This guide describes the intended GCP deployment model for the public version of the project.
The reference deployment uses:
- Cloud Run for execution
- Cloud Scheduler for daily triggering
- Secret Manager for GitHub token storage
- BigQuery for storage and reporting
The deployment scripts support the following variables:

| Variable | Required | Description | Example |
|---|---|---|---|
| `PROJECT_ID` | yes | GCP project ID | `example-gcp-project` |
| `REGION` | yes | Cloud Run, Scheduler, and BigQuery location | `us-central1` |
| `DATASET` | yes | BigQuery dataset name | `github_access_audit` |
| `ORG` | yes | GitHub organization to export | `example-org` |
| `SERVICE_NAME` | no | Cloud Run service name | `github-access-sync` |
| `SECRET_NAME` | no | Secret Manager secret holding the GitHub token | `github-access-token` |
| `RUNTIME_SA_NAME` | no | Cloud Run runtime service account name | `github-access-sync-sa` |
| `SCHEDULER_SA_NAME` | no | Cloud Scheduler caller service account name | `github-access-sync-scheduler` |
| `SCHEDULER_JOB_NAME` | no | Scheduler job name | `github-access-sync-daily` |
| `SCHEDULER_TIMEZONE` | no | Scheduler timezone | `Etc/UTC` |
| `SCHEDULER_SCHEDULE` | no | Scheduler cron | `0 8 * * *` |
| `GH_PAT` | conditionally | GitHub PAT to seed Secret Manager | `github_pat_xxx` |
The Cloud Run runtime service account needs:
- `roles/bigquery.jobUser` on the project
- dataset write access on the target dataset
- `roles/logging.logWriter` on the project
- `roles/secretmanager.secretAccessor` on the GitHub token secret

The Cloud Scheduler caller service account needs:
- `roles/run.invoker` on the Cloud Run service

The Cloud Scheduler service agent needs:
- `roles/iam.serviceAccountTokenCreator` on the scheduler caller service account
This is required so Scheduler can mint the OIDC token used to call the private Cloud Run service.
```bash
# Authenticate and select the project. PROJECT_ID must already be exported
# (see the variables block below).
gcloud auth login
gcloud config set project "${PROJECT_ID}"
```

```bash
export PROJECT_ID='example-gcp-project'
export REGION='us-central1'
export DATASET='github_access_audit'
export ORG='example-org'
export SERVICE_NAME='github-access-sync'
export SECRET_NAME='github-access-token'
export GH_PAT='your_pat'
```

```bash
cd <repo-dir>
bash scripts/deploy.sh
```

The deployment flow:
- enables required GCP services
- creates the BigQuery dataset if it does not exist
- creates service accounts if they do not exist
- creates or updates the GitHub token secret
- grants required IAM bindings
- deploys the Cloud Run service from source
- creates or updates the Cloud Scheduler job
After deployment, validate the service and job configuration.
```bash
gcloud run services describe "${SERVICE_NAME}" \
  --project "${PROJECT_ID}" \
  --region "${REGION}"
```

```bash
SERVICE_URL="$(gcloud run services describe "${SERVICE_NAME}" \
  --project "${PROJECT_ID}" \
  --region "${REGION}" \
  --format='value(status.url)')"
# A private service rejects anonymous calls; send an identity token from a
# principal that holds roles/run.invoker on the service.
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
  "${SERVICE_URL}/sync"
```

For a private service, use an authenticated call path rather than an anonymous request.

```bash
gcloud scheduler jobs describe "${SCHEDULER_JOB_NAME}" \
  --project "${PROJECT_ID}" \
  --location "${REGION}"
```

```bash
bq ls "${PROJECT_ID}:${DATASET}"
bq query --use_legacy_sql=false "SELECT * FROM \`${PROJECT_ID}.${DATASET}.sync_runs\` ORDER BY started_at DESC LIMIT 5"
```

- keep the service private
- use a dedicated GitHub token for this workload
- review `sync_skipped_items` after failures or unusual volume changes
- monitor `sync_runs.status`, `loaded_rows`, and `skipped_items`
- start with a test organization or non-sensitive dataset before production rollout
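The "keep the service private" recommendation and the Scheduler invoker binding above can be checked together from the service's IAM policy. The following is an added example, not part of the project's scripts: it reads the JSON shape produced by `gcloud run services get-iam-policy SERVICE --region REGION --format=json` and reports any public invoker, any invoker other than the scheduler caller, and a missing scheduler binding. The sample policy and its `etag` value are constructed for the example.

```python
"""Check a Cloud Run service IAM policy for the deployment model above.

Expected state: no public principal holds roles/run.invoker, and the
Cloud Scheduler caller service account is the only invoker.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def check_invoker_policy(policy: dict, scheduler_sa: str) -> list[str]:
    """Return findings for the policy; an empty list means it matches."""
    findings = []
    invokers = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != "roles/run.invoker":
            continue
        if "condition" in binding:
            findings.append("conditional invoker binding present; review it manually")
        invokers.update(binding.get("members", []))
    for principal in sorted(invokers & PUBLIC_PRINCIPALS):
        findings.append(f"service is public: {principal} has roles/run.invoker")
    expected = f"serviceAccount:{scheduler_sa}"
    if expected not in invokers:
        findings.append(f"scheduler caller {scheduler_sa} lacks roles/run.invoker")
    for member in sorted(invokers - PUBLIC_PRINCIPALS - {expected}):
        findings.append(f"unexpected invoker: {member}")
    return findings


# Constructed sample policy: a mis-deployed service that was also opened
# to allUsers. The e-mail uses the example values from the variables table.
SCHEDULER_SA = "github-access-sync-scheduler@example-gcp-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/run.invoker",
     "members": ["allUsers",
                 "serviceAccount:github-access-sync-scheduler@example-gcp-project.iam.gserviceaccount.com"]}
  ],
  "etag": "constructed-etag",
  "version": 1
}
""")

if __name__ == "__main__":
    for finding in check_invoker_policy(SAMPLE_POLICY, SCHEDULER_SA):
        print(finding)
```

To check a real service, pipe the `gcloud ... get-iam-policy --format=json` output into `json.load` and call `check_invoker_policy` with your `SCHEDULER_SA_NAME` account e-mail.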
Symptoms:
- exporter fails during token validation
- no CSV outputs are produced
Action:
- rotate the token
- update the secret
- rerun the sync
Symptoms:
- load job errors
- view refresh errors
Action:
- verify runtime service account IAM
- verify dataset-level access entries
Symptoms:
- job exists but sync never starts
- HTTP auth errors in Scheduler execution logs
Action:
- verify `roles/run.invoker` on the Cloud Run service
- verify the scheduler service agent has token-creator access on the caller service account
Symptoms:
- many skipped items
- partial loads
Action:
- inspect `sync_skipped_items`
- verify token scope and rate limits
- reduce concurrency only if you later redesign the exporter