Deployment Runbook
This runbook covers staging and production deployments for a Factory app Worker.Environment overview
| Environment | Wrangler env | Domain |
|---|---|---|
| Local dev | (none) | localhost:8787 |
| Staging | staging | {app}-staging.{account}.workers.dev |
| Production | production | {app}.thefactory.dev |
{account} is always adrper79, so staging-style Worker URLs use {app}-staging.adrper79.workers.dev and direct production Worker URLs use {app}.adrper79.workers.dev unless a custom domain is documented in Service Registry.
Secrets are managed per-environment via Wrangler secrets and are never stored in source.
Prerequisites
CF_API_TOKENwith Workers Deploy permission (this is the canonical name used by all Factory workflows)CLOUDFLARE_ACCOUNT_IDfor the target account- GitHub Actions: both secrets must be set at the repo level
⚠️ Token naming note: Factory workflows useCF_API_TOKEN(notCLOUDFLARE_API_TOKEN). Both are set as GitHub secrets on every app repo so tools that look for either name will work. When writing new workflows, always referencesecrets.CF_API_TOKEN. See GitHub Secrets Runbook for full details.
1. Deploy to staging
Ready-to-deploy checklist
-
npm run typecheckpasses with zero errors. -
npm run lintpasses with--max-warnings 0. -
npm testpasses for touched packages/apps. -
npm run buildpasses when the package/app defines a build script. - Required Wrangler secrets are set for the target Worker.
- Service Registry has the canonical Worker name, URL, critical endpoints, consumers, bindings, and secrets.
- Any Worker rename followed the rename protocol before deployment.
- Rollback path is known before production deploy begins.
Via GitHub Actions
Push to thestaging branch, or trigger the deploy-staging workflow manually:
2. Smoke-test staging
Per-app smoke tests
After every staging or production deploy, test the Worker-specificcritical_endpoints listed in Service Registry, not only /health.
Minimum smoke set:
GET /healthreturns200.- Public read endpoints return the documented status.
- Protected endpoints return
401or403without credentials, not5xx. - Authenticated operator endpoints return the expected status with valid credentials.
- Mutating endpoints reject invalid payloads with structured
4xxerrors.
schedule-worker:/health,/jobs/pending,/jobs/:id,/jobs,/migrate.video-cron:/health,/trigger.
Smoke Video Phase 0 GitHub Actions workflow. It verifies public health, anonymous 401 responses, idempotent migration, a synthetic schedule-to-failed audit flow, and the authenticated video-cron trigger path.
Do not mark deployment complete until the expected HTTP status codes are observed directly.
3. Deploy to production
Via GitHub Actions
Merge tomain. The deploy.yml workflow runs automatically:
typecheckjob must pass.deployjob runswrangler deploy.- Cloudflare returns a deployment URL — verify
/health.
4. Rollback
Before rollback, confirm whether rollback is safe:- Schema changed? Prefer a forward fix if rollback would strand new rows or break migrated data.
- Consumers changed? Roll back consumers first if the Worker URL or response contract changed.
- Secrets changed? Verify the previous deployment can still read required Wrangler secrets.
- Money movement involved? Pause payouts/webhooks before rollback and reconcile after recovery.
- Telemetry changed? Keep correlation IDs stable so incident review remains traceable.
Instant rollback (last deployment)
Rollback to a specific deployment
5. Check deployment status
6. Monitor after deploy
- Check Sentry for new error spikes (first 15 minutes are critical).
- Check PostHog for any drop in key events (page views, conversions).
- Check Cloudflare Analytics for error rate; alert threshold is > 1% 5xx.