GCP Workflows
Two workflows are dedicated to Google Cloud Platform: one deploys containers to Cloud Run with rollback support, the other runs Prowler security scans against GCP projects. The examples below reference both workflows by the mutable master branch (@master); in a production pipeline, pin the uses: reference to a release tag or, better, a full commit SHA, so that a change pushed to the shared repository cannot silently alter what runs with your GCP credentials.
cloudrun-rollback
Deploy container images to Google Cloud Run with rollback capability: the workflow authenticates to GCP, deploys the specified Artifact Registry image to Cloud Run, and can roll back to a previous revision if needed.
When to use: deploying containerized applications to Cloud Run from your CI/CD pipeline, especially when you want an automated rollback path. This workflow authenticates with a service-account JSON key (GCP_SA_KEY); its documented secrets offer no Workload Identity alternative, so keep that key scoped to the deploy-time roles (roles/run.admin, plus roles/iam.serviceAccountUser on the runtime service account) and rotate it regularly.
```yaml
jobs:
  deploy:
    uses: clouddrove/github-shared-workflows/.github/workflows/cloudrun-rollback.yml@master
    with:
      gcp_registry_host: us-central1-docker.pkg.dev
      IMAGE_NAME: my-app
      IMAGE_TAG: ${{ github.sha }}
      GCP_REPOSITORY: my-project/my-repo
      SERVICE_NAME: my-cloudrun-service
      REGION: us-central1
    secrets:
      GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
      GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
```
| Input | Required | Description |
|---|---|---|
| gcp_registry_host | Yes | Artifact Registry host (e.g., us-central1-docker.pkg.dev) |
| IMAGE_NAME | Yes | Container image name |
| IMAGE_TAG | Yes | Image tag to deploy |
| GCP_REPOSITORY | Yes | Artifact Registry repository path (project/repo) |
| SERVICE_NAME | Yes | Cloud Run service name |
| REGION | Yes | GCP region (e.g., us-central1) |
Typical pipeline with build → deploy (using the same ${{ github.sha }} tag in both jobs ties the deployed image to the commit that built it):
```yaml
jobs:
  build:
    uses: clouddrove/github-shared-workflows/.github/workflows/docker-build-push.yml@master
    with:
      provider: ecr # Cloud Run cannot pull from ECR; build to Artifact Registry directly so the deploy job can reference the image
      IMAGE_TAG: ${{ github.sha }}
    secrets: ...
  deploy:
    needs: build
    uses: clouddrove/github-shared-workflows/.github/workflows/cloudrun-rollback.yml@master
    with:
      # all of these inputs are required (see the table above)
      gcp_registry_host: us-central1-docker.pkg.dev
      IMAGE_NAME: my-app
      IMAGE_TAG: ${{ github.sha }}
      GCP_REPOSITORY: my-project/my-repo
      SERVICE_NAME: my-service
      REGION: us-central1
    secrets:
      GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
      GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
```
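The rollback path described above works by shifting traffic back to an earlier Cloud Run revision. The script below is an added example, not code from clouddrove/github-shared-workflows: it finds the revision that was serving before the current one and routes 100% of traffic to it with gcloud. The SERVICE and REGION defaults, the DRY_RUN switch and the `rollback` argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of clouddrove/github-shared-workflows: roll a Cloud Run
# service back to the revision that was serving before the current one.
# Assumptions: the SERVICE/REGION defaults below and a gcloud already authenticated
# against the target project. DRY_RUN=1 (the default) prints the traffic change
# instead of applying it; the read-only describe/list calls always run.
set -eu

SERVICE="${SERVICE:-my-cloudrun-service}"
REGION="${REGION:-us-central1}"
DRY_RUN="${DRY_RUN:-1}"

# Execute a mutating command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Revision a plain `gcloud run deploy` routes 100% of traffic to: the latest ready one.
current_revision() {
  gcloud run services describe "$SERVICE" --region="$REGION" \
    --format='value(status.latestReadyRevisionName)'
}

# Revision names, newest first, one per line.
list_revisions() {
  gcloud run revisions list --service="$SERVICE" --region="$REGION" \
    --sort-by='~metadata.creationTimestamp' --format='value(metadata.name)'
}

# Read revision names (newest first) from stdin and print the first one that is not
# the current revision ($1). Returns 1 when there is no earlier revision, so a
# first-ever deploy cannot be "rolled back" onto nothing.
previous_revision() {
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    if [ "$name" != "$1" ]; then
      printf '%s\n' "$name"
      return 0
    fi
  done
  return 1
}

# Shift all traffic to one revision. Revision names are immutable, so the rollback
# target is exactly the image that was already serving, not a rebuild.
rollback_to() {
  run gcloud run services update-traffic "$SERVICE" --region="$REGION" \
    --to-revisions="$1=100"
}

rollback() {
  cur=$(current_revision)
  prev=$(list_revisions | previous_revision "$cur") || {
    echo "no earlier revision of $SERVICE to roll back to (current: $cur)" >&2
    return 1
  }
  echo "rolling back $SERVICE in $REGION: $cur -> $prev"
  rollback_to "$prev"
  # Show the resulting traffic split so the change is visible in the job log.
  run gcloud run services describe "$SERVICE" --region="$REGION" --format='yaml(status.traffic)'
}

# Invoke as `./cloudrun-rollback.sh rollback`; set DRY_RUN=0 to apply the change.
if [ "${1:-}" = "rollback" ]; then
  rollback
fi
```

Because update-traffic only changes routing, the broken revision stays around for forensics; delete it with gcloud run revisions delete once the incident is understood, not before.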
gcp-prowler
GCP security scanning with Prowler and GCS storage — runs Prowler against one or more GCP projects, optionally uploads findings to a GCS bucket, and sends a Slack notification when complete.
When to use: Scheduled security audits of GCP projects. Pair with a cron schedule to run weekly or after infrastructure changes.
```yaml
on:
  schedule:
    - cron: '0 8 * * 1' # every Monday at 8 AM UTC
jobs:
  gcp-security-scan:
    uses: clouddrove/github-shared-workflows/.github/workflows/gcp-prowler.yml@master
    with:
      cloud_provider: gcp
      gcp_project_ids: my-project-id,another-project-id
      enable_gcs_upload: true
      enable_slack_notification: true
      enable_gcp_key_auth: false # use Workload Identity (recommended)
    secrets:
      WIP: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
      SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
      GCS_BUCKET_NAME: ${{ secrets.GCS_BUCKET_NAME }}
      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
```
| Input | Required | Default | Description |
|---|---|---|---|
| cloud_provider | No | gcp | Cloud provider (must be gcp) |
| gcp_project_ids | No | — | Comma-separated GCP project IDs to scan |
| enable_gcs_upload | No | false | Upload findings to GCS bucket |
| enable_slack_notification | No | false | Send Slack notification on completion |
| enable_gcp_key_auth | No | false | Use service account key instead of Workload Identity |
Set enable_gcp_key_auth: false and pass the WIP (the Workload Identity Provider resource name) and SERVICE_ACCOUNT secrets for keyless authentication: the job exchanges its short-lived GitHub OIDC token for GCP credentials, so no long-lived JSON key is stored as a secret. Two things follow from that. The calling job must grant permissions: id-token: write, because a reusable workflow cannot obtain more permissions than its caller and the OIDC token is requested under that permission. And the provider's attribute condition together with the service account's roles/iam.workloadIdentityUser binding decide which GitHub repositories may impersonate the scanning account, so scope both to this repository rather than to the whole pool.
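The GCP side of that keyless setup, as an added example that is not part of clouddrove/github-shared-workflows: it creates the Workload Identity pool and GitHub OIDC provider, restricts the provider to one repository, binds that repository to the scanning service account, and prints the values to store as the WIP and SERVICE_ACCOUNT secrets. The project, pool, provider, repository and service-account names, and the APPLY switch, are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of clouddrove/github-shared-workflows: provision Workload
# Identity Federation for the gcp-prowler caller and print the WIP and
# SERVICE_ACCOUNT secret values.
# Assumptions: the names below; PROJECT_NUMBER is the numeric project number
# (gcloud projects describe PROJECT --format='value(projectNumber)').
# APPLY=1 runs the gcloud commands; by default they are only printed.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"
POOL="${POOL:-github-pool}"
PROVIDER="${PROVIDER:-github-provider}"
REPO="${REPO:-my-org/my-repo}"   # the only GitHub repository allowed to impersonate the SA
SA_EMAIL="${SA_EMAIL:-prowler-scanner@${PROJECT_ID}.iam.gserviceaccount.com}"

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# Full resource name of the OIDC provider: this string is the WIP secret.
provider_resource_name() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s\n' "$1" "$2" "$3"
}

# CEL condition the provider evaluates on every GitHub token. Without it, a valid
# token from any repository on github.com would be accepted into the pool.
attribute_condition() {
  printf "assertion.repository == '%s'\n" "$1"
}

# IAM member that matches only tokens whose mapped attribute.repository is $3.
# Binding this, rather than the whole pool, is the second gate in front of the SA.
repo_principal_set() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s\n' "$1" "$2" "$3"
}

setup() {
  run gcloud iam workload-identity-pools create "$POOL" \
    --project="$PROJECT_ID" --location=global --display-name="GitHub Actions"

  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
    --attribute-condition="$(attribute_condition "$REPO")"

  # Let that repository's jobs impersonate the scanner SA. The SA itself needs only
  # read permissions on the scanned projects (such as roles/viewer) plus write access
  # to the findings bucket when enable_gcs_upload is true.
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" --role=roles/iam.workloadIdentityUser \
    --member="$(repo_principal_set "$PROJECT_NUMBER" "$POOL" "$REPO")"

  echo "WIP=$(provider_resource_name "$PROJECT_NUMBER" "$POOL" "$PROVIDER")"
  echo "SERVICE_ACCOUNT=$SA_EMAIL"
}

setup
```

On the GitHub side the calling job still needs permissions: id-token: write; without it the OIDC token request fails before any GCP call is made, which is the usual cause of a "keyless" job that worked with enable_gcp_key_auth: true and stops working after the switch.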