Google Cloud

GitHub Actions + GCP CI/CD Complete Guide: Workload Identity, Cloud Run/GKE Deploys

2026-05-24
NicheeLab Editorial Team

GitHub Actions ↔ GCP integration has standardized on keyless authentication via Workload Identity Federation (WIF). This article walks through implementation examples from WIF setup to Cloud Run / GKE / BigQuery deploys, Reusable Workflows, and Cloud Build integration.

Workload Identity Federation Setup

# 1. Workload Identity Pool 作成
gcloud iam workload-identity-pools create github \
  --location=global --display-name="GitHub Actions"

# 2. OIDC Provider 設定
gcloud iam workload-identity-pools providers create-oidc github-provider \
  --location=global --workload-identity-pool=github \
  --issuer-uri="https://token.actions.githubusercontent.com" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
  --attribute-condition="assertion.repository_owner == 'YOUR_ORG'"

# 3. Service Account 作成
gcloud iam service-accounts create github-actions \
  --display-name="GitHub Actions SA"

# 4. SA に必要な Role 付与
gcloud projects add-iam-policy-binding PROJECT \
  --member="serviceAccount:[email protected]" \
  --role="roles/run.admin"

# 5. WIF Pool ↔ SA 紐づけ
gcloud iam service-accounts add-iam-policy-binding \
  [email protected] \
  --role=roles/iam.workloadIdentityUser \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/attribute.repository/YOUR_ORG/YOUR_REPO"

Basic Workflow (Cloud Run Deploy)

# .github/workflows/deploy.yml
name: Deploy to Cloud Run

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # WIF に必須

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/providers/github-provider
          service_account: [email protected]

      - uses: google-github-actions/setup-gcloud@v2

      - name: Configure Docker
        run: gcloud auth configure-docker asia-northeast1-docker.pkg.dev

      - name: Build & Push
        run: |
          IMAGE=asia-northeast1-docker.pkg.dev/PROJECT/repo/app:${{ github.sha }}
          docker build -t $IMAGE .
          docker push $IMAGE

      - name: Deploy
        run: |
          gcloud run deploy my-app \
            --image=asia-northeast1-docker.pkg.dev/PROJECT/repo/app:${{ github.sha }} \
            --region=asia-northeast1 \
            --allow-unauthenticated

GKE Deploy Workflow

- uses: google-github-actions/get-gke-credentials@v2
  with:
    cluster_name: my-cluster
    location: asia-northeast1

- name: Helm Deploy
  run: |
    helm upgrade --install my-app ./chart \
      --set image.tag=${{ github.sha }} \
      --namespace=production

Reusable Workflow Pattern

# .github/workflows/reusable-deploy.yml
on:
  workflow_call:
    inputs:
      service:    { required: true, type: string }
      region:     { default: 'asia-northeast1', type: string }
      image_tag:  { required: true, type: string }

permissions: { id-token: write, contents: read }

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ...
          service_account: ...
      - run: gcloud run deploy ${{ inputs.service }} --image=... --region=${{ inputs.region }}

# 利用側
jobs:
  deploy-api:
    uses: ./.github/workflows/reusable-deploy.yml
    with:
      service:   api
      image_tag: ${{ github.sha }}

Secret Manager Integration

- id: secrets
  uses: google-github-actions/get-secretmanager-secrets@v2
  with:
    secrets: |
      DB_PASSWORD:PROJECT/db-password
      API_KEY:PROJECT/api-key

- run: ./deploy.sh
  env:
    DB_PASSWORD: ${{ steps.secrets.outputs.DB_PASSWORD }}
    API_KEY:     ${{ steps.secrets.outputs.API_KEY }}

Cloud Build Trigger Integration

- name: Trigger Cloud Build
  run: |
    gcloud builds submit --config=cloudbuild.yaml \
      --substitutions=_BRANCH=${{ github.ref_name }},_SHA=${{ github.sha }}

Self-hosted Runner (Inside VPC)

  • Install the GitHub Runner on a GCE VM (Private IP)
  • Reach VPC-internal resources (CloudSQL Private IP / IAP / on-prem DB)
  • Larger Runners + Private Networking (GA in 2024) lets you stay on GitHub-managed runners while connecting to your VPC
  • Security: destroy the VM after each job (Ephemeral)

Typical Flow

  1. PR push → Actions runs lint / test / build
  2. main merge → triggers Cloud Build (Container signing)
  3. Push to Artifact Registry (Binary Authorization applied)
  4. Create a Release in Cloud Deploy
  5. Canary promotion Dev → Staging → Prod
  6. Auto-rollback on SLO violation via Cloud Monitoring

Best Practices

  • Never put SA keys in the repo (WIF is the only option)
  • Approval gates per Environment (e.g. production)
  • Standardize with Reusable Workflows
  • Control concurrent runs with Concurrency settings
  • Minimize OIDC token scope (Attribute Condition)
  • Record build provenance with SLSA Level 3

Should I use GitHub Actions or Cloud Build?

