every.channel/docs/DEPLOY_CLOUDFLARE.md
Conrad Kramer d0a2cea40e
Some checks failed
deploy-cloudflare / checks (push) Successful in 1m46s
deploy-cloudflare/breadcrumb bootstrap ok
deploy-cloudflare / deploy (push) Failing after 24s
ci-gates / checks (push) Has been cancelled
Add scoped Cloudflare token secret helper
2026-06-10 04:29:33 -07:00

1.2 KiB

Cloudflare Deploy (Forgejo Actions)

This repo deploys https://every.channel via Wrangler. The deploy workflow is intended to run on the primary Forgejo host (not Codeberg/GitHub mirrors).

Prereqs

  • Forgejo Actions enabled on the repo.
  • Preferred: Forgejo Actions secret CLOUDFLARE_API_TOKEN set to a scoped Cloudflare API token.
  • Fallback: Forgejo Actions secret AGE_FORGE_SSH_KEY set to a dedicated CI SSH private key that can decrypt secrets/cloudflare-api-token.age.

Do not put a personal SSH or encryption key in Forgejo Actions. Use a scoped Cloudflare token or a dedicated CI identity.

CI and deploy workflows:

  • PR/main checks: .forgejo/workflows/ci-gates.yml
  • Deploy (main only, depends on checks): .forgejo/workflows/deploy-cloudflare.yml

Mirror behavior:

  • Workflow jobs are guarded to skip execution on https://codeberg.org.

Manual deploy (local)

./scripts/deploy-workers.sh

Set Forgejo token secret

With Forgejo API auth configured for fj, set the direct Cloudflare token secret without storing an SSH decrypt key in Forgejo:

CLOUDFLARE_API_TOKEN=... ./scripts/fj-set-cloudflare-token-secret.sh

The helper also accepts a token file path or token on stdin.