We use cookies to understand how people use Depot.
Container Builds

Google Cloud Build

Authentication

For Google Cloud Build, you can use project or user access tokens for authenticating your build with Depot. We recommend using project tokens as they are scoped to the specific project and are owned by the organization.

Project token

You can inject project access tokens into the Cloud Build environment for depot CLI authentication. Project tokens are tied to a specific project in your organization and not a user.

User access token

You can also inject a user access token into the Cloud Build environment for depot CLI authentication. User tokens are tied to a specific user and not a project. Therefore, it can be used to build all projects across all organizations that the user has access.

Configuration

To build a Docker image from Google Cloud Build, you must set the DEPOT_TOKEN environment variable by injecting it from Secrets Manager.

We publish a container image of the depot CLI that you can use to run Docker builds from your existing Cloud Build config file.

steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN

Examples

Build multi-platform images natively without emulation

This example shows how you can use the --platform flag to build a multi-platform image for Intel and Arm architectures natively without emulation.

steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - --platform
      - linux/amd64,linux/arm64
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN

Build and push to Artifact Registry

This example demonstrates how you can use the depot/cli image inside of Cloud Build to build and push a Docker image to an Artifact Registry in the same GCP project.

steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - -t
      - us-docker.pkg.dev/$PROJECT_ID/<your-registry>/<your-image>:$COMMIT_SHA
      - --push
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN

Build and load the image back for testing

You can use the --load flag to download the built container image into the workflow.

steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - --load
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN

Build, push, and load the image back in one command

You can simultaneously push the built image to a registry and load it back into the CI job by using the --load and --push flag together.

steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - -t
      - us-docker.pkg.dev/$PROJECT_ID/<your-registry>/<your-image>:$COMMIT_SHA
      - --push
      - --load
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN