 file changed, 10 insertions(+), 41 deletions(-)
diff --git a/README.md b/README.md
index 6982595..019fb69 100644
--- a/README.md
+++ b/README.md
@@ -249,48 +249,9 @@ USE student_progress;
 SHOW TABLES;
 ```
-### 3. First deployment
+### 3. GitHub Actions Authentication (OIDC)
-1. Authenticate Docker with Artifact Registry
-
-```bash
-gcloud auth configure-docker europe-west3-docker.pkg.dev
-```
-
-2. Build and tag the image
-
-```bash
-docker buildx build \
- --platform linux/amd64 \
- -t europe-west3-docker.pkg.dev/student-progress-staging/student-progress-api/student-progress-api:latest \
- .
-```
-
-3. Push to the Artifact Registry
-
-```bash
-docker push europe-west3-docker.pkg.dev/student-progress-staging/student-progress-api/student-progress-api:latest
-```
-
-4. Deploy to Cloud Run (with CloudSQL & Redis)
-
-```bash
-gcloud run deploy student-progress-api \
- --image europe-west3-docker.pkg.dev/student-progress-staging/student-progress-api/student-progress-api:latest \
- --region europe-west3 \
- --service-account=student-progress-app-sa@student-progress-staging.iam.gserviceaccount.com \
- --network default \
- --subnet default \
- --vpc-egress private-ranges-only \
- --allow-unauthenticated \
- --set-env-vars "NODE_ENV=production,DB_CONNECTION_TYPE=cloud-sql-iam,DB_INSTANCE_CONNECTION_NAME=student-progress-staging:europe-west3:student-progress-mysql-staging,DB_USER=student-progress-app-sa,DB_NAME=student_progress,REDIS_HOST=,REDIS_PORT=6379,REDIS_TTL_SECONDS=60"
-
-Note: Replace `` with the Memorystore private IP.
-
-Subsequent deployments are handled with GitHub Actions.
-
-### 4. GitHub Actions Authentication (OIDC)
+Deployments are handled automatically via GitHub Actions. GitHub Actions authenticates to GCP using Workload Identity Federation (OIDC) instead of long-lived JSON service account keys.
@@ -310,6 +271,14 @@ Add these Terraform outputs as GitHub Actions repository secrets:
 | GCP_WORKLOAD_IDENTITY_PROVIDER | github_workload_identity_provider_name |
 | GCP_SERVICE_ACCOUNT | github_deployer_service_account_email |
+## Deployment
+
+Deployments are handled automatically via GitHub Actions.
+
+Push to the `dev` branch to deploy to staging.
+
+Push to the `main` branch to deploy to production.
+
 ## One-off Local Development Setup
 ### 1. **Install Auth Proxy & update dev script**
From 26ad41d55f7b30345b952ea298e405938ce80e8e Mon Sep 17 00:00:00 2001
From: aga
Date: Thu, 7 May 2026 13:52:16 +0200
Subject: [PATCH 2/2] Update GitHub Actions versions and fix Cloud Run service account
---
 .github/workflows/ci.yml | 6 ++++--
 .github/workflows/deploy-staging.yml | 6 +++---
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1f8e3ea..d487ccb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,9 +15,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
+ - name: Check out repository
+ uses: actions/checkout@v5
- - uses: actions/setup-node@v6
+ - name: Set up Node.js
+ uses: actions/setup-node@v6
 with:
 node-version: 22
 cache: npm
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 1d3a09c..8892330 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -29,7 +29,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v5
 - name: Authenticate to Google Cloud
 uses: google-github-actions/auth@v3
@@ -44,7 +44,7 @@ jobs:
 run: gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@v4
 - name: Build and push image
 uses: docker/build-push-action@v7
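Review bot: The `uses: actions/checkout@v5` and `uses: actions/setup-node@v6` lines on the new side reference the actions by mutable major tags, so whoever can move those tags in the upstream repositories can change what runs in this job; the deploy workflow's `actions/checkout@v5`, `google-github-actions/auth@v3` and `docker/setup-buildx-action@v4` steps in this same patch have the same exposure, and the deploy job holds OIDC-issued GCP credentials. Pin each action to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<40-char commit sha>  # v5`, and let Dependabot or Renovate bump the pins; I cannot see from the hunk whether such an updater is already configured for this repository.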
@@ -62,7 +62,6 @@ jobs:
 service: ${{ env.SERVICE }}
 region: ${{ env.REGION }}
 image: ${{ env.IMAGE_URI }}:${{ github.sha }}
- service_account: ${{ env.CLOUD_RUN_SERVICE_ACCOUNT }}
 env_vars: |
 NODE_ENV=production
 DB_CONNECTION_TYPE=cloud-sql-iam
@@ -73,6 +72,7 @@ jobs:
 REDIS_PORT=6379
 REDIS_TTL_SECONDS=60
 flags: |
+ --service-account=${{ env.CLOUD_RUN_SERVICE_ACCOUNT }}
 --network=default
 --subnet=default
 --vpc-egress=private-ranges-only
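Review bot: Nothing in the second hunk fails the deploy when `env.CLOUD_RUN_SERVICE_ACCOUNT` is empty or unset: the added `--service-account=${{ env.CLOUD_RUN_SERVICE_ACCOUNT }}` line is free text inside `flags: |`, so an empty expansion reaches gcloud as a bare `--service-account=`, which may be taken as "no service account" and leave the service running as the project's default compute service account — a much broader identity than a dedicated app SA, and exactly the silent fallback the removed `service_account:` input presumably caused. The `env:` block that defines the variable and the `uses:` line of this deploy step are outside the hunk, so I cannot confirm the value is always set. I would guard it before the deploy with `run: test -n "${{ env.CLOUD_RUN_SERVICE_ACCOUNT }}"` and, after the deploy, assert that the live revision actually carries that identity, as below.
```yaml
# … unchanged: deploy step with flags: --service-account=… --network=default … …
      - name: Verify Cloud Run runtime service account
        run: |
          actual="$(gcloud run services describe "${{ env.SERVICE }}" \
            --region "${{ env.REGION }}" \
            --format='value(spec.template.spec.serviceAccountName)')"
          test "$actual" = "${{ env.CLOUD_RUN_SERVICE_ACCOUNT }}"
```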