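# Builds the Dioxus web UI with trunk and deploys the Cloudflare worker with
# wrangler. The Cloudflare API token is stored age-encrypted in the repository
# and is decrypted with an SSH identity supplied as an Actions secret.
#
# Step order is deliberate: the age identity and the decrypted token are only
# materialised after the build, so the toolchain installers and build-time code
# (rustup installer, cargo build scripts, trunk) never run with the key on disk
# or the token in their environment. The trade-off is that a missing secret is
# reported after the build instead of before it.
name: deploy-cloudflare

on:
  push:
    branches: [main]
  workflow_dispatch: {}

# One deployment per ref; a newer run cancels the one still in progress.
concurrency:
  group: cloudflare-deploy-${{ forgejo.ref }}
  cancel-in-progress: true

jobs:
  deploy:
    runs-on: codeberg-medium
    steps:
      # NOTE(review): the action is referenced by a mutable tag (@v4). Pinning
      # it to a full commit SHA fixes the exact code that runs in this job.
      # NOTE(review): checkout normally leaves the job token in the local git
      # config. No later step here talks to the forge with git, so setting
      # `persist-credentials: false` looks safe - confirm before adding it.
      - name: Checkout
        uses: https://code.forgejo.org/actions/checkout@v4
        with:
          token: ${{ github.token }}
          fetch-depth: 0
          lfs: false

      # Installs age and Node.js into $HOME/.local when the runner lacks them.
      - name: Bootstrap runner deps
        shell: bash
        run: |
          set -euo pipefail

          # Make $HOME/.local/bin visible to this step and to all later steps.
          install -d -m 755 "$HOME/.local/bin"
          echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
          export PATH="$HOME/.local/bin:$PATH"

          if ! command -v curl >/dev/null 2>&1; then
            echo "error: curl is required"
            exit 2
          fi

          if ! command -v age >/dev/null 2>&1; then
            age_version="1.2.1"
            arch="$(uname -m)"
            case "${arch}" in
              x86_64|amd64) age_arch="amd64" ;;
              aarch64|arm64) age_arch="arm64" ;;
              *)
                echo "error: unsupported runner arch for age prebuilt binary: ${arch}"
                exit 2
                ;;
            esac
            # NOTE(review): the tarball is extracted straight from the network
            # with no integrity check, and this binary later handles the
            # decryption key. Download to a file and compare it against a
            # SHA-256 pinned in this repository before extracting.
            curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${age_version}/age-v${age_version}-linux-${age_arch}.tar.gz" \
              | tar -xz -C "$HOME/.local/bin" --strip-components=1 age/age age/age-keygen
          fi

          required_node_major=20
          node_major=0
          if command -v node >/dev/null 2>&1; then
            # The "." must not be backslash-escaped: inside bash single quotes
            # a backslash reaches node literally, and \".\" is a JavaScript
            # syntax error. That made the probe always fall back to 0, so Node
            # was re-downloaded on every run even when a suitable one existed.
            node_major="$(node -p 'parseInt(process.versions.node.split(".")[0], 10)' || echo 0)"
          fi
          if [[ "${node_major}" -lt "${required_node_major}" ]]; then
            node_version="22.16.0"
            arch="$(uname -m)"
            case "${arch}" in
              x86_64|amd64) node_arch="x64" ;;
              aarch64|arm64) node_arch="arm64" ;;
              *)
                echo "error: unsupported runner arch for node prebuilt binary: ${arch}"
                exit 2
                ;;
            esac
            node_dist="node-v${node_version}-linux-${node_arch}"
            # NOTE(review): same as age above - no checksum is verified before
            # the archive is unpacked and its binaries are put on PATH.
            curl -fsSL "https://nodejs.org/dist/v${node_version}/${node_dist}.tar.xz" | tar -xJ -C "$HOME/.local"
            ln -sf "$HOME/.local/${node_dist}/bin/node" "$HOME/.local/bin/node"
            ln -sf "$HOME/.local/${node_dist}/bin/npm" "$HOME/.local/bin/npm"
            ln -sf "$HOME/.local/${node_dist}/bin/npx" "$HOME/.local/bin/npx"
            # corepack is optional; a failed link must not fail the step.
            ln -sf "$HOME/.local/${node_dist}/bin/corepack" "$HOME/.local/bin/corepack" || true
          fi

          node --version
          npm --version

      # Runs before any secret is written to disk or exported (see header).
      - name: Build site (Dioxus web)
        shell: bash
        run: |
          set -euo pipefail

          install -d -m 755 "$HOME/.local/bin"
          export PATH="$HOME/.local/bin:$PATH"

          if ! command -v cargo >/dev/null 2>&1; then
            # NOTE(review): this pipes a remote script into sh. The transfer is
            # restricted to HTTPS with TLS 1.2 or newer; the script itself is
            # still unpinned and unverified.
            curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
            . "$HOME/.cargo/env"
          elif [[ -f "$HOME/.cargo/env" ]]; then
            . "$HOME/.cargo/env"
          fi

          rustup target add wasm32-unknown-unknown

          if ! command -v trunk >/dev/null 2>&1; then
            trunk_version="0.21.14"
            arch="$(uname -m)"
            case "${arch}" in
              x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
              aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
              *)
                echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
                exit 2
                ;;
            esac
            # NOTE(review): unverified download; pin and check a SHA-256 here
            # as well.
            curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
              | tar -xz -C "$HOME/.local/bin" trunk
          fi

          cd apps/tauri/ui
          trunk build --release --public-url /

      # Writes the age identity from the Actions secret. The secret may hold
      # either the raw OpenSSH private key or a base64 encoding of it.
      - name: Configure CI Age identity
        env:
          AGE_FORGE_SSH_KEY: ${{ secrets.AGE_FORGE_SSH_KEY }}
        shell: bash
        run: |
          set -euo pipefail
          # Create the key file owner-only from the start instead of relying
          # on the chmod that follows the write.
          umask 077

          if [[ -z "${AGE_FORGE_SSH_KEY:-}" ]]; then
            echo "error: missing Actions secret AGE_FORGE_SSH_KEY"
            exit 2
          fi

          install -d -m 700 "$HOME/.ssh"
          if [[ "${AGE_FORGE_SSH_KEY}" == "-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
            printf '%s\n' "${AGE_FORGE_SSH_KEY}" > "$HOME/.ssh/age_forge_ed25519"
          else
            printf '%s' "${AGE_FORGE_SSH_KEY}" | base64 -d > "$HOME/.ssh/age_forge_ed25519"
          fi
          chmod 600 "$HOME/.ssh/age_forge_ed25519"

      # Decrypts the Cloudflare API token and exports it to later steps.
      - name: Decrypt CI secrets from repo
        shell: bash
        run: |
          set -euo pipefail

          key_file="$HOME/.ssh/age_forge_ed25519"
          secret_file="secrets/cloudflare-api-token.age"

          if [[ ! -f "$secret_file" ]]; then
            echo "error: missing ${secret_file}"
            exit 2
          fi

          CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")"
          if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
            echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
            exit 2
          fi

          # Register the mask before the value is written anywhere else.
          echo "::add-mask::${CLOUDFLARE_API_TOKEN}"
          # GITHUB_ENV exposes the token to every later step; only the deploy
          # and clean-up steps follow.
          echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> "$GITHUB_ENV"

      - name: Deploy worker
        shell: bash
        run: |
          set -euo pipefail
          # NOTE(review): run steps normally start in the workspace root, not
          # where the build step's `cd apps/tauri/ui` ended, so this relative
          # path would resolve above the checkout. Confirm on the runner;
          # `deploy/cloudflare-worker` is probably what is meant.
          cd ../../../deploy/cloudflare-worker
          # NOTE(review): dependency install scripts run by `npm ci` inherit
          # CLOUDFLARE_API_TOKEN from the job environment.
          npm ci
          npx wrangler deploy

      # Always remove the private key so it does not outlive the job on a
      # runner whose home directory is reused.
      - name: Remove CI Age identity
        if: always()
        shell: bash
        run: |
          set -euo pipefail
          rm -f "$HOME/.ssh/age_forge_ed25519"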