Setting up CI/CD to deploy an application to Yandex Serverless Containers using GitHub Actions

In this tutorial, you will set up a CI/CD process to deploy a containerized application to Serverless Containers from a SourceCraft repository using GitHub Actions. The integration between SourceCraft and Yandex Cloud will be implemented using a service connection.

Warning

To create a service connection, you need the Organization owner (organization-manager.organizations.owner) role.

To set up CI/CD to deploy an application to Serverless Containers from aSourceCraft repository using GitHub Actions:

  1. Create a service account.
  2. Create a registry.
  3. Create a repository.
  4. Create a service connection.
  5. Configure CI/CD.
  6. Test CI/CD.
  7. Make sure the container has been created.

If you no longer need the resources you created, delete them.

The infrastructure support cost includes:

Create a service account

You will use this service account to upload Docker images to registries in Yandex Container Registry and deploy containers to Serverless Containers.

  1. Log in to the Yandex Cloud management console.

  2. On the left side of the screen, click the line with the name of the folder where you want to deploy your container.

  3. In the list of services, select Identity and Access Management.

  4. Click Create service account.

  5. In the Name field, specify github-action.

  6. Click Add role and select these roles:

    • container-registry.images.pusher: To work with Docker images in a registry.
    • serverless-containers.editor: To manage the container.
    • iam.serviceAccounts.user: To enable specifying a service account when creating a container revision. This account will be used to pull the Docker image from the registry.

  7. Click Create.

  1. Create a service account:

    yc iam service-account create \
  --name github-action
  --folder-name <folder_name>

    Result:

    id: ajeab0cnib1p********
folder_id: b0g12ga82bcv********
created_at: "2025-10-03T09:44:35.989446Z"
name: github-action

  2. Assign the service account the following roles for the folder:

    • iam.serviceAccounts.user: To enable specifying a service account when creating a container revision. This account will be used to pull the Docker image from the registry:

      yc resource-manager folder add-access-binding <folder_name> \
  --service-account-name github-action \
  --role iam.serviceAccounts.user \
  --folder-name <folder_name>

    • serverless-containers.editor: To manage the container:

      yc resource-manager folder add-access-binding <folder_name> \
  --service-account-name github-action \
  --role serverless-containers.editor \
  --folder-name <folder_name>

    • container-registry.images.pusher: To work with Docker images in the registry:

      yc resource-manager folder add-access-binding <folder_name> \
  --service-account-name github-action \
  --role container-registry.images.pusher \
  --folder-name <folder_name>

  1. Create a service account named github-action. To do this, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

  2. Assign the service account these roles for the current folder:

    • iam.serviceAccounts.user: To enable specifying a service account when creating a container revision. This account will be used to pull the Docker image from the registry.
    • serverless-containers.editor: To manage the container.
    • container-registry.images.pusher: To work with Docker images in the registry.

    To do this, use the setAccessBindings REST API method for the Folder resource or the FolderService/SetAccessBindings gRPC API call.

Create a registry

The registry in Container Registry will house the application’s Docker image.

  1. In the management console, select Container Registry.
  2. Click Create registry.
  3. Specify github-action as the registry name.
  4. Click Create registry.
  5. Save the new registry’s ID, you will need it later.

Create a registry named github-action:

yc container registry create --name github-action

Result:

id: crpd50616s9a********
folder_id: b1g88tflru0e********
name: github-action
status: ACTIVE
created_at: "2025-10-03T10:34:06.601Z"

Save the new registry’s ID, you will need it later.

Use the create REST API method for the Registry resource or the RegistryService/CreateRegistryRequest gRPC API call.

Save the new registry’s ID, you will need it later.

Create a repository

The repository will be created from the yc-ci-cd-serverless template and store the Dockerfile, auxiliary files for creating the Docker image, and the CI/CD process settings.

  1. Open the service home page.

  2. In the left-hand panel, click Create repository.

  3. In the window that opens, select Blank repository.

  4. Under Your new repository details:

    • In the Owner field, select the organization in which you created the Yandex Cloud service account.

    • In the Name field, specify a name for the repository.

      The name must be unique within the organization. The name may contain the following ASCII characters: lowercase and uppercase Latin letters, numbers, commas, hyphens, and underscores.

      The address to access the repository at is displayed below the name.

