Quick Deploy
There are two deploy paths. Use the quick workers.dev path for first proof in
a copied product. Use the advanced custom-domain and GitHub Actions path after
Cloudflare resources, DNS, zone permissions, repository secrets, and Actions
billing are ready.
Quick Path: workers.dev Staging
This path avoids custom-domain routing. It proves the Worker and smoke flow against a URL like:
https://<worker-name>.<account-subdomain>.workers.devUse it for the first downstream deploy.
-
Replace the staging Worker name, D1 database, R2 buckets, and staging smoke URL in the copied product.
-
Keep custom-domain
routesout of the first staging target unless the zone is already owned, active, and permissioned for this account. -
Create or verify the remote resources. Replace
<web-package>with the web package filter in the copied product.pnpm --filter <web-package> exec wrangler d1 list pnpm --filter <web-package> exec wrangler r2 bucket list -
Set the Worker-side demo auth secret for shared demo-auth staging:
printf '%s' "$CONVERSION_DEMO_AUTH_TOKEN" | pnpm --filter <web-package> exec wrangler secret put CONVERSION_DEMO_AUTH_TOKEN --env staging -
Run the local deploy helper:
export CONVERSION_DEMO_AUTH_TOKEN=<same-token-configured-on-staging-worker> pnpm release:deploy-staging-local pnpm release:deploy-staging-local -- --yes
The helper runs local release verification, config doctor, Cloudflare auth
preflight, staging build with the current commit SHA, target assertion, remote
D1 migrations, wrangler deploy, health smoke, Better Auth smoke, and one real
conversion smoke. It writes public-safe evidence under
artifacts/staging-smoke/local-<commit> unless an output directory override is
provided.
For a manual lower-level workers.dev smoke, set the URL explicitly:
export STAGING_BASE_URL=https://<worker-name>.<account-subdomain>.workers.dev
export CURRENT_SHA="$(git rev-parse HEAD)"
DEPLOY_HEALTH_BASE_URL="$STAGING_BASE_URL" \
DEPLOY_HEALTH_EXPECT_RELEASE_COMMIT_SHA="$CURRENT_SHA" \
pnpm smoke:deploy-health -- --environment staging --base-url "$STAGING_BASE_URL"
SMOKE_BASE_URL="$STAGING_BASE_URL" \
SMOKE_EXPECT_RELEASE_COMMIT_SHA="$CURRENT_SHA" \
pnpm smoke:stagingAdvanced Path: Custom Domain And GitHub Actions
Use this path after quick staging is proven.
-
Configure the staging custom domain in
apps/web/wrangler.jsoncwithcustom_domain: true. -
Confirm the hostname belongs to an active Cloudflare zone in the deploy account and does not already have a conflicting DNS record.
-
Make sure the API token can deploy Workers and manage the selected route or custom domain.
-
Sync GitHub repository secrets:
pnpm secrets:sync-github pnpm secrets:sync-github -- --yes -
Confirm Worker secret parity for the staging target:
printf '%s' "$CONVERSION_DEMO_AUTH_TOKEN" | pnpm --filter <web-package> exec wrangler secret put CONVERSION_DEMO_AUTH_TOKEN --env staging -
Dispatch the staging deploy workflow:
pnpm release:dispatch-staging pnpm release:dispatch-staging -- --yes -
Download and use current-commit smoke evidence for strict readiness:
pnpm evidence:download-smoke -- --run-id <run-id> --output-dir artifacts/staging-smoke/github-<commit> pnpm report:release-readiness -- --strict --staging-smoke-evidence artifacts/staging-smoke/github-<commit> --image-safety-launch-decision "<decision>"
Production Is A Separate Gate
Do not treat either staging path as production approval. Production needs:
pnpm plan:production-resources
pnpm preflight:production-cutover -- --stage resource-ready --production-resource-ready-evidence <resource-ready-evidence.json> --strict
pnpm preflight:production-cutover -- --stage traffic-ready --production-resource-ready-evidence <resource-ready-evidence.json> --operator-assisted-production-evidence <operator-evidence.json> --strictAttach DNS, custom-domain, D1/R2, deploy workflow, health smoke, rollback, legal trust, and image-safety evidence before traffic cutover.