This repository is the modern rebuild of the GetUp.org.au site, replacing the legacy Next.js implementation living at GetUp/getup.org.au-v2. The new stack moves us to SvelteKit, simplifies the asset pipeline, and pairs the public site with an authenticated Decap CMS workflow backed by GitHub.
Deeper integration with Campaigns By Me and a unified GetUp/CbM is featured.
- Framework swap: Next.js 12 → SvelteKit (Vite-powered) with Tailwind utility classes.
- Content editing: Decap CMS with a Cloudflare Worker proxy for authenticated GitHub reads/writes instead of Netlify/git-gateway.
- Hosting: static build deployed to Cloudflare Pages; Worker handles CMS auth/proxy behind Cloudflare Access.
- Content shape: JSON content under
content/feeds the components insrc/liband pages insrc/routes.
pnpm install
pnpm dev # runs Decap CMS local server + Vite dev server
pnpm build # production build
pnpm preview # serve the production build locallyTo run the dev server with HTTPS (useful for testing secure contexts, service workers, etc.):
# Use the dedicated script:
pnpm dev:https
# Or set the environment variable manually:
VITE_HTTPS=true pnpm devThis will:
- Automatically generate local SSL certificates using mkcert
- Serve the site at https://localhost:3000
- The first time you run it, you may need to install mkcert on your system:
# macOS brew install mkcert mkcert -install # Other platforms: see https://github.com/FiloSottile/mkcert#installation
Key entry points:
src/routes/+page.svelte– home page composition.src/lib/components/– UI building blocks (hero, campaign cards, etc.).static/config.yml– Decap CMS config that points editors at content files.
The CMS uses a secure architecture with Cloudflare Access and a private Worker:
Browser → getup-static-v3.gu.tools/edit → Cloudflare Access (Google login)
↓
Browser → getup-static-v3.gu.tools/api/* → Pages Function → [Service Binding] → Worker → GitHub API
(same origin) (internal only)
-
Cloudflare Access Application:
GetUp-V3- Protects
/apiand/editpaths ongetup-static-v3.gu.tools - Uses Google Workspace identity provider (restricted to org domain)
- Issues JWT tokens validated by the worker
- Protects
-
Pages Function (
functions/api/[[path]].js)- Proxies
/api/*requests to the worker via service binding - Forwards the
Cf-Access-Jwt-Assertionheader for authentication - Eliminates CORS issues by keeping requests same-origin
- Proxies
-
Decap Proxy Worker (
cloudflare/decap-proxy-worker.js)- Not publicly accessible (no workers.dev URL, no custom domain)
- Only reachable via the Pages Function service binding
- Validates Cloudflare Access JWTs (signature, expiry, audience)
- Proxies authenticated requests to GitHub API using a PAT
Configured in wrangler.toml under [pages]:
[[pages.services]]
binding = "DECAP_WORKER"
service = "getup-v3-decap-proxy-worker"This connects the Pages Function to the private worker without needing a public URL.
Set in wrangler.toml or Cloudflare dashboard:
GITHUB_TOKEN– GitHub PAT with repo access (set as secret)REPO_OWNER– GitHub org/user (e.g.,GetUp)REPO_NAME– Repository name (e.g.,getup.org.au-v3)ALLOWED_BRANCH– Branch for content operations (default:main)CF_ACCESS_TEAM_NAME– Zero Trust org name (e.g.,getup)CF_ACCESS_AUD– Access Application audience tag
All deploy commands read configuration from wrangler.toml.
pnpm deploy:worker # Deploy the Decap proxy worker
pnpm deploy:pages # Build and deploy to Cloudflare Pages
pnpm deploy # Deploy both (worker first, then pages)First-time setup only: wrangler secret put GITHUB_TOKEN (GitHub PAT with repo access)
Target GitHub location: GetUp/getup.org.au-v3. Initialize the repo here and push to that remote to make this the canonical v3 codebase.