feat(backend): add Cloud Run deployment #284
Conversation
Hardcoded values: - GCP Project: atomify-ee7b5 - Region: europe-west1 - Database: SQLite at /data/atomify.db - GCS Bucket: atomify-user-files - CORS: localhost:3000, andeplane.github.io Only 2 secrets needed: - GCP_SA_KEY - GCP_SERVICE_ACCOUNT_EMAIL
Summary of ChangesHello @andeplane, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request establishes an automated deployment pipeline for the backend service to Google Cloud Run. It streamlines the process of getting backend changes into production by integrating with GitHub Actions, and provides essential documentation and development tools to support this new infrastructure. The changes ensure a consistent and efficient deployment experience for the backend. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://waps.l3s.uni-hannover.de/live/im_/https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a detailed deployment guide for setting up the backend on Google Cloud Run. The guide is a great addition for developers. However, my review has identified several significant issues that need to be addressed. These include critical security concerns due to overly permissive IAM roles being recommended, a high risk of data loss because of an incomplete and misleading configuration for SQLite persistence, and multiple correctness errors related to inconsistent region settings across commands. Addressing these points is crucial for a secure and reliable deployment.
CORS_ORIGINS was causing pydantic-settings to fail during tests because it tried to parse the comma-separated string as JSON.
Contains non-secret configuration values. Service account keys are gitignored.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Uses Cloud Storage FUSE to mount gs://atomify-db at /data for persistent SQLite storage on Cloud Run.
- Fix region inconsistencies (us-central1 → europe-west1) - Update service account roles (Storage Admin → Storage Object Admin) - Remove unnecessary Firebase role (token verification uses public keys) - Document GCS FUSE mount for SQLite persistence - Add volume mount flags to manual deploy command
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces configuration and documentation for deploying the backend to Google Cloud Run. The changes are centered around a new .env file, modifications to .gitignore, and a comprehensive DEPLOYMENT.md guide. My review highlights a critical security and configuration management issue with committing the .env file and suggests adhering to best practices by ignoring it and using a template instead. Additionally, I've pointed out several inconsistencies and a potentially misleading instruction in the new deployment documentation to improve its accuracy and usability.
|
|
||
| # Environment | ||
| .env | ||
| # .env.local # Use for local overrides if needed |
There was a problem hiding this comment.
Committing .env files is a security risk and a configuration management anti-pattern. These files often contain sensitive data or environment-specific values that should not be in version control. The standard practice is to ignore .env files and commit a template like .env.example instead. Both .env and any local overrides like .env.local should be added to .gitignore.
.env
.env.local
pydantic-settings parses list fields as JSON, not comma-separated.
CORS_ORIGINS needs JSON array format for pydantic-settings.
Remove leading spaces from heredoc that made YAML invalid.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces automated deployment to Cloud Run, complete with configuration files and a detailed deployment guide. The documentation is thorough and the setup is well-considered. However, there are a few important points to address. The most critical issue is a security risk introduced by tracking the .env file in version control. Additionally, there's a significant architectural concern regarding the use of SQLite with GCS FUSE, which could lead to data corruption if the service scales. I've also included some suggestions to improve the clarity and usability of the new deployment documentation.
|
|
||
| ### 4. Create Database Bucket (for SQLite persistence) | ||
|
|
||
| SQLite is persisted via GCS FUSE mount: |
There was a problem hiding this comment.
Using SQLite with GCS FUSE on Cloud Run is a risky approach, especially if the service might scale to more than one instance. SQLite is not designed for concurrent write access from multiple processes, which is what would happen with multiple Cloud Run instances. This can lead to database corruption. It is crucial to either configure Cloud Run to have a maximum of 1 instance or to prominently document this limitation and its risks. For a scalable service, consider using a managed database service like Cloud SQL.
| - **Service Name**: `atomify-api` | ||
| - **Database URL**: `sqlite+aiosqlite:////data/atomify.db` (SQLite file path) | ||
| - **GCS Bucket Name**: `atomify-user-files` | ||
| - **CORS Origins**: `http://localhost:3000,https://andeplane.github.io` |
There was a problem hiding this comment.
The CORS origins listed here (and also in the manual deployment command on line 141) are inconsistent with the backend/.env file, which also includes http://localhost:5173. To avoid potential CORS issues during development and ensure the documentation is accurate, it's best to keep these consistent.
| - **CORS Origins**: `http://localhost:3000,https://andeplane.github.io` | |
| - **CORS Origins**: `http://localhost:3000,http://localhost:5173,https://andeplane.github.io` |
| docker run --rm \ | ||
| -e DATABASE_URL="$DATABASE_URL" \ | ||
| atomify-api:migrate \ | ||
| alembic upgrade head |
There was a problem hiding this comment.
This command relies on the DATABASE_URL environment variable being exported in the shell. To make this more convenient and less error-prone for developers, you could use Docker's --env-file flag to load variables directly from a local .env file (which should be git-ignored).
| docker run --rm \ | |
| -e DATABASE_URL="$DATABASE_URL" \ | |
| atomify-api:migrate \ | |
| alembic upgrade head | |
| docker run --rm \ | |
| --env-file ./backend/.env \ | |
| atomify-api:migrate \ | |
| alembic upgrade head |
| gcloud run jobs create atomify-api-migrate \ | ||
| --image=gcr.io/atomify-ee7b5/atomify-api:latest \ | ||
| --region=europe-west1 \ | ||
| --set-env-vars="DATABASE_URL=$DATABASE_URL" \ |
There was a problem hiding this comment.
This command requires the DATABASE_URL variable to be set in the shell. It would be helpful to add a note for developers on how to provide this value, for instance by sourcing it from their local .env file, to make the command easier to use.
| --execution-environment=gen2 \ | ||
| --allow-unauthenticated \ | ||
| --service-account=atomify-api@atomify-ee7b5.iam.gserviceaccount.com \ | ||
| --set-env-vars="DATABASE_URL=sqlite+aiosqlite:////data/atomify.db,FIREBASE_PROJECT_ID=atomify-ee7b5,GCS_BUCKET_NAME=atomify-user-files,CORS_ORIGINS=http://localhost:3000,https://andeplane.github.io" \ |
There was a problem hiding this comment.
The CORS_ORIGINS value here is inconsistent with backend/.env as it's missing http://localhost:5173. To ensure the manual deployment command works as expected for all documented local development setups, this should be updated.
| --set-env-vars="DATABASE_URL=sqlite+aiosqlite:////data/atomify.db,FIREBASE_PROJECT_ID=atomify-ee7b5,GCS_BUCKET_NAME=atomify-user-files,CORS_ORIGINS=http://localhost:3000,https://andeplane.github.io" \ | |
| --set-env-vars="DATABASE_URL=sqlite+aiosqlite:////data/atomify.db,FIREBASE_PROJECT_ID=atomify-ee7b5,GCS_BUCKET_NAME=atomify-user-files,CORS_ORIGINS=http://localhost:3000,http://localhost:5173,https://andeplane.github.io" \ |
Adds automated deployment to Cloud Run when pushing to main.
Hardcoded in workflow:
Secrets (already added):
Also includes: