pop
/
vibed
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
quotesdb
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '267a95aa13'
${ noResults }
vibed/quotesdb/.nbd/tickets/57fe5e.md

125 lines
4.6 KiB
Markdown
Raw Blame History

+++
title = "Write .gitea/workflows/deploy-api.yml — Gitea Actions workflow to build and deploy API Worker via OpenTofu"
priority = 4
status = "done"
ticket_type = "task"
dependencies = ["a23489", "2d1371"]
+++
<context>
The API Worker is a workers-rs Wasm binary deployed to Cloudflare Workers. The OpenTofu resource (`infra/worker.tf`) reads the compiled Wasm via `filebase64("../target/wasm32-unknown-unknown/release/api.wasm")` and uploads it on `tofu apply`. This means the CI workflow must compile the Wasm before running `tofu apply`.
Counterpart to ticket 5137d7 (UI deploy via wrangler pages deploy).
</context>
<goal>
Create `.gitea/workflows/deploy-api.yml` at the repository root. The workflow must:
1. Compile the `api` binary for `wasm32-unknown-unknown`
2. Run `tofu apply` from `quotesdb/infra/` to upload the Worker and provision/update all infra
Triggered on push to `quotesdb` branch when files under `quotesdb/src/bin/api/` or `quotesdb/infra/` change.
</goal>
<implementation>
```yaml
# .gitea/workflows/deploy-api.yml
# Builds the quotesdb API Worker Wasm binary and applies OpenTofu infra.
# Triggered on push to the quotesdb integration branch when API or infra files change.
# Requires repository secrets: CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, TF_STATE_* (if using remote state).
name: Deploy quotesdb API
on:
push:
branches:
- quotesdb
paths:
- "quotesdb/src/bin/api/**"
- "quotesdb/src/lib.rs"
- "quotesdb/infra/**"
- "quotesdb/Cargo.toml"
- "quotesdb/Cargo.lock"
jobs:
deploy-api:
runs-on: ubuntu-latest
defaults:
run:
working-directory: quotesdb
env:
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Rust toolchain with wasm32 target
uses: dtolnay/rust-toolchain@stable
with:
targets: wasm32-unknown-unknown
- name: Cache Rust build artifacts
uses: actions/cache@v4
with:
path: |
~/.cargo/registry
~/.cargo/git
quotesdb/target
key: ${{ runner.os }}-cargo-api-${{ hashFiles("quotesdb/Cargo.lock") }}
restore-keys: |
${{ runner.os }}-cargo-api-
- name: Build API Worker Wasm binary
run: cargo build --release --target wasm32-unknown-unknown --bin api
- name: Install OpenTofu
uses: opentofu/setup-opentofu@v1
- name: OpenTofu init
working-directory: quotesdb/infra
run: tofu init
- name: OpenTofu apply
working-directory: quotesdb/infra
run: tofu apply -auto-approve
```
</implementation>
<secrets>
The following repository secrets must be configured in Gitea (Settings → Secrets):
| Secret | Description |
|--------|-------------|
| `CLOUDFLARE_API_TOKEN` | Cloudflare API token with Workers:Edit, D1:Edit, Account:Read permissions |
| `CLOUDFLARE_ACCOUNT_ID` | Cloudflare account ID |
Remote state credentials (if applicable) — see ticket 71b1d4.
</secrets>
<notes>
- `opentofu/setup-opentofu@v1` is the official GitHub/Gitea Action for OpenTofu installation.
- The `env:` block at job level makes credentials available to both `tofu init` and `tofu apply` via the Cloudflare provider environment variable convention.
- The Wasm binary at `target/wasm32-unknown-unknown/release/api.wasm` is read by `filebase64()` in `infra/worker.tf` at apply time — the file must exist before `tofu apply` runs.
- `tofu apply -auto-approve` is safe in CI because the plan is deterministic and the repo is the source of truth.
- OpenTofu state: the `infra/` directory needs a configured backend. If using local state, the state file must be committed or a remote backend (e.g. Cloudflare R2) configured. See ticket 2d1371.
- The `paths` filter ensures the workflow only triggers when API code or infra config changes, avoiding spurious runs on UI-only pushes.
</notes>
<constraints>
- The Cloudflare infra (D1, Worker script resource) must be defined (ticket a23489, d0da0b) and `infra/` must be initialised (ticket 2d1371) before this workflow is useful.
- Do not commit Cloudflare credentials or OpenTofu state files containing secrets.
</constraints>
<validation>
After creating the workflow file:
1. Push to the `quotesdb` branch with a change to `src/bin/api/`
2. Confirm the Gitea Actions run succeeds
3. Confirm the Worker appears/updates in the Cloudflare Workers dashboard
</validation>
<commit>
`ci(quotesdb): add Gitea Actions workflow to build and deploy API Worker via OpenTofu`
</commit>
Reference in New Issue View Git Blame Copy Permalink