DEV Community: Filip Lindqvist The latest articles on DEV Community by Filip Lindqvist (@filip-lindqvist). https://dev.to/filip-lindqvist https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3169292%2F526967ca-1668-46da-bea0-ca0d8fddd8bc.png DEV Community: Filip Lindqvist https://dev.to/filip-lindqvist en Push Images To Artifact Registry Using GitHub Actions & Workload Identity Filip Lindqvist Fri, 16 May 2025 13:15:34 +0000 https://dev.to/filip-lindqvist/google-cloud-artifact-registry-with-github-actions-using-workload-identity-2h8c https://dev.to/filip-lindqvist/google-cloud-artifact-registry-with-github-actions-using-workload-identity-2h8c <p>Day-to-day, I mainly contribute to <a href="https://elva-group.com/" rel="noopener noreferrer">Elva</a>, a powerhouse of AWS experts aiming to help our customers elevate their cloud journeys using serverless.</p> <p>However, sometimes life brings you into other platforms like Google Cloud in this case (which I also like a lot). This time, I wanted to set up container deploys as a part of a GitHub Action workflow to push images to Google Cloud Artifact Registry.</p> <p>In the past, we primarily established our service-to-service (GitHub-to-Google-Cloud) authentication using service accounts with key files. While service account keys are powerful tools, these long-lived keys can present security challenges if not handled with care. The modern way of doing this is using <a href="https://cloud.google.com/iam/docs/workload-identity-federation" rel="noopener noreferrer">Workload Identity Federation</a>, which makes it easier and more secure to use Identity and Access Management (IAM) to grant external identities the necessary IAM roles and rights.</p> <p>Let's look at how to set up the workflow file and the necessary Google Cloud configurations to achieve this.</p> <h3> Step 0: Create The Identity Workpool </h3> <p>Before we even touch the GitHub Actions YAML, we need to configure Google Cloud to trust our GitHub Actions workflow. This will be a secure way to allow our GitHub Actions to access Google Cloud resources without needing to manage long-lived service account keys.</p> <p>Here's a script that sets up everything you need. </p> <p><strong>Important before you start:</strong></p> <ul> <li> Make sure you have the <code>gcloud</code> CLI installed and configured. <ul> <li>You can install it with: <code>brew install google-cloud-sdk</code> </li> </ul> </li> <li> You'll need to replace placeholder values in the script below. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># 1. Setup</span> <span class="c"># --- Input Variables (UPDATE THESE VALUES!) ---</span> <span class="nv">GCLOUD_PROJECT</span><span class="o">=</span><span class="s2">"your-gcp-project-id"</span> <span class="nv">GITHUB_REPO</span><span class="o">=</span><span class="s2">"your-github-username/your-github-repo-name"</span> <span class="c"># --- Naming Variables ---</span> <span class="c"># Name for the new service account, identity pool and identity provider, change if you want/need but make sure to adhere to the kebab-case without special chars. </span> <span class="nv">GCLOUD_SERVICE_ACCOUNT</span><span class="o">=</span><span class="s2">"github-deployer-account"</span> <span class="nv">GCLOUD_IDENTITY_POOL</span><span class="o">=</span><span class="s2">"github-deployer-auth-pool"</span> <span class="nv">GCLOUD_IDENTITY_PROVIDER</span><span class="o">=</span><span class="s2">"github-deployer-auth-provider"</span> <span class="nv">GCLOUD_SERVICE_ACCOUNT_EMAIL</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_SERVICE_ACCOUNT</span><span class="k">}</span><span class="s2">@</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">.iam.gserviceaccount.com"</span> <span class="nb">echo</span> <span class="s2">"Starting Workload Identity Federation setup for </span><span class="se">\</span><span class="s2"> project: </span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2"> and repo: </span><span class="k">${</span><span class="nv">GITHUB_REPO</span><span class="k">}</span><span class="s2">"</span> <span class="c"># 2. Enable the IAM Credentials API</span> gcloud services <span class="nb">enable </span>iamcredentials.googleapis.com <span class="se">\</span> <span class="nt">--project</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error enabling IAM Credentials API. Exiting."</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="k">fi</span> <span class="c"># 3. Create a new service account</span> gcloud iam service-accounts create <span class="k">${</span><span class="nv">GCLOUD_SERVICE_ACCOUNT</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--project</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--display-name</span><span class="o">=</span><span class="s2">"GitHub Actions Deployer Account for </span><span class="k">${</span><span class="nv">GITHUB_REPO</span><span class="k">}</span><span class="s2">"</span> <span class="c"># 4. Grant the service account permission to write to Artifact Registry</span> gcloud projects add-iam-policy-binding <span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"serviceAccount:</span><span class="k">${</span><span class="nv">GCLOUD_SERVICE_ACCOUNT_EMAIL</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/artifactregistry.writer"</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error granting Artifact Registry Writer role. Exiting."