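# Forgejo/Gitea Actions workflow: lint + test the repo, then build the web app
# and deploy the Cloudflare worker. Source is fetched through the authenticated
# API archive endpoint instead of a git checkout, so the runner needs only
# curl and tar (plus nix for every toolchain command).
name: deploy-cloudflare

on:
  push:
    branches: [main]
  workflow_dispatch: {}

# One deploy per ref at a time; a newer push cancels a still-running deploy.
# Uses the github.* context consistently with the rest of this file.
concurrency:
  group: cloudflare-deploy-${{ github.ref }}
  cancel-in-progress: true

jobs:
  checks:
    # Both jobs are skipped when the workflow runs on codeberg.org.
    if: ${{ github.server_url != 'https://codeberg.org' }}
    runs-on: namespace-profile-linux-medium
    steps:
      - name: Fetch Source (no git required)
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "${GITHUB_TOKEN:-}" ]]; then
            echo "error: missing github.token"
            exit 2
          fi
          if ! command -v curl >/dev/null 2>&1; then
            echo "error: curl is required"
            exit 2
          fi
          if ! command -v tar >/dev/null 2>&1; then
            echo "error: tar is required"
            exit 2
          fi
          if [[ -z "${GITHUB_SHA:-}" ]]; then
            echo "error: missing GITHUB_SHA"
            exit 2
          fi
          if [[ -z "${GITHUB_SERVER_URL:-}" ]]; then
            echo "error: missing GITHUB_SERVER_URL"
            exit 2
          fi
          if [[ -z "${GITHUB_REPOSITORY:-}" ]]; then
            echo "error: missing GITHUB_REPOSITORY"
            exit 2
          fi
          rm -rf .repo
          mkdir -p .repo
          # Use the authenticated API archive endpoint (works for private repos).
          # The tarball is the repo at GITHUB_SHA, so its content is as trusted
          # as a normal checkout of that commit.
          curl -fsSL -H "Authorization: token ${GITHUB_TOKEN}" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/archive/${GITHUB_SHA}.tar.gz?rev=${GITHUB_SHA}" \
            -o .repo/src.tgz
          tar -xzf .repo/src.tgz -C .repo --strip-components=1
          rm -f .repo/src.tgz

      - name: Check Nix toolchain
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          # Fail early if the flake dev shell does not provide the build tools.
          nix develop --accept-flake-config -c cargo --version
          nix develop --accept-flake-config -c rustc --version
          nix develop --accept-flake-config -c trunk --version

      - name: ECP lint
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          export EVERY_CHANNEL_ECP_LINT_MIN_ID=120
          nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh

      - name: Rust tests (core subset)
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv

      - name: Build site (web)
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          # NO_COLOR is unset so trunk's output is not affected by the runner env.
          nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'

  deploy:
    if: ${{ github.server_url != 'https://codeberg.org' }}
    needs: checks
    runs-on: namespace-profile-linux-medium
    steps:
      - name: Fetch Source (no git required)
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "${GITHUB_TOKEN:-}" ]]; then
            echo "error: missing github.token"
            exit 2
          fi
          if ! command -v curl >/dev/null 2>&1; then
            echo "error: curl is required"
            exit 2
          fi
          if ! command -v tar >/dev/null 2>&1; then
            echo "error: tar is required"
            exit 2
          fi
          if [[ -z "${GITHUB_SHA:-}" ]]; then
            echo "error: missing GITHUB_SHA"
            exit 2
          fi
          if [[ -z "${GITHUB_SERVER_URL:-}" ]]; then
            echo "error: missing GITHUB_SERVER_URL"
            exit 2
          fi
          if [[ -z "${GITHUB_REPOSITORY:-}" ]]; then
            echo "error: missing GITHUB_REPOSITORY"
            exit 2
          fi
          rm -rf .repo
          mkdir -p .repo
          # Use the authenticated API archive endpoint (works for private repos).
          curl -fsSL -H "Authorization: token ${GITHUB_TOKEN}" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/archive/${GITHUB_SHA}.tar.gz?rev=${GITHUB_SHA}" \
            -o .repo/src.tgz
          tar -xzf .repo/src.tgz -C .repo --strip-components=1
          rm -f .repo/src.tgz

      - name: Check Nix deploy toolchain
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c age --version
          nix develop --accept-flake-config -c node --version
          nix develop --accept-flake-config -c npm --version
          nix develop --accept-flake-config -c wrangler --version

      # Each deploy stage posts a commit status ("breadcrumb") so a stalled or
      # failed run can be located from the commit page; the final step marks
      # success and the trailing failure() step marks failure.
      - name: CI Breadcrumb (bootstrap ok)
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"bootstrap ok"}' >/dev/null

      - name: Configure CI Age identity
        env:
          AGE_FORGE_SSH_KEY: ${{ secrets.AGE_FORGE_SSH_KEY }}
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "${AGE_FORGE_SSH_KEY:-}" ]]; then
            echo "error: missing Actions secret AGE_FORGE_SSH_KEY"
            exit 2
          fi
          key_file="$HOME/.ssh/age_forge_ed25519"
          # Restrictive umask so the key file is never created world/group
          # readable, even for the instant before the chmod below.
          umask 077
          install -d -m 700 "$HOME/.ssh"
          # The secret may be stored either as the raw PEM or base64-encoded.
          if [[ "${AGE_FORGE_SSH_KEY}" == "-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
            printf '%s\n' "${AGE_FORGE_SSH_KEY}" > "$key_file"
          else
            printf '%s' "${AGE_FORGE_SSH_KEY}" | base64 -d > "$key_file"
          fi
          chmod 600 "$key_file"
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"age key ok"}' >/dev/null

      - name: Decrypt CI secrets from repo
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          key_file="$HOME/.ssh/age_forge_ed25519"
          secret_file="secrets/cloudflare-api-token.age"
          if [[ ! -f "$secret_file" ]]; then
            echo "error: missing ${secret_file}"
            exit 2
          fi
          CLOUDFLARE_API_TOKEN="$(nix develop --accept-flake-config -c age -d -i "$key_file" "$secret_file")"
          if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
            echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
            exit 2
          fi
          # GITHUB_ENV is line-oriented: a value containing a newline would be
          # parsed as additional KEY=VALUE lines, so refuse it outright.
          if [[ "${CLOUDFLARE_API_TOKEN}" == *$'\n'* ]]; then
            echo "error: decrypted CLOUDFLARE_API_TOKEN contains a newline"
            exit 2
          fi
          # Mask before the value can appear in any later step's log output.
          echo "::add-mask::${CLOUDFLARE_API_TOKEN}"
          # Exported to every subsequent step of this job (wrangler reads it).
          echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> "$GITHUB_ENV"
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"decrypt ok"}' >/dev/null

      - name: Build site (web)
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"build ok"}' >/dev/null

      - name: Deploy worker
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c bash -c 'cd deploy/cloudflare-worker && npm ci && wrangler deploy'
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"success","description":"deploy ok"}' >/dev/null

      # Without this step a failed run leaves the breadcrumb status "pending"
      # forever; post a terminal "failure" state instead. Does not cd into
      # .repo because the failure may have been in the fetch itself.
      - name: CI Breadcrumb (failure)
        if: ${{ failure() }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"failure","description":"deploy failed"}' >/dev/null

      # Do not leave the decryption key on the runner after the job, whether
      # it succeeded or not.
      - name: Remove CI Age identity
        if: ${{ always() }}
        shell: bash
        run: rm -f "$HOME/.ssh/age_forge_ed25519"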