refactor(ci): split CI and deploy into separate workflows

Move Cloudflare deployment (R2 sync, Worker deploy, cache purge) out of
ci.yml into a new deploy.yml workflow that triggers only when a GitHub
Release is published.

Previously, deployment was gated on commit message matching
(chore(release): ...), which was fragile and required np to be configured
with a custom message format. Now the flow is:

  pnpm release → np bumps, tags, pushes, publishes GitHub Release
               → deploy.yml triggers → build → R2 → Worker → cache purge

CI (ci.yml) now only runs lint, format, tests, and build on push/PR.

Also update np config to publish a full GitHub Release instead of a
draft, and update README and deployment checklist documentation.

Author: titanism

.github/workflows/ci.yml

@@ -7,10 +7,9 @@ on:
 
 env:
   NODE_VERSION: '20'
-  R2_BUCKET: ${{ vars.R2_BUCKET }}
 
 jobs:
-  build-test-deploy:
+  build-test:
     runs-on: ubuntu-latest
 
     steps:
@@ -19,16 +18,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Check if release commit
-        id: commit_check
-        run: |
-          MSG=$(git log -1 --pretty=%s)
-          if echo "$MSG" | grep -qE '^chore\(release\):'; then
-            echo "is_release=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "is_release=false" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Check clear-manifest impact
         if: github.event_name == 'pull_request'
         id: clear_check
@@ -105,36 +94,3 @@ jobs:
       - name: E2E tests
         if: github.event_name == 'pull_request'
         run: pnpm test:e2e
-
-      - name: Deploy to Cloudflare R2
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && steps.commit_check.outputs.is_release == 'true'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-        run: |
-          ENDPOINT="https://${R2_ACCOUNT_ID}.r2.cloudflarestorage.com"
-          aws --endpoint-url "$ENDPOINT" s3 sync dist/ "s3://${R2_BUCKET}/" --delete --acl private
-
-      - name: Deploy Worker
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && steps.commit_check.outputs.is_release == 'true'
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-        run: |
-          # Update bucket name in wrangler.toml from R2_BUCKET variable
-          sed -i "s/bucket_name = \"myselfhosted-webmail-test-1\"/bucket_name = \"${R2_BUCKET}\"/" worker/wrangler.toml
-          cd worker
-          pnpm install
-          npx wrangler deploy
-
-      - name: Purge Cloudflare Cache
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main' && steps.commit_check.outputs.is_release == 'true'
-        env:
-          CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-        run: |
-          curl -X POST "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/purge_cache" \
-            -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
-            -H "Content-Type: application/json" \
-            --data '{"purge_everything":true}'

.github/workflows/deploy.yml

@@ -0,0 +1,67 @@
+name: Deploy
+
+on:
+  release:
+    types: [published]
+
+env:
+  NODE_VERSION: '20'
+  R2_BUCKET: ${{ vars.R2_BUCKET }}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v3
+        with:
+          run_install: false
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm build
+
+      - name: Strip source maps
+        run: find dist -name '*.map' -delete
+
+      - name: Deploy to Cloudflare R2
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
+        run: |
+          ENDPOINT="https://${R2_ACCOUNT_ID}.r2.cloudflarestorage.com"
+          aws --endpoint-url "$ENDPOINT" s3 sync dist/ "s3://${R2_BUCKET}/" --delete --acl private
+
+      - name: Deploy Worker
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
+        run: |
+          # Update bucket name in wrangler.toml from R2_BUCKET variable
+          sed -i "s/bucket_name = \"myselfhosted-webmail-test-1\"/bucket_name = \"${R2_BUCKET}\"/" worker/wrangler.toml
+          cd worker
+          pnpm install
+          npx wrangler deploy
+
+      - name: Purge Cloudflare Cache
+        env:
+          CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+        run: |
+          curl -X POST "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/purge_cache" \
+            -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
+            -H "Content-Type: application/json" \
+            --data '{"purge_everything":true}'

README.md

@@ -174,14 +174,22 @@ BREAKING CHANGE: settings store schema changed, requires cache clear
 
 ### Releasing
 
-Releases are cut locally using [np](https://github.com/sindresorhus/np). It runs pre-release checks (clean tree, tests, build), bumps `package.json`, creates a git tag, pushes, and drafts a GitHub Release.
-
-Only release commits trigger production deployment — regular pushes to `main` run CI (lint, test, build) but do not deploy.
+Releases are managed locally using [np](https://github.com/sindresorhus/np) and deployed automatically via GitHub Actions when a GitHub Release is published.
 
 ```bash
-pnpm release            # interactive version prompt, runs checks, pushes, drafts GitHub release
+pnpm release            # interactive version prompt, runs checks, pushes, publishes GitHub Release
 ```
 
