GitHub Workflows Overview

This repository uses GitHub Actions for continuous integration and deployment. The workflows orchestrate building, testing, and deploying the Backstage application to Google Cloud Run.

Workflow Summary

Workflow	Trigger	Purpose
`ci.yml`	Push to `main`	Full CI/CD pipeline
`ci-pr.yml`	Pull request	PR validation
`ci-deploy.yml`	Called by ci.yml	Reusable deployment

Pipeline Overview

Push to Main Pipeline

When code is pushed to main, the full CI/CD pipeline executes:

1. Version Job

Calculates semantic version using conventional commits
Outputs: version (e.g., 1.2.3-sha.abc123)

2. Terraform Apply

Applies infrastructure changes to non-production
Uses Terraform Cloud workspace wrkspc-np-devex-backstage
Outputs: Terraform outputs artifact

3. Build Package

Installs dependencies with yarn install --immutable
Runs TypeScript compilation with yarn tsc
Builds backend with yarn build:backend
Uploads artifacts for deployment

4. Deploy

Downloads Terraform outputs and build artifacts
Builds Docker image and pushes to Artifact Registry
Deploys to Cloud Run with secrets from GCP Secret Manager

Pull Request Pipeline

When a PR is opened or updated:

1. Terraform Plan

Generates execution plan for review
Comments plan on PR for visibility

2. Build Validation

Runs full build to catch compilation errors
Does not deploy

Authentication

Workload Identity Federation

The workflows use OIDC authentication with GCP - no stored credentials:

- uses: google-github-actions/auth@v2
  with:
    workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
    service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}

Required Secrets

Secret	Purpose
`GCP_PROJECT_ID`	GCP project identifier
`WIF_PROVIDER`	Workload Identity Federation provider
`WIF_SERVICE_ACCOUNT`	GCP service account for OIDC
`AUTH_GITHUB_*`	GitHub OAuth credentials
`AUTH_GOOGLE_*`	Google OAuth credentials
`BASE_URL_FRONTEND`	Backstage frontend URL
`BASE_URL_BACKEND`	Backstage backend URL

Deployment Configuration

Cloud Run Settings

Setting	Value
Region	`northamerica-northeast1`
Port	`7007`
Memory	`4Gi`
CPU	`4000m` (4 cores)
Timeout	`300s`
Concurrency	`80`
Min Instances	`1`
Max Instances	`1`

Mounted Secrets

Mount Path	Source
`/etc/ssl/certs/vault-ca.crt`	GCP Secret Manager
`/etc/backstage/jwt-private/key`	GCP Secret Manager
`/etc/backstage/jwt-public/key`	GCP Secret Manager

Concurrency Control

The ci.yml workflow uses concurrency groups to prevent parallel runs:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

This ensures only one deployment runs at a time per branch.

Caching

Yarn Cache

- uses: actions/setup-node@v4
  with:
    node-version: 22
    cache: yarn
    cache-dependency-path: backstage/yarn.lock

Docker Layer Cache

- uses: docker/build-push-action@v6
  with:
    cache-from: type=gha
    cache-to: type=gha,mode=max

Node.js Configuration

All build jobs use:

Node.js 22
NODE_OPTIONS: --max-old-space-size=8192 for large builds
Yarn with immutable lockfile

ci.yml Details - Main CI pipeline
ci-pr.yml Details - PR validation
ci-deploy.yml Details - Deployment workflow
Infrastructure - Terraform resources

Workflow Summary​

Pipeline Overview​

Push to Main Pipeline​

1. Version Job​

2. Terraform Apply​

3. Build Package​

4. Deploy​

Pull Request Pipeline​

1. Terraform Plan​

2. Build Validation​

Authentication​

Workload Identity Federation​

Required Secrets​

Deployment Configuration​

Cloud Run Settings​

Mounted Secrets​

Concurrency Control​

Caching​

Yarn Cache​

Docker Layer Cache​

Node.js Configuration​

Related Documentation​