---
id: wiki-2026-0508-g-stack-integration-guide
title: G Stack Integration Guide
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [G-Stack, G Stack Integration, GitHub-Gemini-Google Stack]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [integration, devops, ci-cd, ai, google]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: python
  framework: github-actions
---

# G-Stack Integration Guide

## One line

> **"Tie GitHub + Gemini + Google Cloud into a single coherent dev stack."**

G-Stack is the integration of source control (GitHub), AI assist (Gemini Code Assist) and cloud runtime (GCP / Cloud Run / Vertex AI), the default flow in the 2026 Google ecosystem: GitHub Actions ↔ Cloud Build ↔ Vertex AI ↔ Gemini API.

## Core

### G-Stack components

- **G**itHub: source, Actions CI/CD, Codespaces; Gemini Code Assist as the Copilot alternative
- **G**emini: API (Gemini 2.5 Pro, Flash), Code Assist IDE plugin, Vertex AI
- **G**oogle Cloud: Cloud Run, GKE, Cloud Build, Artifact Registry, Vertex AI

### Key integration points

- **OIDC**: GitHub Actions → GCP keyless auth (no JSON key); the workflow exchanges the OIDC token GitHub issues for the job for a short-lived Google access token
- **Workload Identity Federation**: the GCP-side trust configuration behind that exchange; tokens live minutes, and trust is scoped by issuer, audience and an attribute condition on the token's claims
- **Cloud Build trigger**: GitHub push → automated build
- **Vertex AI agent**: Gemini model + RAG over custom data

### Applications

1. CI/CD: GitHub Actions deploy to Cloud Run.
2. AI-assisted dev: Gemini Code Assist in VSCode.
3. Custom RAG: Vertex AI Agent Builder + GitHub repo source.
4. Production LLM: Gemini API + Cloud Run wrapper.
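The trust decision behind the OIDC / Workload Identity Federation integration points above, as an added example that is not code from this page, from GitHub or from Google: it replays in plain Python the checks a WIF provider makes on a GitHub Actions token (issuer, audience, expiry, the attribute condition, and whether an IAM `principalSet` binding exists for the mapped attributes) over constructed claim sets shaped like GitHub's OIDC token. The project number `123456`, the pool and provider names and `myorg/myrepo` are assumptions; the tighter `main_branch_condition` (CEL `assertion.repository_owner == 'myorg' && assertion.ref == 'refs/heads/main'`) is a hardening suggested here, not configuration the page shows.

```python
import re

ISSUER = "https://token.actions.githubusercontent.com"
# Provider resource name as a GitHub workflow would reference it (project number assumed)
PROVIDER = "projects/123456/locations/global/workloadIdentityPools/github/providers/github"
POOL = PROVIDER.split("/providers/")[0]
# WIF's default allowed audience is the provider name behind the IAM endpoint,
# which is also the audience google-github-actions/auth requests by default.
AUDIENCE = f"https://iam.googleapis.com/{PROVIDER}"

# attribute_mapping: target attribute -> raw token claim
ATTRIBUTE_MAPPING = {"google.subject": "sub", "attribute.repository": "repository"}
ALLOWED_OWNER = "myorg"
# The only principalSet granted roles/iam.workloadIdentityUser on the deploy SA (assumed)
PRINCIPAL_SET = f"principalSet://iam.googleapis.com/{POOL}/attribute.repository/myorg/myrepo"


def page_condition(claims):
    """CEL attribute_condition: assertion.repository_owner == 'myorg'."""
    return claims.get("repository_owner") == ALLOWED_OWNER


def main_branch_condition(claims):
    """Tighter condition: only pushes to main may impersonate the deploy SA, so
    feature-branch and pull_request tokens (sub 'repo:<r>:pull_request') are refused."""
    return page_condition(claims) and claims.get("ref") == "refs/heads/main"


def map_attributes(claims):
    """attribute_mapping copies each referenced raw claim into a named attribute."""
    return {target: claims.get(src) for target, src in ATTRIBUTE_MAPPING.items()}


def principal_set_matches(mapped, principal_set):
    """Is there an IAM binding whose attribute value equals this identity's mapped attribute?"""
    m = re.fullmatch(r"principalSet://iam\.googleapis\.com/(.+?)/attribute\.([^/]+)/(.+)", principal_set)
    pool, attr, value = m.groups()
    return pool == POOL and mapped.get(f"attribute.{attr}") == value


def decide(claims, now, condition=page_condition):
    """Return ('accept', subject) or ('reject', reason), in the order the checks apply."""
    if claims.get("iss") != ISSUER:
        return "reject", "issuer is not the configured issuer_uri"
    if claims.get("aud") != AUDIENCE:
        return "reject", "audience is not this provider"
    if claims.get("exp", 0) <= now:
        return "reject", "token expired"
    if not condition(claims):
        return "reject", "attribute_condition evaluated to false"
    mapped = map_attributes(claims)
    if not principal_set_matches(mapped, PRINCIPAL_SET):
        return "reject", "no workloadIdentityUser binding for this principalSet"
    return "accept", mapped["google.subject"]


NOW = 1_778_000_000  # constructed 'current time' for the sample tokens


def github_claims(repo, ref="refs/heads/main", event="push", iss=ISSUER):
    """Constructed claim set with the shape of GitHub's OIDC token (not a real token)."""
    sub = f"repo:{repo}:ref:{ref}" if event == "push" else f"repo:{repo}:pull_request"
    return {"iss": iss, "aud": AUDIENCE, "exp": NOW + 300, "sub": sub,
            "repository": repo, "repository_owner": repo.split("/")[0],
            "ref": ref, "event_name": event}


CASES = {
    "main push": github_claims("myorg/myrepo"),
    "feature branch": github_claims("myorg/myrepo", ref="refs/heads/feature"),
    "pull request": github_claims("myorg/myrepo", ref="refs/pull/7/merge", event="pull_request"),
    "other org": github_claims("evilorg/myrepo"),
    "sibling repo": github_claims("myorg/otherrepo"),
    "wrong issuer": github_claims("myorg/myrepo", iss="https://accounts.example.test"),
}


def run_cases(condition=page_condition):
    return {name: decide(claims, NOW, condition) for name, claims in CASES.items()}


if __name__ == "__main__":
    for policy in (page_condition, main_branch_condition):
        print(policy.__name__)
        for name, result in run_cases(policy).items():
            print(f"  {name:14} -> {result}")
```

Under the page's condition, any workflow in `myorg/myrepo` (a feature branch push, a same-repo pull request) is accepted, because the binding is per repository and the condition only checks the owner; the sibling repository passes the condition but has no binding, and another org fails the condition. Adding the `ref` check to the condition is what narrows deploy-SA impersonation to main.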
## 💻 Patterns

### GitHub Actions → Cloud Run (OIDC, no key)

```yaml
# .github/workflows/deploy.yml
name: Deploy to Cloud Run
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write   # lets the job request a GitHub-issued OIDC token
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          # provider resource name uses the project NUMBER, not the project ID
          workload_identity_provider: projects/123456/locations/global/workloadIdentityPools/github/providers/github
          service_account: deploy@my-project.iam.gserviceaccount.com
      - uses: google-github-actions/setup-gcloud@v2
      - name: Build and Deploy
        # the deploy SA needs Cloud Build, Artifact Registry writer and Cloud Run deploy permissions
        run: |
          gcloud builds submit --tag us-central1-docker.pkg.dev/my-project/repo/app
          gcloud run deploy app \
            --image us-central1-docker.pkg.dev/my-project/repo/app \
            --region us-central1 \
            --allow-unauthenticated   # public service; drop this for sensitive endpoints (see anti-patterns)
```

### Workload Identity Federation setup (Terraform)

```hcl
resource "google_iam_workload_identity_pool" "github" {
  workload_identity_pool_id = "github"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github"

  # raw token claims (assertion.*) -> attributes usable in IAM bindings
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }
  # without a condition every repository on github.com could pass the issuer check
  attribute_condition = "assertion.repository_owner == 'myorg'"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }
}

# only workflows of myorg/myrepo may impersonate the deploy service account
resource "google_service_account_iam_member" "github_act_as" {
  service_account_id = google_service_account.deploy.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.repository/myorg/myrepo"
}
```

### Gemini API (Python, Cloud Run)

```python
import os

from fastapi import FastAPI
from google import genai
from pydantic import BaseModel, Field

# key is injected from Secret Manager at deploy time (see below), never committed
client = genai.Client(api_key=os.environ["GEMINI_API_KEY"])
app = FastAPI()


class ChatRequest(BaseModel):
    prompt: str = Field(max_length=8000)  # cap caller-controlled input; it is billed per token


@app.post("/chat")
def chat(req: ChatRequest):
    # sync handler on purpose: generate_content blocks, and FastAPI runs
    # sync endpoints in a thread pool instead of stalling the event loop
    response = client.models.generate_content(
        model="gemini-2.5-pro",
        contents=req.prompt,
        config={
            "temperature": 0.7,
            "max_output_tokens": 2048,
        },
    )
    return {"text": response.text}
```

### Vertex AI RAG (GitHub repo as source)

```python
from google.cloud import aiplatform
from vertexai.preview import rag

aiplatform.init(project="my-project", location="us-central1")

# preview API: argument names have changed between SDK releases, pin the version you tested
corpus = rag.create_corpus(
    display_name="github-repo-rag",
    embedding_model_config=rag.EmbeddingModelConfig(
        publisher_model="publishers/google/models/text-embedding-005"
    ),
)

# GitHub mirror → GCS → Vertex (the bucket should hold only what the corpus may answer from)
rag.import_files(
    corpus_name=corpus.name,
    paths=["gs://my-bucket/github-mirror/"],
    chunk_size=1024,
)

# query
response = rag.retrieval_query(
    rag_resources=[rag.RagResource(rag_corpus=corpus.name)],
    text="How does the auth module work?",
    similarity_top_k=5,
)
```

### Gemini Code Assist (VSCode settings)

```json
{
  "geminicodeassist.project": "my-gcp-project",
  "geminicodeassist.enableInlineCompletions": true,
  "geminicodeassist.enableTelemetry": false,
  "github.copilot.enable": { "*": false }
}
```

### Cloud Build trigger (GitHub push)

```yaml
# cloudbuild.yaml
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'us-central1-docker.pkg.dev/$PROJECT_ID/repo/app:$COMMIT_SHA', '.']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'us-central1-docker.pkg.dev/$PROJECT_ID/repo/app:$COMMIT_SHA']
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: gcloud
    args:
      - run
      - deploy
      - app
      - --image=us-central1-docker.pkg.dev/$PROJECT_ID/repo/app:$COMMIT_SHA   # immutable tag per commit
      - --region=us-central1
options:
  logging: CLOUD_LOGGING_ONLY
```

### Secret Manager → Cloud Run

```bash
# create the secret (first version) from the shell variable; the value never touches the repo
echo -n "$GEMINI_KEY" | gcloud secrets create gemini-api-key --data-file=-

# the Cloud Run runtime identity must be allowed to read it
gcloud secrets add-iam-policy-binding gemini-api-key \
  --member=serviceAccount:deploy@my-project.iam.gserviceaccount.com \
  --role=roles/secretmanager.secretAccessor

# expose it to Cloud Run as an env var (a dedicated runtime SA with only this role is tighter
# than reusing the deploy SA; ':latest' is convenient, a pinned version gives reproducible rollouts)
gcloud run deploy app \
  --image=... \
  --update-secrets=GEMINI_API_KEY=gemini-api-key:latest \
  --service-account=deploy@my-project.iam.gserviceaccount.com
```

### Monitoring (Cloud Logging + Sentry)

```python
import logging
import os

import google.cloud.logging
import sentry_sdk

# route the stdlib logger to Cloud Logging; Sentry DSN comes from the environment
google.cloud.logging.Client().setup_logging()
sentry_sdk.init(dsn=os.environ["SENTRY_DSN"], traces_sample_rate=0.1)

logging.info("structured log to Cloud Logging")
```

## Decision criteria

| Situation | G-Stack tool |
|---|---|
| Solo prototype | GitHub + Gemini Code Assist + Cloud Run |
| Production API | + Vertex AI + Secret Manager + Cloud Build |
| ML/LLM heavy | Vertex AI Agent Builder + RAG |
| Enterprise | + WIF + Org policy + VPC-SC |
| Multi-cloud | GitHub Actions abstraction layer |

**Defaults**: OIDC (no JSON key), Cloud Run (serverless), Gemini 2.5 Flash (cheap default).

## 🔗 Graph

- Parent: [[DevOps]]
- Applications: [[GitHub Actions]]
- Adjacent: [[OIDC]] · [[Infrastructure as Code]]

## 🤖 LLM usage

**When**: GCP + GitHub integration troubleshooting, OIDC configuration validation, Vertex AI agent design.

**When not**: multi-cloud agnostic work; G-Stack is GCP-tied.

## ❌ Anti-patterns

- **JSON service account key**: a long-lived key that leaks with the repo or a laptop. Replace with OIDC.
- **Hardcoded Gemini key in repo**: an obvious leak. Use Secret Manager.
- **Public Cloud Run**: `--allow-unauthenticated` on a sensitive endpoint. Require IAM or put IAP in front.
- **No budget alert**: unbounded Vertex AI queries turn into an unexpected bill.

## 🧪 Verification / duplicates

- Verified (GitHub Docs, "Configuring OpenID Connect in Google Cloud Platform").
- Verified (Google Cloud Docs, Workload Identity Federation, 2024).
- Verified (Vertex AI RAG Engine GA, 2024).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: GitHub + Gemini + GCP integration patterns |
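A pre-merge check for the anti-patterns listed above, as an added example that is not the page's code nor any Google or GitHub tool: it lints a workflow or build file for the long-lived `credentials_json` key input, a literal Google API key, a public Cloud Run deploy, a secret reference pinned to `latest`, and a WIF auth step without the `id-token: write` permission (without which the OIDC token cannot be minted at all). The sample workflows are constructed; the `AIza…` shape is the commonly used heuristic for Google API keys and the key in the sample is fake.

```python
import re

# (rule id, line pattern, message); each applies per line
RULES = [
    ("json-key", re.compile(r"^\s*credentials_json:"),
     "long-lived service-account JSON key; use workload_identity_provider (OIDC)"),
    ("hardcoded-google-key", re.compile(r"AIza[0-9A-Za-z_-]{35}"),
     "Google API key literal; read it from Secret Manager"),
    ("public-service", re.compile(r"--allow-unauthenticated\b"),
     "public Cloud Run service; drop the flag or front it with IAM/IAP"),
    ("secret-latest", re.compile(r"--(update|set)-secrets=.*:latest\b"),
     "secret pinned to 'latest'; pin a version for reproducible rollouts"),
]


def lint(text):
    """Return a list of (rule, line_number, message); line 0 means a file-level finding."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for rule, pattern, message in RULES:
            if pattern.search(line):
                findings.append((rule, n, message))
    # file-level rule: WIF auth is useless without permission to request the OIDC token
    uses_wif = "workload_identity_provider:" in text
    has_id_token = re.search(r"^\s*id-token:\s*write\s*$", text, re.M) is not None
    if uses_wif and not has_id_token:
        findings.append(("missing-id-token", 0,
                         "workload_identity_provider set but no 'id-token: write' permission"))
    return findings


# Constructed sample: a workflow that commits every anti-pattern at once (fake key)
BAD_WORKFLOW = """\
name: Deploy
on: {push: {branches: [main]}}
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}
      - run: |
          export GEMINI_API_KEY=AIzaSyCONSTRUCTEDFAKEKEY00000000000000000000
          gcloud run deploy app --image us-central1-docker.pkg.dev/p/r/app --allow-unauthenticated --update-secrets=OTHER=other:latest
"""

# Constructed sample shaped like the OIDC workflow on this page, with a pinned secret version
GOOD_WORKFLOW = """\
name: Deploy to Cloud Run
on: {push: {branches: [main]}}
permissions:
  contents: read
  id-token: write
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123456/locations/global/workloadIdentityPools/github/providers/github
          service_account: deploy@my-project.iam.gserviceaccount.com
      - run: gcloud run deploy app --image us-central1-docker.pkg.dev/p/r/app --region us-central1 --update-secrets=GEMINI_API_KEY=gemini-api-key:3
"""

# Same workflow with the permissions line forgotten: auth@v2 will fail to obtain a token
NO_PERMS_WORKFLOW = GOOD_WORKFLOW.replace("  id-token: write\n", "")


if __name__ == "__main__":
    for name, text in (("bad", BAD_WORKFLOW), ("good", GOOD_WORKFLOW), ("no-perms", NO_PERMS_WORKFLOW)):
        print(name)
        for rule, line, message in lint(text):
            print(f"  line {line}: {rule}: {message}")
```

Run it over `.github/workflows/*.yml` and `cloudbuild.yaml` in CI before the deploy job; the file-level `missing-id-token` finding is the one that otherwise surfaces only as a confusing token-exchange error at run time.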