Skip to content

feat: deploy to Cloud Run with keyless CI/CD (parallel to Vercel)#48

Merged
riethmayer merged 1 commit into
masterfrom
worktree-gcp
May 25, 2026
Merged

feat: deploy to Cloud Run with keyless CI/CD (parallel to Vercel)#48
riethmayer merged 1 commit into
masterfrom
worktree-gcp

Conversation

@riethmayer

@riethmayer riethmayer commented May 25, 2026

Copy link
Copy Markdown
Owner

What & why

Run Eureka on Google Cloud Run (eureka-362814) in parallel with the existing Vercel deployment — same code, same Supabase DB. This is the migration path off Vercel: verify GCP under real traffic, then flip DNS and retire Vercel. No big-bang cutover.

The parallel deployment is already live and verified: https://eureka-web-369713805962.europe-west1.run.app

What's in this PR

File Purpose
next.config.mjs output: "standalone" + pinned outputFileTracingRoot
Dockerfile / .dockerignore Multi-stage Next.js standalone image (node:24-slim, non-root)
cloudbuild.yaml Build with NEXT_PUBLIC_* build args + Sentry token from Secret Manager
deploy/deploy.sh Idempotent bootstrap + build + deploy; --deploy-only for CI
.github/workflows/deploy-gcp.yml Auto-deploy on push to master via Workload Identity Federation
docs/deployment/ Illustrated docs (overview · pipeline · security · tradeoffs) with mermaid.js

Security: keyless CI

GitHub Actions authenticates via Workload Identity Federation — no service-account key stored in GitHub. The OIDC trust is locked to this repo (assertion.repository == 'riethmayer/eureka') at both the provider condition and the impersonation binding. The github-deployer SA holds only least-privilege deploy roles. Full mechanism in docs/deployment/security.html.

Vercel-safe

output: "standalone" and all new files are inert under Vercel's build pipeline, so one codebase serves both deploys. Merging this activates GCP auto-deploy; Vercel is unaffected.

Already provisioned on GCP (not in this diff)

Artifact Registry repo eureka, Secret Manager secrets (eureka-*), the WIF pool/provider + github-deployer SA, and repo variables WIF_PROVIDER / WIF_SERVICE_ACCOUNT.

Verification

  • All routes 200; /api/highscores reads and POST /api/game writes against live Supabase (test row removed).
  • Deployer SA permissions validated by impersonation: it builds, stages source, and deployed a live revision with the runtime secret mounted.

Follow-ups (not this PR)

Map the production domain to Cloud Run → flip DNS → retire Vercel.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added support for deploying to Google Cloud Run alongside Vercel.
  • Documentation

    • Added comprehensive deployment documentation covering overview, pipeline, security considerations, and architectural trade-offs.
    • Updated README with deployment information and quick reference links.
  • Infrastructure

    • Added Docker containerization configuration for standalone builds.
    • Enabled automated CI/CD workflow for Google Cloud deployments on every push to master.

Review Change Stack

@vercel

vercel Bot commented May 25, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
eureka Ready Ready Preview, Comment May 25, 2026 6:47pm

@supabase

supabase Bot commented May 25, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project lthqyqlislwikgoxmttn because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented May 25, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@riethmayer, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 46 minutes and 59 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9a826cdc-add9-40c8-858b-e3115d4cc293

📥 Commits

Reviewing files that changed from the base of the PR and between 8d8de3f and 96fc28f.

📒 Files selected for processing (14)
  • .dockerignore
  • .github/workflows/deploy-gcp.yml
  • Dockerfile
  • README.md
  • cloudbuild.yaml
  • deploy/README.md
  • deploy/deploy.sh
  • docs/deployment/assets/mermaid-init.js
  • docs/deployment/assets/styles.css
  • docs/deployment/index.html
  • docs/deployment/pipeline.html
  • docs/deployment/security.html
  • docs/deployment/tradeoffs.html
  • next.config.mjs
📝 Walkthrough

Walkthrough

This PR establishes a complete Google Cloud Run deployment infrastructure for an Eureka Next.js application. The changes configure standalone Next.js builds, containerize the application in a multi-stage Dockerfile, set up GCP Cloud Build to handle image building and registry pushes, provide an automation script for orchestrating deployments and secret management, integrate GitHub Actions with Workload Identity Federation for keyless authentication, and document the entire system with interactive runbooks and security models.

