agent-starter-pack 0.9.2__py3-none-any.whl → 0.10.0__py3-none-any.whl

src/base_template/deployment/terraform/github.tf

@@ -0,0 +1,284 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+provider "github" {
+  owner = var.repository_owner
+}
+
+# Try to get existing repo
+data "github_repository" "existing_repo" {
+  count = var.create_repository ? 0 : 1
+  full_name = "${var.repository_owner}/${var.repository_name}"
+}
+
+# Only create GitHub repo if create_repository is true
+resource "github_repository" "repo" {
+  count       = var.create_repository ? 1 : 0
+  name        = var.repository_name
+  description = "Repository created with goo.gle/agent-starter-pack"
+  visibility  = "private"
+
+  has_issues      = true
+  has_wiki        = false
+  has_projects    = false
+  has_downloads   = false
+
+  allow_merge_commit = true
+  allow_squash_merge = true
+  allow_rebase_merge = true
+  
+  auto_init = false
+}
+
+{% if cookiecutter.cicd_runner == 'github_actions' %}
+resource "github_actions_variable" "gcp_project_number" {
+  repository    = var.repository_name
+  variable_name = "GCP_PROJECT_NUMBER"
+  value         = data.google_project.cicd_project.number
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_secret" "wif_pool_id" {
+  repository      = var.repository_name
+  secret_name     = "WIF_POOL_ID"
+  plaintext_value = google_iam_workload_identity_pool.github_pool.workload_identity_pool_id
+  depends_on      = [github_repository.repo, data.github_repository.existing_repo]
+}
+
+resource "github_actions_secret" "wif_provider_id" {
+  repository      = var.repository_name
+  secret_name     = "WIF_PROVIDER_ID"
+  plaintext_value = google_iam_workload_identity_pool_provider.github_provider.workload_identity_pool_provider_id
+  depends_on      = [github_repository.repo, data.github_repository.existing_repo]
+}
+
+resource "github_actions_secret" "gcp_service_account" {
+  repository      = var.repository_name
+  secret_name     = "GCP_SERVICE_ACCOUNT"
+  plaintext_value = google_service_account.cicd_runner_sa.email
+  depends_on      = [github_repository.repo, data.github_repository.existing_repo]
+}
+
+resource "github_actions_variable" "staging_project_id" {
+  repository    = var.repository_name
+  variable_name = "STAGING_PROJECT_ID"
+  value         = var.staging_project_id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "prod_project_id" {
+  repository    = var.repository_name
+  variable_name = "PROD_PROJECT_ID"
+  value         = var.prod_project_id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "region" {
+  repository    = var.repository_name
+  variable_name = "REGION"
+  value         = var.region
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "cicd_project_id" {
+  repository    = var.repository_name
+  variable_name = "CICD_PROJECT_ID"
+  value         = var.cicd_runner_project_id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "bucket_name_load_test_results" {
+  repository    = var.repository_name
+  variable_name = "BUCKET_NAME_LOAD_TEST_RESULTS"
+  value         = google_storage_bucket.bucket_load_test_results.name
+  depends_on    = [github_repository.repo]
+}
+
+{% if cookiecutter.deployment_target == 'cloud_run' %}
+resource "github_actions_variable" "container_name" {
+  repository    = var.repository_name
+  variable_name = "CONTAINER_NAME"
+  value         = var.project_name
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "artifact_registry_repo_name" {
+  repository    = var.repository_name
+  variable_name = "ARTIFACT_REGISTRY_REPO_NAME"
+  value         = google_artifact_registry_repository.repo-artifacts-genai.repository_id
+  depends_on    = [github_repository.repo]
+}
+{% endif %}
+
+{% if cookiecutter.data_ingestion %}
+resource "github_actions_variable" "pipeline_gcs_root_staging" {
+  repository    = var.repository_name
+  variable_name = "PIPELINE_GCS_ROOT_STAGING"
+  value         = "gs://${google_storage_bucket.data_ingestion_pipeline_gcs_root["staging"].name}"
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "pipeline_gcs_root_prod" {
+  repository    = var.repository_name
+  variable_name = "PIPELINE_GCS_ROOT_PROD"
+  value         = "gs://${google_storage_bucket.data_ingestion_pipeline_gcs_root["prod"].name}"
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "pipeline_sa_email_staging" {
+  repository    = var.repository_name
+  variable_name = "PIPELINE_SA_EMAIL_STAGING"
+  value         = google_service_account.vertexai_pipeline_app_sa["staging"].email
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "pipeline_sa_email_prod" {
+  repository    = var.repository_name
+  variable_name = "PIPELINE_SA_EMAIL_PROD"
+  value         = google_service_account.vertexai_pipeline_app_sa["prod"].email
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "pipeline_name" {
