deploy.yml
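# Manual re-deploy workflow: builds the site, syncs dist/ to a Cloudflare R2
# bucket, deploys the Worker with wrangler, then purges the Cloudflare cache.
name: Deploy

on:
  # NOTE: The release: [published] trigger does NOT fire when the release is
  # published by GITHUB_TOKEN in the release.yml orchestrator (GitHub blocks
  # workflow-to-workflow chaining via GITHUB_TOKEN). The deploy step is inlined
  # in release.yml instead. This workflow is kept for manual re-deploys.
  workflow_dispatch:

# Default to no permissions; the job below opts in to what it needs.
permissions: {}

env:
  # Wrangler 4.87+ requires Node 22+. Keep this in sync with release.yml's
  # inlined deploy job (it has its own node-version pin).
  NODE_VERSION: '22'
  # Passed through the environment (never interpolated into a script body),
  # so the value is only ever expanded by the shell as a variable.
  R2_BUCKET: ${{ vars.R2_BUCKET }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Use a deployment environment for secret isolation
    environment: release
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag each SHA was taken from.
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: Setup pnpm
        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
        with:
          run_install: false

      - name: Setup Node
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: pnpm

      # No secrets are exposed to the install and build steps.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build
        run: pnpm build

      # Source maps are removed before upload so they are never published.
      - name: Strip source maps
        run: find dist -name '*.map' -delete

      - name: Deploy to Cloudflare R2
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
        run: |
          ENDPOINT="https://${R2_ACCOUNT_ID}.r2.cloudflarestorage.com"
          # Don't --delete old assets: users with cached HTML still reference
          # old fingerprinted bundles until their SW updates. Old assets are
          # harmless (unique hashes, no conflicts) and can be cleaned up later.
          aws --endpoint-url "$ENDPOINT" s3 sync dist/ "s3://${R2_BUCKET}/" --acl private

      # Kept separate from the deploy step so that dependency install scripts
      # run without CLOUDFLARE_API_TOKEN in their environment.
      - name: Prepare Worker
        run: |
          # R2_BUCKET is spliced into a sed expression below; refuse an empty
          # value or anything outside the lowercase/digit/hyphen bucket-name
          # alphabet so it cannot alter the expression.
          if [[ ! "$R2_BUCKET" =~ ^[a-z0-9-]+$ ]]; then
            echo "::error::R2_BUCKET is empty or contains unexpected characters"
            exit 1
          fi
          # Update bucket name in wrangler.toml from R2_BUCKET variable
          sed -i "s/bucket_name = \"myselfhosted-webmail-test-1\"/bucket_name = \"${R2_BUCKET}\"/" worker/wrangler.toml
          # sed exits 0 even when nothing matched; fail here rather than
          # deploy a Worker still bound to the placeholder bucket.
          grep -qF "bucket_name = \"${R2_BUCKET}\"" worker/wrangler.toml
          cd worker
          # NOTE(review): --no-frozen-lockfile lets dependency versions be
          # resolved at deploy time. If worker/ has (or can have) a committed
          # lockfile, prefer --frozen-lockfile so the deployed code is exactly
          # what was reviewed.
          pnpm install --no-frozen-lockfile

      - name: Deploy Worker
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
        working-directory: worker
        run: npx wrangler deploy

      - name: Purge Cloudflare Cache
        env:
          CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
        run: |
          # --fail-with-body makes an HTTP error from the API fail the step
          # (plain curl exits 0 on 4xx/5xx) while still printing the response.
          curl --fail-with-body --silent --show-error \
            -X POST "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/purge_cache" \
            -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
            -H "Content-Type: application/json" \
            --data '{"purge_everything":true}'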