Django Migration from Github actions

Question

Hello I have a database in Google Cloud Platform and I am trying to figure out how to run a django migration from github actions once I have deployed my app to GCP's App engine.

I have tried using cloud_sql_proxy, but cannot get it to connect to my database. I would whitelist github actions ip address but I am not really sure what the ip addresses is either.

Here is the config I currently have:

name: deploy-app-to-gcp
on:
  push:
    branches: [ main]
    paths:
      - '**'
jobs:
  migrate:
    name: Migrate Database
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - name: get env file
        run: echo "${{secrets.ENV_FILE}}" | base64 --decode > ./env_variables.yaml
      - name: Set up Python 3.9
        uses: actions/setup-python@v2
        with:
          python-version: 3.9
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
      - name: Get Cloud SQL Proxy
        run: |
          wget https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 -O cloud_sql_proxy
          chmod +x cloud_sql_proxy
      - name: migrate Database
        env:
          DATABASE_CONNECTION_ADDRESS: 127.0.0.1
        run: |
          pip install ruamel.yaml
          set -a; eval $(python -c 'from pathlib import Path;from ruamel.yaml import YAML; print( "".join( [f"{k}={v!r}\n" for k, v in YAML().load(Path("env_variables.yaml"))["env_variables"].items() if not k.__eq__("DATABASE_CONNECTION_ADDRESS")] ) )'); set +a
          ./cloud_sql_proxy -instances=com-cjoshmartin:us-central1:cms-db=tcp:5432 &
          python manage.py migrate
          exit 0;

Answer 1

To make the Cloud SQL Proxy work from GitHub actions, you'll need some form of credentials present in the environment. See the README for details.

Another option would be to enable Workload Identity Federation and use the auth action, although this approach requires a lot more setup.

Answer 2

Based on @enocom's answer I was able to perform the migrations I wanted by using the Cloud SQL Proxy and setting the path to the credentials file.

Here is what I changed:

Saving the GCloud credentials to a json file

#...
      - name: get env file
        run: |
          echo "${{secrets.ENV_FILE}}" | base64 --decode > ./env_variables.yaml
          echo "${{secrets.GCLOUD_GITHUB_CREDENTIALS}}" | base64 --decode > ./secrets.json

#...

using the cloud sql proxy with the secret file

./cloud_sql_proxy -instances=com-cjoshmartin:us-central1:cms-db=tcp:5432 -credential_file secrets.json &