fix(ci): drop D1 migration step + add Paraglide compile to deploy job#51
Open
thunpisit wants to merge 1 commit into
Open
fix(ci): drop D1 migration step + add Paraglide compile to deploy job#51thunpisit wants to merge 1 commit into
thunpisit wants to merge 1 commit into
Conversation
Two issues hit when forking khaopad to a new project (caught by codustry/drvakuum-website during its first deploy): 1. D1 migration step fails with HTTP 7403 "account is not valid or not authorized" even when CLOUDFLARE_ACCOUNT_ID is set correctly. Root cause: the conventional `CLOUDFLARE_API_TOKEN` created from the "Edit Cloudflare Workers" template only grants `Workers Scripts — Edit`. D1's REST API needs the separate `D1 — Edit` permission. The deploy step itself works because it only needs Workers Scripts. Fix: drop the D1 step entirely, document the out-of-band command inline. Same pattern codustry/bactrack-website settled on. 2. Deploy job's `pnpm build` would fail because `src/lib/paraglide` is gitignored and the deploy job never compiled it. The gate job compiles it but each runner is fresh, so the artifact doesn't carry over. Adding the same compile step to the deploy job. Both bugs are silent on a freshly-forked repo because the gate job gates the deploy — by the time someone hits codustry#1, they've already had to set up CLOUDFLARE_API_TOKEN/CLOUDFLARE_ACCOUNT_ID and probably spent time wondering whether the token scope was wrong (it's not). The 7403 error message doesn't mention permissions, which makes this even harder to diagnose. Migrations are still trivial to apply manually: CLOUDFLARE_ACCOUNT_ID=<id> pnpm exec wrangler d1 migrations apply \ khaopad-db --remote --env staging
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two CI bugs that bite every fresh fork of khaopad. Both surfaced when bootstrapping
codustry/drvakuum-websitefrom this template — would have hitcodustry/bactrack-websitetoo if it weren't for the workaround in its deploy.yml.1. D1 migration step fails with 7403
Symptom on a fresh fork after wiring
CLOUDFLARE_API_TOKENandCLOUDFLARE_ACCOUNT_IDcorrectly:```
✘ ERROR A request to the Cloudflare API
/accounts//d1/database//query failed.
The given account is not valid or is not authorized to access
this service [code: 7403]
```
Even though the deploy step against the same account works fine.
Root cause: the conventional org-wide
CLOUDFLARE_API_TOKENis created from the "Edit Cloudflare Workers" template, which only grantsWorkers Scripts — Edit. D1's REST API needs the separateD1 — Editpermission. The 7403 error message doesn't mention permissions, which makes this hard to diagnose.Fix: drop the D1 step entirely, document the out-of-band command inline. Same pattern
codustry/bactrack-websitesettled on (their deploy.yml has the same comment block I'm proposing here).If a fork wants migrations in CI, they can create a repo-level
CLOUDFLARE_API_TOKENwithD1 — Editadded (it overrides the org-wide one for that repo only) and re-add a migration step.2. Deploy job missing Paraglide compile
The
deployjob runspnpm buildwithout first compiling Paraglide messages.src/lib/paraglideis gitignored, and each GitHub Actions job gets a fresh runner — so the gate job's compile output doesn't carry over. On any non-trivial fork the build fails on missing imports from\$lib/paraglide/messages.Fix: add the same compile step the gate job already has.
Test plan
codustry/drvakuum-website— first deploy went green: gate ✅ resolve-env ✅ deploy ✅ smoke-test ✅🤖 Generated with Claude Code