| title | status | type | priority | created_at | updated_at | blocked_by |
|---|---|---|---|---|---|---|
| Write .gitea/workflows/deploy-api.yml — Gitea Actions workflow to build and deploy API Worker via OpenTofu | completed | task | low | 2026-03-10T23:32:07Z | 2026-03-10T23:32:14Z | |

Counterpart to ticket 5137d7 (UI deploy via wrangler pages deploy).
Create `.gitea/workflows/deploy-api.yml` at the repository root. The workflow must:

1. Compile the `api` binary for `wasm32-unknown-unknown`
2. Run `tofu apply` from `quotesdb/infra/` to upload the Worker and provision/update all infra

Triggered on push to the `quotesdb` branch when files under `quotesdb/src/bin/api/` or `quotesdb/infra/` change.

```yaml
name: Deploy quotesdb API

on:
  push:
    branches:
      - quotesdb
    paths:
      # "**" matches every file under the directory
      - "quotesdb/src/bin/api/**"
      - "quotesdb/src/lib.rs"
      - "quotesdb/infra/**"
      - "quotesdb/Cargo.toml"
      - "quotesdb/Cargo.lock"

jobs:
  deploy-api:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: quotesdb
    # Job-level env: visible to every step in this job
    env:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Install Rust toolchain with wasm32 target
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: wasm32-unknown-unknown

      - name: Cache Rust build artifacts
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            quotesdb/target
          # Expression string literals must use single quotes
          key: ${{ runner.os }}-cargo-api-${{ hashFiles('quotesdb/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cargo-api-

      - name: Build API Worker Wasm binary
        run: cargo build --release --target wasm32-unknown-unknown --bin api

      - name: Install OpenTofu
        uses: opentofu/setup-opentofu@v1

      - name: OpenTofu init
        working-directory: quotesdb/infra
        run: tofu init

      - name: OpenTofu apply
        working-directory: quotesdb/infra
        run: tofu apply -auto-approve
```
</implementation>
<secrets>
The following repository secrets must be configured in Gitea (Settings → Secrets):
| Secret | Description |
|--------|-------------|
| `CLOUDFLARE_API_TOKEN` | Cloudflare API token with Workers:Edit, D1:Edit, Account:Read permissions |
| `CLOUDFLARE_ACCOUNT_ID` | Cloudflare account ID |
Remote state credentials (if applicable) — see ticket 71b1d4.
</secrets>
<notes>
- `opentofu/setup-opentofu@v1` is the official GitHub/Gitea Action for OpenTofu installation.
- The `env:` block at job level makes credentials available to both `tofu init` and `tofu apply` via the Cloudflare provider environment variable convention.
- The Wasm binary at `target/wasm32-unknown-unknown/release/api.wasm` is read by `filebase64()` in `infra/worker.tf` at apply time — the file must exist before `tofu apply` runs.
- `tofu apply -auto-approve` is safe in CI because the plan is deterministic and the repo is the source of truth.
- OpenTofu state: the `infra/` directory needs a configured backend. If using local state, the state file must be committed or a remote backend (e.g. Cloudflare R2) configured. See ticket 2d1371.
- The `paths` filter ensures the workflow only triggers when API code or infra config changes, avoiding spurious runs on UI-only pushes.
</notes>
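
The job-level `env:` block described in the notes makes the Cloudflare credentials visible to every step of the job, including the four `uses:` actions, all of which are referenced by a tag or branch that can be moved. The following Python check is an added example, not part of this ticket or the repository; the embedded workflow text is a constructed excerpt of the steps above, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the workflow above: job-level env plus its uses:/run: steps.
WORKFLOW = """\
jobs:
  deploy-api:
    env:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: actions/cache@v4
      - run: cargo build --release --target wasm32-unknown-unknown --bin api
      - uses: opentofu/setup-opentofu@v1
      - run: tofu apply -auto-approve
"""

SHA_REF = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA, the only immutable ref
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s@#]+)@(\S+)", re.M)
SECRET = re.compile(r"^\s*(\w+):\s*\$\{\{\s*secrets\.\w+\s*\}\}", re.M)

def mutable_actions(text):
    """Return (action, ref) pairs whose ref is a tag or branch, not a commit SHA."""
    return [(a, r) for a, r in USES.findall(text) if not SHA_REF.match(r)]

def job_level_secrets(text):
    """Return env names bound to secrets before the first `steps:` key.

    Assumes a single-job workflow, as in the ticket; step-level env is ignored
    because it is scoped to one step only.
    """
    head = text.split("steps:", 1)[0]
    return SECRET.findall(head)

def audit(text):
    """Pair each job-wide secret with every mutable action that can read it."""
    actions = mutable_actions(text)
    return [f"{s} is readable by {a}@{r}"
            for s in job_level_secrets(text) for a, r in actions]

if __name__ == "__main__":
    for finding in audit(WORKFLOW):
        print(finding)
```

Findings disappear when each action is pinned to a full commit SHA, or when the `env:` block is moved from the job onto the `tofu init` and `tofu apply` steps only.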
<constraints>
- The Cloudflare infra (D1, Worker script resource) must be defined (ticket a23489, d0da0b) and `infra/` must be initialised (ticket 2d1371) before this workflow is useful.
- Do not commit Cloudflare credentials or OpenTofu state files containing secrets.
</constraints>
<validation>
After creating the workflow file:
1. Push to the `quotesdb` branch with a change to `src/bin/api/`
2. Confirm the Gitea Actions run succeeds
3. Confirm the Worker appears/updates in the Cloudflare Workers dashboard
</validation>
<commit>
`ci(quotesdb): add Gitea Actions workflow to build and deploy API Worker via OpenTofu`
</commit>