+  repository    = var.repository_name
+  variable_name = "PIPELINE_NAME"
+  value         = var.project_name
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "pipeline_cron_schedule" {
+  repository    = var.repository_name
+  variable_name = "PIPELINE_CRON_SCHEDULE"
+  value         = var.pipeline_cron_schedule
+  depends_on    = [github_repository.repo]
+}
+
+{% if cookiecutter.datastore_type == "vertex_ai_search" %}
+resource "github_actions_variable" "data_store_id_staging" {
+  repository    = var.repository_name
+  variable_name = "DATA_STORE_ID_STAGING"
+  value         = google_discovery_engine_data_store.data_store_staging.data_store_id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "data_store_id_prod" {
+  repository    = var.repository_name
+  variable_name = "DATA_STORE_ID_PROD"
+  value         = google_discovery_engine_data_store.data_store_prod.data_store_id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "data_store_region" {
+  repository    = var.repository_name
+  variable_name = "DATA_STORE_REGION"
+  value         = var.data_store_region
+  depends_on    = [github_repository.repo]
+}
+{% elif cookiecutter.datastore_type == "vertex_ai_vector_search" %}
+resource "github_actions_variable" "vector_search_index_staging" {
+  repository    = var.repository_name
+  variable_name = "VECTOR_SEARCH_INDEX_STAGING"
+  value         = google_vertex_ai_index.vector_search_index_staging.id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "vector_search_index_prod" {
+  repository    = var.repository_name
+  variable_name = "VECTOR_SEARCH_INDEX_PROD"
+  value         = google_vertex_ai_index.vector_search_index_prod.id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "vector_search_index_endpoint_staging" {
+  repository    = var.repository_name
+  variable_name = "VECTOR_SEARCH_INDEX_ENDPOINT_STAGING"
+  value         = google_vertex_ai_index_endpoint.vector_search_index_endpoint_staging.id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "vector_search_index_endpoint_prod" {
+  repository    = var.repository_name
+  variable_name = "VECTOR_SEARCH_INDEX_ENDPOINT_PROD"
+  value         = google_vertex_ai_index_endpoint.vector_search_index_endpoint_prod.id
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "vector_search_bucket_staging" {
+  repository    = var.repository_name
+  variable_name = "VECTOR_SEARCH_BUCKET_STAGING"
+  value         = google_storage_bucket.vector_search_data_bucket["staging"].url
+  depends_on    = [github_repository.repo]
+}
+
+resource "github_actions_variable" "vector_search_bucket_prod" {
+  repository    = var.repository_name
+  variable_name = "VECTOR_SEARCH_BUCKET_PROD"
+  value         = google_storage_bucket.vector_search_data_bucket["prod"].url
+  depends_on    = [github_repository.repo]
+}
+{% endif %}
+{% endif %}
+
+resource "github_repository_environment" "production_environment" {
+  repository  = var.repository_name
+  environment = "production"
+  depends_on  = [github_repository.repo, data.github_repository.existing_repo]
+
+  deployment_branch_policy {
+    protected_branches     = false
+    custom_branch_policies = true
+  }
+}
+{% else %}
+
+# Reference existing GitHub PAT secret created by gcloud CLI
+data "google_secret_manager_secret" "github_pat" {
+  project   = var.cicd_runner_project_id
+  secret_id = var.github_pat_secret_id
+}
+
+# Create the GitHub connection (fallback for manual Terraform usage)
+resource "google_cloudbuildv2_connection" "github_connection" {
+  count      = var.create_cb_connection ? 0 : 1
+  project    = var.cicd_runner_project_id
+  location   = var.region
+  name       = var.host_connection_name
+
+  github_config {
+    app_installation_id = var.github_app_installation_id
+    authorizer_credential {
+      oauth_token_secret_version = "${data.google_secret_manager_secret.github_pat.id}/versions/latest"
+    }
+  }
+  depends_on = [resource.google_project_service.cicd_services, resource.google_project_service.deploy_project_services]
+}
+
+
+resource "google_cloudbuildv2_repository" "repo" {
+  project  = var.cicd_runner_project_id
+  location = var.region
+  name     = var.repository_name
+  
+  # Use existing connection ID when it exists, otherwise use the created connection
+  parent_connection = var.create_cb_connection ? "projects/${var.cicd_runner_project_id}/locations/${var.region}/connections/${var.host_connection_name}" : google_cloudbuildv2_connection.github_connection[0].id
+  remote_uri       = "https://github.com/${var.repository_owner}/${var.repository_name}.git"
+  depends_on = [
+    resource.google_project_service.cicd_services,
+    resource.google_project_service.deploy_project_services,
+    data.github_repository.existing_repo,
+    github_repository.repo,
+    google_cloudbuildv2_connection.github_connection,
+  ]
+}
+{% endif %}

