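# Builds, tests and deploys the project to Cloudflare (Worker + Container) with
# Wrangler, smoke-tests the deployed endpoints, and reports status to the PR / Slack.
name: Deploy to Cloudflare Containers

on:
  push:
    branches: [main, develop, feature/cf-container/improvements]
  pull_request:
    branches: [main]

# Least-privilege default for GITHUB_TOKEN; jobs widen it only where a step needs more.
permissions:
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # required by the "Comment deployment status" step
    # Cloudflare credentials are scoped to this job only, so the Trivy and Slack actions
    # in the other jobs never see them. Wrangler reads both variables from the environment.
    env:
      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
    # NOTE(review): every listed push branch and every PR against main deploys to the same
    # Worker; add an `if:` on this job or a per-branch environment if that is not intended.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      # Tests gate every deploy, not only pull requests: a push to main previously skipped them.
      - name: Run tests
        run: npm test

      - name: Install Wrangler CLI
        # NOTE(review): this installs whatever wrangler version is latest at run time;
        # pin a version (or run the project's devDependency via npx) for reproducible deploys.
        run: npm install -g wrangler

      # The token is already exported via CLOUDFLARE_API_TOKEN; `whoami` fails fast when it is
      # missing or invalid without ever placing the secret on a command line.
      - name: Verify Cloudflare credentials
        run: wrangler whoami

      - name: Build Docker image
        # NOTE(review): the image built here is neither pushed nor referenced by the deploy
        # step; confirm whether it is still needed or whether wrangler builds the container itself.
        run: |
          docker build -t ${{ github.repository }}:${{ github.sha }} .

      - name: Deploy to Cloudflare
        # NOTE(review): a compatibility date taken from the clock can change runtime semantics
        # between two otherwise identical runs; pinning compatibility_date in the wrangler
        # config is more predictable.
        run: |
          wrangler deploy --compatibility-date $(date +%Y-%m-%d)

      - name: Verify deployment
        # The host is passed through the environment rather than interpolated into the
        # script, and curl retries instead of relying on a fixed sleep.
        env:
          WORKER_HOST: ${{ github.event.repository.name }}.${{ secrets.CLOUDFLARE_SUBDOMAIN }}.workers.dev
        run: |
          set -euo pipefail
          probe() {
            curl --fail --silent --show-error \
              --retry 10 --retry-delay 6 --retry-all-errors \
              "https://${WORKER_HOST}$1"
          }
          # Worker health
          probe /__worker_ok
          # Container health
          probe /health

      - name: Comment deployment status
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            // Update the existing bot status comment if there is one, otherwise create it,
            // so repeated pushes to the PR do not pile up comments.
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            const botComment = comments.find(comment =>
              comment.user.type === 'Bot' &&
              comment.body.includes('🚀 Cloudflare Deployment Status')
            );
            const commentBody = `🚀 **Cloudflare Deployment Status**

            ✅ **Deployment Successful**

            - Worker URL: https://${{ github.event.repository.name }}.${{ secrets.CLOUDFLARE_SUBDOMAIN }}.workers.dev
            - Commit: \`${{ github.sha }}\`
            - Branch: \`${{ github.ref_name }}\`
            - Status: All health checks passed

            🔍 **Test Endpoints:**
            - Worker Health: \`/__worker_ok\`
            - Container Health: \`/health\`
            - Main App: \`/\``;
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: commentBody
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body: commentBody
              });
            }

  # NOTE(review): this job runs only on pull requests and nothing depends on it, so a push
  # to main deploys without a scan and a failing scan does not block a deploy.
  security-scan:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      security-events: write  # upload-sarif writes to the Security tab
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        # NOTE(review): `@master` is a mutable ref, so the action's code can change under this
        # workflow at any time; pin to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  notify:
    runs-on: ubuntu-latest
    needs: [build-and-deploy]
    # Runs on main regardless of the deploy outcome so failures are reported too.
    if: always() && github.ref == 'refs/heads/main'
    permissions:
      contents: read
    steps:
      - name: Notify deployment status
        uses: 8398a7/action-slack@v3
        if: always()
        with:
          status: ${{ job.status }}
          channel: '#deployments'
          webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
          fields: repo,message,commit,author,action,eventName,ref,workflow
          text: |
            🚀 Cloudflare Container Deployment
            Status: ${{ job.status }}
            Repository: ${{ github.repository }}
            Branch: ${{ github.ref_name }}
            Commit: ${{ github.sha }}
            Author: ${{ github.actor }}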