ci(cloudflare): stop leaking deploy config and stage TS migration

The Cloudflare worker deploy workflow was printing secret-derived config into CI logs and doing unnecessary root installs. Tighten the workflow to use read-only permissions, secure file writes, and per-worker dependency installs, then add a staged TypeScript migration plan so the repo-wide conversion has explicit CI-safe ordering. Constraint: Must keep the current Cloudflare deploy path working while removing secret exposure from logs Rejected: Leave the workflow as-is and document the risk | known secret leakage in CI is an immediate operational defect Confidence: high Scope-risk: narrow Reversibility: clean Directive: Keep worker deploy inputs secret-only and validate repo-wide TypeScript work in bounded slices, not one bulk migration Tested: ruby YAML parse of .github/workflows/deploy-cloudflare-workers.yml; git diff --check; npm ci --prefix doesitarm-default --ignore-scripts --no-audit --no-fund; npm ci --prefix workers/analytics --ignore-scripts --no-audit --no-fund Not-tested: Full GitHub Actions execution after commit
2026-05-15 06:35:20 -07:00 · 2026-04-04 17:06:58 -05:00 · 2026-04-04 17:06:58 -05:00 · 6d858d2a19
commit 6d858d2a19
parent 9cb77a8ab4
2 changed files with 175 additions and 16 deletions
--- a/.github/workflows/deploy-cloudflare-workers.yml
+++ b/.github/workflows/deploy-cloudflare-workers.yml
@ -7,6 +7,12 @@ on:
    branches:
      - master

+permissions:
+  contents: read
+
+concurrency:
+  group: cloudflare-workers-master
+  cancel-in-progress: true

 jobs:
  deploy:
@ -16,30 +22,32 @@ jobs:
    - name: Checkout
      uses: actions/checkout@v6

-    - name: Setup PNPM
-      uses: pnpm/action-setup@v4
-      with:
-        version: 10.12.1
-        run_install: false
-
    - name: Use Node.js 24
      uses: actions/setup-node@v6
      with:
        node-version-file: .nvmrc
-        cache: pnpm
+        cache: npm
+        cache-dependency-path: |
+          doesitarm-default/package-lock.json
+          workers/analytics/package-lock.json
  
    - name: Write Wrangler configs
+      shell: bash
      run: |
-          echo ${{ secrets.WRANGLER_ENV }} | base64 -d > doesitarm-default/.env
-          cat doesitarm-default/.env
-          echo ${{ secrets.WRANGLER_TOML }} | base64 -d > doesitarm-default/wrangler.toml
-          cat doesitarm-default/wrangler.toml
-          pnpm install
+          set -euo pipefail
+          umask 077

-          # Analytics Worker
-          echo ${{ secrets.ANALYTICS_WRANGER_TOML }} | base64 -d > workers/analytics/wrangler.toml
-          cat workers/analytics/wrangler.toml
-          pnpm install
+          printf '%s' '${{ secrets.WRANGLER_ENV }}' | base64 --decode > doesitarm-default/.env
+          printf '%s' '${{ secrets.WRANGLER_TOML }}' | base64 --decode > doesitarm-default/wrangler.toml
+          printf '%s' '${{ secrets.ANALYTICS_WRANGER_TOML }}' | base64 --decode > workers/analytics/wrangler.toml
+
+    - name: Install default worker dependencies
+      working-directory: doesitarm-default
+      run: npm ci
+
+    - name: Install analytics worker dependencies
+      working-directory: workers/analytics
+      run: npm ci

    - name: Deploy Default Worker
      uses: cloudflare/wrangler-action@1.3.0