src/base_template/deployment/terraform/providers.tf

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+
 terraform {
   required_version = ">= 1.0.0"
   required_providers {
@@ -19,6 +20,10 @@ terraform {
       source  = "hashicorp/google"
       version = "< 7.0.0"
     }
+    github = {
+      source  = "integrations/github"
+      version = "~> 6.5.0"
+    }
   }
 }
 

src/base_template/deployment/terraform/variables.tf

@@ -40,8 +40,9 @@ variable "region" {
 }
 
 variable "host_connection_name" {
-  description = "Name of the host connection you created in Cloud Build"
+  description = "Name of the host connection to create in Cloud Build"
   type        = string
+  default     = "{{ cookiecutter.project_name }}-github-connection"
 }
 
 variable "repository_name" {
@@ -186,3 +187,41 @@ variable "vector_search_machine_type" {
 }
 {% endif %}
 {% endif %}
+variable "repository_owner" {
+  description = "Owner of the Git repository - username or organization"
+  type        = string
+}
+{% if cookiecutter.cicd_runner == "github_actions" %}
+
+
+variable "create_repository" {
+  description = "Flag indicating whether to create a new Git repository"
+  type        = bool
+  default     = false
+}
+{% else %}
+variable "github_app_installation_id" {
+  description = "GitHub App Installation ID for Cloud Build"
+  type        = string
+  default     = null
+}
+
+
+variable "github_pat_secret_id" {
+  description = "GitHub PAT Secret ID created by gcloud CLI"
+  type        = string
+  default     = null
+}
+
+variable "create_cb_connection" {
+  description = "Flag indicating if a Cloud Build connection already exists"
+  type        = bool
+  default     = false
+}
+
+variable "create_repository" {
+  description = "Flag indicating whether to create a new Git repository"
+  type        = bool
+  default     = false
+}
+{% endif %}

src/base_template/deployment/terraform/vars/env.tfvars

@@ -10,11 +10,13 @@ staging_project_id = "your-staging-project-id"
 # Your Google Cloud project ID that will be used to host the Cloud Build pipelines.
 cicd_runner_project_id = "your-cicd-project-id"
 
+{%- if cookiecutter.cicd_runner == "google_cloud_build" %}
 # Name of the host connection you created in Cloud Build
 host_connection_name = "git-{{cookiecutter.project_name}}"
+{%- endif %}
 
 # Name of the repository you added to Cloud Build
-repository_name = "repo-{{cookiecutter.project_name}}"
+repository_name = "{{cookiecutter.project_name}}"
 
