Connecting GitHub Actions to Google App Engine

Over the past few weekends, outside of work, I’ve been working on personal projects. One such project is a website that I’ve written in Node.js and that is hosted on Google App Engine.

For a while, I’ve been deploying the project to App Engine from my computer. However, I’ve been added to the beta for GitHub Actions, a new tool that should allow me to generate workflows to automatically run based on GitHub events.

I started to create a workflow to push to App Engine every time I create a new commit. However, during my development process I ran into a few issues that I want to document.

This isn’t a really interesting workflow by itself. I have four actions, each executing sequentially.

The first runs npm install. The second runs npm build.

Connecting to App Engine was a little more elaborate. First, I couldn’t just run the Deploy action. If I tried, I’d quickly run into an authorization issue. As this is running remotely, there’s no way for me to open a browser to log in.

I needed to find the Google Cloud Authentication action further down in the list and run that first.

In this action, I need to create a secret called GCLOUD_AUTH and give it a token.

Creating a token isn’t too difficult. I opened the Service accounts page for my project and generated a new service account for GitHub.

Then I downloaded a JSON file that acts as my key.

I needed to use my command line to generate a base64 version of my key and paste that into GitHub’s editor:

base64 /path/to/service-account-key.json

Once that’s done, I could add a final step for deployment, which uses the Google Cloud action to run gcloud app deploy. As we already authenticated, we wouldn’t need to use the secret again.

I figured this was everything I needed, but I ran into some additional permission issues.

First, I needed to enable the App Engine Admin API for my project, which I guess I didn’t need before since it was from my computer.

Next, I needed to spend several iterations revisiting my service account permissions. Errors appeared several times telling me that my service account key didn’t have permission to do something. I’d need to revisit the IAM settings, add a permission, and try again.

It wasn’t very easy to iteratively test, as my GitHub action did not support a re-run option. So I’d need to create a tiny change in a file, such as updating the labels of my workflow, so that GitHub would kick off another run.

I finally managed to get my workflow to run with these roles:

  • App Engine Deployer
  • App Engine Service Admin
  • Cloud Build Service Account
  • Storage Object Creator
  • Storage Object Viewer
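
Adding permissions one error at a time makes it easy to leave a broader role attached to the deploy account than the list above. The following is an added example, not part of the original workflow: it compares the roles bound to one service account against that list, reading the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The service account email and the sample policy are constructed, and the function name is hypothetical.

```python
import json

# Role IDs for the five role names listed above.
EXPECTED_ROLES = {
    "roles/appengine.deployer",         # App Engine Deployer
    "roles/appengine.serviceAdmin",     # App Engine Service Admin
    "roles/cloudbuild.builds.builder",  # Cloud Build Service Account
    "roles/storage.objectCreator",      # Storage Object Creator
    "roles/storage.objectViewer",       # Storage Object Viewer
}
# Project-wide basic roles, far broader than a deploy key needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def audit_service_account(policy_json: str, sa_email: str) -> dict:
    """Compare the roles bound to one service account with EXPECTED_ROLES."""
    member = f"serviceAccount:{sa_email}"
    granted = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member in binding.get("members", []):
            granted.add(binding["role"])
    return {
        "missing": sorted(EXPECTED_ROLES - granted),  # deploy will fail on these
        "extra": sorted(granted - EXPECTED_ROLES),    # candidates for removal
        "basic": sorted(granted & BASIC_ROLES),       # remove before storing the key
    }


# Constructed sample data, not taken from a real project.
SAMPLE_SA = "github-deploy@example-project.iam.gserviceaccount.com"
OTHER_SA = "builder@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/appengine.deployer", "members": [f"serviceAccount:{SAMPLE_SA}"]},
    {"role": "roles/appengine.serviceAdmin", "members": [f"serviceAccount:{SAMPLE_SA}"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:dev@example.com", f"serviceAccount:{SAMPLE_SA}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SAMPLE_SA}"]},
    {"role": "roles/cloudbuild.builds.builder", "members": [f"serviceAccount:{OTHER_SA}"]},
]})

if __name__ == "__main__":
    for finding, roles in audit_service_account(SAMPLE_POLICY, SAMPLE_SA).items():
        print(f"{finding}: {', '.join(roles) or 'none'}")
```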

So far I’m liking GitHub Actions. There’s a lot of potential here for complex, powerful automation and in-depth analysis of each commit. I’ll probably revisit my article in the future if I try automating additional projects.