
fix: skip --env=production in deploy and allow Cloudflare secrets #43

Merged: chitcommit merged 1 commit into main from fix/deploy-worker-env on Mar 17, 2026

@chitcommit chitcommit commented Mar 17, 2026

Summary

  • Override environment to empty string in deploy-worker.yml — wrangler.toml uses flat config, not [env.production]
  • Add CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID to .github/allowed-workflow-secrets.txt so Governance Gates pass

Fixes both deploy failures from PR #42 merge:

  1. No environment found in configuration with name "production" (wrangler error)
  2. Disallowed workflow secret reference: CLOUDFLARE_API_TOKEN (governance gate)

Test plan

  • Governance Gates workflow passes (secret policy check)
  • Deploy Worker succeeds once CLOUDFLARE_API_TOKEN secret is set

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated deployment workflows to support environment-specific configurations and additional authentication credentials.

Deploy Worker failed because:
1. Reusable workflow defaults environment to 'production' but
   wrangler.toml has no [env.production] section — override to empty
2. CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID not in the
   workflow secret policy allowlist, failing Governance Gates

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
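
The governance gate that produced the second error is not shown on this page. As an added example (not the repository's code), here is a minimal Python version of such a check, assuming the allowlist file holds one secret name per line with `#` comments; the workflow snippet, the `example-org` path and the function names are constructed for illustration. It also flags `secrets: inherit` and dynamic `secrets[...]` lookups, which a name-only allowlist cannot evaluate.

```python
import re

# secrets.NAME, secrets['NAME'] or secrets["NAME"] inside a workflow expression
NAMED_REF = re.compile(r"""\bsecrets(?:\.([A-Za-z_]\w*)|\[\s*['"]([^'"]+)['"]\s*\])""")
# secrets[<expression>] cannot be resolved by reading the file
DYNAMIC_REF = re.compile(r"""\bsecrets\[\s*[^'"\s\]]""")
# `secrets: inherit` passes every secret to the called reusable workflow
INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*(#.*)?$")

# Constructed sample: a caller job shaped like the deploy workflow discussed above.
SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    uses: example-org/workflows/.github/workflows/deploy.yml@main  # hypothetical path
    with:
      service_name: chittycommand
      environment: ''
    secrets:
      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.cloudflare_account_id }}
"""

def parse_allowlist(text):
    """Assumed file format: one secret name per line, '#' starts a comment."""
    names = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {n.upper() for n in names if n}  # GitHub secret names are case-insensitive

def check_workflow(workflow_text, allowed):
    """Return (line_no, message) findings for one workflow file's text."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if INHERIT.match(line):
            findings.append((no, "secrets: inherit bypasses the name allowlist"))
            continue
        if DYNAMIC_REF.search(line):
            findings.append((no, "dynamic secrets[...] lookup cannot be checked"))
        for m in NAMED_REF.finditer(line):
            name = (m.group(1) or m.group(2)).upper()
            if name not in allowed:
                findings.append((no, f"Disallowed workflow secret reference: {name}"))
    return findings

if __name__ == "__main__":
    before = parse_allowlist("# constructed allowlist\nGITHUB_TOKEN\n")
    after = before | {"CLOUDFLARE_API_TOKEN", "CLOUDFLARE_ACCOUNT_ID"}
    for label, allowed in (("before", before), ("after", after)):
        print(label, check_workflow(SAMPLE_WORKFLOW, allowed))
```

Lines that only comment out a reference are still flagged, which errs on the side of failing the gate.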
@github-actions

  1. @coderabbitai review
  2. @copilot review
  3. @codex review
  4. @claude review
    Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

coderabbitai bot commented Mar 17, 2026

Walkthrough

Expands GitHub workflow configuration by adding two Cloudflare-related secrets (CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN) to the allowed workflow secrets allowlist and introduces an environment input parameter to the worker deployment workflow invocation interface.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Workflow Configuration: .github/allowed-workflow-secrets.txt | Added two new allowed workflow secrets: CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN to expand permitted secrets in workflow environments. |
| Worker Deployment Workflow: .github/workflows/deploy-worker.yml | Added environment input parameter to the reusable workflow call invocation interface for the worker deployment step. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes both main changes: skipping the production environment in the deploy workflow and allowing Cloudflare secrets. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/deploy-worker.yml (1)

18-20: LGTM - correct fix for flat wrangler.toml configuration.

Setting environment: '' correctly prevents the reusable workflow from passing --env=production to wrangler, which would fail since wrangler.toml doesn't define an [env.production] section. The Worker still operates in production mode via the ENVIRONMENT = "production" variable in [vars].

Consider adding a brief comment to prevent future confusion:

📝 Optional: Add a clarifying comment
   with:
     service_name: chittycommand
+    # Empty because wrangler.toml uses flat config without [env.*] sections
     environment: ''
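Review bot: the proposed comment above `environment: ''` explains why the value is empty but not why the key has to stay. Per the commit message, the reusable workflow defaults environment to 'production', so deleting the line would bring back --env=production; consider wording such as `# Keep empty: reusable workflow defaults to 'production'; wrangler.toml has no [env.*] sections`.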
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-worker.yml around lines 18 - 20, The workflow
already sets environment: '' to avoid wrangler passing --env=production; add a
brief inline comment next to the environment key explaining that an empty
environment prevents the reusable workflow from adding --env=production and that
production mode is still provided via the ENVIRONMENT var in [vars], so future
maintainers won't revert this change; reference the keys service_name and
environment in the comment for clarity.
📥 Commits

Reviewing files that changed from the base of the PR and between 426a0b7 and a46b7b4.

📒 Files selected for processing (2)
  • .github/allowed-workflow-secrets.txt
  • .github/workflows/deploy-worker.yml

@chitcommit chitcommit merged commit f42559d into main Mar 17, 2026
17 checks passed
@chitcommit chitcommit deleted the fix/deploy-worker-env branch March 17, 2026 10:04