</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="k">fi</span> <span class="c"># 5. Create a Workload Identity Pool</span> gcloud iam workload-identity-pools create <span class="k">${</span><span class="nv">GCLOUD_IDENTITY_POOL</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span><span class="s2">"global"</span> <span class="se">\</span> <span class="nt">--display-name</span><span class="o">=</span><span class="s2">"GitHub Actions Auth Pool"</span> <span class="c"># 6. Get the full ID of the Workload Identity Pool</span> <span class="nv">GCLOUD_WORKLOAD_IDENTITY_POOL_ID</span><span class="o">=</span><span class="si">$(</span>gcloud iam workload-identity-pools describe <span class="k">${</span><span class="nv">GCLOUD_IDENTITY_POOL</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span><span class="s2">"global"</span> <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span><span class="s2">"value(name)"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_WORKLOAD_IDENTITY_POOL_ID</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error fetching Workload Identity Pool ID. Exiting."</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="k">fi</span> <span class="c"># 7. Create an OIDC Workload Identity Provider in the pool..."</span> gcloud iam workload-identity-pools providers create-oidc <span class="k">${</span><span class="nv">GCLOUD_IDENTITY_PROVIDER</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span><span class="s2">"global"</span> <span class="se">\</span> <span class="nt">--workload-identity-pool</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_IDENTITY_POOL</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--display-name</span><span class="o">=</span><span class="s2">"GitHub Actions Auth Provider"</span> <span class="se">\</span> <span class="nt">--attribute-mapping</span><span class="o">=</span><span class="s2">"google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository"</span> <span class="se">\</span> <span class="nt">--issuer-uri</span><span class="o">=</span><span class="s2">"https://token.actions.githubusercontent.com"</span> <span class="c"># 8. Allow authentications from the GitHub OIDC provider to impersonate the Google Cloud service account</span> <span class="c"># This binds the GitHub repo to the service account via the WIF pool and provider.</span> gcloud iam service-accounts add-iam-policy-binding <span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_SERVICE_ACCOUNT_EMAIL</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--role</span><span class="o">=</span><span class="s2">"roles/iam.workloadIdentityUser"</span> <span class="se">\</span> <span class="nt">--member</span><span class="o">=</span><span class="s2">"principalSet://iam.googleapis.com/</span><span class="k">${</span><span class="nv">GCLOUD_WORKLOAD_IDENTITY_POOL_ID</span><span class="k">}</span><span class="s2">/attribute.repository/</span><span class="k">${</span><span class="nv">GITHUB_REPO</span><span class="k">}</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error binding service account for impersonation. Exiting."</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="k">fi</span> <span class="c"># 9. Get the full ID of the Workload Identity Provider (needed for GitHub Secrets)</span> <span class="nv">GCP_WORKLOAD_IDENTITY_PROVIDER_ID</span><span class="o">=</span><span class="si">$(</span>gcloud iam workload-identity-pools providers describe <span class="k">${</span><span class="nv">GCLOUD_IDENTITY_PROVIDER</span><span class="k">}</span> <span class="se">\</span> <span class="nt">--project</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--location</span><span class="o">=</span><span class="s2">"global"</span> <span class="se">\</span> <span class="nt">--workload-identity-pool</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">GCLOUD_IDENTITY_POOL</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--format</span><span class="o">=</span><span class="s2">"value(name)"</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">GCP_WORKLOAD_IDENTITY_PROVIDER_ID</span><span class="k">}</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Error fetching Workload Identity Provider ID. Exiting."