BUILD: Adding release workflow for deployments #4866

Open
blckmn wants to merge 5 commits into betaflight:master from blckmn:release_yml

@blckmn (Member) commented Feb 14, 2026

Summary by CodeRabbit

  • New Features

    • Automated Cloudflare deployments with separate maintenance and production paths; production deploys only when the release is the latest.
    • Deployment previews per environment and PR comments updated to reference the deployment alias URL.
  • Chores

    • Enhanced tag and branch validation to conditionally run CI and release jobs.
    • Automatic derivation of branch/environment names, reusable deployment workflow, and robust latest-release check with retries.

@coderabbitai bot (Contributor) commented Feb 14, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds tag-validation, environment-name preparation, and "is latest" checks to the release workflow; refactors build gating; splits deployment into maintenance and production flows that call a new reusable Cloudflare deploy workflow; updates deploy orchestration and PR comment outputs. (≈34 words)

Changes

| Cohort / File(s) | Summary |
|---|---|
| Release workflow: .github/workflows/build-release.yml | Adds check_tag (validates tag & exposes should_run), prepare_environment (derives env_name output), check_latest (calls GitHub API, exposes is_latest); gates modern_build on check_tag; adds modern_deploy (maintenance) and modern_deploy_latest (production when latest); wires outputs between jobs. |
| Deploy orchestration: .github/workflows/deploy.yml | Replaces inline deploy with prepare_branch job that outputs BRANCH; adds Deploy job that invokes reusable deploy_cloudflare.yml passing branch_name, environment_name, project_name and Cloudflare secrets; adds pr_comment job using needs.deploy.outputs.deployment_alias_url; removes prior artifact-download+direct deploy steps. |
| Reusable Cloudflare deploy: .github/workflows/deploy_cloudflare.yml | New callable workflow (workflow_call) accepting branch_name, environment_name, project_name and required Cloudflare secrets; downloads dist artifact into src/dist and runs cloudflare/wrangler-action to deploy to the specified project/branch; exposes deployment_url and deployment_alias_url. |
| PR workflow: .github/workflows/pr.yml | Adds check_branch job that skips CI for base branches starting with 20; conditions ci job on needs.check_branch.outputs.should_run. |

Sequence Diagram

sequenceDiagram
    actor GH as GitHub Events
    participant CheckTag as check_tag
    participant Build as modern_build
    participant PrepareEnv as prepare_environment
    participant CheckLatest as check_latest
    participant DeployMaint as modern_deploy
    participant DeployLatest as modern_deploy_latest
    participant DeployWF as deploy_cloudflare.yml
    participant CF as Cloudflare

    GH->>CheckTag: release/tag event
    CheckTag-->>Build: should_run
    Build->>PrepareEnv: provide tag metadata
    PrepareEnv-->>DeployMaint: env_name
    Build->>CheckLatest: request latest check
    CheckLatest-->>DeployLatest: is_latest
    DeployMaint->>DeployWF: call with branch, env, project
    DeployLatest->>DeployWF: call when is_latest == true
    DeployWF->>CF: wrangler deploy src/dist to project/branch
    DeployWF-->>DeployMaint: deployment_url, deployment_alias_url
    DeployWF-->>DeployLatest: deployment_url, deployment_alias_url

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Possibly related PRs

Suggested labels

build system improvement, Housekeeping

Suggested reviewers

  • haslinghuis
  • nerdCopter

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | No pull request description was provided by the author. The template requires multiple important sections and considerations, but none were included. | Add a comprehensive pull request description explaining the changes, their purpose, testing performed, and why the release workflow additions are necessary for the project. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'BUILD: Adding release workflow for deployments' accurately describes the main changes which add new release and deployment workflow files (.github/workflows/build-release.yml and deploy_cloudflare.yml) and updates existing workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into master |

No actionable comments were generated in the recent review. 🎉


@coderabbitai bot (Contributor) left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.github/workflows/build-release.yml:
- Around line 94-105: The check for releases/latest can race with the new
release publish because check_latest runs in parallel with modern_build; modify
the workflow so the check waits for the release to propagate by either adding a
short sleep/retry loop before comparing CURRENT_TAG and LATEST_TAG (retry gh api
up to N times with delay) or by making check_latest depend on modern_build (or
move the check into modern_deploy_latest) to ensure the published release is
visible; update the job name/depends-on accordingly and reference the
CURRENT_TAG and LATEST_TAG comparison logic to apply the delay/retry or
dependency change.
- Around line 79-80: The environment name string has a typo ("-maintenence");
update the ENV_NAME assignment to use the correct spelling "-maintenance" (i.e.,
change ENV_NAME="${VERSION}-maintenence" to ENV_NAME="${VERSION}-maintenance")
so the GitHub environment and Cloudflare Pages branch names are created
correctly.
- Around line 18-25: The run block interpolates user-controlled
github.event.release.tag_name directly into the shell, which risks script
injection; instead, pass the tag into the job as an environment variable (e.g.
define RELEASE_TAG: ${{ github.event.release.tag_name }} under env:) and then
reference the safe shell variable inside the run script (use quoted
"$RELEASE_TAG" and the test [[ "$RELEASE_TAG" == 20* ]] ), update the echo to
write should_run to $GITHUB_OUTPUT the same way, and apply the same env-variable
pattern for the other occurrences of github.event.release.tag_name mentioned
(lines ~76 and ~95) so no untrusted value is expanded directly in the run block.
🧹 Nitpick comments (2)
.github/workflows/build-release.yml (2)

113-118: Overly broad permissions for deploy jobs.

issues: write and pull-requests: write are not used by the artifact download or Cloudflare deploy steps. Dropping them follows least-privilege. Same applies to modern_deploy_latest (lines 143-148).

Proposed fix
     permissions:
       actions: read
       contents: read
       deployments: write
-      issues: write
-      pull-requests: write
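
Review bot: the removed lines cover a single permissions block, while the comment above says modern_deploy_latest (lines 143-148) carries the same issues: write and pull-requests: write, so the same removal has to be applied there or the production deploy job keeps write scopes it does not use. The three scopes that remain (actions: read, contents: read, deployments: write) should each be matched to a step in the job that needs them.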

109-166: Near-duplicate deploy jobs could be consolidated.

modern_deploy and modern_deploy_latest share identical steps (download artifact → wrangler deploy) and differ only in branch/environment. Consider extracting a reusable workflow (or composite action) to reduce maintenance burden, though this is fine to defer.
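
The env-variable and retry suggestions from the review above, combined into one step script; this is an added example, not code from the PR or from the reviewer. The function names should_run, fetch_latest_tag and is_latest and the retry defaults (5 attempts, 10 seconds) are assumptions; RELEASE_TAG is the variable name the review proposes.

```shell
#!/bin/sh
# Added example, not the PR's code. The workflow step is assumed to set
#   env:
#     RELEASE_TAG: ${{ github.event.release.tag_name }}
# so the tag reaches the script as data in an environment variable and is
# never expanded into the script text itself.

# check_tag: run only for tags starting with "20"
# (POSIX form of the [[ "$RELEASE_TAG" == 20* ]] test in the review).
should_run() {
  case "$1" in
    20*) echo "true" ;;
    *)   echo "false" ;;
  esac
}

# Hypothetical helper: ask the GitHub API which tag is marked "latest".
# Needs GH_TOKEN and GITHUB_REPOSITORY, both available inside a workflow run.
fetch_latest_tag() {
  gh api "repos/${GITHUB_REPOSITORY}/releases/latest" --jq '.tag_name'
}

# check_latest: retry so a just-published release has time to show up at
# releases/latest. Args: current tag, attempts (default 5), delay in seconds.
# The body is a subshell, so its variables stay local to the call.
is_latest() (
  current=$1 attempts=${2:-5} delay=${3:-10}
  i=1
  while [ "$i" -le "$attempts" ]; do
    latest=$(fetch_latest_tag 2>/dev/null) || latest=""
    if [ "$latest" = "$current" ]; then
      echo "true"
      exit 0
    fi
    if [ "$i" -lt "$attempts" ]; then sleep "$delay"; fi
    i=$((i + 1))
  done
  echo "false"
)

# Inside a workflow step the runner provides GITHUB_OUTPUT; elsewhere this
# block is skipped and the file only defines the functions.
if [ -n "${GITHUB_OUTPUT:-}" ] && [ -n "${RELEASE_TAG:-}" ]; then
  echo "should_run=$(should_run "$RELEASE_TAG")" >> "$GITHUB_OUTPUT"
  echo "is_latest=$(is_latest "$RELEASE_TAG")" >> "$GITHUB_OUTPUT"
fi
```

should_run is only a prefix test, so a tag that passes it is still untrusted input and has to stay quoted wherever it is used later in the job.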

@coderabbitai bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/deploy.yml (1)

38-40: ⚠️ Potential issue | 🟠 Major

Case mismatch in commit_ref output will produce an empty value.

Line 28 sets the step output with uppercase key COMMIT_REF, but line 18 declares the job output reading lowercase steps.set_commit_ref.outputs.commit_ref. This mismatch causes the job-level output to be empty. Then line 40 references needs.commit_reference.outputs.COMMIT_REF (uppercase), but the job-level key is commit_ref (lowercase), which again resolves to an empty string. The build workflow receives an empty commit_ref on line 53, breaking the checkout step that depends on it.

This is pre-existing, but since the new deployment flow depends on a successful build with a valid checkout reference, it should be fixed. Recommended fix: Make all keys lowercase—change line 28 to echo "commit_ref=$COMMIT_REF" >> $GITHUB_OUTPUT and line 40 to commit_ref: ${{ needs.commit_reference.outputs.commit_ref }}.

…acy branch names for the pr.yml (so that modern versions do not trigger it)
@sonarqubecloud

@github-actions (Contributor)

🎉 Do you want to test this code? 🎉

⚠️ CAUTION: The build may be unstable and result in corrupted configurations or data loss. Use only for testing! ⚠️
