timoschd
diff --git a/‎.env.example‎
Lines changed: 14 additions & 5 deletions b/‎.env.example‎
Lines changed: 14 additions & 5 deletions
diff --git a/‎.github/workflows/README.md‎
Lines changed: 262 additions & 0 deletions b/‎.github/workflows/README.md‎
Lines changed: 262 additions & 0 deletions
diff --git a/‎.github/workflows/SECRETS.md‎
Lines changed: 99 additions & 0 deletions b/‎.github/workflows/SECRETS.md‎
Lines changed: 99 additions & 0 deletions
@@ -4,11 +4,20 @@
 # Port to expose the service on (default: 8085)
 PORT=8085
 
-# BigQuery project ID (default: data-warehouse-414312)
-BIGQUERY_PROJECT=data-warehouse-414312
+# BigQuery project ID
+BIGQUERY_PROJECT=your-project-id
 
-# BigQuery location/region (default: europe-west4)
-BIGQUERY_LOCATION=europe-west4
+# BigQuery location/region (e.g., us-central1, europe-west4)
+BIGQUERY_LOCATION=us-central1
+
+# Transport mode: stdio (default), http, or sse
+# Use 'stdio' for local MCP clients, 'http' or 'sse' for cloud deployments
+MCP_TRANSPORT=http
 
 # Optional: Path to BigQuery service account key file
-# BIGQUERY_KEY_FILE=secrets/data-warehouse-414312-a4116c865c13.json
+# If not provided, Application Default Credentials (ADC) will be used
+# BIGQUERY_KEY_FILE=secrets/service-account-key.json
+
+# Optional: Filter to specific datasets (comma-separated)
+# If not provided, all datasets in the project will be accessible
+# BIGQUERY_DATASETS=dataset1,dataset2,dataset3
@@ -0,0 +1,262 @@
+# GitHub Actions Workflows
+
+This directory contains GitHub Actions workflows for building and deploying the MCP BigQuery server.
+
+## Docker Hub Publishing
+
+The `docker-publish.yml` workflow automatically builds and publishes Docker images to Docker Hub.
+
+### Setup Instructions
+
+1. **Create a Docker Hub account** (if you don't have one):
+   - Go to https://hub.docker.com/signup
+
+2. **Create an access token**:
+   - Log in to Docker Hub
+   - Go to Account Settings → Security → New Access Token
+   - Name: `github-actions`
+   - Permissions: Read, Write, Delete
+   - Copy the token (you won't see it again!)
+
+3. **Configure GitHub Secrets**:
+
+   Go to your GitHub repository → Settings → Secrets and variables → Actions, and add:
+
+   | Secret Name          | Description                    | Example Value      |
+   | -------------------- | ------------------------------ | ------------------ |
+   | `DOCKERHUB_USERNAME` | Your Docker Hub username       | `yourusername`     |
+   | `DOCKERHUB_TOKEN`    | Docker Hub access token        | `dckr_pat_xxx...`  |
+
+4. **Push to trigger build**:
+   ```bash
+   git push origin main
+   ```
+
+### Workflow Features
+
+- ✅ **Multi-architecture builds** (linux/amd64, linux/arm64)
+- ✅ **Automatic tagging** based on git tags and branches
+- ✅ **Pull request builds** (without pushing)
+- ✅ **Build caching** for faster builds
+- ✅ **README sync** to Docker Hub
+- ✅ **Manual trigger** via workflow_dispatch
+
+### Image Tags
+
+The workflow creates the following tags:
+
+- `latest` - Latest build from main branch
+- `main` - Latest build from main branch
+- `v1.2.3` - Semantic version tags (when you push a git tag)
+- `v1.2` - Major.minor version
+- `v1` - Major version
+- `main-abc1234` - Branch name with commit SHA
+- `pr-123` - Pull request number
+
+### Using the Published Image
+
+```bash
+# Pull the latest image
+docker pull yourusername/mcp-server-bigquery:latest
+
+# Pull a specific version
+docker pull yourusername/mcp-server-bigquery:v0.3.0
+
+# Run the container
+docker run -p 8080:8080 \
+  -e BIGQUERY_PROJECT=your-project-id \
+  -e BIGQUERY_LOCATION=us-central1 \
+  -e MCP_TRANSPORT=http \
+  yourusername/mcp-server-bigquery:latest
+```
+
+### Creating a Release
+
+To publish a versioned release:
+
+```bash
+# Tag the release
+git tag -a v0.3.0 -m "Release v0.3.0"
+git push origin v0.3.0
+
+# The workflow will automatically build and push:
+# - yourusername/mcp-server-bigquery:v0.3.0
+# - yourusername/mcp-server-bigquery:v0.3
+# - yourusername/mcp-server-bigquery:v0
+# - yourusername/mcp-server-bigquery:latest
+```
+
+## Cloud Run Deployment
+
+The `deploy-cloud-run.yml.example` file provides an example workflow for deploying to Google Cloud Run.
