
👷 Update deployment workflow to trigger on release #3

Merged: IamPekka058 merged 1 commit into main from chore/deployOnRelease on Apr 30, 2026

Conversation

@IamPekka058

Member

Deploy worker on release

@IamPekka058 IamPekka058 requested a review from Friedinger April 30, 2026 14:13
@IamPekka058 IamPekka058 added the 👷 CI/CD Changes related to continuous integration/deployment label Apr 30, 2026
@coderabbitai

coderabbitai Bot commented Apr 30, 2026


Walkthrough

The .github/workflows/deploy.yml workflow trigger is updated from push events to the main branch to release events when a release is published. The deploy job configuration remains unchanged functionally, with modifications limited to YAML indentation and restructuring.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow Configuration (.github/workflows/deploy.yml) | Updated trigger from push events targeting main branch to release events on publish. Deploy job structure, runner, checkout action, and wrangler-action configuration remain identical; changes consist of trigger condition and YAML formatting restructuring. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 The workflow hops along a new path,
From pushes flowing down the main,
Now releases trigger the deploy cascade—
A rabbit's leap toward production's gain! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly describes the main change: updating the deployment workflow to trigger on release events instead of push events. |
| Description check | ✅ Passed | The description 'Deploy worker on release' is related to the changeset, describing the deployment trigger change, though it is brief. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/deploy.yml (1)

7-16: ⚡ Quick win

Set explicit least-privilege job permissions.

deploy has no permissions block. Add explicit minimal scopes so token access doesn’t depend on repo/org defaults.

Proposed permissions block
   deploy:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 60
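Review bot: the added `permissions:` mapping lists only `contents: read`, while the agent prompt attached to this same suggestion gives `contents: read and secrets: read` as its example, so the two disagree on what should be granted. They should be reconciled before either is applied; the hunk's single-entry form is the narrower of the two and the one to keep. Because a job-level block replaces the inherited defaults rather than adding to them, any scope the deploy step turns out to need beyond reading the repository has to be listed here explicitly.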
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy.yml around lines 7 - 16, Add an explicit
least-privilege permissions block to the deploy job: inside the deploy job (the
job named "deploy" that runs the cloudflare/wrangler-action@v3.15.0 step)
declare a permissions mapping that limits GitHub token scopes (e.g.,
permissions: contents: read and secrets: read) so the job does not inherit broad
repo/org defaults; update the deploy job to include this permissions block
immediately under the job header.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy.yml:
- Around line 11-13: Replace mutable action refs used in the workflow
(actions/checkout@v6 and cloudflare/wrangler-action@v3.15.0) with their
corresponding immutable commit SHAs: look up the exact commit SHA for each tag
in the upstream repo (e.g., actions/checkout and cloudflare/wrangler-action) and
update the uses lines to use the full SHA (format:
owner/repo@<full-commit-sha>), committing the updated deploy.yml so the workflow
is pinned to immutable commits.

📥 Commits

Reviewing files that changed from the base of the PR and between ec3428c and 1ed09cf.

📒 Files selected for processing (1)
  • .github/workflows/deploy.yml
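
The two findings in the review above (action refs pinned to tags rather than commit SHAs, and a job with no `permissions:` block) can be checked mechanically. The following is an added example, not part of the pull request or of CodeRabbit's output: a standard-library Python check run over a constructed workflow modelled on the review's description, not the repository's actual `deploy.yml`. The function names and the `./.github/actions/local-step` entry are assumptions.

```python
import re

# Constructed sample modelled on the review's description; NOT the repository's real deploy.yml.
SAMPLE = """\
on:
  release:
    types: [published]
jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v6
      - uses: cloudflare/wrangler-action@v3.15.0
      - uses: ./.github/actions/local-step
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
JOB = re.compile(r"^  ([\w-]+):\s*(?:#.*)?$")  # assumes job ids sit at 2-space indent

def unpinned_actions(text):
    """(line number, ref) for each `uses:` whose ref is not a full 40-hex commit SHA."""
    found = []
    for num, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        ref = m.group(1).rpartition("@")[2]
        if not FULL_SHA.fullmatch(ref):
            found.append((num, m.group(1)))
    return found

def jobs_without_permissions(text):
    """Job ids with no `permissions:` key of their own and none at workflow level."""
    lines = text.splitlines()
    if any(l.startswith("permissions:") for l in lines):
        return []
    in_jobs, job, has_block = False, None, {}
    for line in lines:
        if line[:1] not in ("", " ", "#"):      # a new top-level key
            in_jobs, job = line.startswith("jobs:"), None
        elif in_jobs and JOB.match(line):
            job = JOB.match(line).group(1)
            has_block[job] = False
        elif job and re.match(r"^    permissions:", line):
            has_block[job] = True
    return [j for j, ok in has_block.items() if not ok]
```

The check is line-based and assumes conventional two-space YAML indentation; a workflow formatted differently needs a real YAML parser.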

@IamPekka058 IamPekka058 merged commit 6f3717c into main Apr 30, 2026
8 checks passed
@IamPekka058 IamPekka058 deleted the chore/deployOnRelease branch April 30, 2026 14:40