chore: update cloudflare workflow

Author: chen-ran

.github/workflows/deploy-download-worker.yml

@@ -0,0 +1,37 @@
+name: Deploy Download Worker
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'workers/**'
+      - '.github/workflows/deploy-download-worker.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: download-worker
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Deploy Cloudflare Worker
+        uses: cloudflare/wrangler-action@v3
+        with:
+          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          workingDirectory: workers
+          command: deploy
+          secrets: |
+            GITHUB_TOKEN
+        env:
+          GITHUB_TOKEN: ${{ secrets.MEMOH_GITHUB_TOKEN }}

.github/workflows/deploy-landing.yml

@@ -5,7 +5,12 @@ on:
     branches:
       - main
     paths:
-      - './'
+      - 'index.html'
+      - 'package.json'
+      - 'pnpm-lock.yaml'
+      - 'public/**'
+      - 'scripts/**'
+      - 'src/**'
       - '.github/workflows/deploy-landing.yml'
   workflow_dispatch:
 

README.md

@@ -84,7 +84,19 @@ Deploy the Worker after configuring the `memoh.ai/downloads/desktop/*` route:
 npx wrangler deploy --config workers/wrangler.toml
 ```
 
-For higher GitHub API limits, set a Worker secret:
+GitHub Actions also deploys the Worker from `.github/workflows/deploy-download-worker.yml` when files under `workers/` change. Add these repository secrets before relying on the workflow:
+
+```text
+CLOUDFLARE_API_TOKEN
+CLOUDFLARE_ACCOUNT_ID
+MEMOH_GITHUB_TOKEN
+```
+
+`MEMOH_GITHUB_TOKEN` is written to the Worker as the runtime `GITHUB_TOKEN` secret, so the Worker can call the GitHub Releases API without hitting unauthenticated rate limits. A fine-grained read-only token for the release repository is enough.
+
+If a download URL returns a GitHub Pages 404 page, the Worker route is not active for that path yet. Re-run the Worker deployment and, if Cloudflare cached the old 404, purge `/downloads/desktop/*`.
+
+For manual deployments, set the Worker secret directly:
 
 ```bash
 npx wrangler secret put GITHUB_TOKEN --config workers/wrangler.toml

package.json

@@ -5,7 +5,7 @@
   "type": "module",
   "scripts": {
     "dev": "vite",
-    "build": "vue-tsc -b && vite build",
+    "build": "vue-tsc -b && vite build && node scripts/create-spa-fallback.mjs",
     "preview": "vite preview"
   },
   "dependencies": {

scripts/create-spa-fallback.mjs

@@ -0,0 +1,15 @@
+import { copyFile, mkdir } from 'node:fs/promises'
+import { resolve } from 'node:path'
+
+const distDir = resolve('dist')
+const indexPath = resolve(distDir, 'index.html')
+
+await copyFile(indexPath, resolve(distDir, '404.html'))
+
+for (const route of ['desktop']) {
+  const routeDir = resolve(distDir, route)
+  await mkdir(routeDir, { recursive: true })
+  await copyFile(indexPath, resolve(routeDir, 'index.html'))
+}
+
+console.log('Created SPA fallback files')

workers/desktop-download-proxy.js

@@ -34,6 +34,15 @@ const downloadFileName = (tag, slug) => {
   return `Memoh-${sanitizeFileNamePart(tag)}-${sanitizeFileNamePart(slug)}`
 }
 
+const githubAssetFileName = (tag, slug) => {
+  const version = tag.replace(/^v/i, '')
+  return `Memoh-Desktop-${version}-${slug}`
+}
+
+const githubAssetUrl = (repo, tag, slug) => {
+  return `https://github.com/${repo}/releases/download/${encodeURIComponent(tag)}/${encodeURIComponent(githubAssetFileName(tag, slug))}`
+}
+
 const jsonResponse = (body, init = {}) => {
   return new Response(JSON.stringify(body, null, 2), {
     ...init,
@@ -67,7 +76,9 @@ const githubFetch = async (url, env, accept) => {
   })
 
   if (!response.ok) {
-    throw new Error(`GitHub request failed: ${response.status} ${url}`)
+    const detail = await response.text().catch(() => '')
+    const message = detail ? ` ${detail.slice(0, 240)}` : ''
+    throw new Error(`GitHub request failed: ${response.status} ${url}${message}`)
   }
 
   return response
@@ -83,21 +94,30 @@ const pickLatestRelease = (releases) => {
     .sort((a, b) => releaseTimestamp(b) - releaseTimestamp(a))[0]
 }
 