Changes

GCP Cloud Run Deployment

Layer / File(s) Summary
Next.js Standalone Build Mode
next.config.mjs
Enable Next.js standalone output mode and configure outputFileTracingRoot for efficient container builds.
Docker Containerization
.dockerignore, Dockerfile
Multi-stage Dockerfile with Node 24 slim, Yarn 4 immutable installs, builder stage with build-time secrets, and optimized runner stage copying only standalone server/static assets.
GCP Cloud Build Configuration
cloudbuild.yaml
Cloud Build pipeline fetching Next.js and Sentry secrets from Secret Manager, injecting them as build args, tagging images with BUILD_ID and latest, and pushing to Artifact Registry with E2_HIGHCPU_8 machine and 30-minute timeout.
Cloud Run Deployment Orchestration
deploy/deploy.sh, deploy/README.md
Bash script supporting three modes (bootstrap+build+deploy, --seed to seed secrets, --deploy-only), managing Secret Manager lifecycle, granting Cloud Build service-account permissions, submitting builds, and deploying Cloud Run services with runtime env/secret bindings; includes runbook documentation with deploy/rollback/log-tail/secret-rotation commands.
GitHub Actions CI/CD Workflow
.github/workflows/deploy-gcp.yml
Workflow triggered on master push (excluding docs and markdown), authenticating via Workload Identity Federation with OIDC token, and invoking deploy/deploy.sh --deploy-only with serialized deployment concurrency.
Deployment Documentation and Styling
docs/deployment/assets/styles.css, docs/deployment/assets/mermaid-init.js, docs/deployment/index.html, docs/deployment/pipeline.html, docs/deployment/security.html, docs/deployment/tradeoffs.html
Dark-themed deployment console documentation system describing the parallel GCP+Vercel deployment model, CI/CD pipeline flow with build-time/runtime secret injection, keyless auth using GitHub OIDC and Workload Identity Federation with sequence diagrams, and architecture tradeoff decisions; includes custom CSS design, Mermaid diagram initialization, and interactive runbook cards.
Project README Deployment Section
README.md
Added deployment section linking to deployment documentation mini-site and quick-reference guides.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • riethmayer/eureka#39: Updates next.config.mjs with withSentryConfig wrapper and Sentry tunnel configuration; this PR adds output: "standalone" and outputFileTracingRoot to the same config file.

Poem

🚀 From Next.js standalone to the cloud we soar,
Docker layers stacked, secrets locked in the door,
Workload ID's dancing, no keys to be worn,
A rabbit's delight—deployment is born! 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly summarizes the main change: adding Cloud Run deployment with keyless CI/CD as a parallel to the existing Vercel setup.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch worktree-gcp

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Run Eureka on Google Cloud Run (project eureka-362814) alongside the existing
Vercel deployment, both backed by the same Supabase database. This is the
migration path: verify GCP under real traffic, then flip DNS and retire Vercel.

- next.config: standalone output + pinned outputFileTracingRoot
- Dockerfile + .dockerignore: multi-stage Next.js standalone image (node:24-slim, non-root)
- cloudbuild.yaml: build with NEXT_PUBLIC_* build args and the Sentry token pulled
  from Secret Manager (token confined to the discarded builder stage)
- deploy/deploy.sh: idempotent bootstrap + build + deploy; --deploy-only for CI
- .github/workflows/deploy-gcp.yml: auto-deploy on push to master via Workload
  Identity Federation (no service-account key stored in GitHub)
- docs/deployment: illustrated mini-site (overview, pipeline, security, tradeoffs)
  with live mermaid.js diagrams

Vercel-safe: output:"standalone" plus the new files are inert under Vercel's
build pipeline, so a single codebase serves both deployments.
@riethmayer riethmayer merged commit 011d291 into master May 25, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant