feat(pages): add Cloudflare acceptance deploy and release-gated production #181
Open
DevSecNinja wants to merge 2 commits into
…ction Add an opt-in 'cloudflare-acceptance' deploy that publishes every production-branch commit to a stable Cloudflare branch (default 'acceptance'), and 'cloudflare-production-on-release' so production deploys only on GitHub release events instead of every main commit. Both default to false, so existing callers are unaffected. Acceptance reuses the production build path and requires Cloudflare secrets (same as production).
Collapse the duplicated deploy-cloudflare-production and deploy-cloudflare-acceptance jobs into a single deploy-cloudflare job driven by a matrix that detect-cloudflare computes per event (only the targets that should actually deploy are included, so no empty/protected environment runs). Disable the package-manager cache on the deploy job to resolve the zizmor cache-poisoning alert on published artifacts.
What
Adds two opt-in inputs to the reusable Pages workflow so callers can run a
Cloudflare Pages acceptance environment on every
`main` commit while reserving production for release events.
New inputs (all default `false`/safe — fully backward compatible)

| Input | Default | Description |
|---|---|---|
| `cloudflare-acceptance` | `false` | |
| `cloudflare-acceptance-branch` | `acceptance` | |
| `cloudflare-production-on-release` | `false` | `release` events instead of on every production-branch commit. |

How it works

- `main` push → `deploy-cloudflare-acceptance` runs (stable acceptance URL via `--branch=<acceptance-branch>`). Production is skipped when `cloudflare-production-on-release: true` because the ref is a branch, not a release.
- `release: published` → `deploy-cloudflare-production` runs. Acceptance is skipped because the ref is a tag, not the production branch.

Because acceptance (push to branch) and release-gated production (release event)
are triggered by different events, no mutual-exclusion logic is needed — they
never run in the same workflow run.

`detect-cloudflare` now also treats acceptance as a reason Cloudflare is "enabled", and the missing-secrets error fires when either production or
acceptance is requested.
Backward compatibility

Both new inputs default to `false`. With defaults unchanged:

- `cloudflare-production` keeps its existing "deploy on every production-branch push" behavior.

Consumer follow-up (separate change)
To actually use release-gated production + acceptance, a caller must:

- `release: { types: [published] }` trigger to its `on:`.
- `cloudflare-acceptance: true` and `cloudflare-production-on-release: true`.

Validation
- `actionlint` ✅ (pages.yml + workflow-templates/pages.yml)
- `yamllint` ✅
- `dprint check` ✅ (docs/architecture.md table re-aligned)

Docs (`docs/architecture.md` inputs table) and the `workflow-templates/pages.yml` comment block are updated to mention the new inputs.
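
The per-event target selection described in this pull request, written out as an added example (not code from the PR or the repository). The function name, argument order and JSON output shape are assumptions, as is the rule that `cloudflare-production-on-release` only takes effect when `cloudflare-production` is also `true`.

```shell
#!/usr/bin/env bash
# Added example: sketch of the deploy-target decision, not the project's
# detect-cloudflare step. All names here are hypothetical.
#
# cloudflare_targets EVENT REF PROD_BRANCH PRODUCTION ACCEPTANCE ON_RELEASE HAS_SECRETS
# Prints a JSON array of targets for the deploy matrix. Returns 1 when a
# deploy was requested but the Cloudflare secrets are missing (fail closed).
cloudflare_targets() {
  local event="$1" ref="$2" prod_branch="$3"
  local production="$4" acceptance="$5" on_release="$6" has_secrets="$7"
  local targets="" on_prod_branch="false"

  # Neither target requested: Cloudflare is not "enabled", empty matrix.
  if [ "$production" != "true" ] && [ "$acceptance" != "true" ]; then
    echo "[]"
    return 0
  fi
  # Either target requested without secrets is an error, not a silent skip.
  if [ "$has_secrets" != "true" ]; then
    echo "error: Cloudflare deploy requested but secrets are missing" >&2
    return 1
  fi

  if [ "$event" = "push" ] && [ "$ref" = "refs/heads/$prod_branch" ]; then
    on_prod_branch="true"
  fi

  # Acceptance: production-branch commits only, never a tag/release ref.
  if [ "$acceptance" = "true" ] && [ "$on_prod_branch" = "true" ]; then
    targets='"acceptance"'
  fi
  # Production: release events when gated, production-branch pushes otherwise.
  if [ "$production" = "true" ]; then
    if [ "$on_release" = "true" ] && [ "$event" = "release" ]; then
      targets="${targets:+$targets,}\"production\""
    elif [ "$on_release" != "true" ] && [ "$on_prod_branch" = "true" ]; then
      targets="${targets:+$targets,}\"production\""
    fi
  fi
  echo "[$targets]"
}
```

Because only the targets that should deploy appear in the array, a matrix built from it never starts a job against a protected environment it will not use.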