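name: Deploy (Cloudflare Workers)
# Deploys the IdP to https://id.thecodeorigin.com (Worker `thecodeorigin-auth`).
# The ONLY GitHub secret used is DOPPLER_TOKEN (a read-only Doppler service token
# scoped to project=auth, config=prd). Everything else — including the Cloudflare
# credentials and all NUXT_* runtime vars — is pulled from Doppler at run time.
#
# Supply-chain note: every `uses:` below is pinned to a major tag only, so a moved
# tag would run different code in this production deploy. Pinning each action to
# its full-length commit SHA (tag kept in a trailing comment) closes that gap; the
# SHAs are intentionally not guessed here — resolve them from the upstream repos.

on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to the
# repository, so `contents: read` is all actions/checkout needs. Without this
# block the token gets the repository's default (often read/write) scopes.
permissions:
  contents: read

# Never run two production deploys at once.
concurrency:
  group: deploy-production
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 25
    # Job-scoped, so the Doppler token is visible to every step, including
    # `pnpm install`. If dependency lifecycle scripts are ever enabled for that
    # install, consider moving these three vars to step-level `env:` on the
    # Doppler steps only.
    env:
      DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
      DOPPLER_PROJECT: auth
      DOPPLER_CONFIG: prd
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 10.7.0
      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - name: Install Doppler CLI
        uses: dopplerhq/cli-action@v3
      - name: Resolve Cloudflare credentials from Doppler
        # `shell: bash` runs the script with `-eo pipefail`; the runner's default
        # shell only sets `-e`, which does not catch a failed left side of a pipe.
        shell: bash
        run: |
          CF_TOKEN="$(doppler secrets get CLOUDFLARE_TOKEN --plain)"
          CF_ACCOUNT="$(doppler secrets get CLOUDFLARE_ACCOUNT_ID --plain)"
          # Fail fast on an empty value: it would otherwise only surface later as
          # an opaque wrangler auth error, and masking "" is not useful.
          [ -n "$CF_TOKEN" ] || { echo "::error::CLOUDFLARE_TOKEN is empty in Doppler"; exit 1; }
          [ -n "$CF_ACCOUNT" ] || { echo "::error::CLOUDFLARE_ACCOUNT_ID is empty in Doppler"; exit 1; }
          # Mask BEFORE the values are written to GITHUB_ENV so that any later
          # echo of the environment is redacted in the step log.
          echo "::add-mask::$CF_TOKEN"
          echo "::add-mask::$CF_ACCOUNT"
          # wrangler reads CLOUDFLARE_API_TOKEN, not CLOUDFLARE_TOKEN.
          echo "CLOUDFLARE_API_TOKEN=$CF_TOKEN" >> "$GITHUB_ENV"
          echo "CLOUDFLARE_ACCOUNT_ID=$CF_ACCOUNT" >> "$GITHUB_ENV"
      - name: Build (Nuxt → cloudflare-module)
        # doppler run injects every prd var, so build-time runtimeConfig (e.g.
        # NUXT_PUBLIC_SITE_URL → the OIDC issuer) bakes with the production values.
        run: doppler run -- pnpm build
      - name: Apply D1 migrations (remote)
        # wrangler can't match the DB by name in the generated config — use the binding.
        run: pnpm exec wrangler d1 migrations apply DB --remote --config .output/server/wrangler.json
      - name: Deploy Worker
        run: pnpm exec wrangler deploy --config .output/server/wrangler.json
      - name: Upsert Worker env vars (all Doppler vars except CF creds + Doppler metadata)
        # `pipefail` matters here: if `doppler secrets download` fails, jq would
        # otherwise emit nothing, the step would "succeed", and wrangler would
        # upload an empty/invalid bundle.
        shell: bash
        run: |
          # Keep the plaintext secret bundle out of the checked-out workspace,
          # owner-readable only, and delete it on every exit path — a plain
          # trailing `rm -f` is skipped when wrangler fails under `-e`.
          umask 077
          SECRETS_FILE="$RUNNER_TEMP/worker-secrets.json"
          trap 'rm -f "$SECRETS_FILE"' EXIT
          doppler secrets download --no-file --format json \
            | jq 'del(.CLOUDFLARE_ACCOUNT_ID, .CLOUDFLARE_TOKEN, .DOPPLER_CONFIG, .DOPPLER_ENVIRONMENT, .DOPPLER_PROJECT)' \
            > "$SECRETS_FILE"
          pnpm exec wrangler secret bulk "$SECRETS_FILE" --config .output/server/wrangler.json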