 # The Google Cloud region you will use to deploy the infrastructure
 region = "us-central1"
@@ -32,3 +34,7 @@ vector_search_min_replica_count = 1
 vector_search_max_replica_count = 1
 {%- endif %}
 {%- endif %}
+{%- if cookiecutter.cicd_runner == "github_actions" %}
+
+repository_owner = "Your GitHub organization or username."
+{%- endif %}

src/base_template/deployment/terraform/{% if cookiecutter.cicd_runner == 'github_actions' %}wif.tf{% else %}unused_wif.tf{% endif %}

@@ -0,0 +1,43 @@
+
+data "google_project" "cicd_project" {
+  project_id = var.cicd_runner_project_id
+}
+
+resource "google_service_account_iam_member" "github_oidc_access" {
+  service_account_id = resource.google_service_account.cicd_runner_sa.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.cicd_project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_pool.workload_identity_pool_id}/attribute.repository/${var.repository_owner}/${var.repository_name}"
+  depends_on         = [resource.google_project_service.cicd_services, resource.google_project_service.deploy_project_services]
+}
+
+# Allow the GitHub Actions principal to impersonate the CICD runner service account
+resource "google_service_account_iam_member" "github_sa_impersonation" {
+  service_account_id = resource.google_service_account.cicd_runner_sa.name
+  role               = "roles/iam.serviceAccountTokenCreator"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.cicd_project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_pool.workload_identity_pool_id}/attribute.repository/${var.repository_owner}/${var.repository_name}"
+  depends_on         = [resource.google_project_service.cicd_services, resource.google_project_service.deploy_project_services]
+}
+
+resource "google_iam_workload_identity_pool" "github_pool" {
+  workload_identity_pool_id = "${var.project_name}-pool"
+  project                   = var.cicd_runner_project_id
+  display_name              = "GitHub Actions Pool"
+  depends_on         = [resource.google_project_service.cicd_services, resource.google_project_service.deploy_project_services]
+}
+
+resource "google_iam_workload_identity_pool_provider" "github_provider" {
+  workload_identity_pool_provider_id = "${var.project_name}-oidc"
+  project                            = var.cicd_runner_project_id
+  workload_identity_pool_id          = google_iam_workload_identity_pool.github_pool.workload_identity_pool_id
+  display_name                       = "GitHub OIDC Provider"
+  oidc {
+    issuer_uri = "https://token.actions.githubusercontent.com"
+  }
+  attribute_mapping = {
+    "google.subject"         = "assertion.sub"
+    "attribute.repository"       = "assertion.repository"
+    "attribute.repository_owner" = "assertion.repository_owner"
+  }
+  attribute_condition = "attribute.repository == '${var.repository_owner}/${var.repository_name}'"
+  depends_on          = [resource.google_project_service.cicd_services, resource.google_project_service.deploy_project_services]
+}

src/base_template/deployment/terraform/{build_triggers.tf → {% if cookiecutter.cicd_runner == 'google_cloud_build' %}build_triggers.tf{% else %}unused_build_triggers.tf{% endif %} }

@@ -27,7 +27,7 @@ resource "google_cloudbuild_trigger" "pr_checks" {
     }
   }
 
-  filename = "deployment/ci/pr_checks.yaml"
+  filename = ".cloudbuild/pr_checks.yaml"
   included_files = [
     "app/**",
     "data_ingestion/**",
@@ -39,7 +39,12 @@ resource "google_cloudbuild_trigger" "pr_checks" {
   {% endif %}
   ]
   include_build_logs = "INCLUDE_BUILD_LOGS_WITH_STATUS"
-  depends_on = [resource.google_project_service.cicd_services, resource.google_project_service.deploy_project_services]
+  depends_on = [
+    resource.google_project_service.cicd_services, 
+    resource.google_project_service.deploy_project_services, 
+    google_cloudbuildv2_connection.github_connection, 
+    google_cloudbuildv2_repository.repo
+  ]
 }
 