</span><span class="p">;</span> <span class="nb">exit </span>1<span class="p">;</span> <span class="k">fi </span><span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"--- GitHub Secrets ---"</span> <span class="nb">echo</span> <span class="s2">"Add these to your GitHub repository secrets:"</span> <span class="nb">echo</span> <span class="s2">"GCP_PROJECT_ID: </span><span class="k">${</span><span class="nv">GCLOUD_PROJECT</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"GCP_WORKLOAD_IDENTITY_PROVIDER_ID: </span><span class="k">${</span><span class="nv">GCP_WORKLOAD_IDENTITY_PROVIDER_ID</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">"GCP_SERVICE_ACCOUNT_EMAIL: </span><span class="k">${</span><span class="nv">GCLOUD_SERVICE_ACCOUNT_EMAIL</span><span class="k">}</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Setup complete!"</span> </code></pre> </div> <p><strong>What this script does:</strong></p> <ol> <li> <strong>Setup</strong> <ul> <li> <code>GCLOUD_PROJECT</code>: You <strong>must</strong> set this to your Google Cloud Project ID.</li> <li> <code>GITHUB_REPO</code>: You <strong>must</strong> set this to your GitHub repository in the format <code>username/repository-name</code> (e.g., <code>my-cool-user/my-awesome-app</code>).</li> </ul> </li> <li> <strong>Enables IAM Credentials API</strong> <ul> <li> This API is necessary for your GitHub Action to mint short-lived credentials for the service account.</li> </ul> </li> <li> <strong>Creates a Service Account</strong> <ul> <li> This is the Google Cloud identity that your GitHub Action will impersonate. It's like a robot user for your automation.</li> </ul> </li> <li> <strong>Grants Artifact Registry Permissions</strong> <ul> <li> This gives the newly created service account permission to push images to Google Cloud Artifact Registry.</li> </ul> </li> <li> <strong>Creates a Workload Identity Pool</strong> <ul> <li> This pool is a container for identity providers. It helps organize how external identities (like those from GitHub) are managed.</li> </ul> </li> <li> <strong>Gets the Workload Identity Pool ID</strong> <ul> <li> This retrieves the unique identifier for the pool, which is needed in later steps.</li> </ul> </li> <li> <strong>Creates an OIDC Workload Identity Provider</strong> <ul> <li> This is the key part. It tells Google Cloud to trust OIDC tokens issued by GitHub Actions (<code>https://token.actions.githubusercontent.com</code>).</li> <li> The attribute-mapping tells Google Cloud how to map information from the GitHub OIDC token (like the repository name) to attributes Google Cloud can understand. This allows you to restrict which GitHub repositories can use this identity provider.</li> </ul> </li> <li> <strong>Allows GitHub to Impersonate the Service Account</strong> <ul> <li> This crucial step links everything together. It says that principals (in this case, your GitHub Action running in the specified <code>GITHUB_REPO</code>) that authenticate through the OIDC provider are allowed to impersonate the service account we created. The <code>principalSet</code> specifically targets your repository.</li> </ul> </li> <li> <strong>Outputs IDs for GitHub Secrets</strong> <ul> <li> The script will print out the <code>GCP_PROJECT_ID</code>, <code>GCP_WORKLOAD_IDENTITY_PROVIDER_ID</code> (this will be the full path like <code>projects/your-gcp-project-id/locations/global/workloadIdentityPools/github-deployer-auth-pool/providers/github-deployer-auth-provider</code>), and <code>GCP_SERVICE_ACCOUNT_EMAIL</code>. You must add these as secrets in your GitHub repository settings so the Action workflow can use them. You do this by going to your Github repo, then <code>Settings &gt; Secrets and variables &gt; Actions &gt; New repository secret</code>. </li> </ul> </li> </ol> <p>After running this script successfully and setting up the GitHub secrets accordingly, Google Cloud will be ready for your GitHub Action to authenticate by itself. </p> <p>Now, let's look at the GitHub Actions workflow YAML.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build Container</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="c1"># Permissions are important for the worklaod identity federation to work</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s1">'</span><span class="s">read'</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s1">'</span><span class="s">write'</span> <span class="na">steps</span><span class="pi">:</span> <span class="c1"># ... our steps will go here</span> </code></pre> </div> <p>This initial block defines the basic triggers (when the workflow runs) and the environment (Ubuntu) for our job. It will run when we push to the main branch or when a pull request that targets the main branch.</p> <p>The important part to note is the permissions block. We need contents: 'read' to allow the action to read your repository's content (which <code>actions/checkout</code> does). More importantly, <code>id-token: 'write'</code> is crucial. This permission allows the GitHub Actions runner to request an OIDC (OpenID Connect) token, which we'll use to securely authenticate with Google Cloud, thanks to the Workload Identity Federation setup we just did.