Merge pull request #1 from digital-wisdom-ai/add-deploy-workflow

Update deployment workflow

Author: MaitreyaBuddha

.firebaserc

@@ -0,0 +1,9 @@
+{
+  "projects": {
+    "default": "hello-wisdom-staging",
+    "staging": "hello-wisdom-staging",
+    "prod": "hello-wisdom-prod"
+  },
+  "targets": {},
+  "etags": {}
+}

.github/workflows/deploy-functions.yml

@@ -0,0 +1,127 @@
+name: Deploy Python Firebase Functions
+
+on:
+  push:
+    branches:
+      - add-deploy-workflow
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to deploy to'
+        required: true
+        default: 'staging'
+        type: choice
+        options:
+          - staging
+          - prod
+      confirm_prod:
+        description: 'Type "yes" to confirm production deployment'
+        required: false
+        type: string
+
+permissions:
+  contents: read
+
+concurrency:
+  group: deploy-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate production deployment
+        if: ${{ github.event.inputs.environment == 'prod' }}
+        run: |
+          if [[ "${{ github.event.inputs.confirm_prod }}" != "yes" ]]; then
+            echo "::error::Production deployment requires explicit confirmation. Please type 'yes' in the confirm_prod field."
+            exit 1
+          fi
+
+      - name: Set up Node.js for Firebase CLI
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20'
+
+      - name: Install Firebase CLI
+        run: |
+          npm install -g firebase-tools
+          firebase --version
+
+      - name: Install uv package manager
+        uses: astral-sh/setup-uv@v5
+        with:
+          version: "0.6.4"
+
+      - name: Install Python 3.11 with uv
+        run: uv python install 3.11
+  
+      - name: Use uv to install dependencies in /functions/venv
+        working-directory: functions
+        run: |
+          uv venv venv --python 3.11
+          source venv/bin/activate
+          uv pip install --upgrade pip
+          uv sync --active
+          uv pip freeze > requirements.txt
+          deactivate
+
+      # Store key in the runner's environment variable to persist across steps
+      - name: Authenticate with GCP service account key
+        env:
+          SERVICE_ACCOUNT_JSON: ${{ github.event.inputs.environment == 'prod' && secrets.FIREBASE_PROD_SERVICE_ACCOUNT || secrets.FIREBASE_STAGING_SERVICE_ACCOUNT }}
+        run: |
+          echo "$SERVICE_ACCOUNT_JSON" > service-account.json
+          echo "GOOGLE_APPLICATION_CREDENTIALS=service-account.json" >> $GITHUB_ENV
+
+      - name: Authenticate GitHub Actions service account
+        run: |
+          gcloud auth activate-service-account --key-file=service-account.json
+
+      - name: Verify service account ADC (Debug)
+        run: |
+          gcloud config get-value account
+          gcloud auth list
+
+      - name: Verify Enabled APIs (Debug)
+        run: |
+          gcloud services list --enabled --project=${{ github.event.inputs.environment == 'prod' && 'hello-wisdom-prod' || 'hello-wisdom-staging' }}
+
+      - name: List Firebase Projects (Debug Mode)
+        run: firebase projects:list --debug
+
+      - name: Verify Service Account IAM Policy (Debug)
+        run: |
+          PROJECT_ID=${{ github.event.inputs.environment == 'prod' && 'hello-wisdom-prod' || 'hello-wisdom-staging' }}
+          echo "Verifying IAM policy for project: $PROJECT_ID"
+          gcloud projects get-iam-policy $PROJECT_ID --format=json
+
+      - name: Select Firebase Project
+        id: select_project
+        run: |
+          if [ "${{ github.event.inputs.environment }}" = "prod" ]; then
+            firebase use prod --non-interactive
+          else
+            firebase use staging --non-interactive
+          fi
+
+      - name: Deploy Firebase Functions (Debug Mode)
+        run: firebase deploy --only functions --debug
+
+      - name: Post-deployment summary
+        env:
+          ENVIRONMENT: ${{ github.event.inputs.environment }}
+          TRIGGER: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref_name }}
+        run: |
+          echo "### Deployment Summary 🚀" >> $GITHUB_STEP_SUMMARY
+          echo "* **Environment**: $ENVIRONMENT" >> $GITHUB_STEP_SUMMARY
+          echo "* **Trigger**: $TRIGGER" >> $GITHUB_STEP_SUMMARY
+          echo "* **Branch/Ref**: $REF_NAME" >> $GITHUB_STEP_SUMMARY
+    
+      - name: Cleanup credentials
+        if: always()
+        run: rm -f service-account.json

.gitignore

@@ -0,0 +1,71 @@
+.DS_Store
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+firebase-debug.log*
+firebase-debug.*.log*
+
+# Firebase cache
+.firebase/
+
+# Firebase config
+
+# Uncomment this if you'd like others to create their own Firebase project.
+# For a team working on the same Firebase project(s), it is recommended to leave
+# it commented so all members can deploy to the same project(s) in .firebaserc.
+# .firebaserc
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (http://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variables file
+.env
+
+# dataconnect generated files
+.dataconnect