 # b. Create CD pipeline trigger
@@ -57,7 +62,7 @@ resource "google_cloudbuild_trigger" "cd_pipeline" {
     }
   }
 
-  filename = "deployment/cd/staging.yaml"
+  filename = ".cloudbuild/staging.yaml"
   included_files = [
     "app/**",
     "data_ingestion/**",
@@ -76,22 +81,27 @@ resource "google_cloudbuild_trigger" "cd_pipeline" {
     _CLOUD_RUN_APP_SA_EMAIL         = resource.google_service_account.cloud_run_app_sa["staging"].email
 {% endif %}
 {% if cookiecutter.data_ingestion %}
-    _PIPELINE_GCS_ROOT             = "gs://${resource.google_storage_bucket.data_ingestion_pipeline_gcs_root["staging"].name}"
-    _PIPELINE_SA_EMAIL             = resource.google_service_account.vertexai_pipeline_app_sa["staging"].email
+    _PIPELINE_GCS_ROOT_STAGING     = "gs://${resource.google_storage_bucket.data_ingestion_pipeline_gcs_root["staging"].name}"
+    _PIPELINE_SA_EMAIL_STAGING             = resource.google_service_account.vertexai_pipeline_app_sa["staging"].email
     _PIPELINE_CRON_SCHEDULE        = var.pipeline_cron_schedule
 {% if cookiecutter.datastore_type == "vertex_ai_search" %}
-    _DATA_STORE_ID                 = resource.google_discovery_engine_data_store.data_store_staging.data_store_id
+    _DATA_STORE_ID_STAGING         = resource.google_discovery_engine_data_store.data_store_staging.data_store_id
     _DATA_STORE_REGION             = var.data_store_region
 {% elif cookiecutter.datastore_type == "vertex_ai_vector_search" %}
-    _VECTOR_SEARCH_INDEX           = resource.google_vertex_ai_index.vector_search_index_staging.id
-    _VECTOR_SEARCH_INDEX_ENDPOINT  = resource.google_vertex_ai_index_endpoint.vector_search_index_endpoint_staging.id
-    _VECTOR_SEARCH_BUCKET          = resource.google_storage_bucket.vector_search_data_bucket["staging"].url
+    _VECTOR_SEARCH_INDEX_STAGING   = resource.google_vertex_ai_index.vector_search_index_staging.id
+    _VECTOR_SEARCH_INDEX_ENDPOINT_STAGING = resource.google_vertex_ai_index_endpoint.vector_search_index_endpoint_staging.id
+    _VECTOR_SEARCH_BUCKET_STAGING  = resource.google_storage_bucket.vector_search_data_bucket["staging"].url
 
 {% endif %}
 {% endif %}
     # Your other CD Pipeline substitutions
   }
-  depends_on = [resource.google_project_service.cicd_services, resource.google_project_service.deploy_project_services]
+  depends_on = [
+    resource.google_project_service.cicd_services, 
+    resource.google_project_service.deploy_project_services, 
+    google_cloudbuildv2_connection.github_connection, 
+    google_cloudbuildv2_repository.repo
+  ]
 
