Files
ccs/.github/workflows/deploy-ccs-worker.yml
T
Kai (Tam Nhu) TranandGitHub 2273757c83 fix(ci): harden self-hosted workflow trust boundaries
Keep active CCS workflows on self-hosted runners, gate self-hosted PR execution to trusted authors, and scope privileged release credentials to the exact git operations that need them.
2026-05-12 12:34:15 -04:00

53 lines
1.5 KiB
YAML

name: Deploy CCS CloudFlare Worker
on:
push:
branches: [main]
paths:
- 'scripts/worker.js'
- 'scripts/wrangler.toml'
- 'installers/**'
# Only run on PRs that touch installer-related files
pull_request:
branches: [main]
paths:
- 'scripts/worker.js'
- 'scripts/wrangler.toml'
- 'installers/**'
# Allow manual trigger
workflow_dispatch:
jobs:
deploy:
if: >-
github.event_name != 'pull_request' ||
contains(fromJSON('["COLLABORATOR","MEMBER","OWNER"]'), github.event.pull_request.author_association)
runs-on: [self-hosted, linux, x64]
name: Deploy ccs-installer to CloudFlare
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Validate Worker (PR Mode)
if: github.event_name == 'pull_request'
uses: cloudflare/wrangler-action@v3
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
workingDirectory: scripts
wranglerVersion: "4.45.3"
command: deploy --dry-run
- name: Deploy Worker (Production)
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
uses: cloudflare/wrangler-action@v3
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
workingDirectory: scripts
wranglerVersion: "4.45.3"
command: deploy