Set up a Cloud Build private pool to access the database through a static external IP address. Configure the database to only allow connections from this IP address. Execute the schema migration script in the private pool.

Create a service account that has permission to access the database. Configure Cloud Build to use this service account and execute the schema migration script in a private pool.

Add the database username and password to Secret Manager. When running the schema migration script, retrieve the username and password from Secret Manager.

Add the database username and encrypted password to the application configuration file. Use these credentials in Cloud Build to execute the schema migration script.