every.channel/.forgejo/workflows/deploy-cloudflare.yml
Make ECP lint runner-compatible

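---
name: deploy-cloudflare

on:
  push:
    branches: [main]
  workflow_dispatch: {}

# One pipeline per ref; a newer push cancels a run that is still in flight.
# NOTE(review): cancelling mid-`wrangler deploy` aborts the job, not the
# partially applied deploy — consider `cancel-in-progress: false` if that
# ever bites.
concurrency:
  # `github.ref` is the context the rest of this file already uses
  # (`github.token`, `github.server_url`). This key previously read
  # `forgejo.ref`; if that alias did not resolve on the runner, every run
  # collapsed into the same `cloudflare-deploy-` group.
  group: cloudflare-deploy-${{ github.ref }}
  cancel-in-progress: true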
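jobs:
  # Skipped when the workflow is evaluated on codeberg.org (presumably a
  # mirror of this repository); it only runs on the primary Forgejo host.
  checks:
    if: ${{ github.server_url != 'https://codeberg.org' }}
    runs-on: namespace-profile-linux-medium
    steps:
      # Download the exact commit as a tarball through the authenticated API
      # archive endpoint (works for private repos) so the runner needs no git.
      # Fails fast with exit 2 if the token, curl, tar or any of the
      # GITHUB_* variables the URL is built from is missing.
      - name: Fetch Source (no git required)
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "${GITHUB_TOKEN:-}" ]]; then
            echo "error: missing github.token"
            exit 2
          fi
          if ! command -v curl >/dev/null 2>&1; then
            echo "error: curl is required"
            exit 2
          fi
          if ! command -v tar >/dev/null 2>&1; then
            echo "error: tar is required"
            exit 2
          fi
          if [[ -z "${GITHUB_SHA:-}" ]]; then
            echo "error: missing GITHUB_SHA"
            exit 2
          fi
          if [[ -z "${GITHUB_SERVER_URL:-}" ]]; then
            echo "error: missing GITHUB_SERVER_URL"
            exit 2
          fi
          if [[ -z "${GITHUB_REPOSITORY:-}" ]]; then
            echo "error: missing GITHUB_REPOSITORY"
            exit 2
          fi
          rm -rf .repo
          mkdir -p .repo
          # Use the authenticated API archive endpoint (works for private repos).
          curl -fsSL -H "Authorization: token ${GITHUB_TOKEN}" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/archive/${GITHUB_SHA}.tar.gz?rev=${GITHUB_SHA}" \
            -o .repo/src.tgz
          # The archive wraps the tree in a single top-level directory; drop it.
          tar -xzf .repo/src.tgz -C .repo --strip-components=1
          rm -f .repo/src.tgz

      # Prove the flake devShell provides the build tools before spending
      # time on lint/tests/build. `--accept-flake-config` takes the flake's
      # nixConfig (e.g. substituters) without an interactive prompt.
      - name: Check Nix toolchain
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c cargo --version
          nix develop --accept-flake-config -c rustc --version
          nix develop --accept-flake-config -c trunk --version

      # Runs the repo's ECP lint script inside the devShell.
      # EVERY_CHANNEL_ECP_LINT_MIN_ID is read by scripts/ecp-lint.sh —
      # presumably the lowest ECP id the linter enforces; verify there.
      - name: ECP lint
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          export EVERY_CHANNEL_ECP_LINT_MIN_ID=120
          nix develop --accept-flake-config -c bash ./scripts/ecp-lint.sh

      # Only the listed crates are tested here; the full suite is not run
      # in this workflow.
      - name: Rust tests (core subset)
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c cargo test -p ec-core -p ec-crypto -p ec-moq -p ec-iroh -p ec-linux-iptv

      # `env -u NO_COLOR` strips NO_COLOR from trunk's environment so its
      # output is not affected by the runner's setting.
      - name: Build site (web)
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'

  # Runs only after `checks` passed. Each step posts a "pending" commit
  # status (context deploy-cloudflare/breadcrumb) on success so a failure
  # can be located from the last breadcrumb; the final step flips it to
  # "success". A failed run leaves the breadcrumb at "pending".
  deploy:
    if: ${{ github.server_url != 'https://codeberg.org' }}
    needs: checks
    runs-on: namespace-profile-linux-medium
    steps:
      # Same fetch as in `checks`: jobs do not share a workspace, so the
      # source is downloaded again for this commit.
      - name: Fetch Source (no git required)
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "${GITHUB_TOKEN:-}" ]]; then
            echo "error: missing github.token"
            exit 2
          fi
          if ! command -v curl >/dev/null 2>&1; then
            echo "error: curl is required"
            exit 2
          fi
          if ! command -v tar >/dev/null 2>&1; then
            echo "error: tar is required"
            exit 2
          fi
          if [[ -z "${GITHUB_SHA:-}" ]]; then
            echo "error: missing GITHUB_SHA"
            exit 2
          fi
          if [[ -z "${GITHUB_SERVER_URL:-}" ]]; then
            echo "error: missing GITHUB_SERVER_URL"
            exit 2
          fi
          if [[ -z "${GITHUB_REPOSITORY:-}" ]]; then
            echo "error: missing GITHUB_REPOSITORY"
            exit 2
          fi
          rm -rf .repo
          mkdir -p .repo
          # Use the authenticated API archive endpoint (works for private repos).
          curl -fsSL -H "Authorization: token ${GITHUB_TOKEN}" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/archive/${GITHUB_SHA}.tar.gz?rev=${GITHUB_SHA}" \
            -o .repo/src.tgz
          # The archive wraps the tree in a single top-level directory; drop it.
          tar -xzf .repo/src.tgz -C .repo --strip-components=1
          rm -f .repo/src.tgz

      # The deploy-side tools (age for secret decryption, node/npm/wrangler
      # for the worker) must all come from the flake devShell.
      - name: Check Nix deploy toolchain
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c age --version
          nix develop --accept-flake-config -c node --version
          nix develop --accept-flake-config -c npm --version
          nix develop --accept-flake-config -c wrangler --version

      # First breadcrumb: source fetched and toolchain present.
      - name: CI Breadcrumb (bootstrap ok)
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"bootstrap ok"}' >/dev/null

      # Materialise the SSH private key that age uses as its identity.
      # The Actions secret may hold either the raw OpenSSH PEM text or a
      # base64 encoding of it. The umask makes the key file 0600 from the
      # moment it is created instead of only after the later chmod.
      - name: Configure CI Age identity
        env:
          AGE_FORGE_SSH_KEY: ${{ secrets.AGE_FORGE_SSH_KEY }}
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          if [[ -z "${AGE_FORGE_SSH_KEY:-}" ]]; then
            echo "error: missing Actions secret AGE_FORGE_SSH_KEY"
            exit 2
          fi
          install -d -m 700 "$HOME/.ssh"
          umask 077
          if [[ "${AGE_FORGE_SSH_KEY}" == "-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
            printf '%s\n' "${AGE_FORGE_SSH_KEY}" > "$HOME/.ssh/age_forge_ed25519"
          else
            printf '%s' "${AGE_FORGE_SSH_KEY}" | base64 -d > "$HOME/.ssh/age_forge_ed25519"
          fi
          chmod 600 "$HOME/.ssh/age_forge_ed25519"
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"age key ok"}' >/dev/null

      # Decrypt the Cloudflare API token committed (age-encrypted) in the
      # repo and export it to the remaining steps via $GITHUB_ENV, masked
      # in the logs.
      - name: Decrypt CI secrets from repo
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          key_file="$HOME/.ssh/age_forge_ed25519"
          secret_file="secrets/cloudflare-api-token.age"
          if [[ ! -f "$secret_file" ]]; then
            echo "error: missing ${secret_file}"
            exit 2
          fi
          # $(...) strips trailing newlines, so a plain one-line token file
          # yields a clean value.
          CLOUDFLARE_API_TOKEN="$(nix develop --accept-flake-config -c age -d -i "$key_file" "$secret_file")"
          if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
            echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
            exit 2
          fi
          # $GITHUB_ENV is one KEY=VALUE per line and ::add-mask:: masks a
          # single line, so an embedded newline would be written and logged
          # only partially — refuse such a value rather than leak it.
          if [[ "${CLOUDFLARE_API_TOKEN}" == *$'\n'* ]]; then
            echo "error: decrypted CLOUDFLARE_API_TOKEN must be a single line"
            exit 2
          fi
          echo "::add-mask::${CLOUDFLARE_API_TOKEN}"
          echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> "$GITHUB_ENV"
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"decrypt ok"}' >/dev/null

      # Same build as in `checks`; the artifact is rebuilt here because the
      # jobs do not share a workspace.
      - name: Build site (web)
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c bash -c 'cd apps/web && env -u NO_COLOR trunk build --release --public-url /'
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"pending","description":"build ok"}' >/dev/null

      # wrangler reads CLOUDFLARE_API_TOKEN from the environment populated
      # by the decrypt step. NOTE(review): `npm ci` runs package lifecycle
      # scripts; `--ignore-scripts` is worth trying if the worker's
      # dependencies do not need them.
      - name: Deploy worker
        env:
          GITHUB_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          set -euo pipefail
          cd .repo
          nix develop --accept-flake-config -c bash -c 'cd deploy/cloudflare-worker && npm ci && wrangler deploy'
          curl -fsSL -X POST -H "Authorization: token ${GITHUB_TOKEN}" \
            -H "content-type: application/json" \
            "${GITHUB_SERVER_URL}/api/v1/repos/${GITHUB_REPOSITORY}/statuses/${GITHUB_SHA}" \
            -d '{"context":"deploy-cloudflare/breadcrumb","state":"success","description":"deploy ok"}' >/dev/null

      # Remove the decryption identity from the runner even when an earlier
      # step failed, so it does not outlive the job on a reused machine.
      - name: Remove CI Age identity
        if: ${{ always() }}
        shell: bash
        run: |
          rm -f "$HOME/.ssh/age_forge_ed25519"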