The Cloudflare worker deploy workflow was printing secret-derived config into CI logs and doing unnecessary root installs. Tighten the workflow to use read-only permissions, secure file writes, and per-worker dependency installs, then add a staged TypeScript migration plan so the repo-wide conversion has explicit CI-safe ordering.
Constraint: Must keep the current Cloudflare deploy path working while removing secret exposure from logs
Rejected: Leave the workflow as-is and document the risk | known secret leakage in CI is an immediate operational defect
Confidence: high
Scope-risk: narrow
Reversibility: clean
Directive: Keep worker deploy inputs secret-only and validate repo-wide TypeScript work in bounded slices, not one bulk migration
Tested: ruby YAML parse of .github/workflows/deploy-cloudflare-workers.yml; git diff --check; npm ci --prefix doesitarm-default --ignore-scripts --no-audit --no-fund; npm ci --prefix workers/analytics --ignore-scripts --no-audit --no-fund
Not-tested: Full GitHub Actions execution after commit
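The "secure file writes" and no-secrets-in-logs points from the commit message above, sketched as an added example; this is not code from the repository. The names `WORKER_API_TOKEN` and `WORKER_ACCOUNT_ID`, the `write_secret_config` helper and the KEY=value output format are assumptions.

```shell
#!/bin/sh
# Added example: write secret-derived config for a deploy step without
# exposing values in the CI log. All names here are hypothetical.

# write_secret_config DEST
# Builds KEY=value lines from secret environment variables and writes them
# to DEST with owner-only permissions. The body runs in a subshell so the
# xtrace and umask changes do not leak into the calling step.
write_secret_config() (
    set +x      # stop tracing before any line that expands a secret
    umask 077   # anything created below is owner-only from the start
    dest=$1

    # Fail closed: a missing secret must not produce a half-empty config.
    if [ -z "${WORKER_API_TOKEN:-}" ] || [ -z "${WORKER_ACCOUNT_ID:-}" ]; then
        echo "write_secret_config: required secret is unset" >&2
        exit 1
    fi

    # Write to a temp file beside DEST, then rename, so a reader never
    # sees a partially written or world-readable file.
    tmp=$(mktemp "${dest}.XXXXXX") || exit 1
    printf 'API_TOKEN=%s\nACCOUNT_ID=%s\n' \
        "$WORKER_API_TOKEN" "$WORKER_ACCOUNT_ID" > "$tmp" || exit 1
    mv -f "$tmp" "$dest" || exit 1

    # Log only non-sensitive facts: the key count and the path.
    echo "wrote $(wc -l < "$dest" | tr -d ' ') keys to $dest"
)
```

Pair this with a workflow-level `permissions:` block set to `contents: read` so the job token is read-only as well.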
The generic
> doesitarm@1.0.0 test /Users/athena/Code/doesitarm
> vitest run
Running Astro Config File
RUN v4.1.0 /Users/athena/Code/doesitarm
Test Files 7 passed (7)
Tests 20 passed | 3 todo (23)
Start at 13:00:20
Duration 1.76s (transform 317ms, setup 138ms, import 1.23s, tests 2.55s, environment 2ms)
entrypoint assumes artifacts that only exist after the repo's full Netlify-style build. Run the real end-to-end Netlify build in GitHub Actions instead so the hosted Node 24 check matches the supported build surface.
Install pnpm before enabling setup-node's pnpm cache in the Cloudflare deploy job, and make the Node 24 check workflow self-contained by providing the public build URLs directly.
These fixes address the first GitHub-hosted failures that surfaced after the Node 24 migration push without changing the application runtime.
Align local version markers and GitHub Actions with Node 24, switch the default test entrypoint to the maintained Vitest runner, and replace pnpm-incompatible npm helpers in repo scripts.
This also removes the obsolete AVA plus esm path and excludes disabled test fixtures from generic Vitest discovery so CI reflects the supported test surface.