Use Actions for GitHub-native, multi-cloud workflows; use Cloud Build for GCP-only with fine-grained control. Actions gives you a generous 2000 min/month free tier, and using both together is also common.

Is Workload Identity Federation required?

Storing Service Account keys in a repository is strictly forbidden. WIF enables secure GitHub Actions ↔ GCP authentication, and it only needs to be set up once.

Which GCP resources are supported?

google-github-actions/setup-gcloud gives you gcloud, kubectl, helm, terraform, and other major tools. Cloud Run, GKE, GAE, Cloud Functions, and BigQuery are all supported.

How do I access VPC resources from a Self-hosted Runner?

Place a GitHub Self-hosted Runner on a GCE VM inside the VPC and you can reach Private DBs and IAP-protected resources. Larger Runners + Private Networking (GA since 2024) is another option.

What is a Reusable Workflow?

Workflows triggered via <code>workflow_call</code> can be reused from other repositories, letting you share standard pipelines across the organization.

What is the OIDC token expiry?

Typically 1 hour. For long-running jobs, extend with <code>refresh_token: true</code> or re-authenticate periodically.

How should I manage Secrets?

Use GitHub Secrets (Actions Secrets), Environment Secrets (per environment), and Organization Secrets (shared across the org). The standard pattern is to combine them with Google Secret Manager and fetch values inside the pipeline.

How do I combine with ArgoCD / Cloud Deploy?

The common split is Actions for build + test, and ArgoCD / Cloud Deploy for deployment management. Pick ArgoCD for GitOps and Cloud Deploy for Canary management.

Related Articles / CI/CD

Terraform on GCP 完全ガイド|IaC・Provider・Workload Identity・GitHub Actions (2026)

Google Cloud で Terraform を使う IaC 完全ガイド。Google Cloud Provider / Beta、State 管理 (gcs バックエンド)、Workload Identity Federation、Module 設計、GitHub Actions CI、Infracost、Config Connector を 2026 年最新版で網羅。

GCP Professional Cloud Developer (PCD) 完全ガイド|Cloud Run・GKE・CI/CD・APM

Google Cloud Professional Cloud Developer の試験範囲、Cloud Run / GKE / Cloud Build / Cloud Trace、AWS DVA / Azure AZ-204 比較、学習ロードマップを徹底解説。

Cloud Build 完全ガイド|CI/CD・cloudbuild.yaml・Private Pool・GitHub 連携 (GCP)

Google Cloud Cloud Build の全機能解説。cloudbuild.yaml、トリガー設定、Private Pool、Workload Identity、Build Approvals、Cloud Deploy 連携、AWS CodeBuild / Azure DevOps 比較を網羅。

GCP Professional Cloud DevOps Engineer (PCDOE) 完全ガイド|SRE・GKE・CI/CD・SLO

Google Cloud Professional Cloud DevOps Engineer の試験範囲、SRE / SLI / SLO / Error Budget、GKE / Cloud Build / Cloud Deploy、AWS DOP・Azure AZ-400 比較を徹底解説。

Note: Google Cloud is a trademark of Google LLC and GitHub is a registered trademark of GitHub, Inc. For the latest details, see the google-github-actions official repository.

Check what you learned with practice questions

Practice with certification-focused question sets

View GCP Exam Prep Page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Google Cloud

Google Cloud Certification Roadmap (2026)

Choose your GCP certification path — Foundational, Associate...

Google Cloud

CDL Cloud Digital Leader: Complete Exam Guide (2026)

Pass the Cloud Digital Leader exam — cloud business value, G...

Google Cloud

GAIL Generative AI Leader: Complete Exam Guide (2026)

Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...

Google Cloud

Vertex AI Fundamentals for GCP Certs (2026)

Vertex AI basics every cert candidate needs — Workbench, Pip...

Google Cloud

Associate Cloud Engineer (ACE): Complete Guide (2026)

Pass the Associate Cloud Engineer exam — Console, gcloud, pr...

Browse all Google Cloud articles (103)
© 2026 NicheeLab All rights reserved.