+This command will:
+
+1. Verify a clean working tree and up-to-date `main` branch
+2. Run lint, format, tests, and build
+3. Bump the version in `package.json` and create a git tag
+4. Push the commit and tag to GitHub
+5. Publish a GitHub Release
+
+Once the GitHub Release is published, the **Deploy** workflow (`.github/workflows/deploy.yml`) automatically triggers and deploys to Cloudflare.
+
 ## Configuration
 
 Create a `.env` file to override defaults:
@@ -224,20 +232,25 @@ graph TB
 
 ### CI/CD Pipeline
 
-The GitHub Actions workflow (`.github/workflows/ci.yml`) runs on every push to `main` and on pull requests:
+CI and deployment are handled by two separate GitHub Actions workflows:
 
-**Every push (CI):**
+**CI** (`.github/workflows/ci.yml`) — runs on every push to `main` and on pull requests:
 
 1. **Install** — `pnpm install --frozen-lockfile`
 2. **Lint** — `pnpm lint`
 3. **Format** — `pnpm format`
-4. **Build** — `pnpm build` (Vite + Workbox service worker)
+4. **Unit tests** — `pnpm test -- --run`
+5. **Build** — `pnpm build` (Vite + Workbox service worker)
+6. **E2E tests** — Playwright (pull requests only)
+
+**Deploy** (`.github/workflows/deploy.yml`) — runs only when a GitHub Release is published:
 
-**Release commits only (`chore(release): x.y.z`):**
+1. **Build** — Full production build
+2. **Deploy to R2** — Sync `dist/` to Cloudflare R2 bucket
+3. **Deploy Worker** — Deploy CDN worker for SPA routing + cache headers
+4. **Purge Cache** — Clear Cloudflare edge cache
 
-5. **Deploy to R2** — Sync `dist/` to Cloudflare R2 bucket
-6. **Deploy Worker** — Deploy CDN worker for SPA routing + cache headers
-7. **Purge Cache** — Clear Cloudflare edge cache
+Pushing to `main` never triggers a deployment. Only publishing a GitHub Release (via `pnpm release`) triggers the deploy workflow.
 
 ### Required Secrets & Variables
 

docs/deployment-checklist.md

@@ -5,8 +5,9 @@ Complete setup guide for deploying the webmail app from scratch using Cloudflare
 
 ```mermaid
 flowchart LR
-    A["git push main"] --> B["Lint + Format"] --> C["Build + SW gen"] --> D["Deploy R2 + Worker"] --> E["Purge CDN cache"]
-    E --> F["Result: Static PWA served from Cloudflare edge"]
+    A["pnpm release"] --> B["np: lint, test, build, bump, tag"] --> C["GitHub Release published"]
+    C --> D["Deploy workflow: build, R2 sync, Worker deploy, cache purge"]
+    D --> E["Result: Static PWA served from Cloudflare edge"]
 ```
 
