Set up GCP secrets for Cloud Run CI deployment #56

@MaxGhenis

Task

Set up GitHub secrets needed for automatic Cloud Run deployment in PR #55.

Required Secrets

Add these to the repository settings (Settings > Secrets and variables > Actions):

  1. GCP_WORKLOAD_IDENTITY_PROVIDER

    • Format: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_NAME/providers/PROVIDER_NAME
    • Or use service account key approach (see alternative below)
  2. GCP_SERVICE_ACCOUNT

    • Service account email with these roles:
      • Cloud Run Admin
      • Artifact Registry Writer
      • Service Account User
  3. GCP_PROJECT_ID

    • The GCP project ID (from Cloud Run URL: 578039519715)

Setup Steps

Option A: Workload Identity Federation (recommended)

  1. Create a Workload Identity Pool for GitHub Actions
  2. Create a provider in the pool for this repo
  3. Grant the service account roles/iam.workloadIdentityUser for the pool

Option B: Service Account Key (simpler)

  1. Create a service account with the roles above
  2. Generate a JSON key
  3. Add the entire JSON as GCP_SERVICE_ACCOUNT_KEY secret
  4. Update .github/workflows/deploy.yml to use key-based auth instead

Also Needed

  • Create the Artifact Registry repository givecalc in europe-west1 if it does not exist:
    gcloud artifacts repositories create givecalc \
      --repository-format=docker \
      --location=europe-west1
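
Added example, not part of the original issue: the three Option A steps as gcloud commands, with the provider's attribute condition limiting token exchange to a single repository. The pool and provider names, the repository, the service account email and the project values are placeholders chosen for illustration.

```shell
#!/bin/sh
# Option A (Workload Identity Federation) for GitHub Actions.
# All defaults below are placeholders/assumptions, not values from the issue.
PROJECT_ID="${PROJECT_ID:-my-project}"            # placeholder project ID
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"  # placeholder; numeric project number
POOL="${POOL:-github-pool}"                       # hypothetical pool name
PROVIDER="${PROVIDER:-github-provider}"           # hypothetical provider name
REPO="${REPO:-OWNER/REPO}"                        # placeholder GitHub repository
SA_EMAIL="${SA_EMAIL:-deployer@${PROJECT_ID}.iam.gserviceaccount.com}"

# Value to store in the GCP_WORKLOAD_IDENTITY_PROVIDER secret.
wif_provider_resource() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s\n' \
    "$PROJECT_NUMBER" "$POOL" "$PROVIDER"
}

# IAM member that matches only identities whose token names $REPO.
wif_repo_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s\n' \
    "$PROJECT_NUMBER" "$POOL" "$REPO"
}

setup_wif() {
  # 1. Pool for GitHub Actions identities.
  gcloud iam workload-identity-pools create "$POOL" \
    --project="$PROJECT_ID" --location=global
  # 2. OIDC provider; the condition rejects tokens issued for other repos.
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository" \
    --attribute-condition="assertion.repository == '$REPO'"
  # 3. Allow identities from that repo to impersonate the deploy account.
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" \
    --member="$(wif_repo_member)"
}

# gcloud is invoked only on request: sh wif.sh apply
if [ "${1:-}" = "apply" ]; then
  setup_wif
  wif_provider_resource   # paste this into the repository secret
fi
```

Binding the role to the repository-scoped principalSet rather than to the whole pool keeps other repositories that share the pool from impersonating the deploy service account.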
