.github/workflows/deploy-worker.yml #135

Workflow file for this run

.github/workflows/deploy-worker.yml at 45b8ab0

	on:
	workflow_dispatch:
	inputs:
	dispatchNamespace:
	description: "Cloudflare Workers for Platforms dispatch namespace"
	required: true
	appId:
	description: "Worker App ID"
	required: true
	repo:
	description: "GitHub repository name"
	required: true
	commit:
	description: "Git commit hash"
	required: true
	branch:
	description: "Git branch"
	required: true
	directory:
	description: "Directory to deploy"
	required: false
	default: "."

	permissions:
	contents: read

	jobs:
	notify:
	runs-on: ubuntu-latest
	steps:
	- name: ${{github.event.inputs.appId}}
	run: echo run identifier ${{ github.run_id }}

	deploy:
	runs-on: ubuntu-latest
	outputs:
	worker-script: ${{ steps.get-script.outputs.worker-script-filename }}

	env:
	wranglerVersion: "3.68.0"
	outDir: "codius-dist"

	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	repository: ${{ github.event.inputs.repo }}
	ref: ${{ github.event.inputs.commit }}

	- name: Check for pnpm-lock.yaml
	id: check-pnpm-lock
	run: \|
	directory=${{ inputs.directory }}
	file_path="${directory:+${directory}/}pnpm-lock.yaml"
	if [ -f "$file_path" ]; then
	echo "PNPM lock file found"
	echo "setup_pnpm=true" >> "$GITHUB_OUTPUT"
	fi

	- name: Setup Node.js
	uses: actions/setup-node@v4
	with:
	node-version: "20"

	- name: Setup PNPM
	if: ${{ steps.check-pnpm-lock.outputs.setup_pnpm == 'true' }}
	uses: pnpm/action-setup@v4

	- name: Pull go-toml Docker image
	run: docker pull ghcr.io/pelletier/go-toml:v2

	- name: Sanitize wrangler.toml
	working-directory: ${{ github.event.inputs.directory }}
	run: \|
	mv wrangler.toml wrangler.toml.orig
	docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml.orig \| \
	jq 'del(.d1_databases)' \| \
	docker run -i ghcr.io/pelletier/go-toml:v2 jsontoml > wrangler.toml

	- name: Check for [build] field in wrangler.toml
	id: check-custom-build
	working-directory: ${{ github.event.inputs.directory }}
	run: \|
	custom_build=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml \| jq -e '.build' > /dev/null && echo "true" \|\| echo "false")
	echo "custom-build=${custom_build}" >> "$GITHUB_OUTPUT"

	- name: Bundle/Build Worker
	uses: cloudflare/wrangler-action@v3
	with:
	wranglerVersion: ${{ env.wranglerVersion }}
	workingDirectory: ${{ github.event.inputs.directory }}
	command: deploy --dry-run ${{ env.OUT_DIR }} --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }}
	env:
	OUT_DIR: ${{ steps.check-custom-build.outputs.custom-build == 'false' && format('--outdir={0}', env.outDir) \|\| '' }}

	- name: Determine worker entry script
	id: get-script
	working-directory: ${{ github.event.inputs.directory }}
	run: \|
	wrangler_main=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml \| jq -r '.main')
	echo "wrangler_main: $wrangler_main"

	if [ "${{ steps.check-custom-build.outputs.custom-build }}" == "false" ]; then
	trimmed_wrangler_main=$(echo ${wrangler_main} \| sed 's\|^\./\|\|')
	echo "Custom build is false; looking for the bundled script in ${outDir} containing // ${trimmed_wrangler_main}"
	worker_script=$(grep -rl "// ${trimmed_wrangler_main}" "${{ env.outDir }}" \| head -n 1)
	echo "Found worker_script: $worker_script"
	else
	echo "Custom build is true; using the wrangler.toml main entry..."
	worker_script="${wrangler_main}"
	fi

	if [ -z "$worker_script" ]; then
	echo "Error: Unable to find worker script!"
	exit 1
	fi

	echo "worker-script=${worker_script}" >> "$GITHUB_OUTPUT"
	echo "worker-script-filename=$(basename $worker_script)" >> "$GITHUB_OUTPUT"

	- uses: actions/upload-artifact@v4
	with:
	name: ${{ github.event.inputs.appId }}
	path: ${{ github.event.inputs.directory }}/${{ steps.get-script.outputs.worker-script }}

	- name: Deploy Worker
	uses: cloudflare/wrangler-action@v3
	with:
	apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
	accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
	wranglerVersion: ${{ env.wranglerVersion }}
	workingDirectory: ${{ github.event.inputs.directory }}
	command: deploy --no-bundle --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }} ${{ steps.get-script.outputs.worker-script }}

	attest:
	needs: deploy
	runs-on: ubuntu-latest

	permissions:
	id-token: write
	attestations: write

	steps:
	- name: Download worker script
	uses: actions/download-artifact@v4
	with:
	name: ${{ github.event.inputs.appId }}

	- uses: actions/attest-build-provenance/predicate@d58ddf9f241cd8163408934540d01c3335864d64 # [email protected]
	id: generate-build-provenance-predicate

	- name: Update Predicate JSON
	id: update-predicate
	run: \|
	uri="git+https:/${{ github.event.inputs.repo }}@refs/heads/${{ github.event.inputs.branch }}"
	resolved_dependencies=$(jq -n --arg uri "$uri" --arg commit "${{ github.event.inputs.commit }}" --arg path "${{ github.event.inputs.directory }}" '[{"uri": $uri, "digest": {"gitCommit": $commit}, "path": $path}]')
	predicate=$(echo '${{ steps.generate-build-provenance-predicate.outputs.predicate }}' \| jq -c '.buildDefinition.externalParameters.resolvedDependencies = $resolved_dependencies' --argjson resolved_dependencies "$resolved_dependencies")
	echo "predicate=$predicate" >> $GITHUB_OUTPUT

	- uses: actions/attest@2da0b136720d14f01f4dbeeafd1d5a4d76cbe21d # v1.4.0
	id: attest
	with:
	subject-path: ${{ needs.deploy.outputs.worker-script }}
	predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
	predicate: ${{ steps.update-predicate.outputs.predicate }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.github/workflows/deploy-worker.yml #135

Workflow file

.github/workflows/deploy-worker.yml #135

Jobs

Run details

Workflow file for this run