Skip to content

Deploy Cloud Run

Deploy Cloud Run #285

name: Deploy Cloud Run
on:
workflow_run:
workflows: [CI]
types: [completed]
branches: [main]
workflow_dispatch:
env:
GCP_PROJECT_ID: firstradequant
GCP_PROJECT_NUMBER: "1088907247379"
GCP_WORKLOAD_IDENTITY_PROVIDER: projects/1088907247379/locations/global/workloadIdentityPools/github-actions/providers/github-main
GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT: firstrade-platform-deploy@firstradequant.iam.gserviceaccount.com
GCP_RUNTIME_SERVICE_ACCOUNT: firstrade-platform-runtime@firstradequant.iam.gserviceaccount.com
GCP_SCHEDULER_SERVICE_ACCOUNT: firstrade-platform-scheduler@firstradequant.iam.gserviceaccount.com
GCP_ARTIFACT_REGISTRY_HOSTNAME: us-central1-docker.pkg.dev
GCP_ARTIFACT_REGISTRY_REPOSITORY: cloud-run-source-deploy
concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: false
jobs:
deploy-cloud-run:
name: Deploy Cloud Run
if: >
github.event_name == 'workflow_dispatch' ||
(
github.event_name == 'workflow_run' &&
github.event.workflow_run.conclusion == 'success' &&
github.event.workflow_run.event == 'push'
)
runs-on: ubuntu-latest
timeout-minutes: 20
permissions:
actions: read
contents: read
id-token: write
env:
ENABLE_GITHUB_CLOUD_RUN_DEPLOY: ${{ vars.ENABLE_GITHUB_CLOUD_RUN_DEPLOY }}
ENABLE_GITHUB_ENV_SYNC: ${{ vars.ENABLE_GITHUB_ENV_SYNC }}
ENABLE_MAIN_PUSH_CLOUD_RUN_AUTOMATION: ${{ vars.ENABLE_MAIN_PUSH_CLOUD_RUN_AUTOMATION }}
QSL_ENABLE_CLOUD_RUN_AUTOMATION: ${{ vars.QSL_ENABLE_CLOUD_RUN_AUTOMATION }}
CLOUD_RUN_REGION: ${{ vars.CLOUD_RUN_REGION }}
CLOUD_RUN_SERVICE: ${{ vars.CLOUD_RUN_SERVICE }}
CLOUD_SCHEDULER_LOCATION: ${{ vars.CLOUD_SCHEDULER_LOCATION }}
CLOUD_SCHEDULER_MAIN_TIME: ${{ vars.CLOUD_SCHEDULER_MAIN_TIME }}
CLOUD_SCHEDULER_PROBE_TIME: ${{ vars.CLOUD_SCHEDULER_PROBE_TIME }}
CLOUD_SCHEDULER_PRECHECK_TIME: ${{ vars.CLOUD_SCHEDULER_PRECHECK_TIME }}
TELEGRAM_TOKEN_SECRET_NAME: ${{ vars.TELEGRAM_TOKEN_SECRET_NAME }}
FIRSTRADE_USERNAME_SECRET_NAME: ${{ vars.FIRSTRADE_USERNAME_SECRET_NAME }}
FIRSTRADE_PASSWORD_SECRET_NAME: ${{ vars.FIRSTRADE_PASSWORD_SECRET_NAME }}
FIRSTRADE_MFA_SECRET_SECRET_NAME: ${{ vars.FIRSTRADE_MFA_SECRET_SECRET_NAME }}
FIRSTRADE_PIN_SECRET_NAME: ${{ vars.FIRSTRADE_PIN_SECRET_NAME }}
FIRSTRADE_MFA_EMAIL_SECRET_NAME: ${{ vars.FIRSTRADE_MFA_EMAIL_SECRET_NAME }}
FIRSTRADE_MFA_PHONE_SECRET_NAME: ${{ vars.FIRSTRADE_MFA_PHONE_SECRET_NAME }}
FIRSTRADE_MFA_CODE_SECRET_NAME: ${{ vars.FIRSTRADE_MFA_CODE_SECRET_NAME }}
RUNTIME_TARGET_JSON: ${{ vars.RUNTIME_TARGET_JSON }}
ACCOUNT_PREFIX: ${{ vars.ACCOUNT_PREFIX }}
ACCOUNT_REGION: ${{ vars.ACCOUNT_REGION }}
FIRSTRADE_ACCOUNT: ${{ vars.FIRSTRADE_ACCOUNT }}
FIRSTRADE_COOKIE_DIR: ${{ vars.FIRSTRADE_COOKIE_DIR }}
FIRSTRADE_DRY_RUN_ONLY: ${{ vars.FIRSTRADE_DRY_RUN_ONLY }}
FIRSTRADE_REUSE_SESSION: ${{ vars.FIRSTRADE_REUSE_SESSION }}
FIRSTRADE_SESSION_CACHE_TTL_SECONDS: ${{ vars.FIRSTRADE_SESSION_CACHE_TTL_SECONDS }}
FIRSTRADE_ENABLE_LIVE_TRADING: ${{ vars.FIRSTRADE_ENABLE_LIVE_TRADING }}
FIRSTRADE_RUN_SMOKE_ON_HTTP: ${{ vars.FIRSTRADE_RUN_SMOKE_ON_HTTP }}
FIRSTRADE_RUN_STRATEGY_ON_HTTP: ${{ vars.FIRSTRADE_RUN_STRATEGY_ON_HTTP }}
FIRSTRADE_LIVE_ORDER_ACK: ${{ vars.FIRSTRADE_LIVE_ORDER_ACK }}
FIRSTRADE_MAX_ORDER_NOTIONAL_USD: ${{ vars.FIRSTRADE_MAX_ORDER_NOTIONAL_USD }}
FIRSTRADE_MIN_RESERVED_CASH_USD: ${{ vars.FIRSTRADE_MIN_RESERVED_CASH_USD }}
FIRSTRADE_RESERVED_CASH_RATIO: ${{ vars.FIRSTRADE_RESERVED_CASH_RATIO }}
FIRSTRADE_SAFE_HAVEN_CASH_SUBSTITUTE_THRESHOLD_USD: ${{ vars.FIRSTRADE_SAFE_HAVEN_CASH_SUBSTITUTE_THRESHOLD_USD }}
FIRSTRADE_SMOKE_SYMBOL: ${{ vars.FIRSTRADE_SMOKE_SYMBOL }}
FIRSTRADE_FEATURE_SNAPSHOT_PATH: ${{ vars.FIRSTRADE_FEATURE_SNAPSHOT_PATH }}
FIRSTRADE_FEATURE_SNAPSHOT_MANIFEST_PATH: ${{ vars.FIRSTRADE_FEATURE_SNAPSHOT_MANIFEST_PATH }}
FIRSTRADE_FEATURE_SNAPSHOT_FALLBACK_MODE: ${{ vars.FIRSTRADE_FEATURE_SNAPSHOT_FALLBACK_MODE }}
FIRSTRADE_FEATURE_SNAPSHOT_FALLBACK_CACHE_DIR: ${{ vars.FIRSTRADE_FEATURE_SNAPSHOT_FALLBACK_CACHE_DIR }}
FIRSTRADE_FEATURE_SNAPSHOT_MAX_STALE_DAYS: ${{ vars.FIRSTRADE_FEATURE_SNAPSHOT_MAX_STALE_DAYS }}
