.github/workflows/deploy-worker.yml #124
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
workflow_dispatch: | |
inputs: | |
dispatchNamespace: | |
description: "Cloudflare Workers for Platforms dispatch namespace" | |
required: true | |
appId: | |
description: "Worker App ID" | |
required: true | |
repo: | |
description: "GitHub repository name" | |
required: true | |
commit: | |
description: "Git commit hash" | |
required: true | |
branch: | |
description: "Git branch" | |
required: true | |
directory: | |
description: "Directory to deploy" | |
required: false | |
default: "." | |
permissions: | |
contents: read | |
jobs: | |
deploy: | |
runs-on: ubuntu-latest | |
outputs: | |
WORKER_SCRIPT: ${{ steps.get-script.outputs.WORKER_SCRIPT }} | |
env: | |
wranglerVersion: "3.68.0" | |
outDir: "codius-dist" | |
steps: | |
- name: ${{github.event.inputs.appId}} | |
run: echo run identifier ${{ github.run_id }} | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
repository: ${{ github.event.inputs.repo }} | |
ref: ${{ github.event.inputs.commit }} | |
- name: Check for pnpm-lock.yaml | |
id: check-pnpm-lock | |
run: | | |
directory=${{ inputs.directory }} | |
file_path="${directory:+${directory}/}pnpm-lock.yaml" | |
if [ -f "$file_path" ]; then | |
echo "PNPM lock file found" | |
echo "::set-output name=setup_pnpm::true" | |
fi | |
- name: Setup Node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: "20" | |
- name: Setup PNPM | |
if: ${{ steps.check-pnpm-lock.outputs.setup_pnpm == 'true' }} | |
uses: pnpm/action-setup@v4 | |
- name: Pull go-toml Docker image | |
run: docker pull ghcr.io/pelletier/go-toml:v2 | |
- name: Sanitize wrangler.toml | |
working-directory: ${{ github.event.inputs.directory }} | |
run: | | |
mv wrangler.toml wrangler.toml.orig | |
docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml.orig | \ | |
jq 'del(.d1_databases)' | \ | |
docker run -i ghcr.io/pelletier/go-toml:v2 jsontoml > wrangler.toml | |
- name: Check for [build] field in wrangler.toml | |
id: check-custom-build | |
working-directory: ${{ github.event.inputs.directory }} | |
run: | | |
CUSTOM_BUILD=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -e '.build' > /dev/null && echo "true" || echo "false") | |
echo "CUSTOM_BUILD=${CUSTOM_BUILD}" >> "$GITHUB_OUTPUT" | |
- name: Bundle/Build Worker | |
uses: cloudflare/wrangler-action@v3 | |
with: | |
wranglerVersion: ${{ env.wranglerVersion }} | |
workingDirectory: ${{ github.event.inputs.directory }} | |
command: deploy --dry-run ${{ env.OUT_DIR }} --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }} | |
env: | |
OUT_DIR: ${{ steps.check-custom-build.outputs.CUSTOM_BUILD == 'false' && format('--outdir={0}', env.outDir) || '' }} | |
- name: Determine worker entry script | |
id: get-script | |
working-directory: ${{ github.event.inputs.directory }} | |
run: | | |
wrangler_main=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -r '.main') | |
echo "wrangler_main: $wrangler_main" | |
if [ "${{ steps.check-custom-build.outputs.CUSTOM_BUILD }}" == "false" ]; then | |
trimmed_wrangler_main=$(echo ${wrangler_main} | sed 's|^\./||') | |
echo "Custom build is false; looking for the bundled script in ${outDir} containing // ${trimmed_wrangler_main}" | |
worker_script=$(grep -rl "// ${trimmed_wrangler_main}" "${{ env.outDir }}" | head -n 1) | |
echo "Found worker_script: $worker_script" | |
else | |
echo "Custom build is true; using the wrangler.toml main entry..." | |
worker_script="${wrangler_main}" | |
fi | |
if [ -z "$worker_script" ]; then | |
echo "Error: WORKER_SCRIPT is empty!" | |
exit 1 | |
fi | |
echo "WORKER_SCRIPT=${worker_script}" >> "$GITHUB_OUTPUT" | |
- uses: actions/upload-artifact@v4 | |
with: | |
name: worker_script | |
path: ${{ github.event.inputs.directory }}/${{ steps.get-script.outputs.WORKER_SCRIPT }} | |
- name: Deploy Worker | |
uses: cloudflare/wrangler-action@v3 | |
with: | |
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} | |
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} | |
wranglerVersion: ${{ env.wranglerVersion }} | |
workingDirectory: ${{ github.event.inputs.directory }} | |
command: deploy --no-bundle --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }} ${{ steps.get-script.outputs.WORKER_SCRIPT }} | |
attest: | |
needs: deploy | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
attestations: write | |
steps: | |
- name: Download worker script | |
uses: actions/download-artifact@v4 | |
with: | |
name: worker_script | |
path: ./ | |
- uses: actions/attest-build-provenance/predicate@d58ddf9f241cd8163408934540d01c3335864d64 # predicate@1.1.2 | |
id: generate-build-provenance-predicate | |
- name: Update Predicate JSON | |
id: update-predicate | |
run: | | |
uri="git+https://github.com/${{ github.event.inputs.repo }}@refs/heads/${{ github.event.inputs.branch }}" | |
resolved_dependencies=$(jq -n --arg uri "$uri" --arg commit "${{ github.event.inputs.commit }}" --arg path "${{ github.event.inputs.directory }}" '[{"uri": $uri, "digest": {"gitCommit": $commit}, "path": $path}]') | |
predicate=$(echo '${{ steps.generate-build-provenance-predicate.outputs.predicate }}' | jq -c '.buildDefinition.externalParameters.resolvedDependencies = $resolved_dependencies' --argjson resolved_dependencies "$resolved_dependencies") | |
echo "predicate=$predicate" >> $GITHUB_OUTPUT | |
- uses: actions/attest@2da0b136720d14f01f4dbeeafd1d5a4d76cbe21d # v1.4.0 | |
id: attest | |
with: | |
subject-path: ${{ github.event.inputs.directory }}/${{ needs.deploy.outputs.WORKER_SCRIPT }} | |
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }} | |
predicate: ${{ steps.update-predicate.outputs.predicate }} |