Google Cloud
- Create a service account for ci/cd (e.g. github-actions)
- Via the IAM->Service Accounts page, allow this service to operate as the service account for each cloud run instance
- In cloud storage, give this service account cloud storage admin to buckets that are deployed via ci/cd:
  - frontend (release and sandbox)
  - storybook (sandbox)
  - docs (sandbox)
  - artifacts.project.appspot.com (release and sandbox, created by google - needed for cloud run deployments)
- Also give the github actions service Cloud Run Admin and Cloud Functions Admin permissions
- Also, give the github actions service the Service Account User role on the AppEngine service account (this seems to be required for cloud functions even with Cloud Functions Admin)
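The grants in the list above, written out as gcloud commands. This is an added example, not the project's own tooling: the project id, bucket names and Cloud Run runtime account are placeholders, and the role ids are the predefined roles matching the names used in the list.

```shell
#!/usr/bin/env bash
# Added example: prints the gcloud commands by default; set DRY_RUN=0 to run them.
# Every value below is a placeholder or assumption, not the project's real name.
PROJECT_ID="${PROJECT_ID:-my-project-sandbox}"   # placeholder project id
CI_SA_NAME="${CI_SA_NAME:-github-actions}"       # account name suggested on the page
# Assumed runtime service account of the Cloud Run services (placeholder):
RUN_SA="${RUN_SA:-cloud-run-runtime@${PROJECT_ID}.iam.gserviceaccount.com}"
# Placeholder bucket names, one per bucket deployed via ci/cd:
BUCKETS="${BUCKETS:-frontend-bucket storybook-bucket docs-bucket artifacts.${PROJECT_ID}.appspot.com}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_ci_iam() {
  ci_sa="${CI_SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
  member="serviceAccount:${ci_sa}"
  appengine_sa="${PROJECT_ID}@appspot.gserviceaccount.com"  # App Engine default account

  run gcloud iam service-accounts create "$CI_SA_NAME" --project="$PROJECT_ID"

  # Let the CI account act as the Cloud Run runtime and App Engine accounts.
  for target in "$RUN_SA" "$appengine_sa"; do
    run gcloud iam service-accounts add-iam-policy-binding "$target" \
      --project="$PROJECT_ID" --member="$member" --role=roles/iam.serviceAccountUser
  done

  # Storage Admin on each deployed bucket only, not on the whole project.
  for bucket in $BUCKETS; do
    run gcloud storage buckets add-iam-policy-binding "gs://${bucket}" \
      --member="$member" --role=roles/storage.admin
  done

  # Cloud Run Admin and Cloud Functions Admin at project level.
  for role in roles/run.admin roles/cloudfunctions.admin; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="$member" --role="$role"
  done
}

setup_ci_iam
```

Run it once per project (sandbox and release) with the matching PROJECT_ID and BUCKETS, and review the printed commands before setting DRY_RUN=0.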
Generally speaking, the very first deployment (see below) on a brand new project should be done manually via a local account first, before using ci/cd going forward.
In particular, the first cloud function deployment requires hitting "yes" on "Allow unauthenticated invocations"
Github Secrets
- SLACK_BOT_TOKEN (the one that begins "xoxb-")
- GOOGLE_CLOUD_SERVICE_ACCOUNT_JSON_KEY - json key for service account
- GOOGLE_CLOUD_SERVICE_ACCOUNT_JSON_KEY_SANDBOX - same but for dev deployment
- FIREBASE_TOKEN (run firebase login:ci)
The GOOGLE_CLOUD keys must be base64 encoded. Literally, take the json string and run it through a base64 encoder.
Makefiles and Dockerfiles
Deployment is done via the top-level Makefile.toml as well as Dockerfiles as needed.
The PROJECT_ID and other variables are hardcoded directly in these files as needed (even where that takes the form of setting an env var).
If adjusting, remember to change sandbox vs. release :)
Github Actions
A new github action needs to be created for each frontend wasm project. Simply copy/paste from one of the existing actions.