From fed2a5b85e03c994f53acbc6cb44e0d4a05608d0 Mon Sep 17 00:00:00 2001
From: Preston Cabe
Date: Thu, 26 Feb 2026 18:26:40 -0500
Subject: [PATCH 1/3] Automate library sync when new version is pushed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

git push origin library-api-vX.X.X
  ↓
deploy
  — builds library-api, pushes Docker image, deploys to Cloud Run
  — waits until new revision is healthy
  ↓
sync-metadata
  — calls load-library-metadata.yml (workflow_call)
  ├─ sync — fetches OpenAPI spec, uploads check metadata to Firebase Storage/Firestore
  └─ restart — redeploys builder-api:latest to Cloud Run (no rebuild, ~30-60s)
       — new revision starts, @PostConstruct reads updated metadata

Manual trigger (workflow_dispatch) also runs both sync + restart automatically.
---
 .github/workflows/deploy-library-api.yml    |  5 ++++
 .github/workflows/load-library-metadata.yml | 26 +++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/.github/workflows/deploy-library-api.yml b/.github/workflows/deploy-library-api.yml
index 5f88b8f7..ec391169 100644
--- a/.github/workflows/deploy-library-api.yml
+++ b/.github/workflows/deploy-library-api.yml
@@ -122,3 +122,8 @@ jobs:
           echo "Service URL: ${{ steps.deploy.outputs.url }}"
           echo "Version: v${{ steps.extract_version.outputs.version }}"
           echo "Revision: ${{ env.API_NAME }}-v${{ steps.extract_version.outputs.revision_version }}"
+
+  sync-metadata:
+    needs: deploy
+    uses: ./.github/workflows/load-library-metadata.yml
+    secrets: inherit
diff --git a/.github/workflows/load-library-metadata.yml b/.github/workflows/load-library-metadata.yml
index 6df235e4..244d911d 100644
--- a/.github/workflows/load-library-metadata.yml
+++ b/.github/workflows/load-library-metadata.yml
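Review bot: `secrets: inherit` on the new `sync-metadata` job forwards every secret the caller can see into the reusable workflow, while the visible hunks of load-library-metadata.yml (below) read only `secrets.GCP_SERVICE_ACCOUNT_KEY`. Passing that one secret explicitly keeps the exposure to what the callee needs and makes the dependency visible from the caller: `secrets:` / `  GCP_SERVICE_ACCOUNT_KEY: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}`, paired with a `secrets:` declaration marked `required: true` under the callee's new `workflow_call:` trigger. The `deploy` job this hunk appends to starts outside the hunk, so whether it already scopes its own token permissions cannot be seen here.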
@@ -2,10 +2,20 @@ name: Load Library API Metadata
 
 on:
   workflow_dispatch:
+  workflow_call:
+
+env:
+  PROJECT_ID: benefit-decision-toolkit-play
+  REGION: us-central1
+  SERVICE: benefit-decision-toolkit-play
+  WORKLOAD_IDENTITY_PROVIDER: projects/1034049717668/locations/global/workloadIdentityPools/github-actions-google-cloud/providers/github
 
 jobs:
   run-script:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - name: Checkout repo
@@ -30,3 +40,19 @@ jobs:
 
       - name: Cleanup credentials
         run: rm bin/library/gcp-key.json
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: cicd-build-deploy-api@${{ env.PROJECT_ID }}.iam.gserviceaccount.com
+          project_id: ${{ env.PROJECT_ID }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Restart builder-api with updated library metadata
+        run: |
+          gcloud run deploy builder-api \
+            --image us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}/builder-api:latest \
+            --region ${{ env.REGION }}

From 79a02405be44d47a443e2f687c3c1acd14396b34 Mon Sep 17 00:00:00 2001
From: Preston Cabe
Date: Wed, 4 Mar 2026 15:36:45 -0500
Subject: [PATCH 2/3] Add notes to clarify separate GCP steps for syncing library metadata
---
 .github/workflows/load-library-metadata.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/load-library-metadata.yml b/.github/workflows/load-library-metadata.yml
index 244d911d..2ea3e00f 100644
--- a/.github/workflows/load-library-metadata.yml
+++ b/.github/workflows/load-library-metadata.yml
@@ -26,7 +26,8 @@ jobs:
         with:
           python-version: "3.11"
 
-      - name: Create GCP credentials file
+      # use a specific service account for sync script
+      - name: Create GCP credentials file (for sync script)
         run: |
           echo '${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}' > bin/library/gcp-key.json
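Review bot: The `id-token: write` added to `run-script` near the end of the first hunk only takes effect if the caller grants it as well: a workflow invoked through the new `workflow_call:` trigger cannot hold more token permissions than the calling job, and the `sync-metadata` job in the deploy-library-api.yml hunk declares no `permissions:` block. If that workflow's default token is read-only, the OIDC exchange in the later auth step will fail, and only at run time. Suggest mirroring the grant on the caller job, `permissions:` / `  contents: read` / `  id-token: write`, so both halves of the trust chain are visible in one place. Whether the caller's workflow-level default already covers this cannot be seen from the hunk.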
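Review bot: `google-github-actions/auth@v2` and `google-github-actions/setup-gcloud@v2` in the second hunk are pinned to a mutable major tag, and these are the steps that mint and hold the cloud credential; pinning to a full-length commit SHA with the version in a trailing comment (`uses: google-github-actions/auth@<full-commit-sha>  # v2.x`) keeps a moved tag from changing the code that handles the token. The identity used, `cicd-build-deploy-api`, is named for build-and-deploy work, while this step only needs to create a new revision of `builder-api`; its actual role bindings are not visible here, but if they are broader than that, a dedicated service account scoped to this one service would be the least-privilege choice. A one-line comment on the auth step naming the role the restart needs would make that reviewable next time.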
@@ -41,7 +42,8 @@ jobs:
       - name: Cleanup credentials
         run: rm bin/library/gcp-key.json
 
-      - name: Authenticate to Google Cloud
+      # Use a different service account with permissions to restart builder-api
+      - name: Authenticate to Google Cloud (for restarting builder-api)
         uses: google-github-actions/auth@v2
         with:
           workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_PROVIDER }}

From 35d5e962089aab18072c4d2a3adb728e8aec6d27 Mon Sep 17 00:00:00 2001
From: Preston Cabe
Date: Wed, 4 Mar 2026 16:01:21 -0500
Subject: [PATCH 3/3] Refactor how builder-api is restarted upon library sync

- redeploys the same image instead of relying on `:latest`
- adds a timestamp so we know that the sync happened and when
---
 .github/workflows/load-library-metadata.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/load-library-metadata.yml b/.github/workflows/load-library-metadata.yml
index 2ea3e00f..bf2f6071 100644
--- a/.github/workflows/load-library-metadata.yml
+++ b/.github/workflows/load-library-metadata.yml
@@ -7,7 +7,6 @@ on:
 env:
   PROJECT_ID: benefit-decision-toolkit-play
   REGION: us-central1
-  SERVICE: benefit-decision-toolkit-play
   WORKLOAD_IDENTITY_PROVIDER: projects/1034049717668/locations/global/workloadIdentityPools/github-actions-google-cloud/providers/github
 
 jobs:
@@ -55,6 +54,6 @@ jobs:
 
       - name: Restart builder-api with updated library metadata
         run: |
-          gcloud run deploy builder-api \
-            --image us-central1-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}/builder-api:latest \
-            --region ${{ env.REGION }}
+          gcloud run services update builder-api \
+            --region ${{ env.REGION }} \
+            --update-env-vars LIBRARY_SYNC_TIMESTAMP=$(date -u +%Y%m%dT%H%M%SZ)
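Review bot: The new `gcloud run services update` in the last hunk depends on the `LIBRARY_SYNC_TIMESTAMP` change being what forces Cloud Run to roll a fresh revision, but nothing in the step says so, and a reader will wonder why a timestamp is being written into service config. Suggest a comment above the command: `# Bumping this env var is the config change that makes Cloud Run start a new revision of the currently deployed image; the restart is what reloads the synced metadata`. The command also names no `--project`; if the auth step's `project_id` does not reach gcloud's active configuration on this runner, the update targets whatever project is default, so `--project ${{ env.PROJECT_ID }}` would make the target explicit. The `run-script` job this step belongs to starts well outside the hunk.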