Add Github Actions for deployment

venables · venables · commit 6af10f3df670 · 2025-09-26T21:44:03.000-04:00
diff --git a/.github/actions/check/action.yml b/.github/actions/check/action.yml
@@ -0,0 +1,18 @@
+name: "Run Code Quality Checks"
+description: "Install dependencies and run formatting, linting, type checking, and tests"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@v2
+      with:
+        bun-version: latest
+
+    - name: Install dependencies
+      shell: bash
+      run: bun install --frozen-lockfile --prefer-offline
+
+    - name: Run checks
+      shell: bash
+      run: bun run check
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -1,4 +1,4 @@
-name: Check
+name: Code Quality Checks
 
 on:
   push:
@@ -13,6 +13,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
-      - uses: oven-sh/setup-bun@v2
-      - run: bun install --frozen-lockfile --prefer-offline
-      - run: bun run check
+      - uses: ./.github/actions/check
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,187 @@
+name: Deploy to Cloudflare Workers
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, closed]
+  push:
+    branches: [main]
+
+jobs:
+  # Check code quality on PRs and main pushes
+  check:
+    if: github.event.action != 'closed'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: ./.github/actions/check
+
+  # Deploy preview environment on PRs
+  preview:
+    if: github.event_name == 'pull_request' && github.event.action != 'closed'
+    needs: check
+    runs-on: ubuntu-latest
+    environment:
+      name: preview
+      url: https://startkit-preview-pr-${{ github.event.number }}.startkit-dev.workers.dev
+    outputs:
+      preview-url: ${{ steps.deploy.outputs.deployment-url }}
+      db-name: ${{ steps.setup-db.outputs.db-name }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Setup preview database and run migrations
+        id: setup-db
+        run: |
+          DB_NAME="startkit-preview-pr-${{ github.event.number }}"
+          echo "db-name=$DB_NAME" >> $GITHUB_OUTPUT
+
+          # Create preview database and capture the database ID
+          bunx wrangler d1 create "$DB_NAME" --output json > db-output.json
+          DB_ID=$(cat db-output.json | jq -r '.result.uuid')
+          echo "DB_ID=$DB_ID" >> $GITHUB_ENV
+
+          # Run migrations on preview database
+          bunx wrangler d1 migrations apply "$DB_NAME" --remote
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+
+      - name: Build application
+        run: bun run build
+        env:
+          BETTER_AUTH_URL: ${{ vars.BETTER_AUTH_URL || format('https://startkit-preview-pr-{0}.startkit-dev.workers.dev', github.event.number) }}
+          BETTER_AUTH_SECRET: ${{ secrets.BETTER_AUTH_SECRET }}
+          GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
+          GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
+
+      - name: Create temporary wrangler config for preview
+        run: |
+          cat > wrangler.preview.jsonc << EOF
+          {
+            "name": "startkit-preview-pr-${{ github.event.number }}",
+            "main": "@tanstack/react-start/server-entry",
+            "compatibility_date": "2025-09-24",
+            "compatibility_flags": ["nodejs_compat"],
+            "observability": {
+              "enabled": true
+            },
+            "vars": {
+              "BETTER_AUTH_URL": "${{ vars.BETTER_AUTH_URL || format('https://startkit-preview-pr-{0}.startkit-dev.workers.dev', github.event.number) }}",
+              "GITHUB_CLIENT_ID": "${{ secrets.OAUTH_GITHUB_CLIENT_ID }}"
+            },
+            "d1_databases": [
+              {
+                "binding": "DB",
+                "database_name": "startkit-preview-pr-${{ github.event.number }}",
+                "database_id": "${{ env.DB_ID }}"
+              }
+            ]
+          }
+          EOF
+
+      - name: Deploy to Cloudflare Workers
+        id: deploy
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: deploy --config wrangler.preview.jsonc
+
+      - name: Comment PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `🚀 **Preview deployment is ready!**
+
+              **Preview URL:** ${{ steps.deploy.outputs.deployment-url }}
+              **Database:** startkit-preview-pr-${{ github.event.number }}
+
+              This preview will be automatically deleted when the PR is closed.`
+            })
+
+  # Clean up preview environment when PR is closed
+  cleanup:
+    if: github.event_name == 'pull_request' && github.event.action == 'closed'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete preview deployment
+        uses: cloudflare/wrangler-action@v3
+        continue-on-error: true
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: delete startkit-preview-pr-${{ github.event.number }} --force
+
+      - name: Delete preview database
+        uses: cloudflare/wrangler-action@v3
+        continue-on-error: true
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: d1 delete startkit-preview-pr-${{ github.event.number }} --force
+
+      - name: Comment PR
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `🧹 **Preview environment cleaned up**
+
+              The preview deployment and database for this PR have been deleted.`
+            })
+
+  # Deploy to production on main branch
+  production:
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    needs: check
+    runs-on: ubuntu-latest
+    environment:
+      name: production
+      url: ${{ vars.BETTER_AUTH_URL }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run database migrations
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: d1 migrations apply DB --remote
+
+      - name: Build application
+        run: bun run build
+        env:
+          BETTER_AUTH_URL: ${{ vars.BETTER_AUTH_URL }}
+          BETTER_AUTH_SECRET: ${{ secrets.BETTER_AUTH_SECRET }}
+          GITHUB_CLIENT_ID: ${{ secrets.OAUTH_GITHUB_CLIENT_ID }}
+          GITHUB_CLIENT_SECRET: ${{ secrets.OAUTH_GITHUB_CLIENT_SECRET }}
+
+      - name: Deploy to production
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          command: deploy
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@
 
 ## Getting Started
 
-To get started, simply clone the repository and run `bun install`:
+To get started, simply clone the repository and run `bun run setup`:
 
