CI/CD Ship & operate

Official GitHub Actions patterns for Devflare

Devflare ships reusable GitHub Actions for setup, impact checks, deploy execution, and feedback, plus supported workflow strategies for validation, previews, production, and cleanup.

Treat GitHub workflows as policy and target selection. Treat the reusable Devflare actions as the supported mechanics for workspace setup, impact checks, explicit deploys, and GitHub feedback.

Best for: GitHub Actions with validation, preview, production, and cleanup lanes
Supported actions: 4 reusable actions
Package selector: picks which Devflare config deploys

GitHub Actions are a supported deployment surface

This page is the reference for running Devflare from GitHub Actions. The reusable actions and workflow shapes in this repository are the supported CI/CD patterns, not incidental excerpts copied out of one lucky workflow.

Keep the ownership split sharp: workflows decide when a lane runs, which permissions it gets, which package it targets, and what verification happens afterwards. The reusable Devflare actions own the mechanics that should stay consistent across repositories.

Inside this repository, use local action paths like .
From another repository, use .
Make the target package visible through instead of hiding package selection in a shell wrapper.
Keep validation, preview, production, and cleanup lanes explicit. They have different verification rules for good reasons.

Layer	Owns	Should not own
Workflow file	Triggers, permissions, concurrency, package selection, and verification order.	Deploy argument construction, Bun setup, or PR comment formatting.
	Bun installation, cache restore, and one shared workspace install.	Target selection or any deploy step.
	Change detection for one deployment target.	Cloudflare deploys or GitHub reporting.
	One explicit production or named preview-scope deploy.	PR comment policy or multi-package orchestration.
	PR comments, deployment records, and inactive cleanup updates.	Cloudflare deploy execution.

The goal

Reusable mechanics, explicit policy, and CI logs a human can still trust before coffee.

Supported reusable actions

Devflare ships four reusable GitHub Actions for the repeatable parts. Use them directly rather than cloning shell logic into every workflow file.

The action source lives in this repository, but the contract is meant to be reused: workspace setup, impact detection, deploy execution, and GitHub feedback are separate on purpose.

Action

devflare-setup-workspace

Setup

Install Bun, restore the Bun cache, and run one shared workspace install for the job.

Action

devflare-deploy-impact

Impact

Decide whether one target package actually needs a deploy before Cloudflare work starts.

Action

devflare-deploy

Deploy

Run one explicit production or named preview-scope deploy and expose outputs for later verification.

Action

devflare-github-feedback

Feedback

Publish PR comments, GitHub deployments, or both without mixing reporting into deploy execution.

Use once near the start of a job when later steps share the same checkout and dependency install. It installs Bun, restores the Bun cache, and runs the workspace install command from the chosen directory.

This action is intentionally target-agnostic. It prepares the workspace; it never decides what to deploy.

Best fit: one job that deploys more than one package or deploys and then runs follow-up verification.
In a monorepo, keep so package deploy steps can reuse the root install.
Later steps should set and after shared setup already ran.
If you only have one simple deploy step, you can let handle setup itself instead.

Use it when the job has shared setup work

This action exists so Bun setup and dependency installation stay boring. That is a compliment.

Prepare the workspace once

- uses: Refzlund/devflare/.github/actions/devflare-setup-workspace@next

with:

working-directory: .

Use before any Cloudflare work. It compares the target package against the relevant git range and tells the workflow whether a deploy is actually needed.

Call it once per deployment target. In multi-package preview families, that means one impact decision per worker or app, not one giant yes-or-no for the whole job.

Run it before deploys, not after — skipping a no-op deploy is the whole point.
Pass event metadata from GitHub instead of guessing at comparison refs in shell.
Keep one impact decision per target so the workflow can skip or deploy packages independently.
Promote the output into human-readable feedback. It makes skipped runs much easier to trust.

Key field	Why it matters
	Selects the workspace package whose changes should trigger a deploy.
	Lets shared files outside the package root invalidate that target too.
	The boolean gate your workflow should use before any deploy step runs.
	Short explanation you can surface in summaries, PR comments, and logs.
	Audit trail for what the comparison actually saw.

Use this to skip the boring non-events

No-op deploys still cost time, secrets exposure, and reviewer attention. This action exists to spend less of all three.

Gate the deploy before Cloudflare work starts

- name: Resolve documentation preview impact

id: impact

uses: Refzlund/devflare/.github/actions/devflare-deploy-impact@next

with:

target-package: documentation

default-branch: \${{ github.event.repository.default_branch }}

event-name: \${{ github.event_name }}

event-action: \${{ github.event.action || '' }}

push-before: \${{ github.event.before || '' }}

pull-request-base-sha: \${{ github.event.pull_request.base.sha || '' }}

pull-request-head-sha: \${{ github.event.pull_request.head.sha || '' }}

Use for the actual Devflare deploy step. It can prepare Bun and dependencies for a standalone job, or it can reuse shared setup from an earlier step.

The action requires one explicit target. Use for , or for . selects which package-local and scripts are in play.

Its outputs are the hand-off point for the rest of the workflow: , , , , , , and are all meant for later verification and GitHub feedback.

