Deploys Action

GitHub Action for Deploys.app

Deploys an already-built image (or a static site) to deploys.app by calling the deployment.deploy API directly. It is a pure bash + curl composite action — no CLI to download — and exposes every argument the deploy API accepts.

Looking to build and push a Dockerfile in the same step, with keyless OIDC auth and pull-request previews? Use deploys-app/build-deploy-action instead. This action just deploys an image/site you already have.

Usage

This action deploys an image you have already pushed to any registry the deploy location can pull from — Docker Hub, GHCR, GCR/Artifact Registry, your own private registry (pass pullSecret), or our built-in registry.deploys.app. Swap the build-and-push steps below for whatever registry you use; only the image you hand to the deploy step matters.

The example uses registry.deploys.app, which is convenient because one service account covers both halves: it logs in to the registry via docker/login-action (the registry takes the account's email/key as the docker login username/password directly) and authenticates the deploy — the same DEPLOYS_AUTH_USER / DEPLOYS_AUTH_PASS. Images live under registry.deploys.app/<project>/<name>, and the account needs registry.push plus deploy permission on the project.

name: Deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to registry.deploys.app
        uses: docker/login-action@v3
        with:
          registry: registry.deploys.app
          username: ${{ secrets.DEPLOYS_AUTH_USER }}
          password: ${{ secrets.DEPLOYS_AUTH_PASS }}
      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: registry.deploys.app/PROJECT_ID/DEPLOYMENT_NAME:${{ github.sha }}
      - uses: deploys-app/deploys-action@v1
        with:
          project: PROJECT_ID
          location: gke.cluster-rcf2
          name: DEPLOYMENT_NAME
          image: registry.deploys.app/PROJECT_ID/DEPLOYMENT_NAME@${{ steps.docker_build.outputs.digest }}
          type: WebService
          port: 8080
        env:
          DEPLOYS_AUTH_USER: ${{ secrets.DEPLOYS_AUTH_USER }}
          DEPLOYS_AUTH_PASS: ${{ secrets.DEPLOYS_AUTH_PASS }}

Authentication

Provide credentials one of two ways. A token (Bearer) takes precedence over service-account Basic auth.

Env var (back-compat)	Input	Description
DEPLOYS_TOKEN	token	Auth token (Bearer)
DEPLOYS_AUTH_USER	authUser	Service-account email (Basic auth)
DEPLOYS_AUTH_PASS	authPass	Service-account key (Basic auth)

The env-var form (set via the step's env: or at the job level) is supported for backward compatibility. The matching with: inputs are equivalent and override the env vars if both are set:

      - uses: deploys-app/deploys-action@v1
        with:
          project: PROJECT_ID
          location: gke.cluster-rcf2
          name: my-app
          image: ghcr.io/owner/repo@sha256:...
          token: ${{ secrets.DEPLOYS_TOKEN }}

Inputs

Only the inputs you set are sent. Anything left empty is omitted from the request, and the API treats an omitted field as "no change" — so this action is safe for both creating and updating a deployment.

Target (required)

Name	Description
project	Project ID
location	Deploy location ID (e.g. gke.cluster-rcf2)
name	Deployment name

Artifact

Name	Description
image	Container image (e.g. ghcr.io/owner/repo@sha256:...). Required for container deployments.
site	Static site release ref (site://bucket/project/name@<sha>). Required for type: Static.
siteManifestDigest	Digest of the static-site manifest (type: Static).

Type & networking

Name	Description
type	WebService, Worker, CronJob, TCPService, InternalTCPService, or Static. Optional on update.
port	Service port. Required for WebService, TCPService, InternalTCPService.
protocol	http, https, or h2c (WebService only).
internal	Run a WebService as internal-only (true/false).

Scaling

Name	Description
minReplicas	Autoscale minimum replicas (0–20).
maxReplicas	Autoscale maximum replicas (0–20).

Environment

env / addEnv take one KEY=VALUE per line. The list inputs take one item per line or comma-separated.

