petitviolet blog

    Fix GCP Deployment from GitHub Action

    2020-11-23

    GoogleAppEngine, GitHub Actions

    Previously, I posted about how to deploy this blog via GitHub Actions to Google AppEngine.

    However, because of recent updates, the deployment started failing. This post describes how to update the GitHub Actions configuration to fix these issues.

    Update GCP image

    First, update the GCP image to fix the following errors.

    The add-path command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
    The set-env command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

    GoogleCloudPlatform/github-actions has been updated, and its newer version fixes the above issues. The following diff is what I changed to apply the update.

         - name: setup gcloud environment
    -      uses: GoogleCloudPlatform/github-actions@0.1.2
    +      uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
           with:
    -        version: '281.0.0'
    +        version: '290.0.1'
             service_account_email: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
             service_account_key: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
    +        export_default_credentials: true
    

    Update ServiceAccount roles

    Second, the gcloud app deploy command failed with the following PERMISSION_DENIED error.

    ERROR: (gcloud.app.deploy) PERMISSION_DENIED: You do not have permission to act as '<id>@appspot.gserviceaccount.com'
    '@type': type.googleapis.com/google.rpc.ResourceInfo
    description: You do not have permission to act as this service account.
    resourceName: <id>@appspot.gserviceaccount.com
    resourceType: serviceAccount
    

    With the setup I described in the previous post (deploy-blog-via-github-actions), the deployment worked as expected. However, it seems the newer image requires an additional role on the ServiceAccount.

    The ServiceAccount has to have the Service Account User role in addition to the roles described in the previous post.

    service account user
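
The Service Account User role can be granted on just the App Engine default service account named in the error, rather than on the whole project. The script below is an added example, not part of the original post; the function names and the three arguments (target service account, deployer service account, project ID) are assumptions you replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original post). All argument values are
# placeholders you supply:
#   $1 target   - the <id>@appspot.gserviceaccount.com account from the error
#   $2 deployer - the service account whose key is stored in GitHub secrets
#   $3 project  - the GCP project ID

ROLE="roles/iam.serviceAccountUser"   # shown as "Service Account User" in the console

# Grant the role on the target service account only, not on the project, so
# the deployer can act as this one account and no other.
grant_act_as() {
  gcloud iam service-accounts add-iam-policy-binding "$1" \
    --project "$3" \
    --member "serviceAccount:$2" \
    --role "$ROLE"
}

# Return 0 if the deployer is bound to the role on the target account.
can_act_as() {
  gcloud iam service-accounts get-iam-policy "$1" \
    --project "$3" \
    --flatten "bindings[].members" \
    --filter "bindings.role=$ROLE" \
    --format "value(bindings.members)" |
    grep -qxF "serviceAccount:$2"
}

# Run as: sh grant.sh TARGET_SA DEPLOYER_SA PROJECT_ID
if [ "$#" -eq 3 ]; then
  grant_act_as "$@" && can_act_as "$@" && echo "ok: $2 can act as $1"
fi
```
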

    Now, all the problems have been fixed!