FIRSTRADE_GCS_STATE_BUCKET: ${{ vars.FIRSTRADE_GCS_STATE_BUCKET }}
FIRSTRADE_PERSIST_ACCOUNT_SNAPSHOT: ${{ vars.FIRSTRADE_PERSIST_ACCOUNT_SNAPSHOT }}
FIRSTRADE_PERSIST_STRATEGY_RUNS: ${{ vars.FIRSTRADE_PERSIST_STRATEGY_RUNS }}
FIRSTRADE_PERSIST_SESSION_CACHE: ${{ vars.FIRSTRADE_PERSIST_SESSION_CACHE }}
FIRSTRADE_RUN_SESSION_CHECK_ON_HTTP: ${{ vars.FIRSTRADE_RUN_SESSION_CHECK_ON_HTTP }}
FIRSTRADE_SESSION_CHECK_INCLUDE_POSITIONS: ${{ vars.FIRSTRADE_SESSION_CHECK_INCLUDE_POSITIONS }}
FIRSTRADE_STATE_PREFIX: ${{ vars.FIRSTRADE_STATE_PREFIX }}
FIRSTRADE_STRATEGY_CONFIG_PATH: ${{ vars.FIRSTRADE_STRATEGY_CONFIG_PATH }}
FIRSTRADE_STRATEGY_PLUGIN_MOUNTS_JSON: ${{ vars.FIRSTRADE_STRATEGY_PLUGIN_MOUNTS_JSON }}
FIRSTRADE_MARKET_SIGNAL_HANDOFF_INDEX_URI: ${{ vars.FIRSTRADE_MARKET_SIGNAL_HANDOFF_INDEX_URI }}
FIRSTRADE_MARKET_SIGNAL_HANDOFF_MANIFEST_URI: ${{ vars.FIRSTRADE_MARKET_SIGNAL_HANDOFF_MANIFEST_URI }}
FIRSTRADE_MARKET_SIGNAL_CONSUMPTION_AUDIT_URI: ${{ vars.FIRSTRADE_MARKET_SIGNAL_CONSUMPTION_AUDIT_URI }}
FIRSTRADE_MARKET_SIGNAL_CACHE_DIR: ${{ vars.FIRSTRADE_MARKET_SIGNAL_CACHE_DIR }}
FIRSTRADE_MARKET_SIGNAL_REQUIRED: ${{ vars.FIRSTRADE_MARKET_SIGNAL_REQUIRED }}
FIRSTRADE_MARKET_SIGNAL_FALLBACK_MODE: ${{ vars.FIRSTRADE_MARKET_SIGNAL_FALLBACK_MODE }}
FIRSTRADE_MARKET_SIGNAL_MAX_STALE_DAYS: ${{ vars.FIRSTRADE_MARKET_SIGNAL_MAX_STALE_DAYS }}
STRATEGY_PLUGIN_ALERT_CHANNELS: ${{ vars.STRATEGY_PLUGIN_ALERT_CHANNELS }}
STRATEGY_PLUGIN_ALERT_EMAIL_RECIPIENTS: ${{ vars.STRATEGY_PLUGIN_ALERT_EMAIL_RECIPIENTS }}
STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_EMAIL: ${{ vars.STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_EMAIL }}
STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_PASSWORD_SECRET_NAME: ${{ vars.STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_PASSWORD_SECRET_NAME }}
STRATEGY_PLUGIN_ALERT_EMAIL_SMTP_HOST: ${{ vars.STRATEGY_PLUGIN_ALERT_EMAIL_SMTP_HOST }}
STRATEGY_PLUGIN_ALERT_EMAIL_SMTP_PORT: ${{ vars.STRATEGY_PLUGIN_ALERT_EMAIL_SMTP_PORT }}
STRATEGY_PLUGIN_ALERT_EMAIL_SMTP_SECURITY: ${{ vars.STRATEGY_PLUGIN_ALERT_EMAIL_SMTP_SECURITY }}
STRATEGY_PLUGIN_ALERT_SMS_RECIPIENTS: ${{ vars.STRATEGY_PLUGIN_ALERT_SMS_RECIPIENTS }}
STRATEGY_PLUGIN_ALERT_SMS_PROVIDER: ${{ vars.STRATEGY_PLUGIN_ALERT_SMS_PROVIDER }}
STRATEGY_PLUGIN_ALERT_SMS_ACCOUNT_ID: ${{ vars.STRATEGY_PLUGIN_ALERT_SMS_ACCOUNT_ID }}
STRATEGY_PLUGIN_ALERT_SMS_AUTH_TOKEN_SECRET_NAME: ${{ vars.STRATEGY_PLUGIN_ALERT_SMS_AUTH_TOKEN_SECRET_NAME }}
STRATEGY_PLUGIN_ALERT_SMS_SENDER: ${{ vars.STRATEGY_PLUGIN_ALERT_SMS_SENDER }}
STRATEGY_PLUGIN_ALERT_SMS_MESSAGING_SERVICE_ID: ${{ vars.STRATEGY_PLUGIN_ALERT_SMS_MESSAGING_SERVICE_ID }}
STRATEGY_PLUGIN_ALERT_SMS_API_BASE_URL: ${{ vars.STRATEGY_PLUGIN_ALERT_SMS_API_BASE_URL }}
STRATEGY_PLUGIN_ALERT_SMS_BODY_MAX_CHARS: ${{ vars.STRATEGY_PLUGIN_ALERT_SMS_BODY_MAX_CHARS }}
STRATEGY_PLUGIN_ALERT_PUSH_RECIPIENTS: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_RECIPIENTS }}
STRATEGY_PLUGIN_ALERT_PUSH_PROVIDER: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_PROVIDER }}
STRATEGY_PLUGIN_ALERT_PUSH_APP_TOKEN_SECRET_NAME: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_APP_TOKEN_SECRET_NAME }}
STRATEGY_PLUGIN_ALERT_PUSH_ACCESS_TOKEN_SECRET_NAME: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_ACCESS_TOKEN_SECRET_NAME }}
STRATEGY_PLUGIN_ALERT_PUSH_API_BASE_URL: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_API_BASE_URL }}
STRATEGY_PLUGIN_ALERT_PUSH_DEVICE: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_DEVICE }}
STRATEGY_PLUGIN_ALERT_PUSH_PRIORITY: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_PRIORITY }}
STRATEGY_PLUGIN_ALERT_PUSH_TAGS: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_TAGS }}
STRATEGY_PLUGIN_ALERT_PUSH_BODY_MAX_CHARS: ${{ vars.STRATEGY_PLUGIN_ALERT_PUSH_BODY_MAX_CHARS }}
STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_CHAT_IDS }}
STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME }}