Production is the supported lane for strict control-plane verification. Leave at its default , and enable when you need a hard failure if Cloudflare keeps the old live deployment.
Preview workflows in this repository use named preview scopes and then perform app-level verification after the deploy step. That is the supported preview posture here.
Use when the package already wraps Devflare behind or another package-local script.
Use to reuse a workspace-root install while still deploying from a package subdirectory.
Pass and when you want workflow runs to map cleanly onto Cloudflare version history.

Input or output	Role
	Selects the package-local Devflare config and scripts.
	Requests an explicit deployment.
	Requests an explicit named preview deployment via .
	Controls whether the action enforces Cloudflare control-plane verification.
	Tightens production verification when a new live deployment must be visible.
, , ,	Outputs the rest of the workflow should consume for verification and feedback.

Choose exactly one target

The action intentionally rejects ambiguous callers. If a workflow cannot tell whether it is preview or production, the logs will not be much comfort later either.

Preview verification is different from production verification

Preview jobs still need real post-deploy checks for the application they expose. In this repository that means URL and content verification for documentation previews plus deployed-binding verification for the testing preview family.

Named preview deploy

- id: pr-deploy

uses: Refzlund/devflare/.github/actions/devflare-deploy@next

with:

working-directory: apps/documentation

install-working-directory: .

skip-setup: 'true'

skip-install: 'true'

deploy-command: bun run deploy --

preview-scope: \${{ needs.resolve-context.outputs.pr-preview-scope }}

verify-deployment: 'false'

deploy-message: Documentation PR preview \${{ github.sha }} (run \${{ github.run_id }})

deploy-tag: documentation-pr-preview-\${{ github.run_id }}

cloudflare-api-token: \${{ secrets.CLOUDFLARE_API_TOKEN }}

cloudflare-account-id: \${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

Explicit production deploy

- id: deploy

uses: Refzlund/devflare/.github/actions/devflare-deploy@next

with:

working-directory: apps/documentation

install-working-directory: .

deploy-command: bun run deploy --

production: 'true'

deploy-message: Documentation production \${{ github.sha }} (run \${{ github.run_id }})

deploy-tag: documentation-production-\${{ github.run_id }}

cloudflare-api-token: \${{ secrets.CLOUDFLARE_API_TOKEN }}

cloudflare-account-id: \${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

Use to publish the result after deploy and verification have already been decided. It can update a PR comment, a GitHub deployment record, or both.

Keeping feedback separate from deploy execution matters. You can retry reporting, mark cleanup inactive, or change comment grouping without touching the Cloudflare deploy mechanics.

Use for branch previews and production lanes that should show up in the GitHub Deployments UI.
Use for PR previews and group multiple sections into one stable comment with plus .
Use and after preview cleanup so GitHub stops pretending old previews are still alive.
Surface , , and log links so reviewers do not have to spelunk raw job output.

Field	Use it for
	Choose PR comments, GitHub deployments, or both.
	Differentiate normal reporting from cleanup or inactive updates.
	Publish , , , , or .
and	Keep one durable PR comment and merge multiple preview sections into it.
and	Populate the GitHub Deployments UI with the right environment identity.
and	Make failure context readable without digging through raw workflow output.

Publish grouped PR feedback

- uses: Refzlund/devflare/.github/actions/devflare-github-feedback@next

with:

github-token: \${{ github.token }}

mode: comment

operation: report

status: success

title: Documentation PR preview

comment-key: pr-deployment-status

comment-section-key: documentation-preview

pr-number: \${{ needs.resolve-context.outputs.pr-number }}

preview-url: \${{ steps.pr-deploy.outputs.preview-url }}

version-id: \${{ steps.pr-deploy.outputs.version-id }}

log-url: \${{ github.server_url }}/\${{ github.repository }}/actions/runs/\${{ github.run_id }}

Supported workflow files and deployment strategies

The repository currently demonstrates three workflow files and six supported lane types. You do not need to collapse them into one mega-workflow to be “official”; the official part is the clear contract between the workflow lane and the reusable actions.

workspace-ci.yml

Validation-only lane for the monorepo. No Cloudflare target, no deploy side door.

preview.yml

Shared preview lifecycle workflow for branch previews, PR previews, multi-package preview families, and cleanup.

documentation-production.yml

Explicit production lane for the documentation app with live verification after deploy.

Strategy	Verification style	GitHub surface
Validation only	Workspace build, typecheck, and test validation.	None — this lane does not deploy.
Branch preview	Target checks plus app-level verification after deploy.	GitHub deployment record.
Pull request preview	Target checks plus app-level verification after deploy.	Grouped PR comment.
Multi-package preview family	Per-package deploys plus family-level verification.	GitHub deployment record and grouped PR comment.
Production	Deploy action control-plane checks plus live URL verification.	GitHub deployment record.
Cleanup	Successful cleanup command plus inactive feedback update.	Inactive deployment or PR comment section.

Validation strategy:

is the validation lane. It restores Bun and Turborepo caches, installs once, and runs .