+
+### Setup Instructions
+
+1. **Copy the example file:**
+   ```bash
+   cp .github/workflows/deploy-cloud-run.yml.example .github/workflows/deploy-cloud-run.yml
+   ```
+
+2. **Create an Artifact Registry repository:**
+   ```bash
+   gcloud artifacts repositories create mcp-server-bigquery \
+     --repository-format=docker \
+     --location=us-central1 \
+     --description="MCP BigQuery Server Docker images"
+   ```
+
+3. **Set up Workload Identity Federation (Recommended):**
+
+   This is the secure, keyless authentication method for GitHub Actions.
+
+   ```bash
+   # Set variables
+   export PROJECT_ID="your-gcp-project-id"
+   export POOL_NAME="github-actions-pool"
+   export PROVIDER_NAME="github-provider"
+   export SERVICE_ACCOUNT_NAME="github-actions-sa"
+   export REPO="your-github-username/mcp-server-bigquery"
+
+   # Create Workload Identity Pool
+   gcloud iam workload-identity-pools create $POOL_NAME \
+     --location="global" \
+     --display-name="GitHub Actions Pool"
+
+   # Create Workload Identity Provider
+   gcloud iam workload-identity-pools providers create-oidc $PROVIDER_NAME \
+     --location="global" \
+     --workload-identity-pool=$POOL_NAME \
+     --display-name="GitHub Provider" \
+     --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
+     --issuer-uri="https://token.actions.githubusercontent.com"
+
+   # Create Service Account
+   gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME \
+     --display-name="GitHub Actions Service Account"
+
+   # Grant permissions to the service account
+   gcloud projects add-iam-policy-binding $PROJECT_ID \
+     --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
+     --role="roles/run.admin"
+
+   gcloud projects add-iam-policy-binding $PROJECT_ID \
+     --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
+     --role="roles/artifactregistry.writer"
+
+   gcloud projects add-iam-policy-binding $PROJECT_ID \
+     --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
+     --role="roles/iam.serviceAccountUser"
+
+   # Allow GitHub Actions to impersonate the service account
+   gcloud iam service-accounts add-iam-policy-binding \
+     $SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com \
+     --role="roles/iam.workloadIdentityUser" \
+     --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_NAME/attribute.repository/$REPO"
+   ```
+
+   Note: Replace `PROJECT_NUMBER` with your actual GCP project number (find it with `gcloud projects describe $PROJECT_ID --format="value(projectNumber)"`).
+
+4. **Configure GitHub Secrets:**
+
+   Go to your GitHub repository → Settings → Secrets and variables → Actions, and add:
+
+   | Secret Name              | Description                                                           | Example Value                                                                                          |
+   | ------------------------ | --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
+   | `GCP_PROJECT_ID`         | Your GCP project ID                                                   | `my-project-123`                                                                                       |
+   | `WIF_PROVIDER`           | Workload Identity Federation provider resource name                   | `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github-actions-pool/providers/github-provider` |
+   | `WIF_SERVICE_ACCOUNT`    | Service account email for Workload Identity Federation               | `[email protected]`                                             |
+   | `BIGQUERY_PROJECT`       | BigQuery project ID (can be same as GCP_PROJECT_ID or different)     | `my-data-project`                                                                                      |
+   | `BIGQUERY_LOCATION`      | BigQuery location/region                                              | `us-central1` or `europe-west4`                                                                        |
+
+5. **Optional: Service Account Key (Alternative to Workload Identity Federation):**
+
+   If you prefer using a service account key instead of Workload Identity Federation:
+
+   ```bash
+   # Create service account
+   gcloud iam service-accounts create github-actions \
+     --display-name="GitHub Actions"
+
+   # Grant permissions
+   gcloud projects add-iam-policy-binding $PROJECT_ID \
+     --member="serviceAccount:github-actions@$PROJECT_ID.iam.gserviceaccount.com" \
+     --role="roles/run.admin"
+
+   gcloud projects add-iam-policy-binding $PROJECT_ID \
+     --member="serviceAccount:github-actions@$PROJECT_ID.iam.gserviceaccount.com" \
+     --role="roles/artifactregistry.writer"
+
+   # Create and download key
+   gcloud iam service-accounts keys create key.json \
+     --iam-account=github-actions@$PROJECT_ID.iam.gserviceaccount.com
+   ```
+
+   Then update the workflow to use `google-github-actions/auth@v2` with `credentials_json` instead of Workload Identity Federation.