STRATEGY_PLUGIN_ALERT_TELEGRAM_API_BASE_URL: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_API_BASE_URL }}
STRATEGY_PLUGIN_ALERT_TELEGRAM_PARSE_MODE: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_PARSE_MODE }}
STRATEGY_PLUGIN_ALERT_TELEGRAM_DISABLE_WEB_PAGE_PREVIEW: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_DISABLE_WEB_PAGE_PREVIEW }}
STRATEGY_PLUGIN_ALERT_TELEGRAM_BODY_MAX_CHARS: ${{ vars.STRATEGY_PLUGIN_ALERT_TELEGRAM_BODY_MAX_CHARS }}
FIRSTRADE_RUNTIME_EXECUTION_WINDOW_TRADING_DAYS: ${{ vars.FIRSTRADE_RUNTIME_EXECUTION_WINDOW_TRADING_DAYS }}
FIRSTRADE_TECH_RUNTIME_EXECUTION_WINDOW_TRADING_DAYS: ${{ vars.FIRSTRADE_TECH_RUNTIME_EXECUTION_WINDOW_TRADING_DAYS }}
INCOME_THRESHOLD_USD: ${{ vars.INCOME_THRESHOLD_USD }}
QQQI_INCOME_RATIO: ${{ vars.QQQI_INCOME_RATIO }}
INCOME_LAYER_ENABLED: ${{ vars.INCOME_LAYER_ENABLED }}
INCOME_LAYER_START_USD: ${{ vars.INCOME_LAYER_START_USD }}
INCOME_LAYER_MAX_RATIO: ${{ vars.INCOME_LAYER_MAX_RATIO }}
FIRSTRADE_CASH_ONLY_EXECUTION: ${{ vars.FIRSTRADE_CASH_ONLY_EXECUTION }}
CASH_ONLY_EXECUTION: ${{ vars.CASH_ONLY_EXECUTION }}
DCA_MODE: ${{ vars.DCA_MODE }}
DCA_BASE_INVESTMENT_USD: ${{ vars.DCA_BASE_INVESTMENT_USD }}
IBIT_ZSCORE_EXIT_ENABLED: ${{ vars.IBIT_ZSCORE_EXIT_ENABLED }}
IBIT_ZSCORE_EXIT_MODE: ${{ vars.IBIT_ZSCORE_EXIT_MODE }}
IBIT_ZSCORE_EXIT_PARKING_SYMBOL: ${{ vars.IBIT_ZSCORE_EXIT_PARKING_SYMBOL }}
IBIT_ZSCORE_EXIT_RISK_REDUCED_EXPOSURE: ${{ vars.IBIT_ZSCORE_EXIT_RISK_REDUCED_EXPOSURE }}
IBIT_ZSCORE_EXIT_RISK_OFF_EXPOSURE: ${{ vars.IBIT_ZSCORE_EXIT_RISK_OFF_EXPOSURE }}
IBIT_ZSCORE_EXIT_ALLOW_OUTSIDE_EXECUTION_WINDOW: ${{ vars.IBIT_ZSCORE_EXIT_ALLOW_OUTSIDE_EXECUTION_WINDOW }}
RUNTIME_TARGET_ENABLED: ${{ vars.RUNTIME_TARGET_ENABLED }}
EXECUTION_REPORT_GCS_URI: ${{ vars.EXECUTION_REPORT_GCS_URI }}
GLOBAL_TELEGRAM_CHAT_ID: ${{ vars.GLOBAL_TELEGRAM_CHAT_ID }}
NOTIFY_LANG: ${{ vars.NOTIFY_LANG }}
TELEGRAM_TOKEN: ${{ secrets.TELEGRAM_TOKEN }}
STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_PASSWORD: ${{ secrets.STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_PASSWORD }}
STRATEGY_PLUGIN_ALERT_SMS_AUTH_TOKEN: ${{ secrets.STRATEGY_PLUGIN_ALERT_SMS_AUTH_TOKEN }}
STRATEGY_PLUGIN_ALERT_PUSH_APP_TOKEN: ${{ secrets.STRATEGY_PLUGIN_ALERT_PUSH_APP_TOKEN }}
STRATEGY_PLUGIN_ALERT_PUSH_ACCESS_TOKEN: ${{ secrets.STRATEGY_PLUGIN_ALERT_PUSH_ACCESS_TOKEN }}
STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN: ${{ secrets.TG_TOKEN }}
FIRSTRADE_USERNAME: ${{ secrets.FIRSTRADE_USERNAME }}
FIRSTRADE_PASSWORD: ${{ secrets.FIRSTRADE_PASSWORD }}
FIRSTRADE_MFA_SECRET: ${{ secrets.FIRSTRADE_MFA_SECRET }}
FIRSTRADE_PIN: ${{ secrets.FIRSTRADE_PIN }}
FIRSTRADE_MFA_EMAIL: ${{ secrets.FIRSTRADE_MFA_EMAIL }}
FIRSTRADE_MFA_PHONE: ${{ secrets.FIRSTRADE_MFA_PHONE }}
FIRSTRADE_MFA_CODE: ${{ secrets.FIRSTRADE_MFA_CODE }}
steps:
- name: Check whether deploy is enabled
id: deploy_config
run: |
set -euo pipefail
# QSL_ENABLE_CLOUD_RUN_AUTOMATION overrides ENABLE_MAIN_PUSH_CLOUD_RUN_AUTOMATION
ENABLE_MAIN_PUSH_CLOUD_RUN_AUTOMATION="${QSL_ENABLE_CLOUD_RUN_AUTOMATION:-$ENABLE_MAIN_PUSH_CLOUD_RUN_AUTOMATION}"
if [ "${GITHUB_EVENT_NAME:-}" = "push" ] && [ "${ENABLE_MAIN_PUSH_CLOUD_RUN_AUTOMATION:-}" != "true" ]; then
echo "enabled=false" >> "$GITHUB_OUTPUT"
echo "Skipping Cloud Run deploy on push because ENABLE_MAIN_PUSH_CLOUD_RUN_AUTOMATION is not true." >&2
exit 0
fi
if [ "${ENABLE_GITHUB_CLOUD_RUN_DEPLOY:-true}" != "true" ]; then
echo "enabled=false" >> "$GITHUB_OUTPUT"
echo "Skipping Cloud Run deploy because ENABLE_GITHUB_CLOUD_RUN_DEPLOY is not true." >&2
exit 0
fi
echo "enabled=true" >> "$GITHUB_OUTPUT"
- name: Checkout repository
if: steps.deploy_config.outputs.enabled == 'true'
uses: actions/checkout@v6
with:
ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
- name: Validate deploy inputs
if: steps.deploy_config.outputs.enabled == 'true'
run: |
set -euo pipefail
missing_vars=()
for var_name in CLOUD_RUN_REGION CLOUD_RUN_SERVICE; do
if [ -z "${!var_name:-}" ]; then
missing_vars+=("${var_name}")
fi
done
if [ "${#missing_vars[@]}" -gt 0 ]; then