</p> <p>Now for the actual steps involved in the job.</p> <h3> <strong>Step 1: Checkout Code And Set Up Docker</strong> </h3> <p>First things first, we need to get our code and prepare Docker for building our image.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> </code></pre> </div> <p>This initial part combines two actions:</p> <ol> <li> <code>actions/checkout@v4</code>: This action checks out your repository.</li> <li> <code>docker/setup-buildx-action@v3</code>: This action installs and configures Docker.</li> </ol> <h3> <strong>Step 2: Authenticate to Google Cloud</strong> </h3> <p>To push our Docker image to Google Cloud Artifact Registry, our GitHub Action needs to authenticate with Google Cloud. <br> This step uses the Workload Identity Federation we configured in Step 0.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s1">'</span><span class="s">google-github-actions/auth@v2'</span> <span class="na">id</span><span class="pi">:</span> <span class="s">auth</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token_format</span><span class="pi">:</span> <span class="s">access_token</span> <span class="na">project_id</span><span class="pi">:</span> <span class="s">${{ secrets.GCP_PROJECT_ID }}</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER_ID }}</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}</span> </code></pre> </div> <p>Parameters:</p> <ul> <li> <code>id: auth</code>: We give this step an ID, auth. This is useful because this action outputs an access token that we can use in subsequent steps. See <code>steps.auth.outputs.*</code> in the next step. </li> <li> <code>project_id</code>: Your Google Cloud Project ID. This comes from the <code>GCP_PROJECT_ID</code> secret you created from the script's output.</li> <li> <code>workload_identity_provider</code>: The full identifier of your Workload Identity Provider. This comes from the <code>WORKLOAD_IDENTITY_PROVIDER_ID</code> secret.</li> <li> <code>service_account</code>: The email address of the Google Cloud service account that GitHub Actions will impersonate. This comes from the <code>GCP_SERVICE_ACCOUNT_EMAIL</code> secret.</li> </ul> <h3> <strong>Step 3: Log in to Google Cloud Artifact Registry</strong> </h3> <p>Now that we have an access token from Google Cloud, we can use it to log in to Artifact Registry. <br> Artifact Registry uses standard Docker authentication mechanisms.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry</span><span class="pi">:</span> <span class="s">europe-docker.pkg.dev</span> <span class="na">username</span><span class="pi">:</span> <span class="s">oauth2accesstoken</span> <span class="na">password</span><span class="pi">:</span> <span class="s1">'</span><span class="s">${{</span><span class="nv"> </span><span class="s">steps.auth.outputs.access_token</span><span class="nv"> </span><span class="s">}}'</span> </code></pre> </div> <p>Parameters:</p> <ul> <li> <code>registry</code>: This is the hostname of the Artifact Registry you want to push to. For example, if your images are in the europe region, it would be <code>europe-docker.pkg.dev</code>. Adjust this based on your registry's region.</li> <li> <code>username</code>: When using an OAuth2 access token with Google Artifact Registry, the username is always <code>oauth2accesstoken</code>.</li> <li> <code>password</code>: This is where we use the access token obtained in the previous step. <code>${{ steps.auth.outputs.access_token }}</code> refers to the output named <code>access_token</code> from the step with the ID <code>auth</code>.</li> </ul> <h3> <strong>Step 4: Build and Push Docker Image</strong> </h3> <p>Finally, we get to the part where we build our Docker image and push it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push Docker image</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v6</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">platforms</span><span class="pi">:</span> <span class="s">linux/amd64,linux/arm64</span> <span class="na">push</span><span class="pi">:</span> <span class="s">${{ github.ref == 'refs/heads/main' &amp;&amp; github.event_name != 'pull_request' }}</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">europe-docker.pkg.dev/${{secrets.GCP_PROJECT_ID }}/images/my-container-name:latest</span> </code></pre> </div> <p>Parameters:</p> <ul> <li> <code>platforms: linux/amd64,linux/arm64</code>: This is an example of building for multiple platforms. Buildx makes this easy. You can adjust this to the platforms you need.</li> <li> <code>push: ${{ github.ref == 'refs/heads/main' &amp;&amp; github.event_name != 'pull_request' }}</code>: This is a crucial part for controlling when the image is actually pushed. We only want to push if the current Git reference is <code>refs/heads/main</code> (i.e., we're on the main branch) AND the event that triggered the workflow is <em>not</em> a pull_request. This prevents pushing images for every commit on a pull request branch, but still builds them (which can be useful for testing).