every.channel/.forgejo/workflows/deploy-cloudflare.yml

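# Builds the Dioxus web UI with trunk and deploys the Cloudflare worker with
# wrangler on every push to main, or on manual dispatch.
name: deploy-cloudflare

on:
  push:
    branches: [main]
  workflow_dispatch: {}

# One deploy per ref at a time; a newer run cancels the one still in progress.
concurrency:
  group: cloudflare-deploy-${{ forgejo.ref }}
  cancel-in-progress: true

jobs:
  deploy:
    runs-on: codeberg-medium
    steps:
      # NOTE(review): `@v4` is a mutable tag; pinning the action to a full
      # commit SHA keeps a retagged release from changing what runs here.
      - name: Checkout
        uses: https://code.forgejo.org/actions/checkout@v4
        with:
          token: ${{ github.token }}
          fetch-depth: 0
          lfs: false

      # Installs age and Node.js into $HOME/.local when the runner lacks them.
      - name: Bootstrap runner deps
        shell: bash
        run: |
          set -euo pipefail
          install -d -m 755 "$HOME/.local/bin"
          # Persist the PATH change for later steps and apply it to this one.
          echo "PATH=$HOME/.local/bin:$PATH" >> "$GITHUB_ENV"
          export PATH="$HOME/.local/bin:$PATH"

          if ! command -v curl >/dev/null 2>&1; then
            echo "error: curl is required"
            exit 2
          fi

          if ! command -v age >/dev/null 2>&1; then
            age_version="1.2.1"
            arch="$(uname -m)"
            case "${arch}" in
              x86_64|amd64) age_arch="amd64" ;;
              aarch64|arm64) age_arch="arm64" ;;
              *)
                echo "error: unsupported runner arch for age prebuilt binary: ${arch}"
                exit 2
                ;;
            esac
            # NOTE(review): this binary later decrypts the deploy token, yet it is
            # unpacked straight from the network with no integrity check. Pin the
            # release tarball's SHA-256 in this file and verify it (sha256sum -c)
            # before extracting.
            curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${age_version}/age-v${age_version}-linux-${age_arch}.tar.gz" \
              | tar -xz -C "$HOME/.local/bin" --strip-components=1 age/age age/age-keygen
          fi

          required_node_major=20
          node_major=0
          if command -v node >/dev/null 2>&1; then
            # The expression is single-quoted for the shell, so the JS string
            # quotes must not be backslash-escaped: `split(\".\")` is a JS syntax
            # error, which forced the fallback to 0 and a re-download on every run.
            node_major="$(node -p 'parseInt(process.versions.node.split(".")[0], 10)' || echo 0)"
          fi
          if [[ "${node_major}" -lt "${required_node_major}" ]]; then
            node_version="22.16.0"
            arch="$(uname -m)"
            case "${arch}" in
              x86_64|amd64) node_arch="x64" ;;
              aarch64|arm64) node_arch="arm64" ;;
              *)
                echo "error: unsupported runner arch for node prebuilt binary: ${arch}"
                exit 2
                ;;
            esac
            node_dist="node-v${node_version}-linux-${node_arch}"
            # NOTE(review): unverified download, as with age above; check the
            # tarball against a pinned SHA-256 before extraction.
            curl -fsSL "https://nodejs.org/dist/v${node_version}/${node_dist}.tar.xz" | tar -xJ -C "$HOME/.local"
            ln -sf "$HOME/.local/${node_dist}/bin/node" "$HOME/.local/bin/node"
            ln -sf "$HOME/.local/${node_dist}/bin/npm" "$HOME/.local/bin/npm"
            ln -sf "$HOME/.local/${node_dist}/bin/npx" "$HOME/.local/bin/npx"
            # Best effort: a missing corepack link must not fail the job.
            ln -sf "$HOME/.local/${node_dist}/bin/corepack" "$HOME/.local/bin/corepack" || true
          fi
          node --version
          npm --version

      # Writes the age identity (an SSH private key) from the Actions secret to
      # disk. The secret may be the PEM text itself or a base64 encoding of it.
      # NOTE(review): the key file stays on disk for the rest of the job, so the
      # build and `npm ci` steps can read it; consider removing it once the
      # token has been decrypted.
      - name: Configure CI Age identity
        env:
          AGE_FORGE_SSH_KEY: ${{ secrets.AGE_FORGE_SSH_KEY }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "${AGE_FORGE_SSH_KEY:-}" ]]; then
            echo "error: missing Actions secret AGE_FORGE_SSH_KEY"
            exit 2
          fi
          install -d -m 700 "$HOME/.ssh"
          # Create the key file owner-only from the start instead of relying on
          # the chmod that follows the write.
          umask 077
          if [[ "${AGE_FORGE_SSH_KEY}" == "-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
            printf '%s\n' "${AGE_FORGE_SSH_KEY}" > "$HOME/.ssh/age_forge_ed25519"
          else
            printf '%s' "${AGE_FORGE_SSH_KEY}" | base64 -d > "$HOME/.ssh/age_forge_ed25519"
          fi
          chmod 600 "$HOME/.ssh/age_forge_ed25519"

      # Decrypts the Cloudflare API token committed to the repo as an age file.
      # NOTE(review): exporting the token through GITHUB_ENV places it in the
      # environment of every later step, including the build step and `npm ci`,
      # both of which run third-party code. Decrypting immediately before
      # `wrangler deploy` would keep it out of those steps.
      - name: Decrypt CI secrets from repo
        shell: bash
        run: |
          set -euo pipefail
          key_file="$HOME/.ssh/age_forge_ed25519"
          secret_file="secrets/cloudflare-api-token.age"
          if [[ ! -f "$secret_file" ]]; then
            echo "error: missing ${secret_file}"
            exit 2
          fi
          CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")"
          if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
            echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
            exit 2
          fi
          # Register the mask before the value is written anywhere else.
          echo "::add-mask::${CLOUDFLARE_API_TOKEN}"
          echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> "$GITHUB_ENV"

      # Installs the Rust toolchain and trunk when missing, then builds the UI.
      - name: Build site (Dioxus web)
        shell: bash
        run: |
          set -euo pipefail
          install -d -m 755 "$HOME/.local/bin"
          export PATH="$HOME/.local/bin:$PATH"
          if ! command -v cargo >/dev/null 2>&1; then
            # NOTE(review): this pipes a remote installer straight into sh and
            # does not pin a toolchain version; a runner image with Rust
            # preinstalled, or a pinned and verified rustup-init, would be
            # reproducible.
            curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
            . "$HOME/.cargo/env"
          elif [[ -f "$HOME/.cargo/env" ]]; then
            . "$HOME/.cargo/env"
          fi
          rustup target add wasm32-unknown-unknown
          if ! command -v trunk >/dev/null 2>&1; then
            trunk_version="0.21.14"
            arch="$(uname -m)"
            case "${arch}" in
              x86_64|amd64) trunk_target="x86_64-unknown-linux-gnu" ;;
              aarch64|arm64) trunk_target="aarch64-unknown-linux-gnu" ;;
              *)
                echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
                exit 2
                ;;
            esac
            # NOTE(review): unverified download; check the tarball against a
            # pinned SHA-256 before extraction.
            curl -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
              | tar -xz -C "$HOME/.local/bin" trunk
          fi
          cd apps/tauri/ui
          trunk build --release --public-url /

      - name: Deploy worker
        shell: bash
        run: |
          set -euo pipefail
          # NOTE(review): this relative path is only correct if the step starts
          # in apps/tauri/ui. Run steps normally start in the workspace root
          # rather than where the previous step cd'ed, in which case this
          # resolves outside the checkout. Confirm the working directory
          # (from the root it would be deploy/cloudflare-worker).
          cd ../../../deploy/cloudflare-worker
          npm ci
          npx wrangler deploy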