+
+6. **Customize the workflow:**
+
+   Edit `.github/workflows/deploy-cloud-run.yml` and adjust:
+   - `REGION`: Your preferred Cloud Run region
+   - `SERVICE_NAME`: Your service name
+   - Resource limits (memory, CPU, instances)
+   - Environment variables
+
+7. **Push to trigger deployment:**
+   ```bash
+   git add .github/workflows/deploy-cloud-run.yml
+   git commit -m "Add Cloud Run deployment workflow"
+   git push origin main
+   ```
+
+### Workflow Features
+
+- ✅ **Keyless authentication** using Workload Identity Federation
+- ✅ **Multi-architecture support** (builds for linux/amd64)
+- ✅ **Image tagging** with both commit SHA and `latest`
+- ✅ **Automatic deployment** on push to main branch
+- ✅ **Manual trigger** via workflow_dispatch
+- ✅ **Secure secrets management** via GitHub Secrets
+- ✅ **Auto-scaling** with configurable min/max instances
+
+### Testing the Deployment
+
+After deployment, test your Cloud Run service:
+
+```bash
+# Get the service URL
+SERVICE_URL=$(gcloud run services describe mcp-server-bigquery \
+  --region us-central1 \
+  --format 'value(status.url)')
+
+# Test health endpoint
+curl $SERVICE_URL/health
+
+# Expected response:
+# {"status":"healthy","service":"bigquery-mcp-server"}
+```
+
+### Troubleshooting
+
+**Build fails:**
+- Check that Artifact Registry repository exists
+- Verify service account has `artifactregistry.writer` role
+
+**Deployment fails:**
+- Verify service account has `run.admin` role
+- Check that all required secrets are set in GitHub
+- Review Cloud Run logs: `gcloud run services logs read mcp-server-bigquery --region us-central1`
+
+**Service fails to start:**
+- Check environment variables are set correctly
+- Verify BigQuery permissions for the Cloud Run service account
+- Review logs for authentication errors
+
+### Cost Optimization
+
+The example workflow configures:
+- `--min-instances 0`: Scales to zero when not in use (no cost when idle)
+- `--max-instances 10`: Limits maximum concurrent instances
+- `--memory 512Mi`: Minimal memory allocation
+- `--cpu 1`: Single CPU core
+
+Adjust these based on your usage patterns and budget.
@@ -0,0 +1,99 @@
+# GitHub Secrets Configuration
+
+This document lists all the secrets needed for the GitHub Actions workflows.
