feat: Cloudflare Access (M5), blob highlighting + image proxy, v0.2 CD, and release automation #1

Merged: sinameraji merged 2 commits into main from feat/access-cd-and-release-automation on May 29, 2026


@sinameraji
Owner

Summary

Finishes v0.1 hardening and ships the first slice of v0.2, plus CI + release automation.

M5 — Privacy via Cloudflare Access

  • Worker accessGuard middleware verifies the Cf-Access-Jwt-Assertion JWT (RS256 via WebCrypto + cached JWKS — no jose, to protect the bundle) and gates /, /r/*, /api/*. No-ops unless ACCESS_AUD is set, so public mirrors stay open. /webhooks/github (HMAC) + /health stay open.
  • CLI opt-in gitflare access enable/disable provisions a self-hosted Access app + allow-list policy and redeploys with the Access vars.

v0.1 polish

  • Server-side syntax highlighting in the blob viewer (highlight.js core + ~20 curated grammars; 512 KB cap → <pre> fallback).
  • Image proxy GET /r/:name/raw/* serving blobs from the Artifacts mirror, so README images render for private repos and survive GitHub outages.
  • Styled empty/error states.

v0.2 — Continuous deploy (MVP, self-deploy model)

  • On push, DeployDO reads/parses .gitflare/deploy.yml and uploads the pre-built worker entry via the Workers Scripts API. History + Deployments UI at /r/:name/deployments; CD gated on a CD_ENABLED var.
  • CLI gitflare deploy enable/disable stores a CF_DEPLOY_TOKEN Worker Secret.

Release automation

  • CI workflow: typecheck + test + build on every PR and push to main.
  • Release workflow: Release Please opens/maintains a release PR from Conventional Commits; merging it bumps the version, tags, and publishes gitflare to npm (auth via the NPM_TOKEN secret).

Caveats (also in PLAN.md §12)

  • M5 gates the dashboard/API but not git clone (clone hits Artifacts directly). Private-clone is a later (v0.4+) item.
  • The Cloudflare Access apps/policies API shapes and the Workers Scripts multipart upload are coded to spec but not yet live-validated against a real account.
  • v0.2 MVP deploys pre-built artifacts only (build steps need Sandboxes → v0.3) and reads deploy.yml from the default-branch tip.

Tests

47 unit tests pass (Access JWT, highlight, workflow parser, deploy upload, plus existing). All packages typecheck; worker bundles at ~915 KB.

🤖 Generated with Claude Code
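
The M5 check described in this PR (RS256 over WebCrypto against a JWKS, with the guard inactive unless ACCESS_AUD is set), sketched as an added example that is not code from this pull request or the gitflare project. The function names, the JWKS passed in as an argument instead of fetched and cached, and the throwaway key pair used to mint sample tokens are assumptions made so it runs offline.

```javascript
// Added example, not the project's code. needsAccess, verifyAccessJwt and demoIssuer are hypothetical names.
// Workers and Node 19+ expose WebCrypto as a global; the fallback covers older Node (CommonJS).
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const te = new TextEncoder();
const RS256 = { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
const fromB64u = (s) => Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const toB64u = (b) => btoa(String.fromCharCode(...b)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const parse = (seg) => JSON.parse(new TextDecoder().decode(fromB64u(seg)));

// Gate /, /r/* and /api/* only when ACCESS_AUD is configured, so public mirrors stay open.
function needsAccess(pathname, env) {
  if (!env.ACCESS_AUD) return false;
  return pathname === "/" || pathname.startsWith("/r/") || pathname.startsWith("/api/");
}

// Returns the claims if the token is valid for `aud`, otherwise null (fail closed).
async function verifyAccessJwt(token, jwks, aud, now = Math.floor(Date.now() / 1000)) {
  try {
    const [h, p, s, ...rest] = String(token).split(".");
    if (!s || rest.length) return null;
    const header = parse(h);
    if (header.alg !== "RS256") return null; // pin the algorithm: rejects "none" and HS256
    const jwk = jwks.keys.find((k) => k.kty === "RSA" && k.kid === header.kid);
    if (!jwk) return null; // unknown kid: a caching guard would refresh its JWKS once here
    const key = await subtle.importKey("jwk", jwk, RS256, false, ["verify"]);
    if (!(await subtle.verify(RS256.name, key, fromB64u(s), te.encode(`${h}.${p}`)))) return null;
    const claims = parse(p); // claims are read only after the signature verifies
    if (![].concat(claims.aud ?? []).includes(aud)) return null; // aud may be a string or an array
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch {
    return null; // malformed base64/JSON or an unusable key
  }
}

// Constructed test issuer: generates a throwaway key pair and signs sample tokens with it.
async function demoIssuer(kid = "demo-kid") {
  const pair = await subtle.generateKey(
    { ...RS256, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, true, ["sign", "verify"]);
  const jwks = { keys: [{ ...(await subtle.exportKey("jwk", pair.publicKey)), kid }] };
  const sign = async (claims, header = { alg: "RS256", kid }) => {
    const body = `${toB64u(te.encode(JSON.stringify(header)))}.${toB64u(te.encode(JSON.stringify(claims)))}`;
    return `${body}.${toB64u(new Uint8Array(await subtle.sign(RS256.name, pair.privateKey, te.encode(body))))}`;
  };
  return { jwks, sign };
}
```

Every rejection path returns null without saying why, so a caller can map any failure to a single 403 response.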

sinameraji and others added 2 commits May 29, 2026 14:30
….2 CD

Finish v0.1 hardening and ship the first slice of v0.2.

M5 — Privacy via Cloudflare Access:
- Worker accessGuard middleware verifies the Cf-Access-Jwt-Assertion JWT
  (RS256 via WebCrypto + cached JWKS, no jose) and gates /, /r/*, /api/*.
  No-ops unless ACCESS_AUD is set, so public mirrors stay open.
- CLI `gitflare access enable/disable` provisions a self-hosted Access app +
  allow-list policy and redeploys with the Access vars.

v0.1 polish:
- Server-side syntax highlighting in the blob viewer (highlight.js core +
  curated grammars, 512KB cap with <pre> fallback).
- README image proxy GET /r/:name/raw/* serving blobs from the Artifacts
  mirror, so images render for private repos and survive GitHub outages.
- Styled empty/error states.

v0.2 — Continuous deploy (MVP, self-deploy model):
- On push, DeployDO reads/parses .gitflare/deploy.yml and uploads the
  pre-built worker entry via the Workers Scripts API. History + Deployments
  UI; CD gated on a CD_ENABLED var.
- CLI `gitflare deploy enable/disable` stores a CF_DEPLOY_TOKEN Worker Secret.

Caveats (see PLAN.md §12): Access gates the dashboard/API but not git clone;
Access + Workers-Scripts API shapes still need live validation.

Also adds CI (typecheck/test/build) plus Release Please + npm publish on merge.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>