every.channel/docs/DEPLOY_CLOUDFLARE.md
Conrad Kramer 1b2f1f7258
Guard Forgejo age secret setter
2026-06-10 04:33:44 -07:00


# Cloudflare Deploy (Forgejo Actions)
This repo deploys `https://every.channel` via Wrangler.
The deploy workflow is intended to run on the primary Forgejo host (not Codeberg/GitHub mirrors).
## Prereqs
- Forgejo Actions enabled on the repo.
- Preferred: Forgejo Actions secret `CLOUDFLARE_API_TOKEN` set to a scoped Cloudflare API token.
- Fallback: Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to a dedicated CI SSH private key that can decrypt `secrets/cloudflare-api-token.age`.

Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.
The legacy `AGE_FORGE_SSH_KEY` setter refuses `~/.ssh/id_ed25519` and requires
`EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY=I_UNDERSTAND_THIS_IS_A_DEDICATED_CI_KEY`
so a personal key is not accidentally uploaded.
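
A guard of the kind described above, written here as an added example; it is not the project's setter script. The function name `guard_ci_key` and its return codes are assumptions, and the inode comparison that also catches links to the personal key goes beyond what this page states.

```sh
#!/bin/sh
# Added example, not the project's setter script. guard_ci_key and its
# return codes are hypothetical; the variable name and value are from the doc.
CONFIRM_VALUE="I_UNDERSTAND_THIS_IS_A_DEDICATED_CI_KEY"

guard_ci_key() {
  key=${1:-}
  personal="$HOME/.ssh/id_ed25519"

  # A quoted "~/..." argument reaches us unexpanded; normalise it first.
  case $key in
    '~/'*) key="$HOME/${key#??}" ;;   # drop the leading "~/"
  esac

  # Refuse the personal default key by path.
  if [ "$key" = "$personal" ]; then
    echo "refusing: $key is the personal default key" >&2
    return 3
  fi
  if [ -z "$key" ] || [ ! -f "$key" ]; then
    echo "refusing: key file not found: $key" >&2
    return 2
  fi
  # Assumption beyond the doc: also refuse a symlink, hard link or relative
  # path that resolves to the same file (same device and inode).
  if [ "$key" -ef "$personal" ]; then
    echo "refusing: $key resolves to the personal default key" >&2
    return 3
  fi
  # Require the exact confirmation string, not just any non-empty value.
  if [ "${EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY:-}" != "$CONFIRM_VALUE" ]; then
    echo "refusing: set EVERY_CHANNEL_CONFIRM_DEDICATED_CI_KEY=$CONFIRM_VALUE" >&2
    return 4
  fi
  return 0
}

# When invoked with a path argument, apply the guard to it.
if [ "$#" -gt 0 ]; then
  guard_ci_key "$1"
fi
```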

CI and deploy workflows:
- PR/main checks: `.forgejo/workflows/ci-gates.yml`
- Deploy (main only, depends on checks): `.forgejo/workflows/deploy-cloudflare.yml`

Mirror behavior:
- Workflow jobs are guarded to skip execution on `https://codeberg.org`.
## Manual deploy (local)
```sh
./scripts/deploy-workers.sh
```
## Set Forgejo token secret
With Forgejo API auth configured for `fj`, set the direct Cloudflare token secret without storing an
SSH decrypt key in Forgejo:
```sh
CLOUDFLARE_API_TOKEN=... ./scripts/fj-set-cloudflare-token-secret.sh
```
The helper also accepts a token file path or token on stdin.