README.md

@@ -1 +1,65 @@
-# firebase_deploy_python
+# Deploy Python Firebase Functions with GitHub Actions
+This project contains a sample workflow for automating the deployment of a Python Firebase Function with GitHub Actions. The Firebase files and Python code deploy a simple hello world function with Flask as a Firebase serverless Function. Note that Python 3.11 is the latest version supported by Python Firebase Functions v2 as of April 2025.
+
+# GitHub Actions Trigger
+The action is triggered from any push to the feature branch `add-deploy-workflow` or a manual trigger. The default for the feature branch is `staging`. The manual trigger allows the user to select a GitHub branch and Firebase alias `staging`/`prod`.
+
+# Python package manager
+The project uses `uv`, a modern package manager, which creates a virtual environment named `.venv`. Firebase expects a virtual environment named `venv` with `pip` installed. We can use `uv` commands to do so. Note that we are running `uv sync` with the `--active` flag because we need to maintain two virtual environments: `venv` for Firebase and the default `.venv` for uv.
+
+# GCP Service Account
+Deployment depends upon a Google Cloud service account for authentication. Set this up in the GCP console by creating a dedicated service account for GitHub Actions. You'll need to do this for each Firebase project.
+
+GCP console > IAM & Admin > Service Accounts > Create Service Account
+Name: github-actions-deploy-staging
+Description: Deploy to Firebase with GitHub Actions
+Roles:
+- Firebase Admin SDK Admin
+- Cloud Functions Admin
+- Service Account User
+Skip granting users access and click Done.
+
+Alternatively, use `gcloud` CLI for each project:
+
+`gcloud config set project PROJECT_ID`
+
+`gcloud iam service-accounts create github-actions-deploy \`
+`  --description="Deploy to Firebase project with GitHub Actions" \`
+
+`gcloud projects add-iam-policy-binding $(gcloud config get-value project) \`
+`  --member="serviceAccount:github-actions-deploy@$(gcloud config get-value project).iam.gserviceaccount.com" \`
+`  --role="roles/firebase.admin"`
+
+`gcloud projects add-iam-policy-binding $(gcloud config get-value project) \`
+`  --member="serviceAccount:github-actions-deploy@$(gcloud config get-value project).iam.gserviceaccount.com" \`
+`  --role="roles/cloudfunctions.admin"`
+
+`gcloud projects add-iam-policy-binding $(gcloud config get-value project) \`
+`  --member="serviceAccount:github-actions-deploy@$(gcloud config get-value project).iam.gserviceaccount.com" \`
+`  --role="roles/iam.serviceAccountUser"`
+
+`gcloud projects add-iam-policy-binding $(gcloud config get-value project) \`
+`  --member="serviceAccount:github-actions-deploy@$(gcloud config get-value project).iam.gserviceaccount.com" \`
+`  --role="roles/serviceusage.serviceUsageConsumer"`
+
+`gcloud projects add-iam-policy-binding $(gcloud config get-value project) \`
+`  --member="serviceAccount:github-actions-deploy@$(gcloud config get-value project).iam.gserviceaccount.com" \`
+`  --role="roles/cloudruntimeconfig.admin"`
+
+# GCP Authentication Keys
+Each Firebase project requires a service account key. Download keys from Google and remember to exclude them from version control.
+
+Store the keys as secrets in your repo:
+GitHub repo → Settings → Secrets and variables → Actions
+FIREBASE_PROD_SERVICE_ACCOUNT
+FIREBASE_STAGING_SERVICE_ACCOUNT
+
+Alternatively, use GitHub CLI:
+`gh secret set FIREBASE_STAGING_SERVICE_ACCOUNT --repo user/repo-name < key-staging.json`
+`gh secret set FIREBASE_PROD_SERVICE_ACCOUNT --repo user/repo-name < key-prod.json`
+
+# Firebase CLI
+It’s important to use the latest version of `firebase-tools`, which will automatically enable the correct APIs for the Python Firebase Function in the corresponding GCP project.
+
+# Debugging and Credential Verification
+The steps labeled (Debug) are for debugging, verifying credentials, and checking settings, so they can be omitted. The `firebase deploy` command uses a `--debug` flag that isn't strictly necessary. The GitHub Actions workflow would run faster without the debugging steps and flags.

firebase.json

@@ -0,0 +1,21 @@
+{
+  "functions": [
+    {
+      "source": "functions",
+      "runtime": "python311",
+      "codebase": "default"
+    }
+  ],
+  "emulators": {
+    "functions": {
+      "port": 5001
+    },
+    "auth": {
+      "port": 9099
+    },
+    "ui": {
+      "enabled": true
+    },
+    "singleProjectMode": true
+  }
+}

functions/.gitignore

@@ -0,0 +1,34 @@
+*.local
+.python-version
+
+# Python
+*.pyc
+*.pyo
+__pycache__/
+venv/
+
+# pyproject.toml is the source of truth
+requirements.txt
+
+# uv
+.uv/
+.venv/
+
+# Firebase
+firebase-debug.log
+firebase-debug.*.log
+.runtimeconfig.json
+.firebase/
+
+*.log
+.DS_Store
+Thumbs.db
+.vscode/
+.idea/
+dist/
+build/
+node_modules/
+
+# As a failsafe
+.env
+service-account.json

functions/main.py

@@ -0,0 +1,20 @@
+# Welcome to Cloud Functions for Firebase for Python!
+# Deploy with `firebase deploy`
+
+from firebase_functions import https_fn #version 0.1.2
+from flask import Flask #version 3.1.0
+
+app = Flask(__name__)
+
+@app.route('/')
+def hello_dw():
+    return "Hello, Digital Wisdom!"
+
+@https_fn.on_request(
+    memory=512,
+    timeout_sec=60,
+    max_instances=1
+)
+def simple_function(req: https_fn.Request) -> https_fn.Response:
+    with app.request_context(req.environ):
+        return app.full_dispatch_request()

functions/pyproject.toml

@@ -0,0 +1,9 @@
+[project]
+name = "functions"
+version = "0.1.0"
+requires-python = ">=3.10,<3.12"  # Firebase Functions support 3.10 and 3.11
+dependencies = [
+    "firebase-admin>=6.7.0",
+    "firebase-functions>=0.1.2",
+    "flask>=3.1.0",
+]