echo "Cloud Run deploy is enabled, but these values are missing:" >&2
printf ' - %s\n' "${missing_vars[@]}" >&2
exit 1
fi
- name: Authenticate to Google Cloud
id: auth
if: steps.deploy_config.outputs.enabled == 'true'
uses: google-github-actions/auth@v3
with:
workload_identity_provider: ${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ env.GCP_WORKLOAD_IDENTITY_SERVICE_ACCOUNT }}
- name: Set up gcloud
if: steps.deploy_config.outputs.enabled == 'true'
uses: google-github-actions/setup-gcloud@v3
with:
project_id: ${{ env.GCP_PROJECT_ID }}
version: ">= 416.0.0"
- name: Build, push, and deploy Cloud Run image
if: steps.deploy_config.outputs.enabled == 'true'
run: |
set -euo pipefail
image_repo="${GCP_ARTIFACT_REGISTRY_HOSTNAME}/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_REPOSITORY}/firstradeplatform/${CLOUD_RUN_SERVICE}"
image="${image_repo}:${GITHUB_SHA}"
gcloud auth configure-docker "${GCP_ARTIFACT_REGISTRY_HOSTNAME}" --quiet
docker build --pull -t "${image}" .
docker push "${image}"
gcloud run deploy "${CLOUD_RUN_SERVICE}" \
--project="${GCP_PROJECT_ID}" \
--region="${CLOUD_RUN_REGION}" \
--platform=managed \
--image="${image}" \
--service-account="${GCP_RUNTIME_SERVICE_ACCOUNT}" \
--ingress=internal \
--max-instances=1 \
--concurrency=80 \
--memory=512Mi \
--cpu=1 \
--timeout=300s \
--labels="managed-by=github-actions,commit-sha=${GITHUB_SHA},github-run-id=${GITHUB_RUN_ID}" \
--quiet
- name: Check whether env sync is enabled
id: env_sync_config
if: steps.deploy_config.outputs.enabled == 'true'
run: |
set -euo pipefail
if [ "${ENABLE_GITHUB_ENV_SYNC:-}" != "true" ]; then
echo "enabled=false" >> "$GITHUB_OUTPUT"
echo "Skipping Cloud Run env sync because ENABLE_GITHUB_ENV_SYNC is not true." >&2
exit 0
fi
echo "enabled=true" >> "$GITHUB_OUTPUT"
- name: Set up Python for strategy requirement resolution
if: steps.env_sync_config.outputs.enabled == 'true'
uses: actions/setup-python@v6
with:
python-version: "3.12"
- name: Install strategy status dependencies
if: steps.env_sync_config.outputs.enabled == 'true'
run: |
set -euo pipefail
python -m pip install --upgrade pip uv
uv sync --frozen --no-dev
- name: Resolve Cloud Run sync targets
id: strategy_requirements
if: steps.env_sync_config.outputs.enabled == 'true'
run: |
set -euo pipefail
sync_plan_json="$(uv run --no-sync python scripts/build_cloud_run_env_sync_plan.py --json)"
{
echo "sync_plan_json<<__SYNC_PLAN_JSON__"
printf '%s\n' "${sync_plan_json}"
echo "__SYNC_PLAN_JSON__"
} >> "$GITHUB_OUTPUT"
- name: Validate env sync inputs
if: steps.env_sync_config.outputs.enabled == 'true'
env:
SYNC_PLAN_JSON: ${{ steps.strategy_requirements.outputs.sync_plan_json }}
run: |
set -euo pipefail
required_vars=(
CLOUD_RUN_REGION
CLOUD_RUN_SERVICE
)
if [ -z "${NOTIFY_LANG:-}" ]; then
required_vars+=(NOTIFY_LANG)
fi
if [ "${FIRSTRADE_RUN_STRATEGY_ON_HTTP:-}" = "true" ] || [ "${FIRSTRADE_RUN_SMOKE_ON_HTTP:-}" = "true" ]; then
if [ -z "${FIRSTRADE_USERNAME_SECRET_NAME:-}" ] && [ -z "${FIRSTRADE_USERNAME:-}" ]; then
required_vars+=("FIRSTRADE_USERNAME_SECRET_NAME or FIRSTRADE_USERNAME")
fi
if [ -z "${FIRSTRADE_PASSWORD_SECRET_NAME:-}" ] && [ -z "${FIRSTRADE_PASSWORD:-}" ]; then
required_vars+=("FIRSTRADE_PASSWORD_SECRET_NAME or FIRSTRADE_PASSWORD")
fi
fi
if [ -n "${GLOBAL_TELEGRAM_CHAT_ID:-}" ] \
&& [ -z "${TELEGRAM_TOKEN_SECRET_NAME:-}" ] \
&& [ -z "${TELEGRAM_TOKEN:-}" ]; then
required_vars+=("TELEGRAM_TOKEN_SECRET_NAME or TELEGRAM_TOKEN")
fi
if [ -n "${TELEGRAM_TOKEN_SECRET_NAME:-}${TELEGRAM_TOKEN:-}" ] \
&& [ -z "${GLOBAL_TELEGRAM_CHAT_ID:-}" ]; then
required_vars+=(GLOBAL_TELEGRAM_CHAT_ID)
fi
missing_vars=()
for var_name in "${required_vars[@]}"; do
if [[ "${var_name}" == *" or "* ]]; then
missing_vars+=("${var_name}")
elif [ -z "${!var_name:-}" ]; then
missing_vars+=("${var_name}")
fi
done
python - <<'PY'
import json
import os
plan = json.loads(os.environ["SYNC_PLAN_JSON"])
targets = plan.get("targets") or []
if not targets:
raise SystemExit("Cloud Run env sync did not resolve any targets")
