Problem
.github/scripts/deploy_cloud_run_candidate.sh currently deploys the staging Cloud Run candidate with --allow-unauthenticated. That flag does more than configure the revision: gcloud run deploy attempts to update the Cloud Run service IAM policy so unauthenticated callers can invoke the service.
That means every CI/CD deploy can attempt to mutate IAM, which is not the right responsibility for the deploy script and can fail if the deploy identity lacks IAM policy update permissions.
Proposed change
Remove --allow-unauthenticated from .github/scripts/deploy_cloud_run_candidate.sh and configure Cloud Run invoker access separately as infrastructure/bootstrap configuration. The Cloud Run service should have allUsers granted roles/run.invoker once, outside the normal deploy path, if public unauthenticated invocation is intended.
Acceptance criteria
- deploy_cloud_run_candidate.sh no longer passes --allow-unauthenticated to gcloud run deploy.
- Cloud Run invoker access is documented or configured through the proper infrastructure/bootstrap pathway.
- CI/CD can deploy tagged no-traffic Cloud Run staging candidates without needing IAM policy update permissions.
- The existing Cloud Run staging health/integration checks still work against the tagged candidate URL.
Context
This came up while reviewing the Stage 3 Cloud Run staging deployment path. The deploy script should deploy images, revisions, tags, env vars, and secrets; IAM access should be managed separately.
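A CI guard for the first acceptance criterion, as an added example that is not part of the original issue or the project's code. The function name `check_deploy_script` is hypothetical, and the two sample scripts are constructed stand-ins, not the real contents of deploy_cloud_run_candidate.sh.

```shell
#!/usr/bin/env bash
# Added example: fail CI if a deploy script passes a flag that makes
# `gcloud run deploy` edit the service IAM policy.

# Returns 1 (and prints the offending command) if file $1 contains a
# `gcloud run deploy` call with --allow-unauthenticated or its --no- form.
# Comment stripping is naive: it also cuts " #" inside quoted strings.
check_deploy_script() {
  cds_file="$1"
  # 1) drop comments, 2) join backslash continuations into one logical line,
  # 3) keep deploy commands, 4) keep those carrying the IAM-mutating flag.
  cds_hits="$(
    sed -e 's/[[:space:]]#.*$//' -e '/^[[:space:]]*#/d' "$cds_file" |
    awk '{ if (sub(/\\$/, "")) { buf = buf $0 " "; next }
           print buf $0; buf = "" }
         END { if (buf != "") print buf }' |
    grep -E 'gcloud[[:space:]]+run[[:space:]]+deploy' |
    grep -E -- '--(no-)?allow-unauthenticated([[:space:]=]|$)'
  )" || true
  if [ -n "$cds_hits" ]; then
    printf 'IAM-mutating flag in %s:\n%s\n' "$cds_file" "$cds_hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample scripts: the flag on a continuation line, then removed.
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/before.sh" <<'EOF'
gcloud run deploy "$SERVICE" \
  --image "$IMAGE" \
  --no-traffic --tag "$TAG" \
  --allow-unauthenticated
EOF
cat > "$demo_dir/after.sh" <<'EOF'
# --allow-unauthenticated removed; invoker access is bootstrap config
gcloud run deploy "$SERVICE" \
  --image "$IMAGE" \
  --no-traffic --tag "$TAG"
EOF

check_deploy_script "$demo_dir/before.sh" || echo "before.sh: rejected"
check_deploy_script "$demo_dir/after.sh" && echo "after.sh: ok"

# One-time bootstrap grant, run by an identity allowed to set IAM policy:
#   gcloud run services add-iam-policy-binding "$SERVICE" --region "$REGION" \
#     --member=allUsers --role=roles/run.invoker
```
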