
# #17123: Add Cloud Run deployment guide and Bun version pinning

by optiflow, open, 2026-02-15 12:44

Labels: docs, gateway, scripts, docker, stale; size: M
## Summary

- **Problem**: OpenClaw lacked a serverless deployment option on GCP and Bun installation was unpinned, creating reproducibility and security concerns.
- **Why it matters**: Cloud Run enables cost-effective, managed deployments without VM overhead; pinned Bun versions ensure deterministic builds and safer upgrades.
- **What changed**: Added Cloud Run deployment guide, Cloud Build pipeline, GCS FUSE persistence setup, Bun version pinning with checksum verification, health checks, and logging improvements.
- **What did NOT change**: Core gateway logic, authentication, or channel integrations remain unchanged.

## Change Type

- [x] Feature
- [x] Docs
- [x] Security hardening
- [x] Chore/infra

## Scope

- [x] Gateway / orchestration
- [x] CI/CD / infra
- [x] Auth / tokens

## Linked Issue/PR

- Related: GCP deployment options

## User-visible / Behavior Changes

**New deployment option:**

- Cloud Run deployment with managed HTTPS, Secret Manager integration, and GCS FUSE persistence
- Estimated cost: ~$50–70/mo for always-on instance (2 vCPU, 2 GB RAM)

**Build/deployment changes:**

- Bun now pinned to `1.3.9` (configurable via `BUN_VERSION` arg)
- Bun installation validates checksums against GitHub release `SHASUMS256.txt`
- Docker Compose and Dockerfile now include health checks
- GCP Compute Engine deployment updated with Bun pinning and binary checksum verification

**Logging:**

- JSON logs now include GCP Cloud Logging severity levels (DEBUG, INFO, WARNING, ERROR, CRITICAL)

## Security Impact

- **New permissions/capabilities?** Yes — Cloud Run service account requires `storage.objectAdmin` on GCS bucket for SQLite persistence.
- **Secrets/tokens handling changed?** Yes — Secrets now managed via GCP Secret Manager instead of env files; mapped to Cloud Run via `--set-secrets`.
- **New/changed network calls?** Yes — Bun installation now downloads from GitHub releases with checksum verification (mitigates supply-chain risk).
- **Command/tool execution surface changed?** No.
- **Data access scope changed?** Yes — SQLite database now persists on GCS FUSE mount instead of ephemeral container storage.

**Risk mitigation:**

- Checksum verification prevents tampering with Bun binaries.
- GCS bucket access restricted to Cloud Run service account via IAM.
- Single instance (`max-instances=1`) enforces SQLite file-level locking; prevents corruption from concurrent writes.
- Secret Manager keeps tokens out of container images and env files.

## Repro + Verification

### Environment

- GCP project with Cloud Run, Secret Manager, Artifact Registry, and Cloud Storage APIs enabled
- `gcloud` CLI v1.0+
- Docker 20.10+

### Steps

1. Create GCP project and enable APIs:
   ```bash
   gcloud projects create my-openclaw
   gcloud config set project my-openclaw
   gcloud services enable run.googleapis.com cloudbuild.googleapis.com \
     artifactregistry.googleapis.com secretmanager.googleapis.com storage.googleapis.com
   ```
2. Create Artifact Registry and GCS bucket:
   ```bash
   gcloud artifacts repositories create openclaw --repository-format=docker --location=us-central1
   gcloud storage buckets create gs://my-openclaw-openclaw-data --location=us-central1
   ```
3. Set up secrets:
   ```bash
   ./scripts/gcp/setup-secrets.sh my-openclaw
   openssl rand -hex 32 | gcloud secrets versions add openclaw-gateway-token --data-file=-
   ```
4. Deploy via Cloud Build:
   ```bash
   gcloud builds submit --config cloudbuild.yaml \
     --substitutions=_BUCKET_NAME=my-openclaw-openclaw-data
   ```
5. Verify deployment:
   ```bash
   gcloud run services describe openclaw-gateway --region=us-central1 --format="value
   ```

### Greptile Summary

Added Cloud Run deployment support with GCS FUSE persistence, Secret Manager integration, and Bun version pinning (1.3.9) with checksum verification. The implementation includes multi-stage Docker builds, health probes, and GCP Cloud Logging severity mapping. All core gateway logic remains unchanged.

### Confidence Score: 4/5

- This PR is safe to merge with the recommended style improvements applied
- The PR implements robust security practices including Bun checksum verification, Secret Manager integration, non-root container execution, and proper health checks. The infrastructure-as-code is well-documented. The three style suggestions are minor optimizations that don't affect functionality. No logical errors or security vulnerabilities were found beyond what was already noted in previous review threads.
- Review the style suggestions in `Dockerfile.cloudrun`, `scripts/cloud-run-entrypoint.sh`, and `src/logging/subsystem.ts` for potential optimizations

Last reviewed commit: 8a9d8fa
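The PR description says the Bun installer now validates the downloaded archive against the release's `SHASUMS256.txt`, and lists that check as the mitigation for a tampered binary. The script below is an added example of that verification step, not the PR's own installer or any OpenClaw script. It assumes the upstream checksum file format (`<hex digest>  <filename>`, one line per artifact) and an archive name of `bun-linux-x64.zip`; the archive and checksum file are constructed locally so the logic runs offline, and a tampered copy shows the failure path a real install should refuse on.

```bash
#!/usr/bin/env bash
# Added example (not from the OpenClaw PR): verify a Bun release archive
# against the SHASUMS256.txt published with the release.
set -eu

BUN_VERSION="${BUN_VERSION:-1.3.9}"   # matches the version pinned in the PR
BUN_ARCHIVE="bun-linux-x64.zip"       # assumed artifact name for this example

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_bun_archive <archive> <SHASUMS256.txt>
# Exit status: 0 digest matches the entry for the archive's filename,
#              1 digest mismatch (possible tampering),
#              2 the checksum file has no entry for that filename.
verify_bun_archive() {
  local archive="$1" sums="$2" name expected actual
  name="$(basename "$archive")"
  # Look the filename up in the checksum list; a missing entry is a failure,
  # never a pass, so an attacker cannot bypass the check by renaming the file.
  expected="$(awk -v f="$name" '$2 == f {print $1}' "$sums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 2
  fi
  actual="$(sha256_of "$archive")"
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  echo "checksum OK for $name"
}

# Constructed fixture so the script runs without network access: a fake
# archive and a checksum file whose entry for it is correct, plus a decoy
# entry for another platform to show the lookup is by filename.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  printf 'pretend-bun-binary-%s' "$BUN_VERSION" > "$dir/$BUN_ARCHIVE"
  printf '%064d  bun-darwin-aarch64.zip\n' 0 > "$dir/SHASUMS256.txt"
  printf '%s  %s\n' "$(sha256_of "$dir/$BUN_ARCHIVE")" "$BUN_ARCHIVE" >> "$dir/SHASUMS256.txt"
  echo "$dir"
}

demo() {
  local dir
  dir="$(make_fixture)"
  verify_bun_archive "$dir/$BUN_ARCHIVE" "$dir/SHASUMS256.txt"
  # Simulate a modified download: even one appended byte changes the digest.
  printf 'tampered' >> "$dir/$BUN_ARCHIVE"
  if ! verify_bun_archive "$dir/$BUN_ARCHIVE" "$dir/SHASUMS256.txt"; then
    echo "tampering detected, refusing to install"
  fi
  rm -rf "$dir"
}

demo
```

In a real Dockerfile the same function would run right after the `curl`/`wget` of the archive and before `unzip`, with the `SHASUMS256.txt` fetched from the same pinned release tag; the pin on `BUN_VERSION` is what makes the expected digest stable across rebuilds.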
