From 040bfb9a72f4d2e630c3146a5b02f6c9622a9f1e Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 15 May 2026 22:28:20 +0000 Subject: [PATCH] ci(release): deploy to Cloudflare Workers via wrangler on release tags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the branch-promotion approach (promote-release.yml) added in #124. Promoting a `release` branch only works if Workers Builds' Git integration deploys that branch — but production needs to ship via an explicit deploy command instead. This workflow runs on every `v*` tag (the tags release-please cuts when its release PR is merged), builds with the cloudflare_module preset and deploys with `wrangler deploy`. Nitro's cloudflare_module preset with deployConfig:true emits wrangler.json plus the worker entry into .output/, so the cloudflare/wrangler-action runs `deploy` from that directory with no extra flags; the D1 binding and vars come from the generated config. One-time setup (documented in the PR): - Pause/disable the Workers Builds Git integration so it does not also deploy on every push to main. - Add repo secrets CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID. Net flow unchanged from the intent of #124: push to main -> preview only; merge release PR -> tag -> this workflow builds and deploys production. Only the deploy mechanism changes (wrangler deploy instead of a branch Cloudflare watches). --- .github/workflows/deploy-release.yml | 53 +++++++++++++++++++++++++++ .github/workflows/promote-release.yml | 36 ------------------ 2 files changed, 53 insertions(+), 36 deletions(-) create mode 100644 .github/workflows/deploy-release.yml delete mode 100644 .github/workflows/promote-release.yml diff --git a/.github/workflows/deploy-release.yml b/.github/workflows/deploy-release.yml new file mode 100644 index 0000000..6d5a9f9 --- /dev/null +++ b/.github/workflows/deploy-release.yml @@ -0,0 +1,53 @@ +name: Deploy release to Cloudflare Workers + +# Production deploys are gated on release-please tags. Cloudflare Workers +# Builds' Git integration only watches branches, so instead of letting it +# auto-deploy main we build here and ship with `wrangler deploy` whenever +# release-please cuts a `v*` tag (i.e. when its release PR is merged). +# +# Prerequisites (one-time, see PR description): +# - Disable / pause the Workers Builds Git integration so it does not +# also deploy on every push to main. +# - Add repo secrets CLOUDFLARE_API_TOKEN (Workers Scripts:Edit + the +# account's D1 scope) and CLOUDFLARE_ACCOUNT_ID. +on: + push: + tags: + - 'v*' + +concurrency: + group: deploy-release + cancel-in-progress: false + +jobs: + deploy: + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - uses: actions/checkout@v4 + + - uses: pnpm/action-setup@v4 + + - uses: actions/setup-node@v4 + with: + node-version: 22 + cache: pnpm + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Build (cloudflare_module preset) + run: pnpm build + env: + NODE_ENV: production + + # Nitro's cloudflare_module preset with deployConfig:true writes + # wrangler.json plus the worker entry into .output/, so wrangler + # deploy runs from there with no extra flags. + - name: Deploy with Wrangler + uses: cloudflare/wrangler-action@v3 + with: + apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} + accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} + command: deploy + workingDirectory: .output diff --git a/.github/workflows/promote-release.yml b/.github/workflows/promote-release.yml deleted file mode 100644 index d925df7..0000000 --- a/.github/workflows/promote-release.yml +++ /dev/null @@ -1,36 +0,0 @@ -name: Promote release tag to deploy branch - -# Cloudflare Workers Builds' Git integration only watches branches, never -# tags. To get tag-gated production deploys we keep `main` as a -# preview-only branch in the Workers Build branch control and point the -# Workers production branch at `release`. This workflow fast-forwards -# `release` to every `v*` tag release-please publishes, which is what -# actually triggers the Cloudflare Workers production build. -on: - push: - tags: - - 'v*' - -permissions: - contents: write - -concurrency: - group: promote-release-branch - cancel-in-progress: false - -jobs: - promote: - runs-on: ubuntu-latest - timeout-minutes: 5 - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Fast-forward release branch to the tagged commit - run: | - set -euo pipefail - echo "Promoting ${GITHUB_REF_NAME} ($(git rev-parse --short HEAD)) to release" - # release-please tags always sit on main's linear history, so the - # release branch only ever moves forward. No force push. - git push origin "HEAD:refs/heads/release"