 }
 
@@ -105,7 +115,7 @@ resource "google_cloudbuild_trigger" "deploy_to_prod_pipeline" {
   repository_event_config {
     repository = "projects/${var.cicd_runner_project_id}/locations/${var.region}/connections/${var.host_connection_name}/repositories/${var.repository_name}"
   }
-  filename = "deployment/cd/deploy-to-prod.yaml"
+  filename = ".cloudbuild/deploy-to-prod.yaml"
   include_build_logs = "INCLUDE_BUILD_LOGS_WITH_STATUS"
   approval_config {
     approval_required = true
@@ -119,20 +129,25 @@ resource "google_cloudbuild_trigger" "deploy_to_prod_pipeline" {
     _CLOUD_RUN_APP_SA_EMAIL       = resource.google_service_account.cloud_run_app_sa["prod"].email
 {% endif %}
 {% if cookiecutter.data_ingestion %}
-    _PIPELINE_GCS_ROOT             = "gs://${resource.google_storage_bucket.data_ingestion_pipeline_gcs_root["prod"].name}"
-    _PIPELINE_SA_EMAIL             = resource.google_service_account.vertexai_pipeline_app_sa["prod"].email
+    _PIPELINE_GCS_ROOT_PROD        = "gs://${resource.google_storage_bucket.data_ingestion_pipeline_gcs_root["prod"].name}"
+    _PIPELINE_SA_EMAIL_PROD             = resource.google_service_account.vertexai_pipeline_app_sa["prod"].email
     _PIPELINE_CRON_SCHEDULE        = var.pipeline_cron_schedule
 {% if cookiecutter.datastore_type == "vertex_ai_search" %}
-    _DATA_STORE_ID                 = resource.google_discovery_engine_data_store.data_store_prod.data_store_id
+    _DATA_STORE_ID_PROD            = resource.google_discovery_engine_data_store.data_store_prod.data_store_id
     _DATA_STORE_REGION             = var.data_store_region
 {% elif cookiecutter.datastore_type == "vertex_ai_vector_search" %}
-    _VECTOR_SEARCH_INDEX           = resource.google_vertex_ai_index.vector_search_index_prod.id
-    _VECTOR_SEARCH_INDEX_ENDPOINT  = resource.google_vertex_ai_index_endpoint.vector_search_index_endpoint_prod.id
-    _VECTOR_SEARCH_BUCKET          = resource.google_storage_bucket.vector_search_data_bucket["prod"].url
+    _VECTOR_SEARCH_INDEX_PROD      = resource.google_vertex_ai_index.vector_search_index_prod.id
+    _VECTOR_SEARCH_INDEX_ENDPOINT_PROD = resource.google_vertex_ai_index_endpoint.vector_search_index_endpoint_prod.id
+    _VECTOR_SEARCH_BUCKET_PROD     = resource.google_storage_bucket.vector_search_data_bucket["prod"].url
 {% endif %}
 {% endif %}
     # Your other Deploy to Prod Pipeline substitutions
   }
-  depends_on = [resource.google_project_service.cicd_services, resource.google_project_service.deploy_project_services]
+  depends_on = [
+    resource.google_project_service.cicd_services, 
+    resource.google_project_service.deploy_project_services, 
+    google_cloudbuildv2_connection.github_connection, 
+    google_cloudbuildv2_repository.repo
+  ]
 
 }

src/base_template/{% if cookiecutter.cicd_runner == 'github_actions' %}.github{% else %}unused_github{% endif %}/workflows/deploy-to-prod.yaml

