Cloudflare Workers CI/CD with GitHub Actions

This page defines a minimal, auditable deployment flow for Cloudflare Workers static assets using GitHub Actions.

This page defines a minimal, auditable deployment flow for Cloudflare Workers static assets using GitHub Actions.

Why this flow

  • Keep a single deployment authority: GitHub Actions only.
  • Make release intent explicit: master is production deploy.
  • Enforce a deploy gate before publish (yarn build).

Workflow summary

  • Workflow file: .github/workflows/deploy-workers.yml
  • Wrangler config: wrangler.jsonc
  • Runtime setup: actions/setup-node@v6
  • Deploy command: yarn wrangler deploy
  • Worker: viasnake-web

Branch behavior:

  • push to master -> Production deploy
  • workflow_dispatch -> Manual production redeploy of the selected ref

Secrets and minimum permissions

Required GitHub repository secrets:

  • CLOUDFLARE_ACCOUNT_ID
  • CLOUDFLARE_WORKERS_API_TOKEN

Cloudflare API token (recommended minimum):

  • Permission: Account -> Workers Scripts: Edit
  • Scope: only the account that owns viasnake-web

Store this token as CLOUDFLARE_WORKERS_API_TOKEN. Do not grant unrelated permissions such as DNS, Billing, or KV/R2/D1 unless a separate workflow needs them.

GitHub Actions permissions (workflow-level):

  • contents: read

Operations

Production deployment:

git push origin master