Add update_strategy for envvars and secrets (#523)

The default behavior remains to merge (--update), but setting the
update_strategy to "overwrite" will set all values.

Closes #522

Author: sethvargo

.github/workflows/integration.yml

@@ -21,7 +21,6 @@ permissions:
 
 jobs:
   deploy:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
     runs-on: 'ubuntu-latest'
 
     strategy:
@@ -44,7 +43,7 @@ jobs:
 
       - uses: 'actions/setup-node@v4'
         with:
-          node-version: '20.x'
+          node-version: '20.12.x' # https://github.com/nodejs/node/issues/53033
 
       - run: 'npm ci && npm run build'
 
@@ -111,7 +110,9 @@ jobs:
           env_vars: |-
             ABC=123
             DEF=456
+          env_vars_update_strategy: 'overwrite'
           secrets: /api/secrets/my-secret=${{ vars.SECRET_NAME }}:latest
+          secrets_update_strategy: 'overwrite'
 
       - name: 'Run re-deploy tests'
         run: 'npm run e2e-tests'
@@ -120,18 +121,11 @@ jobs:
           SERVICE: '${{ env.SERVICE_NAME }}'
           ENV: |-
             {
-              "FOO": "bar",
-              "ZIP": "zap,with|separators,and&stuff",
-              "TEXT_FOO": "bar",
-              "TEXT_ZIP": "zap,with|separators,and&stuff",
               "ABC": "123",
               "DEF": "456"
             }
           SECRET_ENV: |-
-            {
-              "MY_SECRET": "${{ vars.SECRET_NAME }}:latest",
-              "MY_SECOND_SECRET": "${{ vars.SECRET_NAME }}:1"
-            }
+            {}
           SECRET_VOLUMES: |-
             {
               "/api/secrets/my-secret": "${{ vars.SECRET_NAME }}:latest"
@@ -151,7 +145,6 @@ jobs:
           REVISION_COUNT: 2
 
   metadata:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
     runs-on: 'ubuntu-latest'
 
     steps:
@@ -167,7 +160,7 @@ jobs:
 
       - uses: 'actions/setup-node@v4'
         with:
-          node-version: '20.x'
+          node-version: '20.12.x' # https://github.com/nodejs/node/issues/53033
 
       - run: 'npm ci && npm run build'
 
@@ -227,7 +220,6 @@ jobs:
           REVISION_COUNT: 2
 
   jobs:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
     runs-on: 'ubuntu-latest'
 
     steps:
@@ -239,7 +231,7 @@ jobs:
 
       - uses: 'actions/setup-node@v4'
         with:
-          node-version: '20.x'
+          node-version: '20.12.x' # https://github.com/nodejs/node/issues/53033
 
       - run: 'npm ci && npm run build'
 
@@ -299,6 +291,7 @@ jobs:
           env_vars: |-
             ABC=123
             DEF=456
+          env_vars_update_strategy: 'overwrite'
           secrets: /api/secrets/my-secret=${{ vars.SECRET_NAME }}:latest
 
       - name: 'Run re-deploy tests'
@@ -308,10 +301,6 @@ jobs:
           JOB: '${{ env.JOB_NAME }}'
           ENV: |-
             {
-              "FOO": "bar",
-              "ZIP": "zap,with|separators,and&stuff",
-              "TEXT_FOO": "bar",
-              "TEXT_ZIP": "zap,with|separators,and&stuff",
               "ABC": "123",
               "DEF": "456"
             }

README.md

@@ -92,61 +92,46 @@ jobs:
     specifying 'v1' for a service named 'helloworld', would lead to a revision
     named 'helloworld-v1'. The default value is no suffix.
 
--   `env_vars`: (Optional) List of key=value pairs to set as environment
-    variables. All existing environment variables will be retained. If both
-    `env_vars` and `env_vars_file` are specified, the keys in `env_vars` will take
-    precendence over the keys in `env_vars_files`.
+-   `env_vars`, `env_vars_file`, and `env_vars_update_strategy`: (Optional)
+    These values define environment variables and their update strategy.
 
-    ```yaml
-    with:
-      env_vars: |
-        FOO=bar
-        ZIP=zap
-    ```
-
-    Entries are separated by commas (`,`) and newline characters. Keys and
-    values are separated by `=`. To use `,`, `=`, or newline characters, escape
-    them with a backslash:
+    `env_vars` is specified as comma-separated or newline-separated key-value
+    pairs, with special characters escaped using a backslash.
 