It intentionally does not choose a Cloudflare target or request Cloudflare secrets. That keeps repo-wide confidence separate from deploy intent.

Trigger it on repo-wide changes that affect apps, cases, packages, or shared tooling.
Use it to prove the monorepo still builds, types, and tests before package-specific deploy lanes matter.
Treat it as a prerequisite lane, not a back door into deployment.

Validation stays validation

If a workflow validates the workspace, let it do that well. Sneaking deploy behavior into it is how release lanes get mysterious.

Branch preview strategy

Non-default branch pushes get a stable branch-named preview scope in . The workflow resolves context once, sets up the workspace once, and then updates only the affected targets for that branch scope.

This is the supported pattern when you want a shareable branch preview that survives multiple pushes and can also coexist with a PR-scoped preview.

preview.yml

The shared preview workflow resolves context once and then updates branch-scoped targets separately from PR-scoped targets.

The preview scope is the source branch name.
Run before each deploy target so unchanged packages skip Cloudflare work.
Publish a GitHub deployment record for branch previews so reviewers can find the environment history.
Follow the deploy with app-specific verification, not just “the command exited”.

Pull request preview strategy

Pull requests targeting the default branch get a stable preview scope in the same workflow. The workflow can update the branch preview, the PR preview, or both from the same checkout when that branch already belongs to an open PR.

PR preview reporting is grouped into one comment so documentation and testing results update in place instead of spraying the thread with duplicate status noise.

Use , , and to create or refresh the PR preview.
Use plus section keys to merge multiple preview lanes into one durable comment.
If impact says , report and leave the existing preview in place rather than tearing it down.
Keep branch and PR deploy steps separate even when they share preparation work. They are different targets with different review questions.

Stable PR scopes reduce churn

Updating in place is much easier to review than minting a brand-new preview identity on every commit.

Multi-package preview family strategy

Some applications are really a family of workers. is the reference pattern: auth service, search service, and main app deploy separately, but they share one preview scope and one workflow lane.

This is the supported strategy when previews need stronger isolation than same-worker uploads can provide, or when bindings across multiple workers must resolve together.

verify-testing-preview-deployment.ts

The testing preview family finishes with a purpose-built verification script that checks the deployed binding shape, not just deploy command exit codes.

Evaluate impact per worker or app package.
Deploy each package with its own and the same .
Add one family-level verification step after the main deploy to confirm the deployed bindings and URLs line up.
Publish both deployment records and grouped PR feedback from the same verified result.

This is the right instinct for DO-heavy or service-bound apps

When one preview really means several workers plus shared bindings, model that explicitly instead of pretending one same-worker upload tells the full truth.

Production strategy

is the reference production lane: resolve impact, perform one explicit production deploy, verify the live site, and then publish a GitHub deployment.

This is the supported split for production automation: let the deploy action handle Cloudflare control-plane verification, then add one live check that proves the currently served app really matches the commit you just shipped.

documentation-production.yml

The reference production workflow for a Devflare app: impact check, explicit production deploy, live verification, then GitHub deployment feedback.

Run on default-branch pushes or manual dispatch.
Use instead of inferring production from branch names inside shell logic.
Keep enabled for production.
Use the deploy output URL or the stable production URL for a live content check like .
Publish the final environment URL and version ID back to GitHub.

Production gets the strictest verification

Production should fail when the control plane or the live URL cannot prove what is serving. Better a loud release lane than a confident fiction.

Cleanup strategy

Cleanup is a supported lifecycle lane, not an afterthought. handles branch deletion, PR closure, and manual cleanup dispatches from the same policy surface as preview creation.

Each cleanup job checks out the default branch, reinstalls the shared workspace, runs , and then marks the matching GitHub deployment or PR comment section inactive.

Use branch deletion or manual dispatch for branch-scoped cleanup.
Use PR closure for PR-scoped cleanup.
Keep the scope name identical to the deploy lane so cleanup is obvious and deterministic.
Mark feedback inactive after infrastructure cleanup so GitHub reflects reality instead of wishful thinking.

Cleanup is part of the contract

A preview strategy that never documents cleanup is just deferred archaeology.

SvelteKit

Hand SvelteKit's Cloudflare adapter output to Devflare via (the adapter worker is a build artifact and does not exist until runs), keep in , and compose into so local platform bindings line up with the Worker runtime Devflare manages.

Deploy recipes

Use build, dry-run, production deploy, named preview deploy, same-worker preview upload, cleanup, and GitHub Actions as separate recipes with visible effects.

GitHub Actions are a supported deployment surface

Supported reusable actions

devflare-setup-workspace

devflare-deploy-impact

devflare-deploy

devflare-github-feedback

devflare-setup-workspace

devflare-deploy-impact

devflare-deploy

devflare-github-feedback

Supported workflow files and deployment strategies

workspace-ci.yml

preview.yml

documentation-production.yml

Validation strategy: workspace-ci.yml

Branch preview strategy

preview.yml

Pull request preview strategy

Multi-package preview family strategy

verify-testing-preview-deployment.ts

Production strategy

documentation-production.yml

Cleanup strategy

SvelteKit

Deploy recipes

Validation strategy: