Deployments

Production map

                        ┌──────────────────────────────┐
                        │       Cloudflare             │
                        │  DNS + Access + Pages + Tunnel │
                        └──────────────┬───────────────┘
                                       │
              ┌────────────────────────┼────────────────────────┐
              │                        │                        │
              ▼                        ▼                        ▼
      docs.tappass.ai           app.tappass.ai          internal-docs.tappass.ai
      (Pages)                   (Cloud Run)             (Pages + Access)
              │                        │                        │
              ▼                        ▼                        ▼
      tappass/docs             tappass/tappass           tappass/docs-internal
      (GitHub Actions →        (GitHub Actions →         (GitHub Actions →
       Pages)                   Artifact Registry →       Pages)
                                Cloud Run)

Per-service reference

Service	Platform	Region	CI/CD	Rollback
Core server (prod)	Cloud Run	`europe-west1`	GH Actions → manual promote	`gcloud run services update-traffic`
Core server (staging)	Cloud Run	`europe-west1`	GH Actions → auto on merge	Same
License server	Self-hosted (Docker)	On-prem	Manual via SSH	Docker image rollback
Assess scanner	Cloud Run	`europe-west1`	GH Actions → auto	Same
docs.tappass.ai	Cloudflare Pages	Global	GH Actions → Pages	CF dashboard → prior deployment → Rollback
internal-docs.tappass.ai	Cloudflare Pages	Global	GH Actions → Pages	Same
tappass.ai	Cloudflare Pages	Global	GH Actions → Pages	Same
trust.tappass.ai	Cloudflare Pages	Global	GH Actions → Pages	Same

Manual fallback paths

When CI is broken or a hotfix can't wait for a PR:

Static sites (tappass.ai, docs, internal-docs, trust) → Deploy static sites manually (npx wrangler pages deploy).
Core server (Cloud Run) → Deploy core server (Cloud Build + crane cp + gcloud run deploy).
Rollback when a deploy goes sideways → Roll back Cloud Run (traffic cutback, no rebuild).

Sentry release trap

gcloud builds submit --tag=… does not pass Docker build-args, so GIT_SHA arrives in the container as the literal string dev and every deploy collapses onto the same Sentry release tag. Always build the core server via gcloud builds submit --config=cloudbuild.yaml (the root of the tappass/tappass repo) — the config threads _GIT_SHA through as a --build-arg. Full explanation in Deploy core server.

Database migrations

Schema changes ship through a separate Cloud Run Job (tappass-migrate) that runs deploy/migrations/runner.sh idempotently against Cloud SQL. See Database migration for the authoring, apply, and rollback flow.

Secrets

All runtime secrets in Google Secret Manager (GCP) or Cloudflare Pages secrets (for static deploys). Mirror in 1Password — TapPass / Engineering vault for human access.

Infrastructure as code

Cloud Run + Postgres + Secret Manager are managed by Terraform in tappass/infra/. Every change is a PR with a terraform plan output in the description.

See Infrastructure for the full IaC map.