</li> <li> <code>tags</code>: This specifies the tag for your Docker image.</li> </ul> <h3> <strong>Optimizing Builds with Caching</strong> </h3> <p>Docker builds can sometimes be slow, especially if you have a large image or many dependencies. Caching can significantly speed up this process by reusing layers from previous builds. The <code>docker/build-push-action</code> supports caching with GitHub Actions cache.</p> <p>Let's update our step to include GitHub-powered caching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push Docker image</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v6</span> <span class="na">with</span><span class="pi">:</span> <span class="c1"># ... add these lines</span> <span class="na">cache-from</span><span class="pi">:</span> <span class="s">type=gha</span> <span class="na">cache-to</span><span class="pi">:</span> <span class="s">type=gha,mode=max</span> </code></pre> </div> <p>What is means:</p> <ul> <li> <code>cache-from: type=gha</code>: This tells the action to attempt to pull cache layers from the GitHub Actions cache.</li> <li> <code>cache-to: type=gha,mode=max</code>: This tells the action to save the build cache to the GitHub Actions cache. Additionally, <code>mode=max</code> adds it will include all layers, which provides the best potential for cache hits on subsequent runs.</li> </ul> <p>Using <code>type=gha</code> is convenient because it uses the built-in GitHub Actions caching mechanism.</p> <h3> <strong>Wrapping Up: The Complete Workflow</strong> </h3> <p>So, putting it all together, here's our final YAML for the GitHub Action:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Build Container</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s1">'</span><span class="s">read'</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s1">'</span><span class="s">write'</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/setup-buildx-action@v3</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s1">'</span><span class="s">google-github-actions/auth@v2'</span> <span class="na">id</span><span class="pi">:</span> <span class="s">auth</span> <span class="na">with</span><span class="pi">:</span> <span class="na">token_format</span><span class="pi">:</span> <span class="s">access_token</span> <span class="na">project_id</span><span class="pi">:</span> <span class="s">${{secrets.GCP_PROJECT_ID }}</span> <span class="na">workload_identity_provider</span><span class="pi">:</span> <span class="s">${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER_ID }}</span> <span class="na">service_account</span><span class="pi">:</span> <span class="s">${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/login-action@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry</span><span class="pi">:</span> <span class="s">europe-docker.pkg.dev</span> <span class="na">username</span><span class="pi">:</span> <span class="s">oauth2accesstoken</span> <span class="na">password</span><span class="pi">:</span> <span class="s1">'</span><span class="s">${{</span><span class="nv"> </span><span class="s">steps.auth.outputs.access_token</span><span class="nv"> </span><span class="s">}}'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build and push Docker image</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">docker/build-push-action@v6</span> <span class="na">with</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="s">.</span> <span class="na">platforms</span><span class="pi">:</span> <span class="s">linux/amd64,linux/arm64</span> <span class="na">push</span><span class="pi">:</span> <span class="s">${{ github.ref == 'refs/heads/main' &amp;&amp; github.event_name != 'pull_request' }}</span> <span class="na">tags</span><span class="pi">:</span> <span class="s">europe-docker.pkg.dev/${{secrets.GCP_PROJECT_ID }}/images/my-container-name:latest</span> <span class="na">cache-from</span><span class="pi">:</span> <span class="s">type=gha</span> <span class="na">cache-to</span><span class="pi">:</span> <span class="s">type=gha,mode=max</span> </code></pre> </div> <p>And there you have it! </p> <p>First, ensure you've run the setup script (Step 0) in your Google Cloud environment and configured the necessary GitHub secrets. </p> <p>Then, this workflow will check out your code, authenticate to Google Cloud, log in to Artifact Registry, and then build and push your Docker image, complete with caching to speed things up. </p> <p>Remember to replace placeholder values like <code>europe-docker.pkg.dev</code> and <code>my-container-name</code> with your own values.<br> You'll also need to ensure your Dockerfile is in the root of your repository (<code>context: .</code>) or adjust the path accordingly.</p> <p>This setup provides a secure and efficient way to manage your Docker image deployments to Google Cloud.</p> googlecloud githubactions devops workloadidentity