- Status: approved
- Last Updated: 2021-05
- Objective: Determine the platform for ops automation.
We need an environment for continuous delivery and for other Cloud resource management tasks.
- Needs IAM privileges to access Cloud resources
- Needs to support PR checks and nightly builds
- Has two critical roles:
  - Automated testing for project maintenance
  - Including CI/CD in complex demos
- Option 1: Cloud Build
- Option 2: GitHub Actions
- Option 3: Internal Google CI tooling
Chosen option: [Option 1: Cloud Build]
Cloud Build has the least overhead and the lowest security risk for gaining IAM access to other Google Cloud resources, since there is no need to export service account keys.
It offers GitHub integration, PR checks, and nightly builds.
It is a product that external contributors can use.
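As an added illustration of the key-free IAM access this decision relies on (not a build config from this project), the following cloudbuild.yaml runs a PR check under a dedicated, least-privilege build service account; the project id, service-account name and test script are assumed placeholders.

```yaml
# Added example: PR-check build that authenticates as a dedicated build
# service account. No key file is committed or exported; the gcloud image
# picks up credentials from the build's ambient identity.
steps:
  - name: gcr.io/cloud-builders/gcloud
    id: run-tests
    entrypoint: bash
    args:
      - -c
      - |
        # Assumed: the repository's test entry point.
        ./scripts/run_tests.sh
  - name: gcr.io/cloud-builders/gcloud
    id: show-build-identity
    entrypoint: bash
    args:
      - -c
      - |
        # Shows that steps act as the build service account, not as a
        # user or an exported key; useful when auditing what a build can reach.
        gcloud auth list --filter=status:ACTIVE --format='value(account)'

# Run as a dedicated account granted only the roles the builds need,
# rather than the default Cloud Build service account.
# PROJECT_ID and ci-builder are placeholders.
serviceAccount: projects/PROJECT_ID/serviceAccounts/ci-builder@PROJECT_ID.iam.gserviceaccount.com
options:
  # Required when a user-specified service account is set.
  logging: CLOUD_LOGGING_ONLY
timeout: 1200s
```

A GitHub trigger on this file provides the PR check; the nightly build is the same config invoked by a scheduled trigger.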
- Cloud Build's integration with GitHub means untrusted contributors cannot view build logs.
- Cloud Build's identity implementation does not allow easy invocation of Cloud Run services or HTTP Cloud Functions that require authentication.
- The Cloud Build UI assumes workload operations are self-contained in a single build, so our plans to orchestrate some operations across multiple builds will face extra visibility challenges.