+
+## Required Secrets
+
+Configure these in your GitHub repository: **Settings → Secrets and variables → Actions**
+
+### For Docker Hub Publishing
+
+Required for the `docker-publish.yml` workflow:
+
+| Secret Name          | Description                    | How to Get                                                                                      |
+| -------------------- | ------------------------------ | ----------------------------------------------------------------------------------------------- |
+| `DOCKERHUB_USERNAME` | Your Docker Hub username       | Your Docker Hub account username                                                                |
+| `DOCKERHUB_TOKEN`    | Docker Hub access token        | Docker Hub → Account Settings → Security → New Access Token (with Read, Write, Delete permissions) |
+
+### For Cloud Run Deployment (Workload Identity Federation - Recommended)
+
+| Secret Name           | Description                                              | How to Get                                                                                                                           |
+| --------------------- | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| `GCP_PROJECT_ID`      | Your GCP project ID                                      | `gcloud config get-value project`                                                                                                    |
+| `WIF_PROVIDER`        | Workload Identity Federation provider resource name     | Format: `projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_NAME/providers/PROVIDER_NAME`                           |
+| `WIF_SERVICE_ACCOUNT` | Service account email for Workload Identity Federation  | Format: `SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com`                                                                    |
+| `BIGQUERY_PROJECT`    | BigQuery project ID (can be same or different from GCP) | Your BigQuery project ID                                                                                                             |
+| `BIGQUERY_LOCATION`   | BigQuery location/region                                 | e.g., `us-central1`, `europe-west4`, `asia-northeast1`                                                                               |
+
+### For Service Account Key (Alternative)
+
+If not using Workload Identity Federation, use these instead:
+
+| Secret Name         | Description                          | How to Get                                                                                      |
+| ------------------- | ------------------------------------ | ----------------------------------------------------------------------------------------------- |
+| `GCP_PROJECT_ID`    | Your GCP project ID                  | `gcloud config get-value project`                                                               |
+| `GCP_SA_KEY`        | Service account JSON key (base64)   | Create key, then: `cat key.json \| base64`                                                      |
+| `BIGQUERY_PROJECT`  | BigQuery project ID                  | Your BigQuery project ID                                                                        |
+| `BIGQUERY_LOCATION` | BigQuery location/region             | e.g., `us-central1`, `europe-west4`                                                             |
+
+## Optional Secrets
+
+| Secret Name           | Description                                    | Example                                  |
+| --------------------- | ---------------------------------------------- | ---------------------------------------- |
+| `BIGQUERY_DATASETS`   | Comma-separated list of datasets to filter    | `analytics,marketing,sales`              |
+| `SLACK_WEBHOOK_URL`   | Slack webhook for deployment notifications     | `https://hooks.slack.com/services/...`   |
+
+## Getting Your Project Number
+
+You'll need your GCP project number (not project ID) for Workload Identity Federation:
+
+```bash
+gcloud projects describe YOUR_PROJECT_ID --format="value(projectNumber)"
+```
+
+## Example Values
+
+Here's what your secrets might look like (with fake values):
+
+```
+GCP_PROJECT_ID=my-bigquery-project
+WIF_PROVIDER=projects/123456789/locations/global/workloadIdentityPools/github-pool/providers/github
+WIF_SERVICE_ACCOUNT=github-actions@my-bigquery-project.iam.gserviceaccount.com
+BIGQUERY_PROJECT=my-bigquery-project
+BIGQUERY_LOCATION=us-central1
+```
+
+## Security Best Practices
+
+1. ✅ **Use Workload Identity Federation** instead of service account keys when possible
+2. ✅ **Limit service account permissions** to only what's needed (run.admin, artifactregistry.writer)
+3. ✅ **Rotate service account keys** regularly if using key-based auth
+4. ✅ **Use separate service accounts** for different environments (dev, staging, prod)
+5. ✅ **Enable audit logging** for service account usage
+6. ✅ **Use GitHub environment protection rules** for production deployments
+
+## Verifying Secrets
+
+After adding secrets, you can verify they're set correctly:
+
+1. Go to your repository on GitHub
+2. Navigate to **Settings → Secrets and variables → Actions**
+3. You should see all required secrets listed (values are hidden)
+4. Trigger the workflow manually to test: **Actions → Deploy to Google Cloud Run → Run workflow**
+
+## Troubleshooting
+
+**"Secret not found" error:**
+- Ensure secret names match exactly (case-sensitive)
+- Verify secrets are added to the correct repository
+- Check if using organization-level secrets vs repository-level secrets
+
+**Authentication fails:**
+- Verify WIF_PROVIDER format is correct
+- Ensure service account has necessary IAM roles
+- Check that Workload Identity binding is configured correctly
+
+**Deployment succeeds but service fails:**
+- Check Cloud Run logs for runtime errors
+- Verify BIGQUERY_PROJECT and BIGQUERY_LOCATION are correct
+- Ensure Cloud Run service account has BigQuery permissions