This project demonstrates a complete CI/CD pipeline for deploying a minimal web API to Google Cloud Run. It covers secure containerization, vulnerability scanning, artifact publishing, and automated deployment with GitHub Actions.

Live URL: https://simpleapp-1032571919249.asia-southeast2.run.app

Video Demo: https://drive.google.com/drive/u/0/folders/173cTIBonrnFePc9dsmkv-nmwTI_ItwAF

• Build and test a simple API
• Package in a secure Docker image
• Publish to Google Artifact Registry
• Deploy to Cloud Run (fully managed)
• Automate with GitHub Actions

• Hello World API – returns { "status": "ok" } in under 50 lines
• CI Pipeline – linting, unit tests, multi-stage Docker build, Trivy vulnerability scan
• CD Pipeline – deploys to Cloud Run with 100% traffic on latest revision, rollback supported
• Security – non-root image, secrets managed via GitHub/GCP Secret Manager
• Observability – Cloud Logging enabled, uptime probe added

• Google Cloud Project (free tier)
• gcloud CLI installed and authenticated
• Docker installed locally
• Terraform installed and setup locally

1. Clone the repo
2. Authenticate gcloud CLI using gcloud auth login and gcloud auth configure-docker
3. Put the GCP Service Account key inside the IAC/ directory as key.json (for running terraform)
4. Configure the environment variables (.envrc)
5. If you want to apply the infras, run terraform apply in the IaC/ directory. However, it won't be succeed if you don't build and have the image in the registry first. Instead, code your app with an entry point is server.js, and push the code to the repo, the workflow will be triggered for you.

Follow least-privilege principle:

• roles/run.admin → Deploy to Cloud Run
• roles/artifactregistry.writer → Push images
• roles/iam.serviceAccountUser → GitHub Actions SA impersonation

-> These are all defined in IaC/service_account.tf

• Artifact Registry: Free up to 0.5 GB stored & 0.5 GB egress/month
• Cloud Run: 2 million requests/month, 360,000 GB-s compute free
• Logging/Monitoring: Free basic tier

--> Entire project fits within GCP free tier (if usage is low)

• I choose Nodejs with express because it's more familiar
• I choose Terraform over gcloud CLI because its declarative and easy to apply/destroy
• All the service account, health check, Cloudrun container,.. are declared in IAC/ dir
• The rollback instructions and check list is in the docs/ directory