     ```yaml
     with:
       env_vars: |
+        NAME=person
         EMAILS=foo@bar.com\,zip@zap.com
     ```
 
--   `env_vars_file`: (Optional) Path to a file on disk, relative to the
-    workspace, that defines environment variables. The file can be
-    newline-separated KEY=VALUE pairs, JSON, or YAML format. If both `env_vars`
-    and `env_vars_file` are specified, the keys in env_vars will take
-    precendence over the keys in env_vars_files.
+    `env_vars_file` is the path to a file on disk relative to the workspace that
+    defines newline-separated KEY=VALUE pairs, JSON, or YAML.
 
     ```text
-    FOO=bar
-    ZIP=zap
+    NAME=person
+    EMAILS=foo@bar.com\,zip@zap.com
     ```
 
-    or
-
-    ```json
-    {
-      "FOO": "bar",
-      "ZIP": "zap"
-    }
-    ```
+    If both `env_vars` and `env_vars_file` are specified, they are merged and
+    the values from `env_vars` will take precedence on conflict.
 
-    or
+    `env_vars_update_strategy` controls how the environment variables are set on
+    the Cloud Run service. If `env_vars_update_strategy` is set to "merge", then
+    the environment variables are _merged_ with any upstream values. If set to
+    "overwrite", then all environment variables on the Cloud Run service will be
+    replaced with exactly the values given by the GitHub Action (making it
+    authoritative). The default value is "merge".
 
     ```yaml
-    FOO: 'bar'
-    ZIP: 'zap'
+    with:
+      env_vars_update_strategy: 'overwrite'
     ```
 
-    When specified as KEY=VALUE pairs, the same escaping rules apply as
-    described in `env_vars`. You do not have to escape YAML or JSON.
-
--   `secrets`: (Optional) List of key=value pairs to use as secrets. These can
-    either be injected as environment variables or mounted as volumes. All
-    existing environment secrets and volume mounts will be retained.
+-   `secrets`, `secrets_update_strategy`: (Optional) List of key=value pairs to
+    use as secrets. These can either be injected as environment variables or
+    mounted as volumes. All existing environment secrets and volume mounts will
+    be retained.
 
     ```yaml
     with:
@@ -161,6 +146,18 @@ jobs:
     The same rules apply for escaping entries as from `env_vars`, but Cloud Run
     is more restrictive with allowed keys and names for secrets.
 
+    `secrets_update_strategy` controls how the secrets are set on the Cloud Run
+    service. If `secrets_update_strategy` is set to "merge", then the secrets
+    are _merged_ with any upstream values. If set to "overwrite", then all
+    secrets on the Cloud Run service will be replaced with exactly the values
+    given by the GitHub Action (making it authoritative). The default value is
+    "merge".
+
+    ```yaml
+    with:
+      secrets_update_strategy: 'overwrite'
+    ```
+
 -   `labels`: (Optional) List of key=value pairs to set as labels on the Cloud
     Run service. Existing labels will be overwritten.
 

action.yml

@@ -111,6 +111,16 @@ inputs:
       described in `env_vars`. You do not have to escape YAML or JSON.
     required: false
 
+  env_vars_update_strategy:
+    description: |-
+      (Optional) Controls how the environment variables are set on the Cloud Run
+      service. If set to "merge", then the environment variables are merged with
+      any upstream values. If set to "overwrite", then all environment variables
+      on the Cloud Run service will be replaced with exactly the values given by
+      the GitHub Action (making it authoritative).
+    required: true
+    default: 'merge'
+
   secrets:
     description: |-
       (Optional) List of key=value pairs to use as secrets. These can either be
@@ -129,6 +139,16 @@ inputs:
       Run is more restrictive with allowed keys and names for secrets.
     required: false
 
+  secrets_update_strategy:
+    description: |-
+      (Optional) Controls how the secrets are set on the Cloud Run service. If
+      set to "merge", then the secrets are merged with any upstream values. If
+      set to "overwrite", then all secrets on the Cloud Run service will be
+      replaced with exactly the values given by the GitHub Action (making it
+      authoritative).
+    required: true
+    default: 'merge'
+
   labels:
     description: |-
       (Optional) List of key=value pairs to set as labels on the Cloud