Skip to content

.github/workflows/deploy-worker.yml #123

.github/workflows/deploy-worker.yml

.github/workflows/deploy-worker.yml #123

Workflow file for this run

on:
workflow_dispatch:
inputs:
dispatchNamespace:
description: "Cloudflare Workers for Platforms dispatch namespace"
required: true
appId:
description: "Worker App ID"
required: true
repo:
description: "GitHub repository name"
required: true
commit:
description: "Git commit hash"
required: true
branch:
description: "Git branch"
required: true
directory:
description: "Directory to deploy"
required: false
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
outputs:
WORKER_SCRIPT: ${{ steps.get-script.outputs.WORKER_SCRIPT }}
env:
wranglerVersion: "3.68.0"
outDir: "codius-dist"
steps:
- name: ${{github.event.inputs.appId}}
run: echo run identifier ${{ github.run_id }}
- name: Checkout
uses: actions/checkout@v4
with:
repository: ${{ github.event.inputs.repo }}
ref: ${{ github.event.inputs.commit }}
- name: Check for pnpm-lock.yaml
id: check-pnpm-lock
run: |
directory=${{ inputs.directory }}
file_path="${directory:+${directory}/}pnpm-lock.yaml"
if [ -f "$file_path" ]; then
echo "PNPM lock file found"
echo "::set-output name=setup_pnpm::true"
fi
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
- name: Setup PNPM
if: ${{ steps.check-pnpm-lock.outputs.setup_pnpm == 'true' }}
uses: pnpm/action-setup@v4
- name: Pull go-toml Docker image
run: docker pull ghcr.io/pelletier/go-toml:v2
- name: Sanitize wrangler.toml
working-directory: ${{ github.event.inputs.directory }}
run: |
mv wrangler.toml wrangler.toml.orig
docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml.orig | \
jq 'del(.d1_databases)' | \
docker run -i ghcr.io/pelletier/go-toml:v2 jsontoml > wrangler.toml
- name: Check for [build] field in wrangler.toml
id: check-custom-build
working-directory: ${{ github.event.inputs.directory }}
run: |
CUSTOM_BUILD=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -e '.build' > /dev/null && echo "true" || echo "false")
echo "CUSTOM_BUILD=${CUSTOM_BUILD}" >> "$GITHUB_OUTPUT"
- name: Bundle/Build Worker
uses: cloudflare/wrangler-action@v3
with:
wranglerVersion: ${{ env.wranglerVersion }}
workingDirectory: ${{ github.event.inputs.directory }}
command: deploy --dry-run ${{ env.OUT_DIR }} --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }}
env:
OUT_DIR: ${{ steps.check-custom-build.outputs.CUSTOM_BUILD == 'false' && format('--outdir={0}', env.outDir) || '' }}
- name: Determine worker entry script
id: get-script
working-directory: ${{ github.event.inputs.directory }}
run: |
wrangler_main=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -r '.main')
echo "wrangler_main: $wrangler_main"
if [ "${{ steps.check-custom-build.outputs.CUSTOM_BUILD }}" == "false" ]; then
trimmed_wrangler_main=$(echo ${wrangler_main} | sed 's|^\./||')
echo "Custom build is false; looking for the bundled script in ${outDir} containing // ${trimmed_wrangler_main}"
worker_script=$(grep -rl "// ${trimmed_wrangler_main}" "${{ env.outDir }}" | head -n 1)
echo "Found worker_script: $worker_script"
else
echo "Custom build is true; using the wrangler.toml main entry..."
worker_script="${wrangler_main}"
fi
if [ -z "$worker_script" ]; then
echo "Error: WORKER_SCRIPT is empty!"
exit 1
fi
echo "WORKER_SCRIPT=${worker_script}" >> "$GITHUB_OUTPUT"
- uses: actions/upload-artifact@v4
with:
name: worker_script
path: ${{ steps.get-script.outputs.WORKER_SCRIPT }}
- name: Deploy Worker
uses: cloudflare/wrangler-action@v3
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
wranglerVersion: ${{ env.wranglerVersion }}
workingDirectory: ${{ github.event.inputs.directory }}
command: deploy --no-bundle --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }} ${{ steps.get-script.outputs.WORKER_SCRIPT }}
attest:
needs: deploy
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
steps:
- name: Download worker script
uses: actions/download-artifact@v4
with:
name: worker_script
path: ./
- uses: actions/attest-build-provenance/predicate@d58ddf9f241cd8163408934540d01c3335864d64 # predicate@1.1.2
id: generate-build-provenance-predicate
- name: Update Predicate JSON
id: update-predicate
run: |
uri="git+https://github.com/${{ github.event.inputs.repo }}@refs/heads/${{ github.event.inputs.branch }}"
resolved_dependencies=$(jq -n --arg uri "$uri" --arg commit "${{ github.event.inputs.commit }}" --arg path "${{ github.event.inputs.directory }}" '[{"uri": $uri, "digest": {"gitCommit": $commit}, "path": $path}]')
predicate=$(echo '${{ steps.generate-build-provenance-predicate.outputs.predicate }}' | jq -c '.buildDefinition.externalParameters.resolvedDependencies = $resolved_dependencies' --argjson resolved_dependencies "$resolved_dependencies")
echo "predicate=$predicate" >> $GITHUB_OUTPUT
- uses: actions/attest@2da0b136720d14f01f4dbeeafd1d5a4d76cbe21d # v1.4.0
id: attest
with:
subject-path: ${{ needs.deploy.outputs.WORKER_SCRIPT }}
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
predicate: ${{ steps.update-predicate.outputs.predicate }}