-const getLatestRelease = async (env) => {
+const getLatestRelease = async (env, ctx) => {
   const repo = env.MEMOH_RELEASE_REPO || RELEASE_REPO
+  const cache = caches.default
+  const cacheKey = new Request(`https://memoh.internal/downloads/latest-release/${encodeURIComponent(repo)}`)
+  const cached = await cache.match(cacheKey)
+  if (cached) return cached.json()
+
   const response = await githubFetch(`https://api.github.com/repos/${repo}/releases?per_page=30`, env)
   const latest = pickLatestRelease(await response.json())
 
   if (!latest) {
     throw new Error(`No published releases found for ${repo}`)
   }
 
+  ctx.waitUntil(cache.put(cacheKey, jsonResponse(latest, {
+    headers: cacheHeaders(LATEST_TTL_SECONDS),
+  })))
+
   return latest
 }
 
-const getRelease = async (tag, env) => {
+const getRelease = async (tag, env, ctx) => {
   if (tag === 'latest') {
-    return getLatestRelease(env)
+    return getLatestRelease(env, ctx)
   }
 
   const repo = env.MEMOH_RELEASE_REPO || RELEASE_REPO
@@ -172,11 +192,10 @@ const proxyAsset = async (request, env, ctx, tag, slug) => {
     if (cached) return withCacheStatus(cached, 'HIT')
   }
 
-  const release = await getRelease(tag, env)
-  const selected = findAsset(release, slug)
-  if (!selected) return notFound()
+  if (!ASSETS[slug]) return notFound()
 
-  const assetResponse = await fetch(selected.asset.browser_download_url, {
+  const repo = env.MEMOH_RELEASE_REPO || RELEASE_REPO
+  const assetResponse = await fetch(githubAssetUrl(repo, tag, slug), {
     method: request.method === 'HEAD' ? 'HEAD' : 'GET',
     headers: {
       'user-agent': 'memoh-landing-download-proxy',
@@ -195,8 +214,8 @@ const proxyAsset = async (request, env, ctx, tag, slug) => {
     headers: assetResponse.headers,
   })
   response.headers.set('cache-control', `public, max-age=${ASSET_TTL_SECONDS}, immutable`)
-  response.headers.set('content-disposition', `attachment; filename="${downloadFileName(release.tag_name, slug)}"`)
-  response.headers.set('x-memoh-release-tag', release.tag_name)
+  response.headers.set('content-disposition', `attachment; filename="${downloadFileName(tag, slug)}"`)
+  response.headers.set('x-memoh-release-tag', tag)
   response.headers.set('x-memoh-cache', 'MISS')
   response.headers.delete('set-cookie')
 
@@ -238,7 +257,7 @@ export default {
         const cached = await cache.match(cacheKey)
         if (cached) return withCacheStatus(cached, 'HIT')
 
-        const release = await getRelease(parsed.tag, env)
+        const release = await getRelease(parsed.tag, env, ctx)
         const response = jsonResponse(request.method === 'HEAD' ? undefined : buildManifest(url, release, env.MEMOH_RELEASE_REPO || RELEASE_REPO), {
           headers: cacheHeaders(parsed.tag === 'latest' ? LATEST_TTL_SECONDS : ASSET_TTL_SECONDS, {
             'x-memoh-cache': 'MISS',
@@ -253,7 +272,7 @@ export default {
       if (!ASSETS[parsed.file]) return notFound()
 
       if (parsed.tag === 'latest') {
-        const release = await getRelease('latest', env)
+        const release = await getRelease('latest', env, ctx)
         const redirectUrl = new URL(request.url)
         redirectUrl.pathname = `${DOWNLOAD_PREFIX}/${encodeURIComponent(release.tag_name)}/${parsed.file}`