Skip to content

Update functions CLI to support deploying onGraphRequest functions. #9612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rosalyntan merged 17 commits into from
Jan 3, 2026
Merged

Update functions CLI to support deploying onGraphRequest functions. #9612

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
3efaec8
Data Connect deploys should lock down the function to the FDC P4SA.
rosalyntan Dec 11, 2025
1e2b1e7
Some style nits.
rosalyntan Dec 11, 2025
2ecde62
Handle the dataConnectHttpsTrigger type.
rosalyntan Dec 16, 2025
8b16849
More handling of dataConnectHttpsTrigger.
rosalyntan Dec 18, 2025
1ff1d50
remove todo
rosalyntan Dec 18, 2025
2c26143
Add some unit tests.
rosalyntan Dec 19, 2025
f708775
One more unit test.
rosalyntan Dec 19, 2025
ee525ed
Merge branch 'main' into rosalyntan.resolver
rosalyntan Dec 19, 2025
7d93199
s/dataConnectHttpsTrigger/dataConnectGraphqlTrigger.
rosalyntan Dec 19, 2025
a0b6516
Fix redeploys.
rosalyntan Dec 23, 2025
7ca533c
Support `schemaFilePath`.
rosalyntan Dec 24, 2025
4d2605a
Merge branch 'main' into rosalyntan.resolver
rosalyntan Dec 30, 2025
55ca05c
Add validation around schemaFilePath.
rosalyntan Dec 30, 2025
694023b
Fixed some of the invoker logic.
rosalyntan Jan 2, 2026
e97399c
Address review comments.
rosalyntan Jan 3, 2026
496c182
Merge branch 'main' into rosalyntan.resolver
rosalyntan Jan 3, 2026
8f9c530
Update changelog.
rosalyntan Jan 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/deploy/functions/prepare.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@
let runtimeConfig: Record<string, unknown> = { firebase: firebaseConfig };
const allowFunctionsConfig = experiments.isEnabled("legacyRuntimeConfigCommands");

const targetedCodebaseConfigs = context.config!.filter((cfg) => codebases.includes(cfg.codebase));

Check warning on line 100 in src/deploy/functions/prepare.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Forbidden non-null assertion

Check warning on line 100 in src/deploy/functions/prepare.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

This assertion is unnecessary since it does not change the type of the expression

// Load runtime config if API is enabled and at least one targeted codebase uses it
if (
Expand All @@ -112,6 +112,7 @@
// This drives GA4 metric `has_runtime_config` in the functions deploy reporter.
context.hasRuntimeConfig = Object.keys(runtimeConfig).some((k) => k !== "firebase");

// TODO: Modify to also load dataconnect schema if `onGraphRequest` is used with `schemaFilePath`?
Comment thread
rosalyntan marked this conversation as resolved.
Outdated
const wantBuilds = await loadCodebases(
context.config,
options,
Expand Down Expand Up @@ -395,7 +396,7 @@
.filter(
(ep) =>
backend.isBlockingTriggered(ep) &&
AUTH_BLOCKING_EVENTS.includes(ep.blockingTrigger.eventType as any),

Check warning on line 399 in src/deploy/functions/prepare.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Unexpected any. Specify a different type

Check warning on line 399 in src/deploy/functions/prepare.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Unsafe argument of type `any` assigned to a parameter of type `"providers/cloud.auth/eventTypes/user.beforeCreate" | "providers/cloud.auth/eventTypes/user.beforeSignIn" | "providers/cloud.auth/eventTypes/user.beforeSendEmail" | "providers/cloud.auth/eventTypes/user.beforeSendSms"`
) as (backend.Endpoint & backend.BlockingTriggered)[];

if (authBlockingEndpoints.length === 0) {
Expand Down Expand Up @@ -516,7 +517,7 @@
// Genkit almost always requires an API key, so warn if the customer is about to deploy
// a function and doesn't have one. To avoid repetitive nagging, only warn on the first
// deploy of the function.
export async function warnIfNewGenkitFunctionIsMissingSecrets(

Check warning on line 520 in src/deploy/functions/prepare.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Missing JSDoc comment

Check warning on line 520 in src/deploy/functions/prepare.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Missing return type on function
have: backend.Backend,
want: backend.Backend,
options: DeployOptions,
Expand Down Expand Up @@ -550,7 +551,7 @@

