Scope
This runbook covers thegcp_backend.yml workflow for prod backend deploys. It exists to prevent wedged Cloud Run services where spec.traffic points at a failed revision while status.traffic still serves an older good revision.
Product hotfix code changes are separate from deploy-process fixes. Land deploy hardening on main first; branch product fixes from current main, not stale hotfix forks.
Workflows
Dispatch Deploy Backend to Cloud RUN with:| Input | Values | When to use |
|---|---|---|
mode | deploy (default) | Normal image build + rollout |
mode | repair-traffic-only | Restore spec.traffic to the currently serving revision without deploying |
deploy_targets | all (default) | Cloud Run + GKE (backend-secrets, backend-listen) |
deploy_targets | cloud-run-only | REST/MCP/OAuth router changes that do not touch backend-listen or WebSocket protocol |
Pre-deploy checklist (prod)
Run hermetic checks locally or in CI before dispatch:gcloud auth:
- Confirm the last deploy did not wedge traffic. If unsure, run
mode: repair-traffic-onlyfirst. - Verify runtime env locally:
- For secret bindings in
backend/deploy/runtime_env.yaml, preflight checks Secret Manager before creating revisions:
Deploy flow (mode: deploy)
Prod deploys auto-repairspec.traffic != status.traffic before creating revisions. Traffic shifts only after new revisions are Ready=True.
Traffic repair
If a deploy fails after creating a non-ready revision:- Run
mode: repair-traffic-onlyto alignspec.trafficwithstatus.traffic. - Inspect the workflow summary Cloud Run status report for the exact serving revision and repair command.
- Retry
mode: deployonly after repair succeeds and preflight passes.
Cloud Run-only hotfixes
Usedeploy_targets: cloud-run-only when the change only affects Cloud Run REST services (backend, backend-sync, backend-integration) and does not require:
backend-listenHelm chart changesbackend-secretsExternalSecret changes- WebSocket / listen pipeline changes
gcp_backend_listen_helm.yml instead.
Runtime env source of truth
Cloud Run env and secret bindings are declared inbackend/deploy/runtime_env.yaml and rendered by backend/scripts/render_backend_runtime_env.py. After changing the manifest, run ./scripts/pre-deploy-check.sh.
Prod Cloud Run intentionally omits SERVICE_ACCOUNT_JSON and POSTHOG_PROJECT_API_KEY bindings (#9164): those secrets are absent in prod Secret Manager and the runtime falls back to ADC / disables PostHog telemetry.