# Cloudflare Deploy (Forgejo Actions) This repo deploys `https://every.channel` via Wrangler. The deploy workflow is intended to run on the primary Forgejo host (not Codeberg/GitHub mirrors). ## Prereqs - Forgejo Actions enabled on the repo. - Preferred: Forgejo Actions secret `CLOUDFLARE_API_TOKEN` set to a scoped Cloudflare API token. - Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`. Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity. The legacy `AGE_FORGE_SSH_KEY` setter refuses `~/.ssh/id_ed25519` and requires `EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY=I_UNDERSTAND_THIS_IS_A_DEDICATED_CI_KEY` so a personal key is not accidentally uploaded. CI and deploy workflows: - PR/main checks: `.forgejo/workflows/ci-gates.yml` - Deploy (main only, depends on checks): `.forgejo/workflows/deploy-cloudflare.yml` Mirror behavior: - Workflow jobs are guarded to skip execution on `https://codeberg.org`. ## Manual deploy (local) ```sh ./scripts/deploy-workers.sh ``` ## Set Forgejo token secret With Forgejo API auth configured for `fj`, set the direct Cloudflare token secret without storing an SSH decrypt key in Forgejo: ```sh CLOUDFLARE_API_TOKEN=... ./scripts/fj-set-cloudflare-token-secret.sh ``` The helper also accepts a token file path or token on stdin.