
Add Cloud Run deployment workflow with sidecar support#10

Merged
MrOrz merged 10 commits into master from feat/cloud-run-deployment-3681228675650959013 on Mar 3, 2026

Conversation

@MrOrz
Member

@MrOrz MrOrz commented Feb 26, 2026

  • Created service.template.yaml for multi-container Cloud Run service (Node.js ingress + Python ADK sidecar).
  • Added .github/workflows/deploy.yml for CI/CD:
    • Deploys to cofacts-ai service on push to master (100% traffic).
    • Deploys preview revisions on PRs (0% traffic, tagged pr-<number>).
    • Creates GitHub Deployments for PR previews with the generated URL.
  • Added .github/workflows/preview-cleanup.yml to remove PR traffic tags and deactivate deployments on PR close.
  • Configured Workload Identity Federation and Artifact Registry integration.

PR created automatically by Jules for task 3681228675650959013 started by @MrOrz

Co-authored-by: MrOrz <108608+MrOrz@users.noreply.github.com>
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@github-actions github-actions Bot temporarily deployed to pr-10 February 26, 2026 04:31 Destroyed
@gemini-code-assist

Summary of Changes

Hello @MrOrz, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes a robust CI/CD pipeline for deploying a multi-container application to Google Cloud Run. It introduces a templated service definition for a Node.js frontend and a Python backend sidecar, alongside GitHub Actions workflows for automated deployments to production and ephemeral preview environments for pull requests. This significantly streamlines the deployment process and improves developer experience by providing automated previews and cleanup.

Highlights

  • Multi-container Cloud Run Service Definition: A new service.template.yaml file has been added to define a multi-container Cloud Run service, featuring a Node.js ingress and a Python ADK sidecar, along with configuration for autoscaling and container dependencies.
  • CI/CD Workflow for Deployment: A GitHub Actions workflow (deploy.yml) has been introduced to automate deployments. It deploys to the cofacts-ai service on master branch pushes with 100% traffic and creates preview revisions for pull requests with 0% traffic, generating GitHub Deployments with preview URLs.
  • Preview Environment Cleanup: A new workflow (preview-cleanup.yml) has been added to automatically remove PR traffic tags and deactivate GitHub Deployments when a pull request is closed, ensuring cleanup of temporary preview environments.
  • Cloud Platform Integration: The setup includes configuration for Workload Identity Federation and Artifact Registry integration, enhancing security and artifact management for Cloud Run deployments.


Changelog
  • service.template.yaml
    • Added a new YAML file defining a multi-container Cloud Run service with an ingress container (Node.js) and a backend sidecar (Python ADK).
    • Configured container dependencies, environment variables for both containers, and a startup probe for the backend.
    • Included annotations for execution environment, autoscaling, and a placeholder for traffic management.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/deploy.yml
    • .github/workflows/preview-cleanup.yml
Activity
  • The pull request was automatically created by Jules for task 3681228675650959013, initiated by @MrOrz.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a Cloud Run deployment workflow with a multi-container service definition, which is a great step towards automating deployments. The service.template.yaml is well-structured for a sidecar pattern. My review includes suggestions to enhance the service's reliability and configurability by adding resource limits, liveness probes, and making autoscaling settings more flexible for different environments.

Comment thread service.template.yaml

        image: ${BACKEND_IMAGE}
        env:
        - name: PORT
          value: "8000"


medium

Consider adding resource limits for the backend container. This helps manage costs and ensures it has enough resources to run effectively, which is especially important for the Python ADK sidecar.

          value: "8000"
        resources:
          limits:
            cpu: "1"
            memory: "1Gi"

Comment thread service.template.yaml
Comment on lines +38 to +40
        startupProbe:
          tcpSocket:
            port: 8000


medium

While the startupProbe is great for ensuring the container starts correctly, consider adding a livenessProbe as well. A liveness probe helps Cloud Run detect if your container has become unresponsive (e.g., due to a deadlock) and needs to be restarted, improving the service's reliability.

        startupProbe:
          tcpSocket:
            port: 8000
        livenessProbe:
          tcpSocket:
            port: 8000
          initialDelaySeconds: 15
          periodSeconds: 30

Co-authored-by: MrOrz <108608+MrOrz@users.noreply.github.com>
@github-actions github-actions Bot temporarily deployed to pr-10 February 26, 2026 04:33 Destroyed
Co-authored-by: MrOrz <108608+MrOrz@users.noreply.github.com>
@github-actions github-actions Bot temporarily deployed to pr-10 February 26, 2026 04:35 Destroyed
Co-authored-by: MrOrz <108608+MrOrz@users.noreply.github.com>
@github-actions github-actions Bot temporarily deployed to pr-10 February 26, 2026 04:37 Destroyed
@github-actions github-actions Bot temporarily deployed to pr-10 February 28, 2026 19:32 Destroyed
@github-actions github-actions Bot temporarily deployed to pr-10 February 28, 2026 20:36 Destroyed
@github-actions github-actions Bot temporarily deployed to pr-10 February 28, 2026 20:44 Destroyed
@MrOrz
Member Author

MrOrz commented Feb 28, 2026

@jules encountered this timeout issue. Is it because our port is hard coded?

STARTUP TCP probe failed 3 times consecutively for container "backend" on port 8000. The instance was not started.
Connection failed with status DEADLINE_EXCEEDED.

@google-labs-jules
Contributor

@jules encountered this timeout issue. Is it because our port is hard coded?

STARTUP TCP probe failed 3 times consecutively for container "backend" on port 8000. The instance was not started.
Connection failed with status DEADLINE_EXCEEDED.

No, hardcoding the port (8000) for the sidecar container is correct. Sidecars in Cloud Run run on localhost and need an agreed-upon port to communicate with the main ingress container.

The timeout issue is likely because the backend application crashed on startup due to missing environment variables (which I had previously commented out), causing the tcpSocket probe on port 8000 to never succeed. It's also possible the Python app takes slightly longer than the default probe timeout to initialize.

I have just pushed an update to service.template.yaml to:

  1. Uncomment the GOOGLE_API_KEY and inject the LANGFUSE_* keys from Secret Manager.
  2. Configure the startupProbe with explicit timeouts (initialDelaySeconds: 10, failureThreshold: 6) to give the backend up to 60 seconds to fully start.

This should resolve the DEADLINE_EXCEEDED error.

Co-authored-by: MrOrz <108608+MrOrz@users.noreply.github.com>
@github-actions github-actions Bot temporarily deployed to pr-10 February 28, 2026 21:03 Destroyed
@MrOrz
Member Author

MrOrz commented Feb 28, 2026

@jules now I am faced with this when running the action:

Ready condition status changed to False for Revision cofacts-ai-00002-hhz with message: spec.template.spec.containers[1].env[1].value_from.secret_key_ref.name: Permission denied on secret: projects/236494820908/secrets/GOOGLE_API_KEY/versions/latest for Revision service account 236494820908-compute@developer.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.\nspec.template.spec.containers[1].env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/236494820908/secrets/LANGFUSE_PUBLIC_KEY/versions/latest for Revision service account 236494820908-compute@developer.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.\nspec.template.spec.containers[1].env[3].value_from.secret_key_ref.name: Permission denied on secret: projects/236494820908/secrets/LANGFUSE_SECRET_KEY/versions/latest for Revision service account 236494820908-compute@developer.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level."

I want to specify the env vars using GitHub repository secrets and specify it on cloudrun deploy.

@google-labs-jules
Contributor

@jules now I am faced with this when running the action:

Ready condition status changed to False for Revision cofacts-ai-00002-hhz with message: spec.template.spec.containers[1].env[1].value_from.secret_key_ref.name: Permission denied on secret: projects/236494820908/secrets/GOOGLE_API_KEY/versions/latest for Revision service account 236494820908-compute@developer.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.\nspec.template.spec.containers[1].env[2].value_from.secret_key_ref.name: Permission denied on secret: projects/236494820908/secrets/LANGFUSE_PUBLIC_KEY/versions/latest for Revision service account 236494820908-compute@developer.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level.\nspec.template.spec.containers[1].env[3].value_from.secret_key_ref.name: Permission denied on secret: projects/236494820908/secrets/LANGFUSE_SECRET_KEY/versions/latest for Revision service account 236494820908-compute@developer.gserviceaccount.com. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level."

I want to specify the env vars using GitHub repository secrets and specify it on cloudrun deploy.

Understood. The previous setup relied on Google Secret Manager for these variables, which requires granting the Secret Manager Secret Accessor role to the Cloud Run service account.

Since you want to use GitHub repository secrets directly at deployment time instead, I've updated the service.template.yaml to expect plain string interpolation and configured deploy.yml to securely pass ${{ secrets.GOOGLE_API_KEY }}, ${{ secrets.LANGFUSE_PUBLIC_KEY }}, and ${{ secrets.LANGFUSE_SECRET_KEY }} through envsubst during the Generate Service YAML step.

This bypasses Secret Manager entirely for Cloud Run deployment while still keeping the secrets out of the codebase.
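
The substitution step described above, as an added example that is not the PR's own workflow code: the PR hands GitHub repository secrets to `envsubst` in its "Generate Service YAML" step; this Python stand-in does the same `${NAME}` replacement but fails closed, so an allow-listed secret that is unset or empty aborts the render, and any other `${...}` placeholder left in the output is reported instead of reaching Cloud Run as `value: ""`. The template fragment, the allow-list of variable names, and the sample values are constructed for the example; the real service.template.yaml may name things differently.

```python
"""Strict stand-in for the envsubst step that fills service.template.yaml.

Added example, not the cofacts PR's own code. `envsubst` without a
SHELL-FORMAT argument replaces every exported variable and silently turns
an unset one into an empty string; this version only touches an explicit
allow-list and refuses to emit a manifest with a missing secret.
"""
import os
import re

# Variables the workflow may inject (assumption: the PR mentions these three
# secrets; the image reference is added here as a plausible fourth).
ALLOWED_VARS = ("BACKEND_IMAGE", "GOOGLE_API_KEY",
                "LANGFUSE_PUBLIC_KEY", "LANGFUSE_SECRET_KEY")

# Constructed fragment in the shape of the PR's service.template.yaml.
TEMPLATE = """\
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: cofacts-ai
spec:
  template:
    spec:
      containers:
      - name: backend
        image: ${BACKEND_IMAGE}
        env:
        - name: PORT
          value: "8000"
        - name: GOOGLE_API_KEY
          value: "${GOOGLE_API_KEY}"
        - name: LANGFUSE_PUBLIC_KEY
          value: "${LANGFUSE_PUBLIC_KEY}"
        - name: LANGFUSE_SECRET_KEY
          value: "${LANGFUSE_SECRET_KEY}"
"""

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def placeholders(template):
    """Sorted names the template references, to diff against the allow-list."""
    return sorted(set(PLACEHOLDER.findall(template)))


def render(template, env, allowed=ALLOWED_VARS):
    """Replace `${NAME}` for every NAME in `allowed` with env[NAME].

    Raises KeyError if an allowed variable is unset or empty, and ValueError
    if the rendered text still contains any `${...}` placeholder (a typo in
    the template or a variable the workflow never exported).
    """
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in allowed:
            return match.group(0)          # not ours; reported below
        value = env.get(name, "")
        if value == "":
            missing.append(name)
            return match.group(0)
        return value

    rendered = PLACEHOLDER.sub(substitute, template)
    if missing:
        raise KeyError("unset or empty secrets: " + ", ".join(sorted(set(missing))))
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        raise ValueError("unresolved placeholders: " + ", ".join(leftover))
    return rendered


if __name__ == "__main__":
    # In the workflow the secrets reach the step through its `env:` block,
    # so the process environment is the natural source here.
    print(render(TEMPLATE, os.environ))
```

Values are inserted verbatim, exactly as `envsubst` does, so a secret containing a double quote or a newline would still break the YAML; keep such characters out of the secrets or quote the values with a YAML-aware serializer instead.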

Co-authored-by: MrOrz <108608+MrOrz@users.noreply.github.com>
@github-actions github-actions Bot temporarily deployed to pr-10 February 28, 2026 21:26 Destroyed
@github-actions github-actions Bot temporarily deployed to pr-10 March 2, 2026 00:40 Destroyed
Co-authored-by: Antigravity <antigravity@gemini.google.com>
@github-actions github-actions Bot temporarily deployed to pr-10 March 2, 2026 00:52 Destroyed
@MrOrz MrOrz marked this pull request as ready for review March 3, 2026 16:12
@github-actions github-actions Bot temporarily deployed to pr-10 March 3, 2026 16:14 Destroyed
The adk web command was looking inside 'cofacts-ai/cofacts-ai' for the agent, which caused the error.
Modified the adk Dockerfile to use '.' as the base directory instead of 'cofacts-ai', which ensures the agent can be loaded properly.

Co-authored-by: Antigravity <antigravity@google.com>
@github-actions github-actions Bot temporarily deployed to pr-10 March 3, 2026 18:12 Destroyed
Dynamically fetch current traffic tags from Cloud Run and merge them
into the new traffic block. This prevents `gcloud run services replace`
from inadvertently clearing out tags (preview URLs) set up by other
active pull requests when a new PR or master deployment occurs.

Co-authored-by: Antigravity <antigravity@google.com>
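
The merge described in the commit message above, as an added example that is not the project's workflow code. A `gcloud run services replace` whose `traffic:` block names only the new revision drops every other tag, which is how other open PRs lose their preview URLs. The function below takes the service's current split and returns the block for the next replace, covering both the master push (new revision promoted to 100%, all preview tags kept at 0%) and the PR preview (new revision at 0% with its `pr-<number>` tag, existing split untouched, and a re-deploy of the same PR moving the tag to the newer revision). Assumptions: the current split is read from the `status.traffic` list of `gcloud run services describe --format=json` (entries carrying revisionName, percent, an optional tag and latestRevision), and the template sets the revision name, so it is known before the replace. The sample traffic is constructed.

```python
"""Merge existing Cloud Run traffic tags into the next traffic block.

Added example, not the cofacts PR's own code. Field names follow the
`status.traffic` entries returned by `gcloud run services describe`
(assumption); revision names are placeholders.
"""

# Constructed sample: master serves 100% while two PR previews are active.
CURRENT_TRAFFIC = [
    {"revisionName": "cofacts-ai-00007-abc", "percent": 100, "latestRevision": True},
    {"revisionName": "cofacts-ai-00005-xyz", "percent": 0, "tag": "pr-8"},
    {"revisionName": "cofacts-ai-00006-def", "percent": 0, "tag": "pr-9"},
]


def merge_traffic(current, new_revision, new_tag=None, promote=False):
    """Return the traffic list for the next `gcloud run services replace`.

    promote=True  (push to master): new revision serves 100%; every tagged
                  preview is kept at 0%; untagged old revisions are dropped.
    promote=False (PR preview): new revision gets 0% plus `new_tag`, the
                  serving split is kept. A tag is unique within a service,
                  so an older revision already carrying `new_tag` loses it.
    Entries are pinned by revisionName; latestRevision is deliberately not
    copied so the resulting split is explicit.
    """
    merged = []
    for entry in current:
        item = {"revisionName": entry["revisionName"],
                "percent": 0 if promote else entry.get("percent", 0)}
        tag = entry.get("tag")
        if tag and tag != new_tag:
            item["tag"] = tag
        if item["percent"] == 0 and "tag" not in item:
            continue                      # nothing left worth pinning
        merged.append(item)
    serving = sum(e["percent"] for e in merged)
    # On a first deploy nothing serves yet, so the new revision takes 100%.
    new = {"revisionName": new_revision, "percent": 100 if promote else 100 - serving}
    if new_tag:
        new["tag"] = new_tag
    merged.append(new)
    if sum(e["percent"] for e in merged) != 100:
        raise ValueError("traffic percentages must sum to 100")
    return merged


def traffic_yaml(entries, indent="  "):
    """Render entries as the `traffic:` block of a Knative service manifest."""
    lines = ["traffic:"]
    for e in entries:
        lines.append(f"{indent}- revisionName: {e['revisionName']}")
        lines.append(f"{indent}  percent: {e['percent']}")
        if "tag" in e:
            lines.append(f"{indent}  tag: {e['tag']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(traffic_yaml(merge_traffic(CURRENT_TRAFFIC, "cofacts-ai-00008-new", new_tag="pr-10")))
    print(traffic_yaml(merge_traffic(CURRENT_TRAFFIC, "cofacts-ai-00009-rel", promote=True)))
```

In the workflow the `current` list would come from a `describe` call made immediately before generating the YAML; two deployments racing on the same service can still overwrite each other's tags, so serialize deployments with a concurrency group if that matters.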
@github-actions github-actions Bot temporarily deployed to pr-10 March 3, 2026 18:29 Destroyed
@github-actions github-actions Bot temporarily deployed to pr-10 March 3, 2026 18:34 Destroyed
Co-authored-by: Antigravity <antigravity@google.com>
@MrOrz MrOrz force-pushed the feat/cloud-run-deployment-3681228675650959013 branch from d3e74fa to ebd22ae March 3, 2026 18:41
@github-actions github-actions Bot temporarily deployed to pr-10 March 3, 2026 18:41 Destroyed
@MrOrz MrOrz merged commit f2e804b into master Mar 3, 2026
1 check passed