feat: deploy to Cloud Run with keyless CI/CD (parallel to Vercel)#48
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
|
Warning Review limit reached
Your plan includes 1 review of capacity. Refill in 46 minutes and 59 seconds. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more review capacity refills, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (14)
📝 WalkthroughWalkthroughThis PR establishes a complete Google Cloud Run deployment infrastructure for an Eureka Next.js application. The changes configure standalone Next.js builds, containerize the application in a multi-stage Dockerfile, set up GCP Cloud Build to handle image building and registry pushes, provide an automation script for orchestrating deployments and secret management, integrate GitHub Actions with Workload Identity Federation for keyless authentication, and document the entire system with interactive runbooks and security models. ChangesGCP Cloud Run Deployment
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Run Eureka on Google Cloud Run (project eureka-362814) alongside the existing Vercel deployment, both backed by the same Supabase database. This is the migration path: verify GCP under real traffic, then flip DNS and retire Vercel. - next.config: standalone output + pinned outputFileTracingRoot - Dockerfile + .dockerignore: multi-stage Next.js standalone image (node:24-slim, non-root) - cloudbuild.yaml: build with NEXT_PUBLIC_* build args and the Sentry token pulled from Secret Manager (token confined to the discarded builder stage) - deploy/deploy.sh: idempotent bootstrap + build + deploy; --deploy-only for CI - .github/workflows/deploy-gcp.yml: auto-deploy on push to master via Workload Identity Federation (no service-account key stored in GitHub) - docs/deployment: illustrated mini-site (overview, pipeline, security, tradeoffs) with live mermaid.js diagrams Vercel-safe: output:"standalone" plus the new files are inert under Vercel's build pipeline, so a single codebase serves both deployments.
What & why
Run Eureka on Google Cloud Run (
eureka-362814) in parallel with the existing Vercel deployment — same code, same Supabase DB. This is the migration path off Vercel: verify GCP under real traffic, then flip DNS and retire Vercel. No big-bang cutover.The parallel deployment is already live and verified: https://eureka-web-369713805962.europe-west1.run.app
What's in this PR
next.config.mjsoutput: "standalone"+ pinnedoutputFileTracingRootDockerfile/.dockerignorenode:24-slim, non-root)cloudbuild.yamlNEXT_PUBLIC_*build args + Sentry token from Secret Managerdeploy/deploy.sh--deploy-onlyfor CI.github/workflows/deploy-gcp.ymlmastervia Workload Identity Federationdocs/deployment/Security: keyless CI
GitHub Actions authenticates via Workload Identity Federation — no service-account key stored in GitHub. The OIDC trust is locked to this repo (
assertion.repository == 'riethmayer/eureka') at both the provider condition and the impersonation binding. Thegithub-deployerSA holds only least-privilege deploy roles. Full mechanism indocs/deployment/security.html.Vercel-safe
output: "standalone"and all new files are inert under Vercel's build pipeline, so one codebase serves both deploys. Merging this activates GCP auto-deploy; Vercel is unaffected.Already provisioned on GCP (not in this diff)
Artifact Registry repo
eureka, Secret Manager secrets (eureka-*), the WIF pool/provider +github-deployerSA, and repo variablesWIF_PROVIDER/WIF_SERVICE_ACCOUNT.Verification
/api/highscoresreads andPOST /api/gamewrites against live Supabase (test row removed).Follow-ups (not this PR)
Map the production domain to Cloud Run → flip DNS → retire Vercel.
Summary by CodeRabbit
Release Notes
New Features
Documentation
Infrastructure
master.