    • Optionally, in the Description field, enter a description for the repository.

  5. Under Repository template, click Browse templates, select the yc-ci-cd-serverless template, and click Use template.

    To view the template contents, click Preview.

    The template contains:

    • .sourcecraft/ci.yaml file with a pre-installed configuration of the CI/CD process that runs when a commit is created and does the following:
      • Obtains a Yandex Cloud IAM token using a service connection named default-service-connection.
      • Installs Docker Buildx in the worker environment using the Docker Setup Buildx GitHub Action.
      • Authenticates with Container Registry using the Docker Login GitHub Action and the Yandex Cloud IAM token.
      • Builds a Docker image from the Dockerfile located at the repository root and pushes it to Container Registry using the Build and Push Docker images GitHub Action.
      • Deploys a container in Serverless Containers from the built Docker image.
    • Dockerfile, index.html, and docker/nginx/conf.d/default.conf with the configuration of a container with a static web app based on Nginx.

  6. Click Create repository.

Create a service connection

  1. Open the SourceCraft home page.

  2. Navigate to the Organizations tab.

  3. Select the organization where you created the Yandex Cloud service account.

  4. On the organization page, in the Settings section, go to the Service connections section.

  5. Click New service connection.

  6. Under Basic information, specify the service connection name, default-service-connection.

  7. Under Scope, select the repository you created earlier.

  8. Under Yandex Cloud settings, select:

    • Folder where you previously deployed the cloud infrastructure and assigned a role to the service account.

    • github-action service account.

      Tip

      To re-request the list of clouds, folders, and service accounts from Yandex Cloud, click Synchronize. This can be of use if alongside creating a service connection you also created a folder or service account.

  9. Click Create service connection.

    Wait for the operation to complete. The page that opens will display the service connection details.

    A Yandex Identity and Access Management workload identity federation will be automatically created in Yandex Cloud.

    To view the parameters of the new OIDC provider, click the federation name under Workload identity federation.

Configure CI/CD

  1. Open the SourceCraft home page.

  2. On the Home tab, under Your craftspace, navigate to Repositories.

  3. Select the repository you created earlier.

  4. Select .sourcecraft/ci.yaml.

  5. In the top-right corner, click Edit.

  6. In the YC_DOCKER_REGISTRY_URI parameter, specify the ID of the registry you previously created:

    YC_DOCKER_REGISTRY_URI: cr.yandex/<registry_ID>

  7. In the top-right corner, click Commit changes.

  8. Commit:

    1. Enter a message about the changes.
    2. Under Commit branch, select Commit directly to the branch: main.
    3. Under After commit action, select Just commit.
    4. Click Commit changes.

After saving the changes, demo-service-connection-workflow will start.

Test CI/CD

  1. Open the SourceCraft home page.
  2. On the Home tab, under Your craftspace, navigate to Repositories.
  3. Select the repository you created earlier.
  4. Under Code on the repository page, go to CI/CD.
  5. In the list of automation executions, you will see a new execution. Wait for the status to change to Success.

Make sure the container has been created

  1. In the management console, select Serverless Containers.

  2. In the list, you should see demo-serverless-container1; select it.

    Under Revisions, you should now see the container revision with the same timestamp as the CI/CD process execution.

Run this command:

yc serverless container revision list \
  --container-name demo-serverless-container1

Where --container-name is the container name specified in .sourcecraft/ci.yaml.

Result:

+----------------------+----------------------+--------------------------------------------------------+---------------------+
|          ID          |     CONTAINER ID     |                 IMAGE                                  |     CREATED AT      |
+----------------------+----------------------+--------------------------------------------------------+---------------------+
| bba27hejd69a******** | bba83i1mrb5s******** | cr.yandex/yc/serverless/demo-serverless-container1     | 2025-10-04 09:38:14 |
+----------------------+----------------------+--------------------------------------------------------+---------------------+

Use the listRevisions REST API method for the Container resource or the RegistryService/CreateRegistryRequest gRPC API call.

Delete the resources you created

To stop paying for the resources you created:

  1. Delete the container.
  2. Delete the Docker image.
  3. Delete the registry.

See also

Previous
Configuring CI/CD with Yandex Cloud Functions
Next
Hosting a static website using SourceCraft Sites