for target in targets:
service_name = str(target.get("service_name") or "").strip()
if not service_name:
raise SystemExit("Cloud Run sync target is missing service_name")
if not isinstance(target.get("env"), dict):
raise SystemExit(f"Cloud Run sync target {service_name} is missing env")
PY
if [ "${#missing_vars[@]}" -gt 0 ]; then
echo "Cloud Run env sync is enabled, but these values are missing:" >&2
printf ' - %s\n' "${missing_vars[@]}" >&2
exit 1
fi
- name: Wait for Cloud Run deployment of current commit
if: steps.env_sync_config.outputs.enabled == 'true'
run: |
set -euo pipefail
target_sha="${GITHUB_SHA}"
deadline=$((SECONDS + 1800))
while true; do
deployed_sha="$(gcloud run services describe "${CLOUD_RUN_SERVICE}" --region "${CLOUD_RUN_REGION}" --format='value(spec.template.metadata.labels.commit-sha)' 2>/dev/null || true)"
if [ -n "${deployed_sha}" ] && [ "${deployed_sha}" = "${target_sha}" ]; then
echo "Cloud Run service ${CLOUD_RUN_SERVICE} is on commit ${deployed_sha}."
break
fi
if [ "${SECONDS}" -ge "${deadline}" ]; then
echo "Timed out waiting for Cloud Run service ${CLOUD_RUN_SERVICE} to deploy commit ${target_sha}. Last seen commit: ${deployed_sha:-<none>}" >&2
exit 1
fi
echo "Waiting for Cloud Run service ${CLOUD_RUN_SERVICE} to deploy commit ${target_sha}. Last seen commit: ${deployed_sha:-<none>}" >&2
sleep 10
done
- name: Sync Cloud Run environment
if: steps.env_sync_config.outputs.enabled == 'true'
env:
SYNC_PLAN_JSON: ${{ steps.strategy_requirements.outputs.sync_plan_json }}
run: |
set -euo pipefail
mapfile -t target_env_pairs < <(python - <<'PY'
import json
import os
plan = json.loads(os.environ["SYNC_PLAN_JSON"])
target = plan["targets"][0]
for key, value in sorted(target["env"].items()):
print(f"{key}={value}")
PY
)
mapfile -t target_remove_env_vars < <(python - <<'PY'
import json
import os
plan = json.loads(os.environ["SYNC_PLAN_JSON"])
target = plan["targets"][0]
for key in sorted(target.get("remove_env_vars") or []):
print(key)
PY
)
join_by_delimiter() {
local delimiter="$1"
shift
local output=""
local item
for item in "$@"; do
if [ -z "${output}" ]; then
output="${item}"
else
output="${output}${delimiter}${item}"
fi
done
printf '%s' "${output}"
}
env_pairs=("${target_env_pairs[@]}")
env_pairs+=("GOOGLE_CLOUD_PROJECT=${GCP_PROJECT_ID}")
secret_pairs=()
remove_env_vars=("${target_remove_env_vars[@]}")
remove_env_vars+=(
"TELEGRAM_CHAT_ID"
"CRISIS_ALERT_GOOGLE_VOICE_TO"
"CRISIS_ALERT_GOOGLE_VOICE_GATEWAY"
"CRISIS_ALERT_GOOGLE_VOICE_GMAIL_USER"
"CRISIS_ALERT_GOOGLE_VOICE_GMAIL_APP_PASSWORD"
"CRISIS_ALERT_GOOGLE_VOICE_RECIPIENTS"
"CRISIS_ALERT_GOOGLE_VOICE_SENDER_EMAIL"
"CRISIS_ALERT_GOOGLE_VOICE_SENDER_PASSWORD"
"CRISIS_ALERT_GOOGLE_VOICE_SMTP_HOST"
"CRISIS_ALERT_GOOGLE_VOICE_SMTP_PORT"
"CRISIS_ALERT_GOOGLE_VOICE_SMTP_SECURITY"
"CRISIS_ALERT_SMTP_FROM"
"CRISIS_ALERT_SMTP_HOST"
"CRISIS_ALERT_SMTP_PORT"
"CRISIS_ALERT_SMTP_USERNAME"
"CRISIS_ALERT_SMTP_PASSWORD"
"CRISIS_ALERT_SMTP_STARTTLS"
"CRISIS_ALERT_SMTP_SSL"
"CRISIS_ALERT_CHANNELS"
"CRISIS_ALERT_EMAIL_RECIPIENTS"
"CRISIS_ALERT_EMAIL_SENDER_EMAIL"
"CRISIS_ALERT_EMAIL_SENDER_PASSWORD"
"CRISIS_ALERT_EMAIL_SMTP_HOST"
"CRISIS_ALERT_EMAIL_SMTP_PORT"
"CRISIS_ALERT_EMAIL_SMTP_SECURITY"
"CRISIS_ALERT_SMS_RECIPIENTS"
"CRISIS_ALERT_SMS_PROVIDER"
"CRISIS_ALERT_SMS_ACCOUNT_ID"
"CRISIS_ALERT_SMS_AUTH_TOKEN"
"CRISIS_ALERT_SMS_SENDER"
"CRISIS_ALERT_SMS_MESSAGING_SERVICE_ID"
"CRISIS_ALERT_SMS_API_BASE_URL"
"CRISIS_ALERT_SMS_BODY_MAX_CHARS"
"CRISIS_ALERT_PUSH_RECIPIENTS"
"CRISIS_ALERT_PUSH_PROVIDER"
"CRISIS_ALERT_PUSH_APP_TOKEN"
"CRISIS_ALERT_PUSH_ACCESS_TOKEN"
"CRISIS_ALERT_PUSH_API_BASE_URL"
"CRISIS_ALERT_PUSH_DEVICE"
"CRISIS_ALERT_PUSH_PRIORITY"
"CRISIS_ALERT_PUSH_TAGS"
"CRISIS_ALERT_PUSH_BODY_MAX_CHARS"
"CRISIS_ALERT_TELEGRAM_CHAT_IDS"
"CRISIS_ALERT_TELEGRAM_BOT_TOKEN"
"CRISIS_ALERT_TELEGRAM_API_BASE_URL"
"CRISIS_ALERT_TELEGRAM_PARSE_MODE"
"CRISIS_ALERT_TELEGRAM_DISABLE_WEB_PAGE_PREVIEW"
"CRISIS_ALERT_TELEGRAM_BODY_MAX_CHARS"
)
remove_secret_vars=(
"CRISIS_ALERT_SMTP_PASSWORD"