Name	Description
env	Environment variables (KEY=VALUE per line). Replaces the whole set.
addEnv	Env vars to add to the previous revision.
removeEnv	Env var keys to remove.
envGroups	Env groups to attach (replaces the set). Each must already exist in the project.
addEnvGroups	Env groups to add.
removeEnvGroups	Env groups to remove.

Container

command / args take one token per line (commas and spaces are preserved within a token).

Name	Description
command	Entrypoint override (one token per line).
args	Arguments override (one token per line).
workloadIdentity	Workload identity name to bind.
pullSecret	Pull secret name for a private registry.

Scheduling

Name	Description
schedule	Cron schedule, 5 fields (CronJob only), e.g. 0 2 * * *.
ttl	Auto-delete TTL: integer seconds or <n>s|m|h|d (e.g. 7d). 0 clears it; empty keeps it unchanged.

Storage

Name	Description
diskName	Persistent volume name to attach.
diskMountPath	Absolute container mount path (required with diskName).
diskSubPath	Sub-path within the volume (optional, relative).
mountData	Config/data files as a JSON object of { "absolute/path": "contents" }.

Resources

Name	Description
cpuRequest	CPU request (e.g. 100m, 0.5).
memoryRequest	Memory request (e.g. 128Mi).
cpuLimit	CPU limit (e.g. 500m, 1).
memoryLimit	Memory limit (e.g. 512Mi).

Access control

Name	Description
accessRequireGoogleLogin	Require Google login (true/false). Empty keeps the current policy; false makes it public.
accessAllowedEmails	Allowed emails (one per line or comma-separated).
accessAllowedDomains	Allowed email domains. Empty + requireGoogleLogin=true allows any Google user.

Sidecar (Cloud SQL Proxy)

Name	Description
cloudSqlProxyInstance	Cloud SQL instance connection name (enables the sidecar).
cloudSqlProxyPort	Port the proxy listens on (default 3300).
cloudSqlProxyCredentials	Service-account JSON credentials for the proxy.

Escape hatch & config

Name	Description	Default
extraArgs	Advanced: a JSON object recursively merged into the request (and overriding the inputs above). For any field not yet exposed.	''
apiEndpoint	Deploys.app API endpoint.	https://api.deploys.app

Outputs

Name	Description
url	The deployed URL (best-effort; empty if it could not be resolved).
deployment	The deployed deployment name.

Examples

Worker with env and resources

      - uses: deploys-app/deploys-action@v1
        with:
          project: my-project
          location: gke.cluster-rcf2
          name: my-worker
          image: ghcr.io/owner/repo@sha256:...
          type: Worker
          env: |
            LOG_LEVEL=info
            QUEUE=jobs
          envGroups: shared-secrets
          cpuRequest: 100m
          memoryRequest: 256Mi
        env:
          DEPLOYS_TOKEN: ${{ secrets.DEPLOYS_TOKEN }}

CronJob

      - uses: deploys-app/deploys-action@v1
        with:
          project: my-project
          location: gke.cluster-rcf2
          name: nightly-cleanup
          image: ghcr.io/owner/repo@sha256:...
          type: CronJob
          schedule: "0 2 * * *"
          command: |
            /app/cleanup
          args: |
            --older-than=30d
        env:
          DEPLOYS_TOKEN: ${{ secrets.DEPLOYS_TOKEN }}

Static site

      - uses: deploys-app/deploys-action@v1
        with:
          project: my-project
          location: gke.cluster-rcf2
          name: website
          type: Static
          site: site://deploys-static/my-project/website@<release-sha>
        env:
          DEPLOYS_TOKEN: ${{ secrets.DEPLOYS_TOKEN }}

Restricted access (Google login)

      - uses: deploys-app/deploys-action@v1
        with:
          project: my-project
          location: gke.cluster-rcf2
          name: internal-tool
          image: ghcr.io/owner/repo@sha256:...
          type: WebService
          port: 8080
          accessRequireGoogleLogin: "true"
          accessAllowedDomains: example.com
        env:
          DEPLOYS_TOKEN: ${{ secrets.DEPLOYS_TOKEN }}

Requirements

Runs on any runner with bash, curl, and jq available — all preinstalled on GitHub-hosted Ubuntu runners.

License

MIT