For Google Cloud Build, you can use project or user access tokens for authenticating your build with Depot. We recommend using project tokens as they are scoped to the specific project and are owned by the organization.
You can inject project access tokens into the Cloud Build environment for `depot` CLI authentication. Project tokens are tied to a specific project in your organization and not a user.

You can also inject a user access token into the Cloud Build environment for `depot` CLI authentication. User tokens are tied to a specific user and not a project. Therefore, a user token can be used to build all projects across all organizations that the user has access to.
To build a Docker image from Google Cloud Build, you must set the `DEPOT_TOKEN` environment variable by injecting it from Secret Manager.

We publish a container image of the `depot` CLI that you can use to run Docker builds from your existing Cloud Build config file.

```yaml
steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN
```

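The following is an added example, not part of Depot's documentation: a small Python check that a Cloud Build config supplies `DEPOT_TOKEN` to `depot` CLI steps through `secretEnv` and `availableSecrets` rather than a plaintext `env` entry. The function name, the sample configs (written as JSON, which Cloud Build also accepts) and the placeholder token value are constructed for illustration.

```python
import json

DEPOT_IMAGE = "ghcr.io/depot/cli"  # image name used in the configs on this page

def check_depot_token(config):
    """Return findings about how DEPOT_TOKEN reaches each depot CLI step."""
    findings = []
    secrets = config.get("availableSecrets", {}).get("secretManager", [])
    declared = {s.get("env") for s in secrets}
    for i, step in enumerate(config.get("steps", [])):
        if not step.get("name", "").startswith(DEPOT_IMAGE):
            continue
        label = step.get("id", f"step {i}")
        # A value written into `env` is stored in clear text in the build config.
        for entry in step.get("env", []):
            if entry.split("=", 1)[0] == "DEPOT_TOKEN":
                findings.append(f"{label}: DEPOT_TOKEN set in plaintext env")
        if "DEPOT_TOKEN" not in step.get("secretEnv", []):
            findings.append(f"{label}: DEPOT_TOKEN missing from secretEnv")
        elif "DEPOT_TOKEN" not in declared:
            findings.append(f"{label}: DEPOT_TOKEN not declared in availableSecrets")
    return findings

# Constructed sample: mirrors the first config on this page, as JSON.
GOOD = json.loads("""
{"steps": [{"name": "ghcr.io/depot/cli:latest", "id": "Build with Depot",
            "args": ["build", "--project", "<YOUR_PROJECT_ID>", "."],
            "secretEnv": ["DEPOT_TOKEN"]}],
 "availableSecrets": {"secretManager": [{
    "versionName": "projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest",
    "env": "DEPOT_TOKEN"}]}}
""")

# Constructed sample: token hard-coded in env (placeholder value, not a real token).
BAD = json.loads("""
{"steps": [{"name": "ghcr.io/depot/cli:latest", "id": "Build with Depot",
            "args": ["build", "--project", "<YOUR_PROJECT_ID>", "."],
            "env": ["DEPOT_TOKEN=PLACEHOLDER_NOT_A_REAL_TOKEN"]}]}
""")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_depot_token(cfg))
```
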
This example shows how you can use the `--platform` flag to build a multi-platform image for Intel and Arm architectures natively without emulation.

```yaml
steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - --platform
      - linux/amd64,linux/arm64
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN
```

This example demonstrates how you can use the `depot/cli` image inside Cloud Build to build and push a Docker image to an Artifact Registry repository in the same GCP project.

```yaml
steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - -t
      - us-docker.pkg.dev/$PROJECT_ID/<your-registry>/<your-image>:$COMMIT_SHA
      - --push
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN
```

You can use the `--load` flag to download the built container image into the workflow.

```yaml
steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - --load
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN
```

You can simultaneously push the built image to a registry and load it back into the CI job by using the `--load` and `--push` flags together.

```yaml
steps:
  - name: ghcr.io/depot/cli:latest
    id: Build with Depot
    args:
      - build
      - --project
      - <YOUR_PROJECT_ID>
      - -t
      - us-docker.pkg.dev/$PROJECT_ID/<your-registry>/<your-image>:$COMMIT_SHA
      - --push
      - --load
      - .
    secretEnv: ['DEPOT_TOKEN']
availableSecrets:
  secretManager:
    - versionName: projects/<your-gcp-project>/secrets/<your-depot-token-secret-name>/versions/latest
      env: DEPOT_TOKEN
```