chore: add GCP Cloud Run deployment scripts #1
Merged
Add a deploy/gcp toolkit (config-driven, idempotent bash scripts) plus a root cloudbuild.yaml to deploy the app to Google Cloud using Cloud Run, Cloud SQL for PostgreSQL, Artifact Registry and Secret Manager. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
austinw8
approved these changes
Jun 16, 2026
Pull request overview
Adds a self-contained GCP deployment toolkit to deploy the existing Dockerized app to Cloud Run with Cloud SQL (PostgreSQL), Artifact Registry, Secret Manager, and Cloud Build.
Changes:
- Adds `cloudbuild.yaml` to build/push the image using `docker/Dockerfile` from repo-root context.
- Introduces `deploy/gcp/*` idempotent-ish bash scripts to provision prerequisites, database, secrets/IAM, build, deploy, optional migration job, and teardown.
- Updates `.gitignore` to prevent committing local GCP config and generated cert/key artifacts.
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| deploy/gcp/README.md | Documents the Cloud Run + Cloud SQL + Secret Manager architecture, script flow, and operational decision points. |
| deploy/gcp/deploy-all.sh | Convenience runner to execute steps 00→04 in order. |
| deploy/gcp/config.example.sh | Template config users copy to config.sh for project/region/runtime sizing and SMTP/signing inputs. |
| deploy/gcp/common.sh | Shared config loading + helper functions (gcloud wrapper, secret helpers, runtime SA resolver). |
| deploy/gcp/00-prerequisites.sh | Enables required GCP APIs and creates Artifact Registry repo. |
| deploy/gcp/01-database.sh | Provisions Cloud SQL instance/db/user and stores DB URL in Secret Manager. |
| deploy/gcp/02-secrets.sh | Creates encryption/auth/signing secrets and binds runtime SA IAM for Secret Manager + Cloud SQL. |
| deploy/gcp/03-build.sh | Submits Cloud Build using cloudbuild.yaml and pushes to Artifact Registry. |
| deploy/gcp/04-deploy.sh | Deploys Cloud Run service wiring Cloud SQL, secrets, and env vars; resolves service URL. |
| deploy/gcp/05-migrate-job.sh | Optional Cloud Run Job to run prisma migrate deploy separately from service rollout. |
| deploy/gcp/99-teardown.sh | Destructive cleanup for all resources created by the toolkit (with confirmation). |
| cloudbuild.yaml | Cloud Build definition for building/pushing the container image from docker/Dockerfile. |
| .gitignore | Ignores deploy/gcp/config.sh and local cert/key artifacts. |
Comment on lines +54 to +57:
```bash
if [[ -n "${SIGNING_PASSPHRASE:-}" ]]; then
  secret_put "$PASSPHRASE_SECRET" "$SIGNING_PASSPHRASE"
  info "Stored signing passphrase in secret '${PASSPHRASE_SECRET}'."
fi
```
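Review bot: when `SIGNING_PASSPHRASE` is unset this block silently skips creating `$PASSPHRASE_SECRET`, so a later `gcloud run deploy` that references that secret fails at rollout with a far less obvious error than it would here; either exit with a message naming the config variable, or log a clear warning that the deploy step must not reference the secret. Separately, the passphrase is handed to `secret_put` as a positional argument; if that helper in `common.sh` forwards it on the gcloud command line rather than reading it from stdin via `--data-file=-`, the value shows up in process listings and in any `set -x` trace, so worth confirming how `secret_put` passes it.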
Comment on lines +59 to +62:
```bash
if [[ -n "${SMTP_PASSWORD:-}" ]]; then
  secret_put "$SMTP_PASSWORD_SECRET" "$SMTP_PASSWORD"
  info "Stored SMTP password in secret '${SMTP_PASSWORD_SECRET}'."
fi
```
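Review bot: the `-n` guard means an empty or missing `SMTP_PASSWORD` leaves `$SMTP_PASSWORD_SECRET` uncreated, yet the secret wiring in `04-deploy.sh` presumably references it; if that `--set-secrets` entry is unconditional, Cloud Run refuses to deploy the revision because the secret does not exist. Condition the deploy-side reference on the same check, or print a warning here naming the variable to set. Logging only the secret name in `info` is right; keep it that way and never echo `$SMTP_PASSWORD` while debugging.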
Comment on lines +13 to +21:
```bash
# ─── Environment variables ───────────────────────────────────────────────────
# Joined with '|' because some values (email addresses) contain commas/@; '|'
# never appears in our values, so it's a safe gcloud delimiter.

env_kv=(
  "NEXT_PUBLIC_UPLOAD_TRANSPORT=${UPLOAD_TRANSPORT}"
  "NEXT_PRIVATE_SIGNING_TRANSPORT=local"
  "NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/opt/documenso/cert.p12"
)
```
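Review bot: the comment asserts that `|` never appears in the values, but nothing enforces it, and free-form, user-editable entries such as `SMTP_FROM_NAME` (set in `config.sh`) can contain one; add a loop over `env_kv` that rejects any entry containing `|` before joining, and pass the result using gcloud's explicit-delimiter form (`--set-env-vars "^|^${joined}"`, see `gcloud topic escaping`) so the delimiter is declared rather than implied. Also, `NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/opt/documenso/cert.p12` only works if the self-signed cert created by `02-secrets.sh` actually reaches that path at runtime; Cloud Run containers have no persistent disk, so confirm whether the deploy command mounts it (e.g. as a Secret Manager file volume) or the image built in `03-build.sh` carries it, and document which.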
Comment on lines +41 to +42:
```bash
: "${SMTP_FROM_NAME:=KeepContracts}"
: "${SIGNING_CERT_CN:=Documenso Self-Signed}"
```
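Review bot: defaulting `SIGNING_CERT_CN` to `Documenso Self-Signed` means an unedited `config.sh` yields a signing certificate that advertises its own untrustworthiness, and the README already says production should use a real cert or Cloud KMS; print a visible warning when the default CN is taken, or require the variable to be set explicitly, so a production deploy cannot pick it up silently. Minor: `SMTP_FROM_NAME` defaults to `KeepContracts` while the cert default says `Documenso`; pick one product name for both defaults.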
Comment on lines +31 to +34:
```bash
# Optional: deploy under a dedicated runtime service account instead of the
# default Compute Engine SA. Leave unset to use the default.
# export RUNTIME_SA="documenso-run@PROJECT_ID.iam.gserviceaccount.com"

```
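Review bot: leaving `RUNTIME_SA` unset runs the service as the default Compute Engine service account, which historically carries the project-wide Editor role and still does on many existing projects, so the Cloud Run service would hold far more than the `cloudsql.client` and `secretmanager.secretAccessor` bindings the toolkit intends to grant. Invert the default: have `02-secrets.sh` create `documenso-run@PROJECT_ID.iam.gserviceaccount.com` (or a name from config) when it does not exist, bind only those two roles to it, and make the default SA an explicit opt-in with a README note on why.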
Summary
Adds a self-contained toolkit for deploying this app to Google Cloud using Cloud Run + Cloud SQL (PostgreSQL) + Artifact Registry + Secret Manager — the natural fit since the app already ships a production `docker/Dockerfile`, listens on `$PORT`, exposes `/api/health`, and runs migrations on startup.
What's included
- `cloudbuild.yaml` (repo root) — builds the image from `docker/Dockerfile` (which isn't at the root) with the repo as context.
- `deploy/gcp/` — config-driven, idempotent bash scripts:
  - `config.example.sh` → copy to `config.sh` (gitignored) and edit
  - `00-prerequisites.sh` — enable APIs + create Artifact Registry repo
  - `01-database.sh` — Cloud SQL instance/db/user + connection-string secret
  - `02-secrets.sh` — encryption/auth secrets, self-signed signing cert, IAM
  - `03-build.sh` — Cloud Build → Artifact Registry
  - `04-deploy.sh` — `gcloud run deploy` with Cloud SQL, secrets, env wired in
  - `05-migrate-job.sh` — (optional) run migrations as a one-off Cloud Run Job
  - `deploy-all.sh` — runs 00→04 in order
  - `99-teardown.sh` — destructive cleanup (confirmation required)
  - `README.md` — architecture, quick start, decision points, troubleshooting
Notable choices (documented in the README)
- `database` upload transport keeps Cloud Run stateless (docs in Postgres).
- `--min-instances=1 --no-cpu-throttling` so the in-process `local` jobs provider keeps running scheduled work.
- `--add-cloudsql-instances`); runtime SA gets `cloudsql.client` + `secretmanager.secretAccessor`.
- in a real cert or Cloud KMS HSM signing for production.
- `config.sh`, `*.p12`, `*.pem` are gitignored).
How to use
Notes for reviewers
- `bash -n`; not yet executed against a live GCP project.
- `config.sh` for outbound email to work.
🤖 Generated with Claude Code
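Added example, not code from this PR or from Documenso: two helpers a deploy script could use in place of the patterns shown in the review excerpts above (the `|`-joined `env_kv` list and the `secret_put "$NAME" "$VALUE"` calls). `join_env_kv` refuses any `KEY=VALUE` that contains the chosen delimiter instead of assuming none does, and emits gcloud's explicit `^DELIM^` list syntax (`gcloud topic escaping`); `secret_put_stdin` feeds the secret value to `gcloud secrets versions add` through `--data-file=-` so it never lands in argv, `ps` output or a `set -x` trace. The function names, the `GCLOUD` override variable and the sample values are assumptions made for this example; the gcloud flags are real.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or from Documenso. Two helpers a deploy
# script could use in place of the patterns shown in the review excerpts:
#   join_env_kv       builds a --set-env-vars value with an explicit delimiter
#                     and refuses any KEY=VALUE containing that delimiter.
#   secret_put_stdin  adds a Secret Manager version from stdin (--data-file=-)
#                     so the secret never appears in argv, `ps`, or `set -x`.
# Function names and the GCLOUD override are assumptions for this example.
# Written in POSIX sh so it also runs under dash.
set -eu

# Overridable so the helpers can be exercised without a real project.
GCLOUD="${GCLOUD:-gcloud}"

# Usage: join_env_kv '|' "A=1" "B=x,y" "C=user@example.com"
# Prints the gcloud list form "^|^A=1|B=x,y|C=user@example.com"
# (see `gcloud topic escaping`); returns 1 if any entry contains the delimiter.
join_env_kv() {
  local delim out kv
  delim="$1"; shift
  out=""
  for kv in "$@"; do
    case "$kv" in
      *"$delim"*)
        printf 'join_env_kv: "%s" contains delimiter "%s"; choose another\n' "$kv" "$delim" >&2
        return 1 ;;
    esac
    if [ -z "$out" ]; then out="$kv"; else out="$out$delim$kv"; fi
  done
  printf '^%s^%s\n' "$delim" "$out"
}

# Usage: printf '%s' "$value" | secret_put_stdin SECRET_NAME
# Creates the secret on first use, then adds a version read from stdin, so the
# value is never a command-line argument to gcloud.
secret_put_stdin() {
  local name
  name="$1"
  if ! "$GCLOUD" secrets describe "$name" >/dev/null 2>&1; then
    "$GCLOUD" secrets create "$name" --replication-policy=automatic >/dev/null
  fi
  "$GCLOUD" secrets versions add "$name" --data-file=-
}

# Demo: the three entries from the review excerpt (UPLOAD_TRANSPORT=database
# per the PR description), joined with an explicit delimiter.
join_env_kv '|' \
  "NEXT_PUBLIC_UPLOAD_TRANSPORT=database" \
  "NEXT_PRIVATE_SIGNING_TRANSPORT=local" \
  "NEXT_PRIVATE_SIGNING_LOCAL_FILE_PATH=/opt/documenso/cert.p12"
```

In a deploy script the joined string is passed as `--set-env-vars "$(join_env_kv '|' "${env_kv[@]}")"`, and a secret is stored with `printf '%s' "$SMTP_PASSWORD" | secret_put_stdin "$SMTP_PASSWORD_SECRET"`; because the helper fails loudly on a delimiter collision, a free-form value such as `SMTP_FROM_NAME` containing `|` aborts the deploy instead of silently splitting into extra environment variables.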