"CRISIS_ALERT_GOOGLE_VOICE_GMAIL_APP_PASSWORD"
"CRISIS_ALERT_GOOGLE_VOICE_SENDER_PASSWORD"
"CRISIS_ALERT_EMAIL_SENDER_PASSWORD"
"CRISIS_ALERT_SMS_AUTH_TOKEN"
"CRISIS_ALERT_PUSH_APP_TOKEN"
"CRISIS_ALERT_PUSH_ACCESS_TOKEN"
"CRISIS_ALERT_TELEGRAM_BOT_TOKEN"
)
add_optional_secret() {
local env_name="$1"
local secret_var_name="$2"
local secret_value_var_name="$3"
local secret_name="${!secret_var_name:-}"
local plain_value="${!secret_value_var_name:-}"
if [ -n "${secret_name}" ]; then
secret_pairs+=("${env_name}=${secret_name}:latest")
remove_env_vars+=("${env_name}")
elif [ -n "${plain_value}" ]; then
env_pairs+=("${env_name}=${plain_value}")
remove_secret_vars+=("${env_name}")
else
remove_env_vars+=("${env_name}")
remove_secret_vars+=("${env_name}")
fi
}
add_optional_secret TELEGRAM_TOKEN TELEGRAM_TOKEN_SECRET_NAME TELEGRAM_TOKEN
add_optional_secret STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_PASSWORD STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_PASSWORD_SECRET_NAME STRATEGY_PLUGIN_ALERT_EMAIL_SENDER_PASSWORD
add_optional_secret STRATEGY_PLUGIN_ALERT_SMS_AUTH_TOKEN STRATEGY_PLUGIN_ALERT_SMS_AUTH_TOKEN_SECRET_NAME STRATEGY_PLUGIN_ALERT_SMS_AUTH_TOKEN
add_optional_secret STRATEGY_PLUGIN_ALERT_PUSH_APP_TOKEN STRATEGY_PLUGIN_ALERT_PUSH_APP_TOKEN_SECRET_NAME STRATEGY_PLUGIN_ALERT_PUSH_APP_TOKEN
add_optional_secret STRATEGY_PLUGIN_ALERT_PUSH_ACCESS_TOKEN STRATEGY_PLUGIN_ALERT_PUSH_ACCESS_TOKEN_SECRET_NAME STRATEGY_PLUGIN_ALERT_PUSH_ACCESS_TOKEN
add_optional_secret STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN_SECRET_NAME STRATEGY_PLUGIN_ALERT_TELEGRAM_BOT_TOKEN
add_optional_secret FIRSTRADE_USERNAME FIRSTRADE_USERNAME_SECRET_NAME FIRSTRADE_USERNAME
add_optional_secret FIRSTRADE_PASSWORD FIRSTRADE_PASSWORD_SECRET_NAME FIRSTRADE_PASSWORD
add_optional_secret FIRSTRADE_MFA_SECRET FIRSTRADE_MFA_SECRET_SECRET_NAME FIRSTRADE_MFA_SECRET
add_optional_secret FIRSTRADE_PIN FIRSTRADE_PIN_SECRET_NAME FIRSTRADE_PIN
add_optional_secret FIRSTRADE_MFA_EMAIL FIRSTRADE_MFA_EMAIL_SECRET_NAME FIRSTRADE_MFA_EMAIL
add_optional_secret FIRSTRADE_MFA_PHONE FIRSTRADE_MFA_PHONE_SECRET_NAME FIRSTRADE_MFA_PHONE
add_optional_secret FIRSTRADE_MFA_CODE FIRSTRADE_MFA_CODE_SECRET_NAME FIRSTRADE_MFA_CODE
service_url="$(gcloud run services describe "${CLOUD_RUN_SERVICE}" \
--project="${GCP_PROJECT_ID}" \
--region="${CLOUD_RUN_REGION}" \
--format='value(status.url)' 2>/dev/null || true)"
if [ -z "${service_url}" ]; then
echo "Unable to resolve Cloud Run service URL for ${CLOUD_RUN_SERVICE}; cannot sync monitor dispatcher targets." >&2
exit 1
fi
monitor_targets_json="$(
SERVICE_URL="${service_url}" python - <<'PY'
import json
import os
plan = json.loads(os.environ["SYNC_PLAN_JSON"])
target = plan["targets"][0]
env = target.get("env") or {}
runtime_target = json.loads(env.get("RUNTIME_TARGET_JSON") or "{}")
payload = {
"service_name": target.get("service_name") or os.environ.get("CLOUD_RUN_SERVICE"),
"service_url": os.environ.get("SERVICE_URL"),
"strategy_profile": target.get("strategy_profile") or env.get("STRATEGY_PROFILE"),
"account_scope": runtime_target.get("account_scope"),
"runtime_target_enabled": env.get("RUNTIME_TARGET_ENABLED", "true"),
"scheduler": target.get("scheduler") or {},
}
print(json.dumps({"targets": [payload]}, separators=(",", ":")))
PY
)"
env_pairs+=("MONITOR_DISPATCH_TARGETS_JSON=${monitor_targets_json}")
gcloud_args=(
run services update "${CLOUD_RUN_SERVICE}"
--region "${CLOUD_RUN_REGION}"
--remove-env-vars "$(IFS=,; echo "${remove_env_vars[*]}")"
--update-env-vars "^|^$(join_by_delimiter "|" "${env_pairs[@]}")"
)
if [ "${#remove_secret_vars[@]}" -gt 0 ]; then
gcloud_args+=(--remove-secrets "$(IFS=,; echo "${remove_secret_vars[*]}")")
fi
if [ "${#secret_pairs[@]}" -gt 0 ]; then
gcloud_args+=(--update-secrets "$(IFS=,; echo "${secret_pairs[*]}")")
fi
gcloud "${gcloud_args[@]}"
- name: Reconcile Cloud Run traffic
if: steps.env_sync_config.outputs.enabled == 'true'
env:
SYNC_PLAN_JSON: ${{ steps.strategy_requirements.outputs.sync_plan_json }}