 1. Clone the project or [use the template](https://github.com/new?template_owner=startkit-dev&template_name=startkit)
 
@@ -106,6 +106,139 @@ Build for production:
 bun run build
 ```
 
+## Deployment
+
+This project is configured for automatic deployment to [Cloudflare Workers](https://workers.cloudflare.com/) via GitHub Actions.
+
+### GitHub Environments Setup
+
+GitHub Environments provide secure secret management and deployment protection. Create these environments in your repository settings (`Settings > Environments`):
+
+#### 1. **Production Environment**
+
+- **Name:** `production`
+- **Deployment branches:** Restrict to `main` branch only
+- **Environment variables:**
+  - `BETTER_AUTH_URL` - Your production domain (e.g., `https://startkit.example.com`)
+  - `OAUTH_GITHUB_CLIENT_ID` - Github OAuth app ID for production
+- **Environment secrets:**
+  - `BETTER_AUTH_SECRET` - Generate using `openssl rand -base64 32`
+  - `OAUTH_GITHUB_CLIENT_SECRET` - GitHub OAuth app secret for production
+- **Protection rules (recommended):**
+  - Require reviewers (1+ team members)
+  - Wait timer (optional, e.g., 5 minutes)
+
+#### 2. **Preview Environment**
+
+- **Name:** `preview`
+- **Deployment branches:** No restrictions (allows any branch)
+- **Environment variables:**
+  - `BETTER_AUTH_URL` - Auto-generated preview URL (optional override)
+  - `OAUTH_GITHUB_CLIENT_ID` - Github OAuth app secret for preview
+- **Environment secrets:**
+  - `BETTER_AUTH_SECRET` - Generate using `openssl rand -base64 32`
+  - `OAUTH_GITHUB_CLIENT_SECRET` - GitHub OAuth app secret for preview (can reuse production or create separate)
+- **Protection rules:** None (allows automatic deployments)
+
+### Required Repository Secrets
+
+Configure these secrets in your repository settings (`Settings > Secrets and variables > Actions > Repository secrets`):
+
+- `CLOUDFLARE_API_TOKEN` - Cloudflare API token with `Cloudflare Workers:Edit` and `Cloudflare D1:Edit` permissions
+- `CLOUDFLARE_ACCOUNT_ID` - Your Cloudflare account ID
+
+### Environment-Specific Configuration
+
+**Production:**
+
+- Uses `BETTER_AUTH_URL` from production environment variable
+- Uses `BETTER_AUTH_SECRET` and `OAUTH_GITHUB_CLIENT_SECRET` from production environment secrets
+- Requires manual approval if protection rules are enabled
+- Deploys to your production domain
+
+**Preview:**
+
+- Auto-generates preview URLs: `https://startkit-preview-pr-{number}.{account}.workers.dev` (unless overridden with environment variable)
+- Uses `BETTER_AUTH_SECRET` and `OAUTH_GITHUB_CLIENT_SECRET` from preview environment secrets
+- No manual approval required
+- Automatically cleaned up when PR is closed
+
+### GitHub OAuth App Configuration
+
+**For Production:**
+
+1. Create a GitHub OAuth app with your production URL as the homepage
+2. Set authorization callback URL to: `https://your-domain.com/api/auth/callback/github`
+3. Add the Client ID as `OAUTH_GITHUB_CLIENT_ID` (repository secret)
+4. Add the Client Secret as `OAUTH_GITHUB_CLIENT_SECRET` (production environment secret)
+
+**For Preview (Two Options):**
+
+**Option 1: Shared OAuth App (Simpler)**
+
+- Use the same OAuth app for both production and preview
+- Add multiple callback URLs to your OAuth app:
+  - `https://your-domain.com/api/auth/callback/github` (production)
+  - `https://startkit-preview-pr-*.{account}.workers.dev/api/auth/callback/github` (preview - add as needed)
+- Note: You'll need to manually add preview URLs to your OAuth app settings
+
+**Option 2: Separate OAuth App (Recommended for Security)**
+
+- Create a separate GitHub OAuth app specifically for preview environments
+- Set homepage URL to your repository or a placeholder
+- Swap the callback URL for preview environments as needed:
+  - `https://startkit-preview-pr-1.{account}.workers.dev/api/auth/callback/github`
+  - `https://startkit-preview-pr-2.{account}.workers.dev/api/auth/callback/github`
+  - (Add more as needed for active PRs)
+- Override `OAUTH_GITHUB_CLIENT_ID` and `OAUTH_GITHUB_CLIENT_SECRET` in preview environment
+
+**⚠️ OAuth Callback URL Limitation:**
+GitHub OAuth apps don't support wildcard callback URLs, making it unusable in preview URLs for now. We will give instructions for setting up a `proxy`.
+
+### Deployment Workflow
+
+**Pull Requests:**
+
+- Runs code quality checks (`bun run check`)
+- Creates a preview deployment with dedicated database
+- Posts preview URL in PR comments
+- Automatically cleans up preview environment when PR is closed
+
+**Main Branch:**
+
+- Runs code quality checks
+- Applies database migrations to production
+- Deploys to production Cloudflare Workers
+
+### Initial Cloudflare Setup
+
+1. **Create production database:**
+
+   ```sh
+   bunx wrangler d1 create "startkit-db"
+   ```
+
+2. **Update `wrangler.jsonc`** with your database ID from the previous step
+
+3. **Run initial migration:**
+   ```sh
+   bun run db:migrate:prod
+   ```
+
+### Manual Deployment
+
+For manual deployments:
+
+```sh
+# Deploy to production
+bun run build
+bunx wrangler deploy
+
+# Deploy with database migrations
+bun run db:migrate:prod
+bunx wrangler deploy
+```
+
 ## Utilities
 
 ```sh