@@ -0,0 +1,114 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Deploy to Production
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    # This job targets the 'production' environment, which is automatically
+    # created by the Terraform setup in `deployment/terraform/github.tf`.
+    # To enable manual approval for deployments, you must add a protection
+    # rule to this environment in your GitHub repository settings.
+    #
+    # 1. Go to your repository's Settings > Environments.
+    # 2. Select the 'production' environment.
+    # 3. Under 'Protection rules', check the 'Required reviewers' box.
+    # 4. Add the specific users or teams who must approve the deployment.
+    #
+    # Once configured, the workflow will pause at this step and wait for an
+    # authorized user to approve it before proceeding.
+    environment:
+      name: production
+    concurrency: production
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - id: 'auth'
+        name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          workload_identity_provider: 'projects/{% raw %}${{ vars.GCP_PROJECT_NUMBER }}{% endraw %}/locations/global/workloadIdentityPools/{% raw %}${{ secrets.WIF_POOL_ID }}{% endraw %}/providers/{% raw %}${{ secrets.WIF_PROVIDER_ID }}{% endraw %}'
+          service_account: '{% raw %}${{ secrets.GCP_SERVICE_ACCOUNT }}{% endraw %}'
+          create_credentials_file: true
+          project_id: {% raw %}${{ vars.CICD_PROJECT_ID }}{% endraw %}
+
+{%- if cookiecutter.deployment_target == 'cloud_run' %}
+
+      - name: Set up Cloud SDK
+        uses: 'google-github-actions/setup-gcloud@v2'
+{%- endif %}
+
+      - name: Install uv and dependencies
+        run: |
+          pip install uv==0.6.12
+          uv sync --locked
+
+{%- if cookiecutter.data_ingestion %}
+      - name: Deploy data ingestion pipeline (Production)
+        run: |
+          cd data_ingestion && pip install uv==0.6.12 && cd data_ingestion_pipeline && \
+          uv sync --locked && uv run python submit_pipeline.py
+        env:
+          PIPELINE_ROOT: {% raw %}${{ vars.PIPELINE_GCS_ROOT_PROD }}{% endraw %}
+          REGION: {% raw %}${{ vars.REGION }}{% endraw %}
+          {%- if cookiecutter.datastore_type == "vertex_ai_search" %}
+          DATA_STORE_REGION: {% raw %}${{ vars.DATA_STORE_REGION }}{% endraw %}
+          DATA_STORE_ID: {% raw %}${{ vars.DATA_STORE_ID_PROD }}{% endraw %}
+          {%- elif cookiecutter.datastore_type == "vertex_ai_vector_search" %}
+          VECTOR_SEARCH_INDEX: {% raw %}${{ vars.VECTOR_SEARCH_INDEX_PROD }}{% endraw %}
+          VECTOR_SEARCH_INDEX_ENDPOINT: {% raw %}${{ vars.VECTOR_SEARCH_INDEX_ENDPOINT_PROD }}{% endraw %}
+          VECTOR_SEARCH_BUCKET: {% raw %}${{ vars.VECTOR_SEARCH_BUCKET_PROD }}{% endraw %}
+          {%- endif %}
+          PROJECT_ID: {% raw %}${{ vars.PROD_PROJECT_ID }}{% endraw %}
+          SERVICE_ACCOUNT: {% raw %}${{ vars.PIPELINE_SA_EMAIL_PROD }}{% endraw %}
+          PIPELINE_NAME: {% raw %}${{ vars.PIPELINE_NAME }}{% endraw %}
+          CRON_SCHEDULE: {% raw %}${{ vars.PIPELINE_CRON_SCHEDULE }}{% endraw %}
+          DISABLE_CACHING: "TRUE"
+{%- endif %}
+
+{%- if cookiecutter.deployment_target == 'cloud_run' %}
+
+      - name: Deploy to Production (Cloud Run)
+        run: |
+          gcloud run deploy {{cookiecutter.project_name}} \
+            --image {% raw %}${{ vars.REGION }}{% endraw %}-docker.pkg.dev/{% raw %}${{ vars.CICD_PROJECT_ID }}{% endraw %}/{% raw %}${{ vars.ARTIFACT_REGISTRY_REPO_NAME }}{% endraw %}/{% raw %}${{ vars.CONTAINER_NAME }}{% endraw %} \
+            --region {% raw %}${{ vars.REGION }}{% endraw %} \
+            --project {% raw %}${{ vars.PROD_PROJECT_ID }}{% endraw %}
+
+{%- elif cookiecutter.deployment_target == 'agent_engine' %}
+
+      - name: Deploy to Production (Agent Engine)
+        run: |
+          uv export --no-hashes --no-sources --no-header --no-dev --no-emit-project --no-annotate --locked > .requirements.txt
+          uv run app/agent_engine_app.py \
+            --project {% raw %}${{ vars.PROD_PROJECT_ID }}{% endraw %} \
+            --location {% raw %}${{ vars.REGION }}{% endraw %} \
+            --set-env-vars="COMMIT_SHA={% raw %}${{ github.sha }}{% endraw %}{%- if cookiecutter.data_ingestion %}{%- if cookiecutter.datastore_type == "vertex_ai_search" %},DATA_STORE_ID={% raw %}${{ vars.DATA_STORE_ID_PROD }}{% endraw %},DATA_STORE_REGION={% raw %}${{ vars.DATA_STORE_REGION }}{% endraw %}{%- elif cookiecutter.datastore_type == "vertex_ai_vector_search" %},VECTOR_SEARCH_INDEX={% raw %}${{ vars.VECTOR_SEARCH_INDEX_PROD }}{% endraw %},VECTOR_SEARCH_INDEX_ENDPOINT={% raw %}${{ vars.VECTOR_SEARCH_INDEX_ENDPOINT_PROD }}{% endraw %},VECTOR_SEARCH_BUCKET={% raw %}${{ vars.VECTOR_SEARCH_BUCKET_PROD }}{% endraw %}{%- endif %}{%- endif %}"
+{%- endif %}
+