Skip to content
Build and Deploy to Cloud Run

chore: add project scaffolding, docs, UI components, and env examples #25

Sign in to view logs

chore: add project scaffolding, docs, UI components, and env examples

chore: add project scaffolding, docs, UI components, and env examples #25

Workflow file for this run

.github/workflows/docker-build.yml at 5783126
name: Build and Deploy to Cloud Run
on:
push:
branches:
- main
paths:
- 'backend/**'
- '.github/workflows/docker-build.yml'
workflow_dispatch:
env:
PROJECT_ID: cheatcode-prod
REGION: asia-south1
REGISTRY: asia-south1-docker.pkg.dev
REPOSITORY: cheatcode
jobs:
build-and-deploy:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4
- name: authenticate to google cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SA_KEY }}
- name: set up cloud sdk
uses: google-github-actions/setup-gcloud@v2
- name: configure docker for artifact registry
run: gcloud auth configure-docker ${{ env.REGISTRY }} --quiet
- name: set up docker buildx
uses: docker/setup-buildx-action@v3
- name: build and push api image
uses: docker/build-push-action@v5
with:
context: ./backend
file: ./backend/Dockerfile
push: true
platforms: linux/amd64
tags: ${{ env.REGISTRY }}/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/api:latest
cache-from: type=gha
cache-to: type=gha,mode=max
- name: deploy api to cloud run
run: |
# --allow-unauthenticated is intentional:
# Traffic flows CF Worker proxy -> Cloud Run. App-layer JWT auth (Clerk)
# handles user authentication. Cloud Run IAM auth would require the
# CF Worker to carry a service account key, adding complexity without
# security benefit since every endpoint already validates JWTs.
gcloud run deploy cheatcode-api \
--project=${{ env.PROJECT_ID }} \
--region=${{ env.REGION }} \
--image=${{ env.REGISTRY }}/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/api:latest \
--platform=managed \
--allow-unauthenticated \
--cpu=2 \
--memory=4Gi \
--timeout=3500 \
--min-instances=0 \
--max-instances=10 \
--no-cpu-throttling \
--cpu-boost \
--network=default \
--subnet=default \
--vpc-egress=private-ranges-only \
--service-account=cheatcode-api@${{ env.PROJECT_ID }}.iam.gserviceaccount.com \
--set-secrets="REDIS_URL=REDIS_URL:latest,ANTHROPIC_API_KEY=ANTHROPIC_API_KEY:latest,OPENAI_API_KEY=OPENAI_API_KEY:latest,OPENROUTER_API_KEY=OPENROUTER_API_KEY:latest,SUPABASE_URL=SUPABASE_URL:latest,SUPABASE_ANON_KEY=SUPABASE_ANON_KEY:latest,SUPABASE_SERVICE_ROLE_KEY=SUPABASE_SERVICE_ROLE_KEY:latest,CLERK_SECRET_KEY=CLERK_SECRET_KEY:latest,CLERK_DOMAIN=CLERK_DOMAIN:latest,POLAR_ACCESS_TOKEN=POLAR_ACCESS_TOKEN:latest,POLAR_ORGANIZATION_ID=POLAR_ORGANIZATION_ID:latest,POLAR_PRODUCT_ID_PRO=POLAR_PRODUCT_ID_PRO:latest,POLAR_PRODUCT_ID_PREMIUM=POLAR_PRODUCT_ID_PREMIUM:latest,POLAR_PRODUCT_ID_BYOK=POLAR_PRODUCT_ID_BYOK:latest,POLAR_WEBHOOK_SECRET=POLAR_WEBHOOK_SECRET:latest,DAYTONA_API_KEY=DAYTONA_API_KEY:latest,DAYTONA_SERVER_URL=DAYTONA_SERVER_URL:latest,TAVILY_API_KEY=TAVILY_API_KEY:latest,FIRECRAWL_API_KEY=FIRECRAWL_API_KEY:latest,LANGFUSE_PUBLIC_KEY=LANGFUSE_PUBLIC_KEY:latest,LANGFUSE_SECRET_KEY=LANGFUSE_SECRET_KEY:latest,MCP_CREDENTIAL_ENCRYPTION_KEY=MCP_CREDENTIAL_ENCRYPTION_KEY:latest,COMPOSIO_API_KEY=COMPOSIO_API_KEY:latest,VERCEL_BEARER_TOKEN=VERCEL_BEARER_TOKEN:latest,GOOGLE_API_KEY=GOOGLE_API_KEY:latest,RELACE_API_KEY=RELACE_API_KEY:latest,INNGEST_EVENT_KEY=INNGEST_EVENT_KEY:latest,INNGEST_SIGNING_KEY=INNGEST_SIGNING_KEY:latest" \
--set-env-vars="ENV_MODE=production,LOG_LEVEL=INFO,LANGFUSE_HOST=https://us.cloud.langfuse.com,MODEL_TO_USE=openrouter/anthropic/claude-sonnet-4,FIRECRAWL_URL=https://api.firecrawl.dev,DAYTONA_TARGET=us"