fix(registry): correct cf entry by dropping wrong workers-sdk repo for npm URL #87
Merged
…m URL

The cf entry in registry.yaml had `repo: cloudflare/workers-sdk`, but cf is not actually in that monorepo. I enumerated all 29 packages in cloudflare/workers-sdk — none has `bin: cf`. The npm `cf` package itself (currently v0.0.5) ships pre-bundled and declares no `repository`, `homepage`, `bugs`, or `author` fields — Cloudflare's Technical Preview is published to npm without disclosing the source repo.

Side effects of the original wrong entry:

- The build's registry-index emitted a deterministic "duplicate owner/repo" mapping: cloudflare/workers-sdk → cf (overwriting wrangler in YAML order). A user pasting github.com/cloudflare/workers-sdk into the future live-scoring form would land on /score/cf instead of the more-canonical /score/wrangler.
- /score/cf linked to the wrong upstream repo.

Replace `repo:` with `url: https://www.npmjs.com/package/cf` (the canonical distribution surface for cf today) and add an inline comment explaining why there's no GitHub repo. The schema treats url as a fallback when repo is absent, so the scorecard page renders correctly (verified: dist/score/cf.html + cf.md still emit).

After this change:

- Build warning 'duplicate owner/repo cloudflare/workers-sdk' is gone.
- cf falls into the same 'no parseable owner/repo — skipped' bucket as make and nvidia-smi (legitimate; these tools have no canonical source repo).
- The discovery-chain reverse-lookup map for cloudflare/workers-sdk now correctly resolves to wrangler.

Surfaced during the post-deploy log review for release PR #85.
brettdavies added a commit that referenced this pull request May 15, 2026
…prod assets (#88)

## Summary

Split the wrangler configuration into two fully independent files (`wrangler.jsonc` for production, `wrangler.staging.jsonc` for staging) and force a single-character byte divergence between the two compiled Worker scripts. Workaround for [cloudflare/workers-sdk#13925](cloudflare/workers-sdk#13925).

The bug we hit: in a single-config multi-env shape (one wrangler.jsonc with a top-level block plus `env.staging`), staging deploys silently overwrite what production serves for any URL path whose asset content differs between the two builds. Cloudflare's asset deduplication appears to key on the compiled Worker script's etag; the multi-env shape produces byte-identical scripts (the bindings differ but they're not part of the script bytes), so the two Workers share an asset namespace.

This was caught during a post-release log audit on PR #85. anc.dev was observed serving the post-PR-#87 content for `/registry-index.json`, `/score/cf.html`, and `/score/cf.md`, despite production having no new deploy since PR #85's merge. Production-deployed assets had been silently overlaid by the subsequent staging deploy. Full reproduction with version IDs, etags, and content hashes is in the upstream issue.

## Changelog

### Changed

- Deploy configuration now uses two independent wrangler config files (`wrangler.jsonc` for production on anc.dev, `wrangler.staging.jsonc` for staging on the workers.dev subdomain). The previous single-file multi-env shape (top-level plus `env.staging`) is gone. Adding new bindings or changing observability now requires editing both files; the trade-off is real asset isolation between environments.
- Every response now carries an `X-Build-Env` header set to `production`, `staging`, or `development` (the development value surfaces only when the Worker code is exercised by the bun test runner). The header is diagnostic and also the mechanism that keeps the two compiled Worker scripts at distinct etags: each config's `define` substitutes a different literal string into `src/worker/index.ts`'s `__BUILD_ENV__` reference.

### Fixed

- Staging deploys no longer overwrite production-served asset content. The two compiled Worker scripts now have distinct etags by construction, which keeps their asset namespaces isolated even on Cloudflare's current shared-namespace implementation.

### Documentation

- `RELEASES.md` deploy section documents the two-config layout and links to [cloudflare/workers-sdk#13925](cloudflare/workers-sdk#13925).
- `RELEASES.md` sandbox image release procedure points at `wrangler.jsonc` and `wrangler.staging.jsonc` instead of the old `env.staging` block.
- `docker/sandbox/README.md` updated to match.

## Type of Change

- [x] `fix`: Bug fix (non-breaking change which fixes an issue)

## Related Issues/Stories

- Story: Surfaced during a post-deploy log audit of release PR #85 plus the cf-vs-wrangler registry-data investigation in PR #87. The first staging deploy after PR #87 silently replaced anc.dev's `/registry-index.json` content.
- Issue: [cloudflare/workers-sdk#13925](cloudflare/workers-sdk#13925)
- Architecture: None (workaround pattern; awaiting upstream resolution).
- Related PRs: #85, #86, #87.

## Files Modified

**Modified:**

- `wrangler.jsonc`: dropped the `env.staging` block, added a `define` for `__BUILD_ENV__: "production"`.
- `.github/workflows/deploy.yml`: staging job uses `--config wrangler.staging.jsonc`; production job retains the default `wrangler deploy`.
- `.github/workflows/ci.yml`: sandbox image-pin guard reads both configs via `--config`.
- `scripts/hooks/pre-push`: wrangler dry-run step now covers both configs.
- `src/worker/index.ts`: declared `__BUILD_ENV__` and the `BUILD_ENV` constant with a `development` fallback for tests.
- `src/worker/headers.ts`: `applyHeaders` accepts a `buildEnv` option and emits `X-Build-Env` on every response.
- `tests/worker.test.ts`: every `applyHeaders` call site updated with `buildEnv: 'development'`; three new tests cover the `X-Build-Env` header for each env value.
- `RELEASES.md`: deploy table updated, new subsection on the two-config layout, sandbox image release procedure rewritten.
- `docker/sandbox/README.md`: pin location updated.
- `styles/config/vocabularies/site/accept.txt`: legitimate technical terms (`configs`, `etag`, `etags`, `deduplication`, `namespaces`, `envs`, `CF's`) added so the new prose passes Vale at the error tier.

**Created:**

- `wrangler.staging.jsonc`: standalone staging config with all the same fields production needs, plus `define` setting `__BUILD_ENV__: "staging"`.

**Renamed:**

- None.

**Deleted:**

- None.

## Testing

- [x] Unit tests added/updated
- [x] All tests passing

**Test Summary:**

- 318 unit and regression tests pass (315 prior + 3 new `X-Build-Env` cases).
- `bun x wrangler deploy --dry-run --config wrangler.jsonc`: clean, lists the production-side bindings (anc-score-cache R2, rate-limit namespace 1001, prod container app).
- `bun x wrangler deploy --dry-run --config wrangler.staging.jsonc`: clean, lists the staging-side bindings (anc-score-cache-staging R2, rate-limit namespace 1002, staging container app).
- The two dry-run outputs report different compressed sizes (28.36 vs 28.35 KiB), evidence that the compiled scripts now have distinct content thanks to the `define` substitution.
- Pre-push gate (lint, build, 318 tests, both wrangler dry-runs, pack-README, banned-fonts, prose-check) passes end-to-end.
- prose-check: 0 blocking, 1108 warning.

**Post-merge verification plan:**

After the staging deploy on this PR's merge to dev:

- `curl -sI https://agentnative-site-staging.brettdavies.workers.dev/` returns 200 with `X-Build-Env: staging` and `X-Robots-Tag: noindex`.
- The deployed staging Worker version has a new script etag (different from the previously-staged version).

After the next release PR to main:

- `curl -sI https://anc.dev/` returns 200 with `X-Build-Env: production` and no `X-Robots-Tag` header.
- Compare the new production Worker version's script etag against the staging version's: they should differ. That confirms the fix is in effect.
brettdavies added a commit that referenced this pull request May 15, 2026
## Summary

Third production release of the day. Bundles all post-PR-#85 dev work that survived today's incident, namely the three PRs that are net additive after the failed split-config experiment (PR #88) and its revert (PR #89) cancel out: PR #86 (explicit Wrangler env target + dual-env pre-push dry-run), PR #87 (corrected `cf` registry entry pointing at its npm distribution surface), and PR #90 (the actual fix for the 2-week routing-drift bug: explicit `routes: []` override on `env.staging` to break Wrangler's inheritable-keys inheritance, plus prophylactic `triggers: { crons: [] }` override for the same trap shape).

The headline is PR #90's wrangler.jsonc change. anc.dev is currently bound to the production Worker (after a manual rebind earlier today), and PR #90's staging-deploy verification confirmed the routing fix holds: the `Deployed agentnative-site-staging triggers` block no longer lists `anc.dev (custom domain)`, and the CF API confirms the binding stays on `agentnative-site` through staging deploys. Promoting that wrangler.jsonc state to main means the routing fix is in the committed source-of-truth, not just in dev's history.

User-facing effects on anc.dev after this deploy: the corrected `/registry-index.json` and `/score/cf` content from PR #87 reach production (today they live on staging only); the env-target explicitness from PR #86 removes the wrangler ambiguity warning from the next production deploy log. The Worker code itself, bindings, and DO migrations are unchanged.

## Changelog

### Fixed

- Stop staging deploys from re-attaching `anc.dev` to the staging Worker on every dev push. The routing-drift bug tracked since 2026-04-30 was caused by `env.staging` silently inheriting the top-level `routes` array. Explicit `routes: []` override on `env.staging` breaks the inheritance. anc.dev now stays on the production Worker across staging deploys.
- Correct the `cf` entry in `registry.yaml`. The previous entry claimed `repo: cloudflare/workers-sdk`, but `cf` is not in that repo and the npm package itself declares no repository. Replaced with a `url:` pointing at the npm distribution page. Side effect: the build's reverse-lookup map for `cloudflare/workers-sdk` now correctly resolves to `wrangler` instead of `cf`.

### Changed

- Pass `--env=""` explicitly on the production wrangler-action deploy command. Removes the "Multiple environments are defined" ambiguity warning from production deploy logs.
- Pre-push hook now runs `wrangler deploy --dry-run` for both the production and staging environments instead of one bare invocation. Catches binding mistakes in either environment before push.
- Added explicit `triggers: { crons: [] }` override on `env.staging` as a prophylactic against the same inheritance trap shape on scheduled triggers. Currently no scheduled triggers; the override forces a deliberate decision when adding any.

## Type of Change

- [x] `fix`: Bug fix (non-breaking change which fixes an issue)

The release is multi-typed (one fix headline plus two ride-along changes) but `fix` headlines because PR #90's routes-inheritance fix is the durable resolution of the 2-week routing-drift incident.

## Related Issues/Stories

- Story: Closes the production side of the routing-drift fix arc. PR #85 brought `agentnative-site` (named-prod) current and manually rebound anc.dev to prod, but the fix was not durable because the underlying wrangler.jsonc still inherited the prod route into `env.staging` on every staging deploy. PR #90 fixed the inheritance in source; this release ships that to main.
- Issue: [cloudflare/workers-sdk#13925](cloudflare/workers-sdk#13925), rewritten today as a docs/UX bug describing the inheritance trap and recommending a deploy-time warning when env blocks silently inherit a `routes` array containing custom domains.
- Architecture: `docs/solutions/integration-issues/wrangler-routes-inheritance-staging-custom-domain-drift-2026-05-15.md` (dev-only) for the full investigation writeup.
- Related PRs: #85, #86, #87, #88 (reverted), #89 (revert), #90.

## Files Modified

**Modified:**

- `wrangler.jsonc`: env.staging block now explicitly overrides `routes: []` and `triggers: { crons: [] }` to break Wrangler's inheritable-keys inheritance. Top-level production config unchanged (`routes: [{ pattern: "anc.dev", custom_domain: true }]`, `workers_dev: false`).
- `.github/workflows/deploy.yml`: production job's wrangler-action command is `deploy --env=""` (was bare `deploy`); staging job's command is unchanged (`deploy --env staging`).
- `scripts/hooks/pre-push`: replaces the single bare `wrangler deploy --dry-run` step with two dry-runs, one per environment (`--env=""` and `--env staging`).
- `registry.yaml`: `cf` entry replaces `repo: cloudflare/workers-sdk` with `url: https://www.npmjs.com/package/cf` and an inline comment explaining why.

**Created:**

- None.

**Renamed:**

- None.

**Deleted:**

- None.

## Testing

- [x] Unit tests added/updated
- [x] All tests passing

**Test Summary:**

- 315 unit and regression tests pass.
- `bun x wrangler deploy --dry-run --env=""`: clean, lists the production-side bindings (Sandbox DO, R2 bucket `anc-score-cache`, rate-limit namespace 1001, ASSETS). Container image pinned at `:30f61f1`.
- `bun x wrangler deploy --dry-run --env staging`: clean, lists the staging-side bindings (R2 `anc-score-cache-staging`, rate-limit namespace 1002). The `Deployed triggers` section in dry-run output is suppressed.
- Pre-push hook (lint, build, both wrangler dry-runs, pack-README, banned-fonts, prose-check) passes end-to-end.
- prose-check: 0 blocking.

**Post-merge verification plan** (after the production deploy on this PR's merge):

- Production deploy log's `Deployed agentnative-site triggers` section lists only `anc.dev (custom domain)`. The wrangler ambiguity warning is gone from the log thanks to `--env=""`.
- `curl https://anc.dev/registry-index.json` returns the corrected mapping (`cloudflare/workers-sdk` → `wrangler`, md5 should match the dev-side build, which is `f50579f244013d2b76e999a9502f4e46`).
- `curl -sI https://anc.dev/` returns 200 with no `X-Robots-Tag` header (production Worker).
- CF API confirms `anc.dev` Custom Domain record stays on `service: agentnative-site` after the deployment completes.
- A subsequent dev push (next staging deploy) leaves `anc.dev` on production. This is the durability test: pre-PR-#90, every staging deploy would have flipped the binding; post-PR-#90, it should not.
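A pre-deploy guard for the inheritance trap described in the release notes above, as an added example that is not code from this repository: given an already-parsed Wrangler config object, it reports every `env.*` block that would inherit a top-level custom-domain route or cron trigger because it does not declare the key itself. The function names and both sample configs are constructed for illustration, and only `routes` and `triggers` are checked.

```javascript
// Added example, not code from this repository. Function names and both
// sample configs are constructed; only `routes` and `triggers` are checked.

// Patterns of the top-level routes that bind a custom domain.
function customDomains(routes) {
  if (!Array.isArray(routes)) return [];
  return routes
    .filter((r) => r !== null && typeof r === "object" && r.custom_domain === true)
    .map((r) => r.pattern);
}

// True when the top-level triggers schedule at least one cron.
function hasCrons(triggers) {
  return Boolean(triggers) && Array.isArray(triggers.crons) && triggers.crons.length > 0;
}

// Report every env block that would inherit a guarded top-level key because
// it does not declare that key itself. An explicit override, even an empty
// one such as `routes: []`, counts as a deliberate decision and passes.
function findInheritedKeys(config) {
  const findings = [];
  const domains = customDomains(config.routes);
  for (const [env, block] of Object.entries(config.env || {})) {
    const declares = (key) => Object.prototype.hasOwnProperty.call(block || {}, key);
    if (domains.length > 0 && !declares("routes")) {
      findings.push({ env, key: "routes", detail: `inherits ${domains.join(", ")}` });
    }
    if (hasCrons(config.triggers) && !declares("triggers")) {
      findings.push({ env, key: "triggers", detail: "inherits top-level crons" });
    }
  }
  return findings;
}

// Constructed config in the shape the release notes describe before the fix.
const inheritingConfig = {
  workers_dev: false,
  routes: [{ pattern: "anc.dev", custom_domain: true }],
  env: { staging: { workers_dev: true } },
};

// Same config with the explicit overrides the fix adds to env.staging.
const overriddenConfig = {
  ...inheritingConfig,
  env: { staging: { workers_dev: true, routes: [], triggers: { crons: [] } } },
};

for (const [label, cfg] of [["inheriting", inheritingConfig], ["overridden", overriddenConfig]]) {
  const findings = findInheritedKeys(cfg);
  console.log(label, findings.length === 0 ? "ok" : JSON.stringify(findings));
}
```

A non-empty result is meant to fail the pipeline step that runs it, before any deploy happens.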
## Summary

Correct the `cf` entry in `registry.yaml`. The previous entry claimed `repo: cloudflare/workers-sdk`, but `cf` is not in that repo. I enumerated all 29 packages in `cloudflare/workers-sdk` and none has `bin: cf`. The npm `cf` package itself (currently v0.0.5) ships pre-bundled and declares no `repository`, `homepage`, `bugs`, or `author` fields. Cloudflare's Technical Preview is published to npm without disclosing the source repository.

The wrong `repo:` had two downstream effects:

- `cloudflare/workers-sdk` to `cf` (overwriting wrangler in YAML order). A user pasting `github.com/cloudflare/workers-sdk` into the future live-scoring form would land on `/score/cf` instead of `/score/wrangler`. The build's "duplicate owner/repo" warning was a symptom of this.
- `/score/cf` page linked to the wrong upstream repository.

Replace `repo:` with `url: https://www.npmjs.com/package/cf` (the canonical distribution surface for `cf` today) and add an inline comment explaining why there is no GitHub repo. The registry schema treats `url:` as the fallback when `repo:` is absent, so the scorecard page still renders.

Surfaced during the post-deploy log review for release PR #85.

## Changelog

### Fixed

- `/score/cf` and the registry-index now reflect `cf`'s actual distribution surface: no GitHub source repo is publicly declared, so the project link is the npm package page. The reverse-lookup map for `cloudflare/workers-sdk` now resolves correctly to `wrangler`.

## Type of Change

`fix`: Bug fix (non-breaking change which fixes an issue)

## Related Issues/Stories

## Files Modified

**Modified:**

- `registry.yaml`: `cf` entry replaces `repo: cloudflare/workers-sdk` with `url: https://www.npmjs.com/package/cf` and adds an inline comment explaining the rationale.

**Created:**

**Renamed:**

**Deleted:**

## Testing

**Test Summary:**

- `bun run build`: clean output. The previous "duplicate owner/repo cloudflare/workers-sdk" warning is gone. `cf` now joins `make` and `nvidia-smi` in the "no parseable owner/repo, owner/repo entry skipped" bucket (legitimate; these tools have no canonical source repository).
- `dist/score/cf.html` and `dist/score/cf.md` still emit. The fallback from `repo:` to `url:` does not break scorecard rendering.

Evidence for the upstream claim:

- `cloudflare/workers-sdk/packages/`: `chrome-devtools-patches`, `cli`, `codemod`, `containers-shared`, `create-cloudflare`, `devprod-status-bot`, `edge-preview-authenticated-proxy`, `format-errors`, `kv-asset-handler`, `lint-config-shared`, `local-explorer-ui`, `miniflare`, `mock-npm-registry`, `pages-shared`, `playground-preview-worker`, `quick-edit-extension`, `quick-edit`, `solarflare-theme`, `turbo-r2-archive`, `unenv-preset`, `vite-plugin-cloudflare`, `vitest-pool-workers`, `workers-editor-shared`, `workers-playground`, `workers-shared`, `workers-tsconfig`, `workers-utils`, `workflows-shared`, `wrangler`. None has `bin: cf` in package.json. The package named `cli` is `@cloudflare/cli-shared-helpers` (internal helpers, no executable).
- `cf`: `repository: null`, `homepage: null`, `bugs: null`, `author: null`. Tarball contents are entirely pre-bundled JavaScript under `cf-dist/` (bundler output, no source files).
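
The reverse-lookup collision this PR describes, as an added example that is not the project's build code: it builds the owner/repo to tool map from registry entries, reports a second claim on the same repository instead of letting it overwrite the first, and puts entries without a parseable `repo:` in a skipped bucket. The entry shape (`name`, `repo`, `url`), the function names and the sample entries are assumptions constructed from the values named on this page.

```javascript
// Added example, not the project's build code. The entry shape
// ({ name, repo, url }) and all function names are assumed.
const OWNER_REPO = /^[A-Za-z0-9-]+\/[A-Za-z0-9_.-]+$/;

// Normalise "owner/repo", "github.com/owner/repo" or a full GitHub URL to
// lower-case "owner/repo". Anything else (an npm URL, a missing field)
// returns null so it can never become a lookup key.
function parseOwnerRepo(value) {
  if (typeof value !== "string") return null;
  const v = value.trim()
    .replace(/^https?:\/\//i, "")
    .replace(/^(www\.)?github\.com\//i, "")
    .replace(/\.git$/i, "")
    .replace(/\/+$/, "");
  return OWNER_REPO.test(v) ? v.toLowerCase() : null;
}

// Build the reverse map. A repository already claimed by an earlier entry is
// recorded in `duplicates` and left untouched, so list order cannot silently
// decide which scorecard a pasted repository URL resolves to.
function buildReverseLookup(entries) {
  const map = new Map();
  const skipped = [];
  const duplicates = [];
  for (const entry of entries) {
    const key = parseOwnerRepo(entry.repo);
    if (key === null) { skipped.push(entry.name); continue; }
    if (map.has(key)) {
      duplicates.push({ repo: key, kept: map.get(key), rejected: entry.name });
      continue;
    }
    map.set(key, entry.name);
  }
  return { map, skipped, duplicates };
}

// Resolve what a user pastes into a form to a registry tool name, or null.
function resolveTool(map, pasted) {
  const key = parseOwnerRepo(pasted);
  return key === null ? null : map.get(key) ?? null;
}

// Constructed sample entries: the registry before and after this PR.
const registryBefore = [
  { name: "wrangler", repo: "cloudflare/workers-sdk" },
  { name: "cf", repo: "cloudflare/workers-sdk" },
  { name: "make" },
];
const registryAfter = [
  { name: "wrangler", repo: "cloudflare/workers-sdk" },
  { name: "cf", url: "https://www.npmjs.com/package/cf" },
  { name: "make" },
];

console.log(buildReverseLookup(registryBefore).duplicates);
console.log(resolveTool(buildReverseLookup(registryAfter).map, "github.com/cloudflare/workers-sdk"));
```

Treating a non-empty `duplicates` list as a build error, rather than a warning, stops a wrong `repo:` claim from shipping.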