github.com/derat/nup@v0.0.0-20230418113745-15592ba7c620/build/README.md

github.com/derat/nup@v0.0.0-20230418113745-15592ba7c620/build/README.md (about)

     1  # build
     2  
     3  This directory contains [Cloud Build configuration files] for deploying the App
     4  Engine app and running tests using Google's [Cloud Build] service.
     5  
     6  [Cloud Build configuration files]: https://cloud.google.com/build/docs/build-config-file-schema
     7  [Cloud Build]: https://cloud.google.com/build
     8  
     9  ## Deploying
    10  
    11  [deploy_app.yaml](./deploy_app.yaml) and
    12  [deploy_indexes.yaml](./deploy_indexes.yaml) deploy the App Engine app and
    13  update Datastore indexes, respectively.
    14  
    15  Through a painful process of trial and error, I've found that the following
    16  steps seem to allow Cloud Build triggers in one GCP project (e.g. `my-build`
    17  with a `123@cloudbuild.gserviceaccount.com` service account) to deploy the App
    18  Engine app in a second GCP project (e.g. `my-app`):
    19  
    20  On the `my-app@appspot.gserviceaccount.com` service account page, add
    21  `123@cloudbuild.gserviceaccount.com` as a principal with the `Service Account
    22  User` role.
    23  
    24  On the `my-app` IAM page, grant the `123@cloudbuild.gserviceaccount.com`
    25  principal the following roles:
    26  
    27  *   App Engine Admin
    28  *   Cloud Build Editor
    29  *   Cloud Datastore Index Admin
    30  *   Container Registry Service Account
    31  
    32  On the `foo.appspot.com` and `staging.foo.appspot.com` Cloud Storage bucket
    33  permission pages, grant `123@cloudbuild.gserviceaccount.com` the `Storage Object
    34  Admin` role.
    35  
    36  I couldn't get [service account impersonation] to work at all.
    37  
    38  [service account impersonation]: https://cloud.google.com/iam/docs/impersonating-service-accounts
    39  
    40  ## Testing
    41  
    42  [test.yaml](./test.yaml) runs `go test ./...`.
    43  
    44  [Dockerfile](./Dockerfile) is used to build a [Docker] container image with Go,
    45  Chrome, the Google Cloud SDK, and related dependencies preinstalled for running
    46  tests. When executed in this directory, the following command uses Cloud Build
    47  to build a container and submit it to the [Container Registry].
    48  
    49  ```
    50  gcloud --project ${PROJECT_ID} builds submit \
    51    --tag gcr.io/${PROJECT_ID}/nup-test --timeout=20m
    52  ```
    53  
    54  [Docker]: https://www.docker.com/
    55  [Container Registry]: https://cloud.google.com/container-registry