fix(ci): bust Cloudflare.Vite memo so prod tracks main

[cooper (czxtm)]

Summary

Fixes stackpanel.com silently lagging main when a merge touches only packages/** (e.g. @stackpanel/api, @stackpanel/auth, @stackpanel/db).

apps/web uses alchemy's Cloudflare.Vite, which content-hashes the Worker's working directory (apps/web/) to decide whether a rebuild + upload is needed. Workspace dependencies under packages/** live outside that scope, so a push-to-main that only touches those packages hashes identically to the last deploy and alchemy short-circuits with "no change" — silently skipping the Vite build and the Worker upload. The apex stays frozen on whichever commit last happened to touch apps/web/.

Evidence

• PR feat(db): add example values to all protobuf schemas #23 merge (run 25207387008, sha b8cccf75) — touched apps/web/ → ran Vite build + uploaded a 28.20 MB worker. ✅
• PR feat(db): apply file-based Drizzle migrations programmatically at startup #25 merge (run 25216266546, sha 86bd256b) — touched only packages/db/**, packages/auth/** → Deploy step completed in ~10s with zero Vite output and printed ✓ TanstackStart (Cloudflare.Worker) no change. ❌

As of now, stackpanel.com serves the bundle from the PR #23 merge — PR #25's runtime-migration changes never reached prod.

Fix

Stamp a .build-info file inside apps/web/ (containing the commit SHA + refs) before alchemy deploy. The file sits inside the default memo scope and is not gitignored — so every CI run produces a fresh hash and alchemy is forced to rebuild + upload. Ephemeral on the runner; no secrets.

Leaves Cloudflare.Vite and the memo scope alone — minimum blast radius, matches the existing CI pattern of "stage resolution → install → deploy".

docs/ and api/ are untouched:

• docs/ already pre-builds with bun run build:worker + Cloudflare.Worker (hash = main bundle bytes, naturally covers upstream changes) — verified live-deployed on the PR feat(db): apply file-based Drizzle migrations programmatically at startup #25 merge (31.07 MB upload).
• api/ deploys have been failing since 2026-04-29 with Cannot find module '@stackpanel/infra/lib/deploy' from apps/api/alchemy.run.ts — unrelated to this fix; filed separately.

Test plan

• Merge → watch Deploy Web run on main → confirm the step shows Vite build output and ✓ TanstackStart (Cloudflare.Worker) updated with Uploading worker (XX MB).
• curl -sI https://stackpanel.com/ → confirm new cf-ray and a response served by the fresh Worker.
• After PR feat(env): build-time secret injection + effect/Config consumer reads #26 lands, re-verify that curl -sS -X POST 'https://stackpanel.com/api/trpc/waitlist.join?batch=1' -H 'content-type: application/json' -d '{"0":{"json":{"email":"test@example.invalid"}}}' no longer returns the default-secret 500.

[cursor]

PR Summary

Medium Risk
Changes the production deploy workflow behavior by forcing a rebuild/upload on every run, which could increase deploy time/costs or mask real memo behavior, but is limited to CI and contains no secrets.

Overview
Ensures Deploy Web no longer skips Cloudflare Worker rebuilds when only workspace packages change by writing a non-gitignored apps/web/.build-info file (commit/run metadata) before alchemy deploy, forcing Cloudflare.Vite's content-hash memo to change on every CI run.

^{Reviewed by Cursor Bugbot for commit 1ccea00. Configure here.}

[github-actions]

Preview pr-27 has been destroyed.