 ## Prerequisites
@@ -182,69 +183,51 @@ None needed — the app is entirely client-side after build.
 
 ## 6. CI/CD Pipeline
 
-```yaml
-# .github/workflows/ci.yml
-name: CI
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-
-env:
-  NODE_VERSION: '20'
-  R2_BUCKET: ${{ vars.R2_BUCKET }}
-
-jobs:
-  build-test-deploy:
-    runs-on: ubuntu-latest
-    steps:
-      # ... checkout, setup pnpm, install deps ...
-
-      - name: Lint + Format
-        run: pnpm lint && pnpm format
-
-      - name: Build
-        run: pnpm build
-
-      - name: Deploy to R2
-        if: github.ref == 'refs/heads/main'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.R2_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
-          R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-        run: |
-          ENDPOINT="https://${R2_ACCOUNT_ID}.r2.cloudflarestorage.com"
-          aws --endpoint-url "$ENDPOINT" s3 sync dist/ "s3://${R2_BUCKET}/" --delete
-
-      - name: Deploy Worker
-        if: github.ref == 'refs/heads/main'
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }}
-        run: |
-          sed -i "s/bucket_name = \".*\"/bucket_name = \"${R2_BUCKET}\"/" worker/wrangler.toml
-          cd worker && pnpm install && npx wrangler deploy
-
-      - name: Purge CDN Cache
-        if: github.ref == 'refs/heads/main'
-        env:
-          CLOUDFLARE_ZONE_ID: ${{ secrets.CLOUDFLARE_ZONE_ID }}
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-        run: |
-          curl -X POST "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/purge_cache" \
-            -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
-            -H "Content-Type: application/json" \
-            --data '{"purge_everything":true}'
+There are two separate GitHub Actions workflows:
+
+### CI (`.github/workflows/ci.yml`)
+
+Runs on every push to `main` and on pull requests. Performs lint, format, unit tests, build, and E2E tests (PRs only). **Does not deploy.**
+
+### Deploy (`.github/workflows/deploy.yml`)
+
+Runs only when a GitHub Release is published. Builds the app, syncs to R2, deploys the Worker, and purges the Cloudflare cache.
+
+```mermaid
+flowchart TD
+    subgraph CI ["CI workflow (push / PR)"]
+        A1["Install"] --> A2["Lint + Format"] --> A3["Unit tests"] --> A4["Build"]
+        A4 --> A5["E2E tests (PR only)"]
+    end
+    subgraph Deploy ["Deploy workflow (release published)"]
+        B1["Install + Build"] --> B2["Deploy to R2"] --> B3["Deploy Worker"] --> B4["Purge CDN cache"]
+    end
+    R["pnpm release → GitHub Release published"] --> Deploy
+```
+
+### Releasing
+
+Releases are managed locally using [np](https://github.com/sindresorhus/np):
+
+```bash
+pnpm release
 ```
 
+This will:
+
+1. Verify a clean working tree and up-to-date `main` branch
+2. Run lint, format, tests, and build
+3. Bump the version in `package.json` and create a git tag
+4. Push the commit and tag to GitHub
+5. Publish a GitHub Release, which triggers the Deploy workflow
+
 ---
 
 ## 7. First Deployment
 
 ```mermaid
 flowchart TD
-    A["1. Push to main"] --> B["2. Monitor GitHub Actions"] --> C["3. Verify"]
+    A["1. pnpm release"] --> B["2. Monitor GitHub Actions (Deploy workflow)"] --> C["3. Verify"]
     C --> D["R2 bucket has files?"]
     C --> E["Worker deployed?<br/>npx wrangler deployments list"]
     C --> F["Site loads?<br/>https://mail.yourdomain.com"]
@@ -285,6 +268,7 @@ flowchart TD
 | R2 bucket empty          | `aws --endpoint-url "$ENDPOINT" s3 ls "s3://${R2_BUCKET}/"`                                             |
 | Cache not clearing       | Manual purge: `curl -X POST ".../purge_cache" --data '{"purge_everything":true}'`                       |
 | Deploy 403 error         | Verify API token has: Workers Scripts: Edit, Workers R2: Edit, Cache Purge: Purge, Workers Routes: Edit |
+| Deploy not triggering    | Ensure `pnpm release` published a GitHub Release (check the Releases tab), not just a tag               |
 
 ---
 
@@ -295,18 +279,19 @@ flowchart TD
     A["1. Create R2 bucket: webmail-staging"] --> B["2. Create Worker: update wrangler.toml name"]
     B --> C["3. Add route: staging-mail.yourdomain.com/*"]
     C --> D["4. Create GitHub environment with separate secrets"]
-    D --> E["5. Modify workflow: deploy to staging on develop branch"]
+    D --> E["5. Add environment filter to deploy.yml"]
 ```
 
 ---
 
 ## Quick Reference
 
-| Resource      | Location                                  |
-| ------------- | ----------------------------------------- |
-| R2 Bucket     | Cloudflare Dashboard → R2                 |
-| Worker        | Cloudflare Dashboard → Workers & Pages    |
-| DNS           | Cloudflare Dashboard → Your Domain → DNS  |
-| Secrets       | GitHub → Settings → Secrets and variables |
-| Workflow      | `.github/workflows/ci.yml`                |
-| Worker Config | `worker/wrangler.toml`                    |
+| Resource        | Location                                  |
+| --------------- | ----------------------------------------- |
+| R2 Bucket       | Cloudflare Dashboard → R2                 |
+| Worker          | Cloudflare Dashboard → Workers & Pages    |
+| DNS             | Cloudflare Dashboard → Your Domain → DNS  |
+| Secrets         | GitHub → Settings → Secrets and variables |
+| CI Workflow     | `.github/workflows/ci.yml`                |
+| Deploy Workflow | `.github/workflows/deploy.yml`            |
+| Worker Config   | `worker/wrangler.toml`                    |

package.json

@@ -92,10 +92,8 @@
     "*.{json,css,html,md,svelte}": "pnpm format"
   },
   "np": {
-    "message": "chore(release): %s",
     "branch": "main",
-    "publish": false,
-    "releaseDraft": true
+    "publish": false
   },
   "packageManager": "pnpm@9.0.0",
   "private": true,