Feature/buildpack workflow (#7)

<!--
Thank you for proposing a pull request! Please note that SOME TESTS WILL
LIKELY FAIL due to how GitHub exposes secrets in Pull Requests from
forks.
Someone from the team will review your Pull Request and respond.

Please describe your change and any implementation details below.
- Adding a new example for building and publishing a container image
with buildpacks.
-->

Author: chasinandrew

properties/cloudrun-buildpacks.properties.json

@@ -0,0 +1,7 @@
+{
+  "name": "Build and Deploy to Cloud Run",
+  "description": "Build a container image with Buildpacks, publish it to Google Artifact Registry, and deploy to Google Cloud Run.",
+  "creator": "Google Cloud",
+  "iconName": "google-cloud",
+  "categories": ["Deployment", "Containers", "Buildpacks", "Cloud Run", "Serverless"]
+}

workflow.config.json

@@ -23,6 +23,12 @@
     "workflowPath": "workflows/deploy-cloudrun/cloudrun-source.yml",
     "propertiesPath": "properties/cloudrun-source.properties.json"
   },
+  "cloudrun-buildpacks": {
+    "starter": true,
+    "type": "deployments",
+    "workflowPath": "workflows/deploy-cloudrun/cloudrun-buildpacks.yml",
+    "propertiesPath": "properties/cloudrun-buildpacks.properties.json"
+  },
   "gke-build-deploy": {
     "starter": true,
     "type": "deployments",

workflows/deploy-cloudrun/cloudrun-buildpacks.yml

@@ -0,0 +1,136 @@
+# This workflow builds source code with buildpacks and deploys the resulting container image to Cloud Run when a commit is pushed to the $default-branch branch
+#
+# Overview:
+#
+# 1. Authenticate to Google Cloud
+# 2. Authenticate Docker to Artifact Registry
+# 3. Download Buildpack CLI
+# 4. Build code with Buildpacks
+# 5. Publish image to Google Artifact Registry
+# 6. Deploy it to Cloud Run
+#
+# To configure this workflow:
+#
+# 1. Ensure the required Google Cloud APIs are enabled:
+#
+#    Cloud Run            run.googleapis.com
+#    Artifact Registry    artifactregistry.googleapis.com
+#
+# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation)
+#
+# 3. Ensure the required IAM permissions are granted
+#
+#    Cloud Run
+#      roles/run.admin
+#      roles/iam.serviceAccountUser     (to act as the Cloud Run runtime service account)
+#
+#    Artifact Registry
+#      roles/artifactregistry.admin     (project or repository level)
+#
+#    NOTE: You should always follow the principle of least privilege when assigning IAM roles
+#
+# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT
+#
+# 5. Change the values for the PROJECT_ID, GAR_LOCATION, REPOSITORY, SERVICE, SOURCE_DIRECTORY and REGION environment variables (below).
+#
+# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io
+#
+# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run
+#
+# Further reading:
+#   Cloud Run IAM permissions                 - https://cloud.google.com/run/docs/deploying
+#   Artifact Registry IAM permissions         - https://cloud.google.com/artifact-registry/docs/access-control#roles
+#   Container Registry vs Artifact Registry   - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry
+#   Principle of least privilege              - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
+#   Buildpacks Overview                       - https://cloud.google.com/docs/buildpacks/overview
+#   Build an Application with Buildpacks      - https://cloud.google.com/docs/buildpacks/build-application
+
+name: Build and Deploy to Cloud Run
+
+on:
+  push:
+    branches:
+      - $default-branch
+
+env:
+  PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id
+  GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location
+  REPOSITORY: YOUR_REPOSITORY_NAME # TODO: update Artifact Registry repository name
+  SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name
+  REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region
+  SOURCE_DIRECTORY: YOUR_SOURCE_DIRECTORY #TODO: update source code directory 
+
+jobs:
+  deploy:
+    # Add 'id-token' with the intended permissions for workload identity federation
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Google Auth
+        id: auth
+        uses: 'google-github-actions/auth@v0'
+        with:
+          token_format: 'access_token'
+          workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider
+          service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - [email protected]
+
+      # NOTE: Alternative option - authentication via credentials json
+      # - name: Google Auth
+      #   id: auth
+      #   uses: 'google-github-actions/auth@v0'
+      #   with:
+      #     credentials_json: '${{ secrets.GCP_CREDENTIALS }}'
+
+      # BEGIN - Docker auth
+
+      # Authenticate Docker to Google Cloud Artifact Registry
+      - name: Docker Auth
+        id: docker-auth
+        uses: 'docker/login-action@v1'
+        with:
+          username: 'oauth2accesstoken'
+          password: '${{ steps.auth.outputs.access_token }}'
+          registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
+          
+      # NOTE: Alternative option - authentication via credentials json
+      # - name: Docker Auth
+      # id: docker-auth
+      # uses: 'docker/login-action@v1'
+      # with:
+      #   registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
+      #   username: _json_key
+      #   password: ${{ secrets.GCP_CREDENTIALS }}
+
+      # BEGIN - Pack download, build and publish 
+
+      # Build and publish image to Artifact Registry
+      - name: Build and Publish with Buildpacks
+        uses: buildpacks/github-actions/[email protected]
+        run: |-
+          pack config default-builder gcr.io/buildpacks.builder:v1
+          pack build ${{ env.SOURCE_CODE_DIRECTORY }}
+          pack --publish  ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}
+
+      # END - Docker auth, pack download, buildpack build and publish
+
+      - name: Deploy to Cloud Run
+        id: deploy
+        uses: google-github-actions/deploy-cloudrun@v0
+        with:
+          service: ${{ env.SERVICE }}
+          region: ${{ env.REGION }}
+          image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}
+          # NOTE: You can also set env variables here:
+          #  env_vars: |
+          #  NODE_ENV=production
+          #  TOKEN_EXPIRE=6400
+
+      # If required, use the Cloud Run url output in later steps
+      - name: Show Output
+        run: echo ${{ steps.deploy.outputs.url }}

workflows/deploy-cloudrun/cloudrun-declarative.yml

@@ -107,7 +107,7 @@ jobs:
         run: |-
           export IMAGE="${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}"
           export SERVICE="${{ env.SERVICE }}"
-          envsubst < service.template.yaml > service.yaml
+          envsubst < ./workflows/deploy-cloudrun/service.template.yaml > service.yaml
 
       # Deploy Cloud Run Service from the YAML Service specification
       - name: Deploy to Cloud Run