This page describes how to configure Cloud Build to build and test your Python applications, upload your artifacts to Artifact Registry, generate provenance information, and save your test logs in Cloud Storage.
Cloud Build enables you to use any publicly available container image to execute your tasks. The public python image from Docker Hub comes preinstalled with python and pip tools. You can configure Cloud Build to use these tools to install dependencies, build, and run unit tests.
Before you begin
The instructions on this page assume that you are familiar with Python. In addition:
- Enable the Cloud Build, Artifact Registry, and Cloud Storage APIs. To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- To run the gcloud commands on this page, install Google Cloud CLI.
- Have your Python project handy.
- Have a Python repository in Artifact Registry. If you don't have one, then create a new repository.
- If you want to store test logs in Cloud Storage, create a bucket in Cloud Storage.
Required IAM permissions
- To store test logs in Logging, grant the Storage Object Creator (roles/storage.objectCreator) role for the Cloud Storage bucket to your build service account.
- To store built images in Artifact Registry, grant the Artifact Registry Writer (roles/artifactregistry.writer) role to your build service account.
For instructions on granting these roles, see Granting a role using the IAM page.
Configuring Python builds
This section walks through an example build config file for a Python app. It has build steps to manage installation requirements, add unit tests, and after the tests pass, to build and deploy the app.
- In your project root directory, create a Cloud Build config file named cloudbuild.yaml.
- Install requirements: The python image from Docker Hub comes preinstalled with pip. To install dependencies from pip, add a build step with the following fields:
  - name: Set the value of this field to python or python:<tag> to use the python image from Docker Hub for this task. To see a list of available tags for other Python images, see the Docker Hub reference for the python image.
  - entrypoint: Setting this field overrides the default entrypoint of the image referenced in name. Set the value of this field to pip to invoke pip as the entrypoint of the build step and run pip commands.
  - args: The args field of a build step takes a list of arguments and passes them to the image referenced by the name field. Pass the arguments to run the pip install command in this field. The --user flag in the pip install command ensures that the subsequent build steps can access the modules installed in this build step.

  The following build step adds arguments to install requirements:

      steps:
      - name: 'python'
        entrypoint: 'python'
        args: ['-m', 'pip', 'install', '--upgrade', 'pip']
      - name: python
        entrypoint: python
        args: ['-m', 'pip', 'install', 'build', 'pytest', 'Flask', '--user']

- Add unit tests: If you've defined unit tests in your application using a testing framework such as pytest, you can configure Cloud Build to run the tests by adding the following fields in a build step:
  - name: Set the value of this field to python to use the python image from Docker Hub for your task.
  - entrypoint: Set the value of this field to python to run python commands.
  - args: Add the arguments for running the python pytest command.

  The following build step saves the pytest log output to a JUNIT XML file. The name of this file is constructed using $SHORT_SHA, the short version of the commit ID associated with your build. A subsequent build step will save the logs in this file to Cloud Storage.

      - name: 'python'
        entrypoint: 'python'
        args: ['-m', 'pytest', '--junitxml=${SHORT_SHA}_test_log.xml']

- Build: In your build config file, define the builder and the args to build your application:
  - name: Set the value of this field to python to use the python image from Docker Hub for your task.
  - entrypoint: Set the value of this field to python to run python commands.
  - args: Add the arguments for executing your build.

  The following build step starts the build:

      - name: 'python'
        entrypoint: 'python'
        args: ['-m', 'build']

- Upload to Artifact Registry:

  In your config file, add the pythonPackages field and specify your Python repository in Artifact Registry:

      artifacts:
        pythonPackages:
        - repository: 'https://LOCATION-python.pkg.dev/PROJECT-ID/REPOSITORY'
          paths: ['dist/*']

  Replace the following values:
  - PROJECT-ID is the ID of the Google Cloud project that contains your Artifact Registry repository.
  - REPOSITORY is the ID of the repository.
  - LOCATION is the regional or multi-regional location for the repository.

- Optional: Enable provenance generation

  Cloud Build can generate verifiable Supply chain Levels for Software Artifacts (SLSA) build provenance metadata to help secure your continuous integration pipeline.

  To enable provenance generation, add requestedVerifyOption: VERIFIED to the options section in your config file.

- Save test logs to Cloud Storage: You can configure Cloud Build to store any test logs in Cloud Storage by specifying an existing bucket location and path to the test logs. The following build step stores the test logs that you saved in the JUNIT XML file to a Cloud Storage bucket:

      artifacts:
        objects:
          location: 'gs://${_BUCKET_NAME}/'
          paths:
          - '${SHORT_SHA}_test_log.xml'

- Start your build: manually or using build triggers.

  Once your build completes, you can view repository details in Artifact Registry.

  You can also view build provenance metadata and validate provenance.

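The steps above assembled into one cloudbuild.yaml, as an added example that is not a file from the original page. LOCATION, PROJECT-ID and REPOSITORY are the page's placeholders, and _BUCKET_NAME is a user-defined substitution that you supply when you start the build; the two artifacts snippets are merged under a single artifacts key because a YAML mapping cannot repeat a key.

```yaml
# Added example: complete build config assembled from the steps on this page.
steps:
# Upgrade pip, then install the build and test dependencies.
# --user keeps the installed modules visible to the later steps.
- name: 'python'
  entrypoint: 'python'
  args: ['-m', 'pip', 'install', '--upgrade', 'pip']
- name: 'python'
  entrypoint: 'python'
  args: ['-m', 'pip', 'install', 'build', 'pytest', 'Flask', '--user']

# Run the unit tests and write the results as JUnit XML.
# SHORT_SHA is populated for builds started by a trigger; in a manually
# submitted build it is empty and the file is named _test_log.xml.
- name: 'python'
  entrypoint: 'python'
  args: ['-m', 'pytest', '--junitxml=${SHORT_SHA}_test_log.xml']

# Build the distribution files into dist/.
- name: 'python'
  entrypoint: 'python'
  args: ['-m', 'build']

artifacts:
  # Packages uploaded to the Artifact Registry Python repository.
  pythonPackages:
  - repository: 'https://LOCATION-python.pkg.dev/PROJECT-ID/REPOSITORY'
    paths: ['dist/*']
  # Test log copied to the Cloud Storage bucket.
  objects:
    location: 'gs://${_BUCKET_NAME}/'
    paths:
    - '${SHORT_SHA}_test_log.xml'

options:
  # Request SLSA build provenance for the uploaded packages.
  requestedVerifyOption: VERIFIED
```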
What's next
- Learn how to view build results.
- Learn how to safeguard builds.
- Learn how to build and containerize Python applications.
- Learn how to use private dependencies.
- Learn how to perform blue/green deployments on Compute Engine.
- Learn how to troubleshoot build errors.