Skip to content
wrangler-deploy

CI/CD

wrangler-deploy uses wrangler under the hood. CI runs the same wrangler.jsonc configs your local dev uses, unchanged. This page covers setting up pipelines that create PR preview environments automatically and clean them up on merge.

Authentication

Section titled “Authentication”

Set these environment variables in your CI:

Terminal window
CLOUDFLARE_API_TOKEN=xxx    # required
CLOUDFLARE_ACCOUNT_ID=xxx   # recommended (auto-detected if omitted)

For PR comments and check runs, also set:

Terminal window
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}

Pipeline

Section titled “Pipeline”

A minimal CI pipeline is two commands:

Terminal window
$ wd apply --stage pr-42
  + payments-db-pr-42 (d1) created
  + token-kv-pr-42 (kv) created
  + payment-outbox-pr-42 (queue) created
   3 resources applied


$ wd deploy --stage pr-42 --verify
   payment-api-pr-42 deployed
   payment-batch-workflow-pr-42 deployed
  Verification: 8 passed, 0 failed

--verify runs post-deploy coherence checks and fails the pipeline if anything is wrong.

Generate a workflow

Section titled “Generate a workflow”

Run this once to set up CI/CD:

Terminal window
$ wd ci init --branch main
   Generated .github/workflows/wrangler-deploy.yml

The generated workflow has three jobs:

  • preview (on PR open/sync) — wd apply + wd deploy --verify + wd ci comment + wd ci check
  • cleanup (on PR close) — wd destroy
  • deploy (on push to main) — wd apply + wd deploy --verify for production

CI subcommands

Section titled “CI subcommands”

wd ci comment --stage <name>

Section titled “wd ci comment --stage <name>”

Posts or updates a PR comment with worker URLs, a Mermaid topology diagram, resource tables, and secret status. Uses a <!-- wrangler-deploy --> HTML marker to update the same comment on subsequent pushes instead of creating new ones.

wd ci check --stage <name>

Section titled “wd ci check --stage <name>”

Posts a GitHub check run. If no state exists for the stage, the check reports failure and the command exits 1:

Terminal window
# Stage deployed successfully
$ wd ci check --stage pr-42
   Check run posted for pr-42


# Stage was never applied
$ wd ci check --stage pr-99
   No state found for stage "pr-99"
  (exit code 1)

Without this, CI would pass silently on a stage that was never deployed.

Permissions

Section titled “Permissions”

The generated workflow declares these permissions:

permissions:
  contents: read
  issues: write
  checks: write

If you write your own workflow, include these — without them, ci comment and ci check fail with 403 errors in repos that restrict the default GITHUB_TOKEN scope.