// Enable required APIs. This may come implicitly from triggers (e.g. scheduled triggers
// require cloudscheduler and, in v1, require pub/sub), use of features (secrets), or explicit dependencies.
export async function ensureAllRequiredAPIsEnabled(

Check warning on line 554 in src/deploy/functions/prepare.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Missing JSDoc comment
projectNumber: string,
wantBackend: backend.Backend,
): Promise<void> {
Expand Down
29 changes: 29 additions & 0 deletions src/deploy/functions/services/dataconnect.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
import * as backend from "../backend";
import { dataconnectOrigin } from "../../../api";
import { FirebaseError } from "../../../error";
import { iam } from "../../../gcp";

const CLOUD_RUN_INVOKER_ROLE = "roles/cloudrun.invoker";

/**
* Sets a Firebase Data Connect event trigger's region to the function region.
Expand All @@ -18,3 +22,28 @@ export function ensureDataConnectTriggerRegion(
}
return Promise.resolve();
}

function getServiceAccount(projectNumber: string): string {
if (dataconnectOrigin().includes("autopush")) {
return `service-${projectNumber}@gcp-sa-autopush-dataconnect.iam.gserviceaccount.com`;
}
if (dataconnectOrigin().includes("staging")) {
return `service-${projectNumber}@gcp-sa-staging-dataconnect.iam.gserviceaccount.com`;
}
return `service-${projectNumber}@gcp-sa-firebasedataconnect.iam.gserviceaccount.com`;
}
Comment thread
rosalyntan marked this conversation as resolved.
Outdated

/**
* Finds the required project level IAM bindings for the Firebase Data Connect service agent
* @param projectNumber project identifier
*/
export async function obtainDataConnectBindings(
projectNumber: string,
): Promise<Array<iam.Binding>> {
const dataConnectServiceAgent = `serviceAccount:${getServiceAccount(projectNumber)}`;
const cloudRunInvokerBinding = {
role: CLOUD_RUN_INVOKER_ROLE,
members: [dataConnectServiceAgent],
};
Comment thread
rosalyntan marked this conversation as resolved.
Outdated
return [cloudRunInvokerBinding];
}
Comment thread
rosalyntan marked this conversation as resolved.
Outdated
4 changes: 2 additions & 2 deletions src/deploy/functions/services/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
import { ensureRemoteConfigTriggerRegion } from "./remoteConfig";
import { ensureTestLabTriggerRegion } from "./testLab";
import { ensureFirestoreTriggerRegion } from "./firestore";
import { ensureDataConnectTriggerRegion } from "./dataconnect";
import { ensureDataConnectTriggerRegion, obtainDataConnectBindings } from "./dataconnect";

/** A standard void No Op */
export const noop = (): Promise<void> => Promise.resolve();
Expand Down Expand Up @@ -47,7 +47,7 @@
name: "noop",
api: "",
ensureTriggerRegion: noop,
validateTrigger: noop,

Check warning on line 50 in src/deploy/functions/services/index.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Promise-returning function provided to property where a void return was expected
registerTrigger: noop,
unregisterTrigger: noop,
};
Expand All @@ -58,7 +58,7 @@
api: "pubsub.googleapis.com",
requiredProjectBindings: noopProjectBindings,
ensureTriggerRegion: noop,
validateTrigger: noop,

Check warning on line 61 in src/deploy/functions/services/index.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Promise-returning function provided to property where a void return was expected
registerTrigger: noop,
unregisterTrigger: noop,
};
Expand All @@ -69,7 +69,7 @@
api: "storage.googleapis.com",
requiredProjectBindings: obtainStorageBindings,
ensureTriggerRegion: ensureStorageTriggerRegion,
validateTrigger: noop,

Check warning on line 72 in src/deploy/functions/services/index.ts

View workflow job for this annotation

GitHub Actions / lint (20) 

Promise-returning function provided to property where a void return was expected
registerTrigger: noop,
unregisterTrigger: noop,
};
Expand Down Expand Up @@ -136,7 +136,7 @@
const dataconnectService: Service = {
name: "dataconnect",
api: "firebasedataconnect.googleapis.com",
requiredProjectBindings: noopProjectBindings,
requiredProjectBindings: obtainDataConnectBindings,
ensureTriggerRegion: ensureDataConnectTriggerRegion,
validateTrigger: noop,
registerTrigger: noop,
Expand Down
Loading