From bd0d4b13bcb24dc332d2b1e2626bb696c5c3de1e Mon Sep 17 00:00:00 2001
From: fullstackjam
Date: Tue, 9 Jun 2026 22:38:07 +0800
Subject: [PATCH] ci: manage worker secrets via wrangler-action in deploy

Push GITHUB_CLIENT_ID/SECRET, GOOGLE_CLIENT_ID/SECRET and JWT_SECRET to the Worker on each deploy, sourced from repo Actions secrets. GITHUB_* worker secrets map from GH_OAUTH_* actions secrets (GITHUB_ prefix is reserved). SENTRY_DSN stays manually managed on Cloudflare.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/deploy.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 3ee4e63..fe54994 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -40,6 +40,18 @@ jobs:
 with:
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+ secrets: |
+ GITHUB_CLIENT_ID
+ GITHUB_CLIENT_SECRET
+ GOOGLE_CLIENT_ID
+ GOOGLE_CLIENT_SECRET
+ JWT_SECRET
+ env:
+ GITHUB_CLIENT_ID: ${{ secrets.GH_OAUTH_CLIENT_ID }}
+ GITHUB_CLIENT_SECRET: ${{ secrets.GH_OAUTH_CLIENT_SECRET }}
+ GOOGLE_CLIENT_ID: ${{ secrets.GOOGLE_CLIENT_ID }}
+ GOOGLE_CLIENT_SECRET: ${{ secrets.GOOGLE_CLIENT_SECRET }}
+ JWT_SECRET: ${{ secrets.JWT_SECRET }}
 - name: Health Check
 run: |
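Review bot: The `env:` block added to the deploy step places `JWT_SECRET` and both OAuth client secrets in the environment of a third-party action, and the step's `uses:` line and the job's trigger both sit outside this hunk, so nothing visible here shows how that exposure is bounded. It is worth confirming that the action is pinned to a full commit SHA rather than a mutable tag, and that the job runs only from the protected branch, ideally under a protected environment with these five values stored as environment secrets, e.g. `environment: production` on the job. If one of the Actions secrets is unset the expression expands to an empty string; the action appears to fail on a missing value rather than upload it, but that should be verified once, since an empty `JWT_SECRET` on the Worker would undermine token signing. A comment above `env:` would also keep the rename visible in the file: `# GITHUB_* is reserved for Actions secret names, so the Worker's GITHUB_CLIENT_* values come from GH_OAUTH_*`.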