GitHub Actions ↔ GCP integration has standardized on keyless authentication via Workload Identity Federation (WIF). This article walks through implementation examples from WIF setup to Cloud Run / GKE / BigQuery deploys, Reusable Workflows, and Cloud Build integration.
# 1. Workload Identity Pool 作成 gcloud iam workload-identity-pools create github \ --location=global --display-name="GitHub Actions" # 2. OIDC Provider 設定 gcloud iam workload-identity-pools providers create-oidc github-provider \ --location=global --workload-identity-pool=github \ --issuer-uri="https://token.actions.githubusercontent.com" \ --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \ --attribute-condition="assertion.repository_owner == 'YOUR_ORG'" # 3. Service Account 作成 gcloud iam service-accounts create github-actions \ --display-name="GitHub Actions SA" # 4. SA に必要な Role 付与 gcloud projects add-iam-policy-binding PROJECT \ --member="serviceAccount:[email protected]" \ --role="roles/run.admin" # 5. WIF Pool ↔ SA 紐づけ gcloud iam service-accounts add-iam-policy-binding \ [email protected] \ --role=roles/iam.workloadIdentityUser \ --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/attribute.repository/YOUR_ORG/YOUR_REPO"
# .github/workflows/deploy.yml
name: Deploy to Cloud Run
on:
push:
branches: [main]
permissions:
contents: read
id-token: write # WIF に必須
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/github/providers/github-provider
service_account: [email protected]
- uses: google-github-actions/setup-gcloud@v2
- name: Configure Docker
run: gcloud auth configure-docker asia-northeast1-docker.pkg.dev
- name: Build & Push
run: |
IMAGE=asia-northeast1-docker.pkg.dev/PROJECT/repo/app:${{ github.sha }}
docker build -t $IMAGE .
docker push $IMAGE
- name: Deploy
run: |
gcloud run deploy my-app \
--image=asia-northeast1-docker.pkg.dev/PROJECT/repo/app:${{ github.sha }} \
--region=asia-northeast1 \
--allow-unauthenticated- uses: google-github-actions/get-gke-credentials@v2
with:
cluster_name: my-cluster
location: asia-northeast1
- name: Helm Deploy
run: |
helm upgrade --install my-app ./chart \
--set image.tag=${{ github.sha }} \
--namespace=production# .github/workflows/reusable-deploy.yml
on:
workflow_call:
inputs:
service: { required: true, type: string }
region: { default: 'asia-northeast1', type: string }
image_tag: { required: true, type: string }
permissions: { id-token: write, contents: read }
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: ...
service_account: ...
- run: gcloud run deploy ${{ inputs.service }} --image=... --region=${{ inputs.region }}
# 利用側
jobs:
deploy-api:
uses: ./.github/workflows/reusable-deploy.yml
with:
service: api
image_tag: ${{ github.sha }}- id: secrets
uses: google-github-actions/get-secretmanager-secrets@v2
with:
secrets: |
DB_PASSWORD:PROJECT/db-password
API_KEY:PROJECT/api-key
- run: ./deploy.sh
env:
DB_PASSWORD: ${{ steps.secrets.outputs.DB_PASSWORD }}
API_KEY: ${{ steps.secrets.outputs.API_KEY }}- name: Trigger Cloud Build
run: |
gcloud builds submit --config=cloudbuild.yaml \
--substitutions=_BRANCH=${{ github.ref_name }},_SHA=${{ github.sha }}Should I use GitHub Actions or Cloud Build?
Use Actions for GitHub-native, multi-cloud workflows; use Cloud Build for GCP-only with fine-grained control. Actions gives you a generous 2000 min/month free tier, and using both together is also common.
Is Workload Identity Federation required?
Storing Service Account keys in a repository is strictly forbidden. WIF enables secure GitHub Actions ↔ GCP authentication, and it only needs to be set up once.
Which GCP resources are supported?
google-github-actions/setup-gcloud gives you gcloud, kubectl, helm, terraform, and other major tools. Cloud Run, GKE, GAE, Cloud Functions, and BigQuery are all supported.
How do I access VPC resources from a Self-hosted Runner?
Place a GitHub Self-hosted Runner on a GCE VM inside the VPC and you can reach Private DBs and IAP-protected resources. Larger Runners + Private Networking (GA since 2024) is another option.
What is a Reusable Workflow?
Workflows triggered via <code>workflow_call</code> can be reused from other repositories, letting you share standard pipelines across the organization.
What is the OIDC token expiry?
Typically 1 hour. For long-running jobs, extend with <code>refresh_token: true</code> or re-authenticate periodically.
How should I manage Secrets?
Use GitHub Secrets (Actions Secrets), Environment Secrets (per environment), and Organization Secrets (shared across the org). The standard pattern is to combine them with Google Secret Manager and fetch values inside the pipeline.
How do I combine with ArgoCD / Cloud Deploy?
The common split is Actions for build + test, and ArgoCD / Cloud Deploy for deployment management. Pick ArgoCD for GitOps and Cloud Deploy for Canary management.
Related Articles / CI/CD
Terraform on GCP 完全ガイド|IaC・Provider・Workload Identity・GitHub Actions (2026)
Google Cloud で Terraform を使う IaC 完全ガイド。Google Cloud Provider / Beta、State 管理 (gcs バックエンド)、Workload Identity Federation、Module 設計、GitHub Actions CI、Infracost、Config Connector を 2026 年最新版で網羅。
GCP Professional Cloud Developer (PCD) 完全ガイド|Cloud Run・GKE・CI/CD・APM
Google Cloud Professional Cloud Developer の試験範囲、Cloud Run / GKE / Cloud Build / Cloud Trace、AWS DVA / Azure AZ-204 比較、学習ロードマップを徹底解説。
Cloud Build 完全ガイド|CI/CD・cloudbuild.yaml・Private Pool・GitHub 連携 (GCP)
Google Cloud Cloud Build の全機能解説。cloudbuild.yaml、トリガー設定、Private Pool、Workload Identity、Build Approvals、Cloud Deploy 連携、AWS CodeBuild / Azure DevOps 比較を網羅。
GCP Professional Cloud DevOps Engineer (PCDOE) 完全ガイド|SRE・GKE・CI/CD・SLO
Google Cloud Professional Cloud DevOps Engineer の試験範囲、SRE / SLI / SLO / Error Budget、GKE / Cloud Build / Cloud Deploy、AWS DOP・Azure AZ-400 比較を徹底解説。
Note: Google Cloud is a trademark of Google LLC and GitHub is a registered trademark of GitHub, Inc. For the latest details, see the google-github-actions official repository.
Practice with certification-focused question sets
View GCP Exam Prep PageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Google Cloud Certification Roadmap (2026)
Choose your GCP certification path — Foundational, Associate...
CDL Cloud Digital Leader: Complete Exam Guide (2026)
Pass the Cloud Digital Leader exam — cloud business value, G...
GAIL Generative AI Leader: Complete Exam Guide (2026)
Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...
Vertex AI Fundamentals for GCP Certs (2026)
Vertex AI basics every cert candidate needs — Workbench, Pip...
Associate Cloud Engineer (ACE): Complete Guide (2026)
Pass the Associate Cloud Engineer exam — Console, gcloud, pr...