run: |
set -euo pipefail
python scripts/reconcile_cloud_runtime.py traffic
- name: Sync Cloud Scheduler schedule
if: steps.env_sync_config.outputs.enabled == 'true'
env:
SYNC_PLAN_JSON: ${{ steps.strategy_requirements.outputs.sync_plan_json }}
run: |
set -euo pipefail
scheduler_location="${CLOUD_SCHEDULER_LOCATION:-${CLOUD_RUN_REGION}}"
if [ -z "${scheduler_location}" ]; then
echo "Cloud Scheduler schedule sync requires CLOUD_RUN_REGION or CLOUD_SCHEDULER_LOCATION." >&2
exit 1
fi
mapfile -t scheduler_config < <(python - <<'PY'
import json
import os
plan = json.loads(os.environ["SYNC_PLAN_JSON"])
target = plan["targets"][0]
scheduler = target.get("scheduler") or {}
print(str(scheduler.get("timezone") or "America/New_York").strip())
print(str(scheduler.get("main_time") or os.environ.get("CLOUD_SCHEDULER_MAIN_TIME", "").strip() or "45 15"))
print(str(scheduler.get("probe_time") or os.environ.get("CLOUD_SCHEDULER_PROBE_TIME", "").strip() or "35 9,15"))
print(str(scheduler.get("precheck_time") or os.environ.get("CLOUD_SCHEDULER_PRECHECK_TIME", "").strip() or "45 9"))
PY
)
market_timezone="${scheduler_config[0]}"
main_time="${scheduler_config[1]}"
probe_time="${scheduler_config[2]}"
precheck_time="${scheduler_config[3]}"
# Keep probe/precheck parsed for runtime-target schema parity; this step only syncs the main scheduler.
: "${probe_time}" "${precheck_time}"
service_url="$(gcloud run services describe "${CLOUD_RUN_SERVICE}" \
--project="${GCP_PROJECT_ID}" \
--region="${CLOUD_RUN_REGION}" \
--format='value(status.url)' 2>/dev/null || true)"
if [ -z "${service_url}" ]; then
echo "Unable to resolve Cloud Run service URL for ${CLOUD_RUN_SERVICE}; cannot sync scheduler URI." >&2
exit 1
fi
gcloud run services add-iam-policy-binding "${CLOUD_RUN_SERVICE}" \
--project="${GCP_PROJECT_ID}" \
--region="${CLOUD_RUN_REGION}" \
--member="serviceAccount:${GCP_SCHEDULER_SERVICE_ACCOUNT}" \
--role="roles/run.invoker" \
--quiet
gcloud run services add-iam-policy-binding "${CLOUD_RUN_SERVICE}" \
--project="${GCP_PROJECT_ID}" \
--region="${CLOUD_RUN_REGION}" \
--member="serviceAccount:${GCP_RUNTIME_SERVICE_ACCOUNT}" \
--role="roles/run.invoker" \
--quiet
scheduler_job_candidates=("${CLOUD_RUN_SERVICE}-scheduler")
if [[ "${CLOUD_RUN_SERVICE}" == *-service ]]; then
scheduler_job_candidates+=("${CLOUD_RUN_SERVICE%-service}-scheduler")
fi
job_name=""
current_schedule=""
for candidate_job in "${scheduler_job_candidates[@]}"; do
current_schedule="$(gcloud scheduler jobs describe "${candidate_job}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" \
--format='value(schedule)' 2>/dev/null || true)"
if [ -n "${current_schedule}" ]; then
job_name="${candidate_job}"
break
fi
done
if [ -z "${job_name}" ]; then
job_name="${scheduler_job_candidates[0]}"
fi
if [ -n "${current_schedule}" ]; then
desired_schedule="$(CURRENT_SCHEDULE="${current_schedule}" SCHEDULE_TIME="${main_time}" python - <<'PY'
import os
current_fields = os.environ["CURRENT_SCHEDULE"].split()
time_fields = os.environ["SCHEDULE_TIME"].split()
if len(current_fields) != 5:
raise SystemExit(f"Cloud Scheduler schedule must have 5 fields: {os.environ['CURRENT_SCHEDULE']!r}")
if len(time_fields) == 5:
print(" ".join(time_fields))
elif len(time_fields) == 2:
print(" ".join([*time_fields, *current_fields[2:]]))
else:
raise SystemExit(
f"Cloud Scheduler override must have 2 time fields or 5 cron fields: {os.environ['SCHEDULE_TIME']!r}"
)
PY
)"
else
desired_schedule="$(SCHEDULE_TIME="${main_time}" python - <<'PY'
import os
fields = os.environ["SCHEDULE_TIME"].split()
if len(fields) == 5:
print(" ".join(fields))
elif len(fields) == 2:
print(" ".join([*fields, "*", "*", "*"]))
else:
raise SystemExit(
f"Cloud Scheduler override must have 2 time fields or 5 cron fields: {os.environ['SCHEDULE_TIME']!r}"
)
PY
)"
fi
scheduler_uri="${service_url}/run"
if [ -n "${current_schedule}" ]; then
echo "Updating Cloud Scheduler job ${job_name} schedule to ${desired_schedule}, timezone to ${market_timezone}, and URI to ${scheduler_uri}."
