CI/CD Setup

This repository uses four GitHub Actions workflows:

  • CI (.github/workflows/ci.yml): static checks/tests only, no release builds.
  • Deploy (.github/workflows/deploy.yml): deploys Cloudflare Worker + Flutter web to Cloudflare Pages.
  • iOS Archive (.github/workflows/ios-ipa.yml): manual-only workflow for building an unsigned iOS archive for an existing release tag.
  • Release Artifacts (.github/workflows/release-artifacts.yml): on GitHub release published/prereleased events, builds Android/Linux/Windows/web and attaches the non-web artifacts to the release page.

1) Required GitHub Secrets

Add these in GitHub → Settings → Secrets and variables → Actions:

  • CLOUDFLARE_API_TOKEN
  • CLOUDFLARE_ACCOUNT_ID

Scope the Cloudflare token to the minimum the deploy needs (recommended):

  • Workers Scripts:Edit
  • Workers KV/D1/Durable Objects as needed by the worker
  • Pages:Edit
  • Account resources: include only your Cloudflare account, not every account the token owner can access

2) Required Cloudflare Worker Secret

Set this once (outside git):

cd worker
npx wrangler secret put GITHUB_TOKEN

GITHUB_TOKEN is consumed by the worker runtime, not by GitHub Actions. Despite the name it has nothing to do with the automatic GITHUB_TOKEN that Actions injects into every job: this one is a Wrangler secret stored on the Worker, and it is not one of the repository Actions secrets listed above.

3) Environment Protection

Create a GitHub Environment named production and configure:

  • Required reviewers for deployment approvals
  • Optional wait timer
  • Restrict deployment branches to mesh-utility

The deploy workflow already targets environment: production.

4) Branch Protection

Protect branch mesh-utility:

  • Require a pull request before merging
  • Require status checks to pass (the names must match the job names in ci.yml exactly):
    • Flutter Analyze & Test
    • Worker Type Check
  • Disallow force pushes and branch deletion

5) Deploy Trigger Behavior

deploy.yml triggers on:

  • push to mesh-utility
  • manual workflow_dispatch

Deployment steps:

  1. Deploy worker (worker/ via Wrangler)
  2. Build Flutter web (tool/build_web_cloudflare.sh)
  3. Deploy build/web to Cloudflare Pages project mesh-utility-tracker on branch mesh-utility

6) Release Artifact Behavior

release-artifacts.yml triggers on:

  • release.published
  • release.prereleased
  • manual workflow_dispatch with release_tag input (for re-running asset publish on an existing tag)

ios-ipa.yml is currently manual-only (workflow_dispatch) and requires a release_tag input. TODO: move iOS (and future macOS re-enable) into release-artifacts.yml so all platform release builds are under one trigger.

Build matrix:

  • Android (flutter build apk --release)
  • Linux (flutter build linux --release)
  • Windows (flutter build windows --release)
  • Web (flutter build web --release) for verification only

iOS manual archive workflow:

  • iOS (flutter build ipa --release --no-codesign)
  • Packages the resulting .xcarchive as mesh-utility-<tag>-ios-xcarchive.tar.gz
  • Uploads that tarball as both a workflow artifact and a GitHub release asset
  • Can be manually dispatched with a release_tag input to backfill an existing release

Assets uploaded to the release page (the web build is excluded):

  • mesh-utility-<tag>-android.apk
  • mesh-utility-<tag>-linux-x64.tar.gz
  • mesh-utility-<tag>-windows-x64.zip
  • SHA256SUMS.txt
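How SHA256SUMS.txt fits together, as an added example rather than the workflow's own code: one function writes the sums file over the three non-web assets in the format sha256sum -c understands, and another checks a downloaded asset against it. Asset names follow the mesh-utility-<tag>-* pattern above; the file contents are constructed stand-ins for real build output, and the demo tampers with one asset to show the mismatch being caught.

```shell
#!/usr/bin/env bash
# Added example (not release-artifacts.yml itself): produce the SHA256SUMS.txt
# attached to a release and verify a downloaded asset against it.
# Asset names follow mesh-utility-<tag>-*; payloads below are constructed.
set -eu

sha256_of() {
  # Print only the hex digest of one file (GNU coreutils, with a BSD/macOS fallback).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# write_sums DIR TAG: write DIR/SHA256SUMS.txt over the three non-web assets, one
# "<hex>  <name>" line each, the format `sha256sum -c` expects. Names are written
# without a path so the file verifies from whatever directory the user downloads into.
write_sums() {
  dir=$1 tag=$2
  : > "$dir/SHA256SUMS.txt"
  for name in "mesh-utility-$tag-android.apk" \
              "mesh-utility-$tag-linux-x64.tar.gz" \
              "mesh-utility-$tag-windows-x64.zip"; do
    printf '%s  %s\n' "$(sha256_of "$dir/$name")" "$name" >> "$dir/SHA256SUMS.txt"
  done
}

# verify_asset DIR NAME: compare NAME's digest with its SHA256SUMS.txt entry.
# Exit status 0 = match, 1 = mismatch, 2 = NAME has no entry (an asset on the
# release page that the workflow never listed deserves suspicion, not a silent pass).
verify_asset() {
  dir=$1 name=$2
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$dir/SHA256SUMS.txt")
  [ -n "$expected" ] || return 2
  [ "$(sha256_of "$dir/$name")" = "$expected" ]
}

# make_fixture DIR TAG: constructed placeholder assets standing in for real build output.
make_fixture() {
  printf 'constructed apk payload\n'     > "$1/mesh-utility-$2-android.apk"
  printf 'constructed linux tarball\n'   > "$1/mesh-utility-$2-linux-x64.tar.gz"
  printf 'constructed windows archive\n' > "$1/mesh-utility-$2-windows-x64.zip"
}

# Stand-alone demo: write sums, tamper with one asset, show verification catching it.
demo() {
  tag=$1
  work=$(mktemp -d)
  make_fixture "$work" "$tag"
  write_sums "$work" "$tag"
  cat "$work/SHA256SUMS.txt"
  verify_asset "$work" "mesh-utility-$tag-android.apk" && echo "android: OK"
  printf 'tampered\n' >> "$work/mesh-utility-$tag-windows-x64.zip"
  if verify_asset "$work" "mesh-utility-$tag-windows-x64.zip"; then
    echo "windows: OK"
  else
    echo "windows: MISMATCH"
  fi
  rm -rf "$work"
}

demo "${1:-v0.0.0-example}"
```

Because SHA256SUMS.txt is uploaded by the same workflow run as the assets, it detects download corruption or a swapped file on the release page, not a compromised build pipeline; anyone who can replace the assets can replace the sums file too.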

7) Open-Source Safety Rules

  • Never commit secrets, tokens, private keys, or .env values.
  • Keep examples only (.env.example, docs with placeholders).
  • Use GitHub secret scanning and push protection.
  • Rotate secrets immediately if leaked.

8) Quick Validation

After deploy:

curl -I https://mesh-utility.org
curl -I https://mesh-utility-worker.aaffiliate796.workers.dev/health

From the browser console on https://mesh-utility.org, verify that requests to these endpoints complete without CORS errors:

  • .../history
  • .../scans
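The same two checks as a scriptable post-deploy gate, added here as an example and not part of the project. Header parsing is kept separate from the network calls so it can be exercised against a captured header dump; the hostnames are the ones on this page, and the endpoint URLs for the CORS probe are passed in by the caller because only their tails (…/history, …/scans) are given above. The preflight sends OPTIONS with the Origin and Access-Control-Request-Method headers a browser would, since many CORS handlers only emit Access-Control-Allow-* in response to a cross-origin request, which a plain curl -I is not.

```shell
#!/usr/bin/env bash
# Added example (not the project's own tooling): post-deploy gate built from the
# curl checks above. Pure parsing functions first, live probes behind --live.
set -eu

strip_cr() { tr -d '\r'; }

# http_status HEADERS: status code from the first line of a curl header dump
# ("HTTP/1.1 200 OK" and "HTTP/2 200" both yield 200).
http_status() {
  printf '%s\n' "$1" | strip_cr | awk 'NR == 1 { print $2; exit }'
}

# header_value HEADERS NAME: value of the first header called NAME, matched
# case-insensitively (Workers and Pages emit lower-case names over HTTP/2).
header_value() {
  lname=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  printf '%s\n' "$1" | strip_cr | awk -v n="$lname" \
    'tolower($0) ~ ("^" n ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# cors_check HEADERS ORIGIN: 0 if Access-Control-Allow-Origin echoes ORIGIN exactly,
# 2 if it is the wildcard "*" (page requests work, but browsers refuse "*" for
# credentialed requests, so treat it as a warning), 1 if absent or different.
cors_check() {
  acao=$(header_value "$1" Access-Control-Allow-Origin)
  if [ "$acao" = "$2" ]; then return 0
  elif [ "$acao" = "*" ]; then return 2
  else return 1
  fi
}

# Live probes (need network).
site=https://mesh-utility.org
worker=https://mesh-utility-worker.aaffiliate796.workers.dev

probe_health() {
  hdrs=$(curl -sS -I "$1")
  code=$(http_status "$hdrs")
  [ "$code" = 200 ] || { echo "FAIL $1: HTTP $code"; return 1; }
  echo "ok   $1"
}

probe_cors() {
  # Browser-style preflight so the CORS headers actually appear in the response.
  hdrs=$(curl -sS -D - -o /dev/null -X OPTIONS \
         -H "Origin: $2" -H "Access-Control-Request-Method: GET" "$1")
  rc=0; cors_check "$hdrs" "$2" || rc=$?
  case $rc in
    0) echo "ok   $1 allows $2" ;;
    2) echo "warn $1 answers Access-Control-Allow-Origin: * (fine until credentials are involved)" ;;
    *) echo "FAIL $1 does not allow $2"; return 1 ;;
  esac
}

# Usage: script.sh --live <full URL of .../history> <full URL of .../scans> ...
if [ "${1:-}" = "--live" ]; then
  shift
  probe_health "$site"
  probe_health "$worker/health"
  for endpoint in "$@"; do
    probe_cors "$endpoint" "$site"
  done
fi
```

Run it with --live and the full endpoint URLs after a deploy; without arguments it only defines the functions, which is what makes the parsing testable offline.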