Dualo
GCP Essentials

Cloud Build — CI/CD pipelines

Google's built-in build service: on every git push, it fetches your code, builds a container, runs tests, pushes to Artifact Registry, and can deploy to Cloud Run.


Cloud Build is a managed CI/CD platform that executes build pipelines defined in cloudbuild.yaml (or cloudbuild.json, or Dockerfile-only auto-detection when no config is given). Each build runs in an ephemeral, isolated worker VM with a configurable machine type and disk; the VM is discarded when the build finishes, so nothing persists between builds except what the pipeline pushes out.

A build is a list of steps. Each step declares a `name` (the container image that runs it: gcr.io/cloud-builders/docker, golang, node, or any image a registry serves), `args`, and optionally `id`, `entrypoint`, `env`, `secretEnv`, `dir`, and `waitFor` (a list of step ids that expresses a DAG). Steps share a mounted /workspace containing the source; anything a step writes there (build outputs, but also a generated .npmrc or a downloaded credential) persists into later steps and into any Docker build context they use.

Triggers connect a source (GitHub, GitLab, Cloud Source Repositories, Bitbucket) to a build. Trigger conditions: branch push, tag push, pull request, or manual, each with a regex filter on the branch or tag name. You can point different triggers, or different branches, at different cloudbuild.yaml files.

Substitutions inject variables into the pipeline: built-ins such as $PROJECT_ID, $COMMIT_SHA, $SHORT_SHA and $BRANCH_NAME, plus user-defined ones that must start with an underscore (_MY_VAR). Secrets are declared under `availableSecrets` as Secret Manager secret versions and exposed to individual steps as environment variables via `secretEnv`. Never hardcode credentials in cloudbuild.yaml, and do not pass them as substitutions either: substitution values are recorded in the build metadata and are visible to anyone who can read builds. A step that references a secret inside a shell command must write it as `$$VAR`, so that Cloud Build leaves the `$` for the shell instead of trying to expand it as a substitution.

Parallelism: a step without `waitFor` waits for every step before it, so steps run sequentially by default. Use `waitFor: ['-']` to start a step immediately (it depends on nothing), or `waitFor: [stepA, stepB]` to start it once the named steps have finished. This is how you run test and lint in parallel with (or before) the build, and deploy only after all of them succeed.

Security: the build runs as the Cloud Build service account by default (the legacy PROJECT_NUMBER@cloudbuild.gserviceaccount.com or, for newer projects, the Compute Engine default service account), which must hold roles on the target resources: Artifact Registry Writer to push images, Cloud Run Admin to deploy, Secret Manager Secret Accessor to read secrets, and Service Account User on the Cloud Run runtime service account, because deploying a revision means acting as that identity. For production pipelines prefer a dedicated service account with only those roles, selected via the `serviceAccount` field in cloudbuild.yaml or on the trigger; when you do, Cloud Build requires `options.logging: CLOUD_LOGGING_ONLY` (or an explicit `logsBucket`). Remember that anyone who can push to a triggered branch can run arbitrary steps as that account, so branch protection and review on the repository are part of the pipeline's security boundary.
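The pieces above (step DAG, substitutions, a Secret Manager secret, a dedicated service account) in one pipeline, as an added example that is not from the page or from Google's documentation. The region, repository, service, secret and service-account names are placeholders, and the roles listed in the header comment are assumed to have been granted beforehand:

```yaml
# cloudbuild.yaml: added example, not from the page or Google's docs.
# Assumed: an Artifact Registry Docker repo _REPO in _REGION, a Cloud Run
# service _SERVICE, a Secret Manager secret "npm-token", and a dedicated
# build service account cloudbuild-deployer@... holding only Artifact Registry
# Writer, Cloud Run Admin, Secret Manager Secret Accessor, and Service Account
# User on the Cloud Run runtime service account.
substitutions:
  _REGION: us-central1
  _REPO: apps
  _SERVICE: api
  # Composed from other substitutions; needs options.dynamicSubstitutions below.
  _IMAGE: ${_REGION}-docker.pkg.dev/${PROJECT_ID}/${_REPO}/${_SERVICE}

steps:
  # lint and test depend on nothing ('-'), so they start together.
  - id: lint
    name: node:20
    entrypoint: npm
    args: ['run', 'lint']
    waitFor: ['-']

  # The registry token comes from Secret Manager (see availableSecrets) and is
  # an environment variable, not a substitution, hence the $$ escape.
  # set -e makes a failing npm ci/test fail the step; on success .npmrc is
  # removed so the token does not persist in /workspace and end up inside the
  # Docker build context of the build step.
  - id: test
    name: node:20
    entrypoint: bash
    args:
      - -c
      - |
        set -e
        echo "//registry.npmjs.org/:_authToken=$$NPM_TOKEN" > .npmrc
        npm ci && npm test
        rm -f .npmrc
    secretEnv: ['NPM_TOKEN']
    waitFor: ['-']

  # Build only once both checks have passed. Tagging by commit SHA keeps every
  # deployed revision traceable to a source revision (no floating :latest).
  - id: build
    name: gcr.io/cloud-builders/docker
    args: ['build', '-t', '${_IMAGE}:${COMMIT_SHA}', '.']
    waitFor: ['lint', 'test']

  - id: push
    name: gcr.io/cloud-builders/docker
    args: ['push', '${_IMAGE}:${COMMIT_SHA}']
    waitFor: ['build']

  - id: deploy
    name: gcr.io/google.com/cloudsdktool/cloud-sdk
    entrypoint: gcloud
    args: ['run', 'deploy', '${_SERVICE}', '--image', '${_IMAGE}:${COMMIT_SHA}', '--region', '${_REGION}']
    waitFor: ['push']

availableSecrets:
  secretManager:
    - versionName: projects/${PROJECT_ID}/secrets/npm-token/versions/latest
      env: NPM_TOKEN

# Run as a dedicated least-privilege identity instead of the project default.
serviceAccount: projects/${PROJECT_ID}/serviceAccounts/cloudbuild-deployer@${PROJECT_ID}.iam.gserviceaccount.com

options:
  dynamicSubstitutions: true
  # Required when a custom serviceAccount is set and no logsBucket is given.
  logging: CLOUD_LOGGING_ONLY

# Listing the image records it in the build results and its provenance.
images:
  - '${_IMAGE}:${COMMIT_SHA}'
```

Attach it to a repository with a trigger such as `gcloud builds triggers create github --name=api-main --repo-owner=ORG --repo-name=api --branch-pattern='^main$' --build-config=cloudbuild.yaml --service-account=projects/PROJECT_ID/serviceAccounts/cloudbuild-deployer@PROJECT_ID.iam.gserviceaccount.com` (this assumes the GitHub connection already exists and the placeholder names match yours). When submitting manually from a local checkout with `gcloud builds submit --config cloudbuild.yaml .`, `$COMMIT_SHA` is not populated, so either pass it with `--substitutions=COMMIT_SHA=$(git rev-parse HEAD)` or tag with `$BUILD_ID`, which is always set.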


Grounded on https://cloud.google.com/build/docs/overview