gcloud scheduler jobs update http "${job_name}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" \
--uri="${scheduler_uri}" \
--schedule="${desired_schedule}" \
--time-zone="${market_timezone}" \
--quiet
else
echo "Creating Cloud Scheduler job ${job_name} schedule ${desired_schedule}, timezone ${market_timezone}, and URI ${scheduler_uri}."
gcloud scheduler jobs create http "${job_name}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" \
--uri="${scheduler_uri}" \
--http-method=POST \
--oidc-service-account-email="${GCP_SCHEDULER_SERVICE_ACCOUNT}" \
--oidc-token-audience="${service_url}" \
--schedule="${desired_schedule}" \
--time-zone="${market_timezone}" \
--attempt-deadline=600s \
--quiet
fi
monitor_job_name="firstrade-monitor-dispatcher-scheduler"
monitor_uri="${service_url}/monitor-dispatch"
if gcloud scheduler jobs describe "${monitor_job_name}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" >/dev/null 2>&1; then
echo "Updating Cloud Scheduler job ${monitor_job_name} to ${monitor_uri}."
gcloud scheduler jobs update http "${monitor_job_name}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" \
--uri="${monitor_uri}" \
--http-method=POST \
--oidc-service-account-email="${GCP_SCHEDULER_SERVICE_ACCOUNT}" \
--oidc-token-audience="${service_url}" \
--schedule="*/5 * * * *" \
--time-zone="UTC" \
--attempt-deadline=180s \
--quiet
else
echo "Creating Cloud Scheduler job ${monitor_job_name} at ${monitor_uri}."
gcloud scheduler jobs create http "${monitor_job_name}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" \
--uri="${monitor_uri}" \
--http-method=POST \
--oidc-service-account-email="${GCP_SCHEDULER_SERVICE_ACCOUNT}" \
--oidc-token-audience="${service_url}" \
--schedule="*/5 * * * *" \
--time-zone="UTC" \
--attempt-deadline=180s \
--quiet
fi
invoke_bridge_jobs=(
"${CLOUD_RUN_SERVICE}-probe-scheduler|${service_url}/probe"
"${CLOUD_RUN_SERVICE}-precheck-scheduler|${service_url}/dry-run"
)
if [[ "${CLOUD_RUN_SERVICE}" == *-service ]]; then
invoke_bridge_jobs+=(
"${CLOUD_RUN_SERVICE%-service}-probe-scheduler|${service_url}/probe"
"${CLOUD_RUN_SERVICE%-service}-precheck-scheduler|${service_url}/dry-run"
)
fi
for bridge_entry in "${invoke_bridge_jobs[@]}"; do
bridge_job="${bridge_entry%%|*}"
bridge_uri="${bridge_entry#*|}"
if gcloud scheduler jobs describe "${bridge_job}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" >/dev/null 2>&1; then
echo "Updating invoke-bridge Cloud Scheduler job ${bridge_job} to ${bridge_uri}."
gcloud scheduler jobs update http "${bridge_job}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" \
--uri="${bridge_uri}" \
--http-method=POST \
--oidc-service-account-email="${GCP_SCHEDULER_SERVICE_ACCOUNT}" \
--oidc-token-audience="${service_url}" \
--quiet
else
echo "Creating invoke-bridge Cloud Scheduler job ${bridge_job} at ${bridge_uri}."
gcloud scheduler jobs create http "${bridge_job}" \
--project="${GCP_PROJECT_ID}" \
--location="${scheduler_location}" \
--uri="${bridge_uri}" \
--http-method=POST \
--oidc-service-account-email="${GCP_SCHEDULER_SERVICE_ACCOUNT}" \
--oidc-token-audience="${service_url}" \
--schedule="0 0 1 1 *" \
--time-zone="UTC" \
--attempt-deadline=600s \
--quiet
fi
done
- name: Reconcile legacy Cloud Scheduler jobs
if: steps.env_sync_config.outputs.enabled == 'true'
run: |
set -euo pipefail
python scripts/reconcile_cloud_runtime.py scheduler-cleanup
- name: Clean up old Cloud Run revisions and images
if: steps.deploy_config.outputs.enabled == 'true'
run: |
set -euo pipefail
service_json="$(gcloud run services describe "${CLOUD_RUN_SERVICE}" \
--project="${GCP_PROJECT_ID}" \
--region="${CLOUD_RUN_REGION}" \
--format=json)"
latest_revision="$(python -c 'import json,sys; print(json.load(sys.stdin)["status"]["latestReadyRevisionName"])' <<< "${service_json}")"
traffic_revisions="$(python -c 'import json,sys; svc=json.load(sys.stdin); print("\n".join(t.get("revisionName","") for t in svc.get("status",{}).get("traffic",[]) if t.get("revisionName") and int(t.get("percent",0)) > 0))' <<< "${service_json}")"
keep_revision() {
local revision="$1"
if [ "${revision}" = "${latest_revision}" ]; then
return 0
fi
if printf '%s\n' "${traffic_revisions}" | grep -Fxq "${revision}"; then
return 0
fi
return 1
}
while IFS= read -r revision; do
if [ -z "${revision}" ] || keep_revision "${revision}"; then
continue
fi
gcloud run revisions delete "${revision}" \
--project="${GCP_PROJECT_ID}" \
--region="${CLOUD_RUN_REGION}" \
--quiet 2>&1 || true
done < <(gcloud run revisions list \
--project="${GCP_PROJECT_ID}" \
--region="${CLOUD_RUN_REGION}" \
--service="${CLOUD_RUN_SERVICE}" \
--format='value(metadata.name)')
image_repo="${GCP_ARTIFACT_REGISTRY_HOSTNAME}/${GCP_PROJECT_ID}/${GCP_ARTIFACT_REGISTRY_REPOSITORY}/firstradeplatform/${CLOUD_RUN_SERVICE}"
old_digests="$(gcloud artifacts docker images list "${image_repo}" \
--project="${GCP_PROJECT_ID}" \
--include-tags \
--format=json \
| python -c 'import json,os,sys; keep=os.environ["GITHUB_SHA"]; rows=json.load(sys.stdin); print("\n".join(row["version"] for row in rows if keep not in set(row.get("tags") or [])))')"
while IFS= read -r digest; do
if [ -z "${digest}" ]; then
continue
fi
gcloud artifacts docker images delete "${image_repo}@${digest}" \
--project="${GCP_PROJECT_ID}" \
--delete-tags \
--async \
--quiet
done <<< "${old_digests}"