-
Notifications
You must be signed in to change notification settings - Fork 0
161 lines (138 loc) · 6.29 KB
/
deploy-worker.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
on:
workflow_dispatch:
inputs:
dispatchNamespace:
description: "Cloudflare Workers for Platforms dispatch namespace"
required: true
appId:
description: "Worker App ID"
required: true
repo:
description: "GitHub repository name"
required: true
commit:
description: "Git commit hash"
required: true
branch:
description: "Git branch"
required: true
directory:
description: "Directory to deploy"
required: false
default: "."
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
outputs:
worker-script: ${{ steps.get-script.outputs.worker-script-filename }}
env:
wranglerVersion: "3.68.0"
outDir: "codius-dist"
steps:
- name: ${{github.event.inputs.appId}}
run: echo run identifier ${{ github.run_id }}
- name: Checkout
uses: actions/checkout@v4
with:
repository: ${{ github.event.inputs.repo }}
ref: ${{ github.event.inputs.commit }}
- name: Check for pnpm-lock.yaml
id: check-pnpm-lock
run: |
directory=${{ inputs.directory }}
file_path="${directory:+${directory}/}pnpm-lock.yaml"
if [ -f "$file_path" ]; then
echo "PNPM lock file found"
echo "setup_pnpm=true" >> "$GITHUB_OUTPUT"
fi
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"
- name: Setup PNPM
if: ${{ steps.check-pnpm-lock.outputs.setup_pnpm == 'true' }}
uses: pnpm/action-setup@v4
- name: Pull go-toml Docker image
run: docker pull ghcr.io/pelletier/go-toml:v2
- name: Sanitize wrangler.toml
working-directory: ${{ github.event.inputs.directory }}
run: |
mv wrangler.toml wrangler.toml.orig
docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml.orig | \
jq 'del(.d1_databases)' | \
docker run -i ghcr.io/pelletier/go-toml:v2 jsontoml > wrangler.toml
- name: Check for [build] field in wrangler.toml
id: check-custom-build
working-directory: ${{ github.event.inputs.directory }}
run: |
custom_build=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -e '.build' > /dev/null && echo "true" || echo "false")
echo "custom-build=${custom_build}" >> "$GITHUB_OUTPUT"
- name: Bundle/Build Worker
uses: cloudflare/wrangler-action@v3
with:
wranglerVersion: ${{ env.wranglerVersion }}
workingDirectory: ${{ github.event.inputs.directory }}
command: deploy --dry-run ${{ env.OUT_DIR }} --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }}
env:
OUT_DIR: ${{ steps.check-custom-build.outputs.custom-build == 'false' && format('--outdir={0}', env.outDir) || '' }}
- name: Determine worker entry script
id: get-script
working-directory: ${{ github.event.inputs.directory }}
run: |
wrangler_main=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -r '.main')
echo "wrangler_main: $wrangler_main"
if [ "${{ steps.check-custom-build.outputs.custom-build }}" == "false" ]; then
trimmed_wrangler_main=$(echo ${wrangler_main} | sed 's|^\./||')
echo "Custom build is false; looking for the bundled script in ${outDir} containing // ${trimmed_wrangler_main}"
worker_script=$(grep -rl "// ${trimmed_wrangler_main}" "${{ env.outDir }}" | head -n 1)
echo "Found worker_script: $worker_script"
else
echo "Custom build is true; using the wrangler.toml main entry..."
worker_script="${wrangler_main}"
fi
if [ -z "$worker_script" ]; then
echo "Error: Unable to find worker script!"
exit 1
fi
echo "worker-script=${worker_script}" >> "$GITHUB_OUTPUT"
echo "worker-script-filename=$(basename $worker_script)" >> "$GITHUB_OUTPUT"
- uses: actions/upload-artifact@v4
with:
name: ${{ github.event.inputs.appId }}
path: ${{ github.event.inputs.directory }}/${{ steps.get-script.outputs.worker-script }}
- name: Deploy Worker
uses: cloudflare/wrangler-action@v3
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
wranglerVersion: ${{ env.wranglerVersion }}
workingDirectory: ${{ github.event.inputs.directory }}
command: deploy --no-bundle --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }} ${{ steps.get-script.outputs.worker-script }}
attest:
needs: deploy
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
steps:
- name: Download worker script
uses: actions/download-artifact@v4
with:
name: ${{ github.event.inputs.appId }}
- uses: actions/attest-build-provenance/predicate@d58ddf9f241cd8163408934540d01c3335864d64 # [email protected]
id: generate-build-provenance-predicate
- name: Update Predicate JSON
id: update-predicate
run: |
uri="git+https://github.com/${{ github.event.inputs.repo }}@refs/heads/${{ github.event.inputs.branch }}"
resolved_dependencies=$(jq -n --arg uri "$uri" --arg commit "${{ github.event.inputs.commit }}" --arg path "${{ github.event.inputs.directory }}" '[{"uri": $uri, "digest": {"gitCommit": $commit}, "path": $path}]')
predicate=$(echo '${{ steps.generate-build-provenance-predicate.outputs.predicate }}' | jq -c '.buildDefinition.externalParameters.resolvedDependencies = $resolved_dependencies' --argjson resolved_dependencies "$resolved_dependencies")
echo "predicate=$predicate" >> $GITHUB_OUTPUT
- uses: actions/attest@2da0b136720d14f01f4dbeeafd1d5a4d76cbe21d # v1.4.0
id: attest
with:
subject-path: ${{ needs.deploy.outputs.worker-script }}
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
predicate: ${{ steps.update-predicate.outputs.predicate }}