+++
title = "Write .gitea/workflows/deploy-api.yml — Gitea Actions workflow to build and deploy API Worker via OpenTofu"
priority = 4
status = "todo"
ticket_type = "task"
dependencies = ["a23489", "2d1371"]
+++

The API Worker is a workers-rs Wasm binary deployed to Cloudflare Workers. The OpenTofu resource (`infra/worker.tf`) reads the compiled Wasm via `filebase64("../target/wasm32-unknown-unknown/release/api.wasm")` and uploads it on `tofu apply`. This means the CI workflow must compile the Wasm before running `tofu apply`.

Counterpart to ticket 5137d7 (UI deploy via wrangler pages deploy).

Create `.gitea/workflows/deploy-api.yml` at the repository root. The workflow must:

1. Compile the `api` binary for `wasm32-unknown-unknown`
2. Run `tofu apply` from `quotesdb/infra/` to upload the Worker and provision/update all infra

The workflow is triggered on push to the `quotesdb` branch when files under `quotesdb/src/bin/api/` or `quotesdb/infra/` change.

```yaml
# .gitea/workflows/deploy-api.yml
# Builds the quotesdb API Worker Wasm binary and applies OpenTofu infra.
# Triggered on push to the quotesdb integration branch when API or infra files change.
# Requires repository secrets: CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, TF_STATE_* (if using remote state).

name: Deploy quotesdb API

on:
  push:
    branches:
      - quotesdb
    paths:
      - "quotesdb/src/bin/api/**"
      - "quotesdb/src/lib.rs"
      - "quotesdb/infra/**"
      - "quotesdb/Cargo.toml"
      - "quotesdb/Cargo.lock"

jobs:
  deploy-api:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: quotesdb
    env:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Rust toolchain with wasm32 target
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown

      - name: Cache Rust build artifacts
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            quotesdb/target
          # Expression string literals must use single quotes.
          key: ${{ runner.os }}-cargo-api-${{ hashFiles('quotesdb/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-api-

      - name: Build API Worker Wasm binary
        run: cargo build --release --target wasm32-unknown-unknown --bin api

      - name: Install OpenTofu
        uses: opentofu/setup-opentofu@v1

      - name: OpenTofu init
        working-directory: quotesdb/infra
        run: tofu init

      - name: OpenTofu apply
        working-directory: quotesdb/infra
        run: tofu apply -auto-approve
```

The following repository secrets must be configured in Gitea (Settings → Secrets):

| Secret | Description |
|--------|-------------|
| `CLOUDFLARE_API_TOKEN` | Cloudflare API token with Workers:Edit, D1:Edit, Account:Read permissions |
| `CLOUDFLARE_ACCOUNT_ID` | Cloudflare account ID |

Remote state credentials (if applicable) — see ticket 71b1d4.

- `opentofu/setup-opentofu@v1` is the official GitHub/Gitea Action for OpenTofu installation.
- The `env:` block at job level makes credentials available to both `tofu init` and `tofu apply` via the Cloudflare provider environment variable convention.
- The Wasm binary at `target/wasm32-unknown-unknown/release/api.wasm` is read by `filebase64()` in `infra/worker.tf` at apply time, so the file must exist before `tofu apply` runs.
- `tofu apply -auto-approve` is safe in CI because the plan is deterministic and the repo is the source of truth.
- OpenTofu state: the `infra/` directory needs a configured backend. If using local state, the state file must be committed or a remote backend (e.g. Cloudflare R2) configured. See ticket 2d1371.
- The `paths` filter ensures the workflow only triggers when API code or infra config changes, avoiding spurious runs on UI-only pushes.
- The Cloudflare infra (D1, Worker script resource) must be defined (ticket a23489, d0da0b) and `infra/` must be initialised (ticket 2d1371) before this workflow is useful.
- Do not commit Cloudflare credentials or OpenTofu state files containing secrets.

After creating the workflow file:

1. Push to the `quotesdb` branch with a change to `src/bin/api/`
2. Confirm the Gitea Actions run succeeds
3. Confirm the Worker appears/updates in the Cloudflare Workers dashboard

`ci(quotesdb): add Gitea Actions workflow to build and deploy API Worker via OpenTofu`
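
The notes above require the Wasm binary to exist before `tofu apply` reads it with `filebase64()`. As an added example (not part of the ticket or the project's code), a preflight script run between the build and apply steps can fail the job early when the artifact is missing or is not a WebAssembly binary; the function name `check_wasm` and the script name `preflight.sh` are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the Wasm artifact before `tofu apply`.
# Hypothetical helper; the function and script names are not from the ticket.

# check_wasm PATH
# Returns 0 if PATH is a non-empty file that starts with the WebAssembly
# header (magic "\0asm" followed by version 1), otherwise returns 1.
check_wasm() {
    wasm_path=$1
    if [ ! -f "$wasm_path" ]; then
        echo "preflight: $wasm_path not found; run the cargo build step first" >&2
        return 1
    fi
    if [ ! -s "$wasm_path" ]; then
        echo "preflight: $wasm_path is empty" >&2
        return 1
    fi
    # First 8 bytes as hex: 00 61 73 6d (magic) 01 00 00 00 (version 1).
    header=$(head -c 8 "$wasm_path" | od -An -tx1 | tr -d ' \n')
    if [ "$header" != "0061736d01000000" ]; then
        echo "preflight: $wasm_path is not a WebAssembly v1 binary (header $header)" >&2
        return 1
    fi
    # Log the digest so the uploaded Worker can be traced back to this run.
    if command -v sha256sum >/dev/null 2>&1; then
        echo "preflight: sha256 $(sha256sum "$wasm_path" | cut -d' ' -f1)"
    fi
    return 0
}

# Runs only when a path is given, e.g. from the infra/ working directory:
#   sh preflight.sh ../target/wasm32-unknown-unknown/release/api.wasm
if [ "$#" -gt 0 ]; then
    check_wasm "$1" || exit 1
fi
```
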