
feat: add cloudrun deploy job #29

Merged
smelchior merged 15 commits into v1 from feat/cloudrun on Nov 19, 2025

Conversation

@smelchior (Contributor)

No description provided.

coderabbitai bot (Contributor) commented Nov 7, 2025

📝 Walkthrough

Summary by CodeRabbit

  • Documentation

    • Added Cloud Run Deployment documentation and reference guide.
  • Chores

    • Added automated deployment workflow to support Cloud Run environments.

Walkthrough

Adds a reusable GitHub Actions workflow at .github/workflows/deploy-cloudrun.yaml that validates inputs, authenticates to GCP via Workload Identity, builds an image reference, and conditionally deploys a Cloud Run Job or Service. Also adds a README entry linking to the new workflow.

Changes

  • GitHub Actions workflow (.github/workflows/deploy-cloudrun.yaml): New workflow_call workflow with inputs (job-name, service-name, registry, artifact-repository, artifact-tag, region, flags, container, workload-identity-provider, workload-identity-service-account-mail). Adds deploy_cloudrun job (permissions: id-token, read) and steps: checkout, input validation (require job-name OR service-name), Workload Identity authentication, gcloud setup, compose image registry/artifact-repository:artifact-tag, prepare flags/container, and conditional deployment of a Cloud Run Job or Cloud Run Service. Avoids the standard deploy-cloudrun action due to a known issue.
  • Documentation (README.md): Added "Cloud Run Deployment" reference block linking to the new deploy-cloudrun.yaml workflow template. No runtime code changes.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Caller as Workflow Caller
    participant Reusable as Reusable GHA Workflow
    participant GCP as Google Cloud

    Caller->>Reusable: call(inputs: registry, repo, tag, region, WIF provider, service account, job/service name)
    activate Reusable
    Reusable->>Reusable: validate inputs (require job-name OR service-name)
    Reusable->>Reusable: checkout repo
    Reusable->>GCP: authenticate via Workload Identity (request id-token & read)
    GCP-->>Reusable: short-lived credentials
    Reusable->>Reusable: compose image & prepare flags/container

    alt job-name provided
        Reusable->>GCP: deploy Cloud Run Job (image, region, job name, flags/container)
        GCP-->>Reusable: deployment result
    end

    alt service-name provided
        Reusable->>GCP: deploy Cloud Run Service (image, region, service name, flags/container)
        GCP-->>Reusable: deployment result
    end

    Reusable-->>Caller: complete
    deactivate Reusable
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify input validation enforces at least one of job-name or service-name.
  • Confirm Workload Identity authentication uses workload-identity-provider and workload-identity-service-account-mail, and job permissions include id-token and read.
  • Check image composition (registry/artifact-repository:artifact-tag) and that region, container, and flags are passed correctly into the deploy command.
  • Validate README insertion location and link correctness.

Suggested reviewers

  • marek-saji

Poem

🐇 I hop through YAML, swift and spry,
I stitch the tag and lift it high,
Job or service, name and run,
I nudge the cloud — deployment done,
Little rabbit claps — hooray!

Pre-merge checks

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. No pull request description was provided by the author, making it impossible to evaluate whether it relates to the changeset. Resolution: add a pull request description explaining the purpose and context of the Cloud Run deployment workflow.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title 'feat: add cloudrun deploy job' accurately summarizes the main change: adding a new Cloud Run deployment workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between ac94dcf and 8996ff3.

📒 Files selected for processing (1)
  • README.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
README.md

[uncategorized] ~129-~129: The official name of this software platform is spelled with a capital “H”.
Context: ...ices or jobs. See deploy-cloudrun.yaml for det...

(GITHUB)

🔇 Additional comments (1)
README.md (1)

125-129: LGTM!

The new "Cloud Run Deployment" section is properly formatted and follows the established documentation pattern. The section heading uses correct title-case capitalization, the description accurately names the product as "Google Cloud Run," and the reference link is properly structured.


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 4

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between b02577a and 30299f4.

📒 Files selected for processing (2)
  • .github/workflows/deploy-cloudrun-job.yaml (1 hunks)
  • .github/workflows/deploy-cloudrun-service.yaml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: marek-saji
Repo: verkstedt/actions PR: 20
File: .github/workflows/docker-build-push.yaml:236-255
Timestamp: 2025-07-22T12:12:09.068Z
Learning: In GitHub Actions Docker workflows, intentionally using separate docker/build-push-action steps (one with push: false for building, followed by another with push: true) can be a deliberate design choice to provide timing visibility and show how much time is spent on each phase, rather than being a performance oversight.

Comment on lines +40 to +43
- name: 'Set up gcloud-cli'
uses: 'google-github-actions/setup-gcloud@v3'
with:
version: '>= 363.0.0'
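Review bot: `uses: 'google-github-actions/setup-gcloud@v3'` pins a mutable major tag. This step runs in a job that holds an `id-token: write` grant and, after the auth step, short-lived credentials for the deploy service account, so a retagged or compromised release of the action would execute with those credentials. Pin each third-party action to a full commit SHA (`@<sha> # v3`) and let Dependabot move the pin. Note also that `version: '>= 363.0.0'` is a floor, not a pin: the action resolves it to the newest release that satisfies the constraint, so raising the floor changes nothing about determinism, only about which old releases are excluded.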
coderabbitai bot (Contributor):

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

Verify gcloud CLI version specification.

The gcloud version constraint '>= 363.0.0' allows very old versions (from ~2021). Confirm this is intentional for broad compatibility or if a more recent minimum version should be specified to ensure access to newer Cloud Run features and security patches.


🌐 Web query:

What is the current stable version of Google Cloud CLI (gcloud)?

💡 Result:

As of November 7, 2025, the current stable Google Cloud CLI (gcloud) version is 545.0.0. [1][2]

Sources:
[1] Google Cloud SDK — gcloud overview.
[2] Google Cloud SDK — Install the gcloud CLI.



---

🏁 Script executed:

```shell
#!/bin/bash
# Examine the workflow file for context or comments around gcloud version
cat .github/workflows/deploy-cloudrun-job.yaml
```

Length of output: 1372


Update gcloud CLI version to a more recent minimum.

The current constraint '>= 363.0.0' allows versions from ~2021. The current stable Google Cloud CLI version is 545.0.0 (as of November 2025), indicating a significant version gap. Unless backward compatibility with very old versions is a hard requirement, consider updating the minimum to a more recent version (e.g., 500+) to ensure access to current Cloud Run features and security patches. If the old minimum is intentional, document the compatibility rationale in the workflow.

🤖 Prompt for AI Agents
.github/workflows/deploy-cloudrun-job.yaml lines 40-43: the workflow pins gcloud
CLI minimum to '>= 363.0.0', which is outdated; update the version constraint to
a more recent minimum (for example '>= 500.0.0' or a specific current stable
like '>= 545.0.0') to ensure modern Cloud Run features and security fixes, or if
you must support older CLIs, add a comment in the workflow explaining the
compatibility requirement; make the change by replacing the version string and
commit with a brief justification comment if keeping the old minimum.

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
.github/workflows/deploy-cloudrun.yaml (1)

46-46: Update gcloud CLI version constraint to a more recent minimum.

Version 363.0.0 is from November 2021 (~4 years old). Modern Cloud Run features and security patches require gcloud SDK 511.0.0 or later. The current constraint is too permissive and allows deployments with versions that lack critical Cloud Run functionality.

Update to '>= 511.0.0' or the current recommended version (545.0.0+) to ensure access to modern Cloud Run features and security patches.

-          version: '>= 363.0.0'
+          version: '>= 511.0.0'
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 30299f4 and ac61512.

📒 Files selected for processing (1)
  • .github/workflows/deploy-cloudrun.yaml (1 hunks)
🧰 Additional context used
🪛 YAMLlint (1.37.1)
.github/workflows/deploy-cloudrun.yaml

[warning] 3-3: truthy value should be one of [false, true]

(truthy)


[error] 61-61: too many blank lines (1 > 0)

(empty-lines)

smelchior changed the title from "feat: add cloudrun deploy jobs" to "feat: add cloudrun deploy job" on Nov 7, 2025

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between dd9dcf7 and 5362830.

📒 Files selected for processing (1)
  • .github/workflows/deploy-cloudrun.yaml (1 hunks)

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 9666519 and e606a4d.

📒 Files selected for processing (1)
  • .github/workflows/deploy-cloudrun.yaml (1 hunks)
🔇 Additional comments (1)
.github/workflows/deploy-cloudrun.yaml (1)

1-76: Workflow looks good; all previous issues are resolved.

The reusable workflow is well-structured with proper authentication, conditional deployments, and input validation. All issues from prior reviews (gcloud version constraint, input validation, image format with / separator, indentation, trailing blank lines) have been successfully addressed.

The workflow correctly:

  • Ensures at least one deployment target (job or service) via explicit validation (lines 43–48)
  • Uses Workload Identity for authentication (lines 49–52)
  • Conditionally appends container flags when provided (lines 57–59)
  • Deploys either a Cloud Run job or service independently (lines 61–76)

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
.github/workflows/deploy-cloudrun.yaml (2)

6-33: Add descriptions to workflow inputs for improved UX.

Input descriptions were flagged in the previous review but are still missing. These help callers understand the expected format and purpose of each parameter.

Apply this diff to add descriptions:

     inputs:
       job-name:
         required: false
+        description: 'Cloud Run Job name (at least one of job-name or service-name required)'
         type: string
       service-name:
         required: false
+        description: 'Cloud Run Service name (at least one of job-name or service-name required)'
         type: string
       registry:
         required: true
+        description: 'Container registry URL (e.g., gcr.io/my-project)'
         type: string
       artifact-repository:
         required: true
+        description: 'Image repository name without registry prefix (e.g., my-image)'
         type: string
       artifact-tag:
         required: true
+        description: 'Image tag (e.g., latest, v1.0.0, ${{ github.sha }})'
         type: string
       region:
         required: true
+        description: 'GCP region for Cloud Run deployment (e.g., us-central1)'
         type: string
       flags:
+        description: 'Additional gcloud flags (optional, e.g., --allow-unauthenticated)'
         type: string
       container:
+        description: 'Container name override within the image (optional)'
         type: string
       workload-identity-provider:
         required: true
+        description: 'GCP Workload Identity Provider resource name'
         type: string
       workload-identity-service-account-mail:
         required: true
+        description: 'GCP service account email for OIDC authentication'
         type: string
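Review bot: the `flags` example `--allow-unauthenticated` is the wrong flag to advertise in input help. It makes the deployed Cloud Run service publicly invocable, so it should be a deliberate per-caller decision rather than the suggested default, and `gcloud beta run jobs deploy` does not accept it at all, so a caller who copies the example into a job deployment gets a failed run. Use a neutral example such as `--memory 512Mi` and state that the string is passed verbatim to whichever deploy command the workflow selects. The `registry` example `gcr.io/my-project` points at Container Registry, which Google has deprecated in favour of Artifact Registry (`<region>-docker.pkg.dev/<project>/<repo>`); the `artifact-repository` naming in this workflow already implies the latter.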

56-56: Update gcloud version constraint to access modern Cloud Run features and security patches.

Use the latest stable gcloud CLI for Cloud Run deployment to ensure compatibility and access to newest flags and bugfixes. The current version '>= 363.0.0' is from 2021 and misses security fixes and feature updates included in 511.0.0 (released Feb 19, 2025).

Apply this diff:

       - name: 'Set up gcloud CLI'
         uses: 'google-github-actions/setup-gcloud@v3'
         with:
-          version: '>= 363.0.0'
+          version: '>= 511.0.0'
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 0c2369b and 4887ad5.

📒 Files selected for processing (1)
  • .github/workflows/deploy-cloudrun.yaml (1 hunks)
🔇 Additional comments (3)
.github/workflows/deploy-cloudrun.yaml (3)

43-48: ✅ Input validation correctly implemented.

The validation step properly ensures at least one deployment target is specified before proceeding. Logic and positioning are sound.


67-67: ✅ Image reference construction is explicit and clear.

The addition of explicit / and : separators in the image reference properly addresses the previous formatting concern.


71-80: ✅ Conditional deployment logic is sound.

The branching between job and service deployment is correctly implemented with proper use of gcloud beta run jobs deploy vs gcloud run deploy. Note: This section will work correctly once the gcloud config set issue on line 70 is fixed.

coderabbitai bot (Contributor) left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/deploy-cloudrun.yaml (1)

6-33: Add descriptions to all workflow inputs for better usability.

Reusable workflows should include input descriptions to help callers understand expected formats and purposes. Currently, all inputs lack description fields, making integration harder and error-prone.

Add clear, concise descriptions with examples to each input:

       inputs:
         job-name:
+          description: 'Cloud Run Job name (mutually exclusive with service-name; at least one required)'
           required: false
           type: string
         service-name:
+          description: 'Cloud Run Service name (mutually exclusive with job-name; at least one required)'
           required: false
           type: string
         registry:
+          description: 'Container registry URL without trailing slash, e.g., gcr.io/my-project'
           required: true
           type: string
         artifact-repository:
+          description: 'Image repository name without leading slash, e.g., my-image'
           required: true
           type: string
         artifact-tag:
+          description: 'Image tag, e.g., latest or v1.0.0'
           required: true
           type: string
         region:
+          description: 'GCP region for Cloud Run deployment, e.g., us-central1'
           required: true
           type: string
         flags:
+          description: 'Optional additional gcloud flags for the deploy command'
           type: string
         container:
+          description: 'Optional Cloud Run container name'
           type: string
         workload-identity-provider:
+          description: 'GCP Workload Identity Provider resource name for GitHub OIDC'
           required: true
           type: string
         workload-identity-service-account-mail:
+          description: 'GCP service account email for Workload Identity authentication'
           required: true
           type: string
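Review bot: `mutually exclusive with service-name; at least one required` promises a contract the workflow does not enforce. The validation step described in this thread only fails when both inputs are empty, and the deploy step's `if [ -n job-name ] … else …` branch silently deploys only the job when both are set. Either add a second check that rejects both being set, which makes this wording accurate, or describe the actual precedence (job wins) in the description. Input documentation should not claim validation the code does not perform.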
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 4887ad5 and 33c8e62.

📒 Files selected for processing (1)
  • .github/workflows/deploy-cloudrun.yaml (1 hunks)
🔇 Additional comments (4)
.github/workflows/deploy-cloudrun.yaml (4)

56-56: ⚠️ Verify: gcloud version constraint remains outdated despite past review.

Line 56 still specifies '>= 363.0.0', a version from November 2021. Past review comments indicated this was addressed (commit 5362830), but the code has not been updated.

Modern Cloud Run features require gcloud SDK 511.0.0 or later. The current constraint is too permissive and may result in deployments with versions lacking critical functionality and security patches.

Recommend updating to '>= 511.0.0' or the current stable version (545.0.0+).


43-48: Input validation logic looks solid.

The validation step correctly ensures at least one deployment target (job-name or service-name) is provided, with a clear error message and proper bash syntax.


72-81: Verify flag expansion safety and command syntax.

The deployment branches expand ${CONTAINER_FLAG} and ${EXTRA_FLAGS} without quoting. If these variables contain spaces or special characters, word-splitting may cause unexpected parsing.

Consider quoting these variables, or alternatively, ensure callers provide pre-validated flags:

           if [ -n "${{ inputs.job-name }}" ]; then
             gcloud beta run jobs deploy "${{ inputs.job-name }}" \
-              ${CONTAINER_FLAG} \
+              ${CONTAINER_FLAG:+"$CONTAINER_FLAG"} \
               --image "$IMAGE" \
-              ${EXTRA_FLAGS}
+              ${EXTRA_FLAGS:+"$EXTRA_FLAGS"}
           else
             gcloud run deploy "${{ inputs.service-name }}" \
-              ${CONTAINER_FLAG} \
+              ${CONTAINER_FLAG:+"$CONTAINER_FLAG"} \
               --image "$IMAGE" \
-              ${EXTRA_FLAGS}
+              ${EXTRA_FLAGS:+"$EXTRA_FLAGS"}
           fi
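Review bot: `${CONTAINER_FLAG:+"$CONTAINER_FLAG"}` and `${EXTRA_FLAGS:+"$EXTRA_FLAGS"}` break the command rather than harden it. Each expands to a single argv element, so gcloud receives the one word `--container worker` (not a recognised flag) and, for EXTRA_FLAGS, the entire `--memory 512Mi --max-retries 2` string as one argument. Unquoted expansion is the only way a flags-in-a-string design can work at all. Word splitting of an already-assigned variable is also not where the risk is: the values only ever land in gcloud's argv. The real problem is the `EXTRA_FLAGS="${{ inputs.flags }}"` assignment shown later in this thread, where the input is substituted into the script text before bash parses it, so a `"` in the input ends the string and anything after `;` runs as shell. Pass the inputs through `env:` and, if robustness against spaces is wanted, build a bash array (`args+=(--container "$CONTAINER")`, `read -r -a extra <<< "$EXTRA_FLAGS"`, then `gcloud … "${args[@]}"`) instead of quoting the joined string.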

Alternatively, document that flags and container inputs must be pre-validated and properly formatted by callers.


37-39: Permissions are appropriately scoped.

The job permissions correctly grant only what's needed: read for checkout and write for Workload Identity authentication. No unnecessary permissions are exposed.

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/deploy-cloudrun.yaml (1)

63-67: Update the gcloud CLI version constraint to a more recent minimum.

The version '>= 363.0.0' was released in November 2021 (~4 years old). Modern Cloud Run features require gcloud SDK 511.0.0 or later. The current permissive constraint allows deployments with versions that lack critical Cloud Run functionality and security patches.

Consider updating to '>= 511.0.0' or the recommended current release (currently ~546.0.0) to ensure access to current Cloud Run features and security patches.

-          version: '>= 363.0.0'
+          version: '>= 511.0.0'

Note: Past review comments indicated this was addressed, but the code still shows the outdated version. Please verify this is intentional or ensure the fix is applied.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 33c8e62 and 64bdf69.

📒 Files selected for processing (2)
  • .github/workflows/deploy-cloudrun.yaml (1 hunks)
  • README.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
README.md

[uncategorized] ~183-~183: The official name of this software platform is spelled with a capital “H”.
Context: ...ices or jobs. See deploy-cloudrun.yaml for det...

(GITHUB)

🔇 Additional comments (5)
.github/workflows/deploy-cloudrun.yaml (5)

6-43: Input definitions are well-documented.

All inputs now have clear descriptions with examples and context, making the workflow self-documenting. This is a significant improvement for discoverability and integration.


44-50: Job configuration is appropriate.

Permissions are minimal and correct: contents:read for checkout and id-token:write for Workload Identity authentication.


51-58: Input validation is correctly implemented.

The validation ensures at least one deployment target (job or service) is specified with a clear error message and appropriate exit code.


68-75: Deployment flags preparation is correctly implemented.

The conditional logic properly handles both multi-container and single-container deployments, storing the appropriate flag in the step output for use in deployment commands.


76-94: Deployment logic is correctly implemented.

The workflow properly:

  • Constructs the image reference with explicit slash separator
  • Sets the region via gcloud config with quoted variable
  • Deploys conditionally to either Cloud Run Job or Service
  • Integrates container and extra flags appropriately
  • Includes a comment explaining why the standard deploy-cloudrun action is not used

smelchior requested a review from marek-saji on November 14, 2025 05:58

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 64bdf69 and 80e6d85.

📒 Files selected for processing (2)
  • .github/workflows/deploy-cloudrun.yaml (1 hunks)
  • README.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
README.md

[uncategorized] ~180-~180: The official name of this software platform is spelled with a capital “H”.
Context: ...ices or jobs. See deploy-cloudrun.yaml for det...

(GITHUB)

🔇 Additional comments (2)
.github/workflows/deploy-cloudrun.yaml (1)

1-92: Overall: solid reusable workflow with all major issues resolved.

The workflow is well-structured and addresses all previous critical issues:

  • ✅ Input descriptions added (lines 7, 11, 15, 19, 23, 27, 31, 34, 37, 41)
  • ✅ Validation step with ::error:: format (lines 53–58)
  • ✅ Correct gcloud command for region (gcloud config set run/region, line 81)
  • ✅ Explicit / separator in image reference (line 79)
  • ✅ Workload Identity authentication configured (lines 59–62)
  • ✅ Conditional deployment logic for Job vs Service (lines 82–91)

The comment explaining why the official google-github-actions/deploy-cloudrun action is avoided (lines 68–69) is helpful context.

README.md (1)

176-181: Documentation section is well-integrated.

The new "Cloud Run Deployment" section fits naturally into the workflow templates documentation, provides a clear description, and links directly to the implementation. The reference to the reusable workflow at ./.github/workflows/deploy-cloudrun.yaml is correct and helpful.

Comment on lines +71 to +91
env:
CONTAINER: ${{ inputs.container }}
run: |
if [ -n "$CONTAINER" ]; then
CONTAINER_FLAG="--container $CONTAINER"
else
CONTAINER_FLAG=""
fi
IMAGE="${{ inputs.registry }}/${{ inputs.artifact-repository }}:${{ inputs.artifact-tag }}"
EXTRA_FLAGS="${{ inputs.flags }}"
gcloud config set run/region "${{ inputs.region }}"
if [ -n "${{ inputs.job-name }}" ]; then
gcloud beta run jobs deploy "${{ inputs.job-name }}" \
${CONTAINER_FLAG} \
--image "$IMAGE" \
${EXTRA_FLAGS}
else
gcloud run deploy "${{ inputs.service-name }}" \
${CONTAINER_FLAG} \
--image "$IMAGE" \
${EXTRA_FLAGS}
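Review bot: only `container` is passed through `env:`; `registry`, `artifact-repository`, `artifact-tag`, `flags`, `region`, `job-name` and `service-name` are still spliced into the script body with `${{ inputs.* }}` (the `IMAGE=`, `EXTRA_FLAGS=`, `gcloud config set run/region` and `if [ -n "…" ]` lines). That substitution happens before bash parses the script, so an input containing `"` followed by `;` or a newline leaves the string literal and runs as a command in a job holding the deploy service account's credentials; a caller that fills `artifact-tag` or `flags` from a branch name or PR title makes this reachable. Map every input into `env:` as `CONTAINER` already is and reference `"$REGISTRY"`, `"$ARTIFACT_TAG"`, `"$JOB_NAME"` and so on; that also settles the quoting discussion for the literal values, since a quoted `"$VAR"` cannot split or re-parse. Two smaller points: the excerpt ends without the closing `fi` (confirm the file has it; the comment range may simply stop short), and `gcloud config set run/region` mutates runner-wide gcloud state where `--region "$REGION"` on each deploy command is explicit and leaves nothing behind for later steps.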
coderabbitai bot (Contributor):

🧹 Nitpick | 🔵 Trivial

Improve shell robustness: quote variable assignments to prevent word-splitting issues.

The deployment step constructs flag strings that could be vulnerable to word-splitting if inputs contain spaces or special characters. While container names and flags typically don't have such characters in practice, shell best practices suggest explicit quoting.

Current approach:

CONTAINER_FLAG="--container $CONTAINER"
# Later used as: ${CONTAINER_FLAG}

If inputs.container contains unexpected characters, the construction could fail.

Consider refactoring to apply the env var directly and quote the variable value:

  env:
    CONTAINER: ${{ inputs.container }}
  run: |
    if [ -n "$CONTAINER" ]; then
-     CONTAINER_FLAG="--container $CONTAINER"
+     CONTAINER_FLAG="--container \"$CONTAINER\""
    else
      CONTAINER_FLAG=""
    fi
    IMAGE="${{ inputs.registry }}/${{ inputs.artifact-repository }}:${{ inputs.artifact-tag }}"
-   EXTRA_FLAGS="${{ inputs.flags }}"
+   EXTRA_FLAGS="${{ inputs.flags }}"
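Review bot: `CONTAINER_FLAG="--container \"$CONTAINER\""` embeds literal double-quote characters in the value; when `${CONTAINER_FLAG}` is later expanded unquoted, bash performs word splitting on the result but never quote removal, so gcloud receives the container name as `"worker"`, quotes included, and the deploy fails or targets a non-existent container. The `EXTRA_FLAGS` change is a no-op (the `-` and `+` lines are identical). The risk this comment gestures at lives in the `${{ inputs.flags }}` interpolation on that same line, not in how the variable is expanded afterwards; pass the value through `env:` and build the argument list as a bash array rather than escaping quotes into strings.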

Alternatively, conditionally inject the flag directly into the gcloud command to avoid intermediate variable construction.

This aligns with the previous review suggestion to guard against weird characters in inputs.

🤖 Prompt for AI Agents
.github/workflows/deploy-cloudrun.yaml lines 71-91: the script builds flag
strings with unquoted variable expansions (e.g., CONTAINER_FLAG="--container
$CONTAINER" and later ${CONTAINER_FLAG}), which can cause word-splitting if
inputs contain spaces/special chars; change to either (a) avoid intermediate
flag concatenation and inject the flag directly into the gcloud call using a
conditional that passes "--container" "$CONTAINER" when CONTAINER is non-empty,
or (b) quote expansions when building and expanding the variables (e.g.,
CONTAINER_FLAG="--container \"$CONTAINER\"" and use "${CONTAINER_FLAG}" ), and
also quote IMAGE and EXTRA_FLAGS usages in the gcloud commands to ensure robust
handling of spaces/special characters.

marek-saji (Contributor) left a comment

One suggestion, but overall good to go.

smelchior merged commit d65e487 into v1 on Nov 19, 2025 (2 checks passed) and deleted the feat/cloudrun branch on November 19, 2025 13:02.