Chore: deploy CommandGrid preview from main

Merge deploy automation after Scout merge-ready. Robin approved override despite missing Cloudflare repo secrets; post-merge workflow may fail until secrets are configured.

Author: RobinOppenstam

.github/workflows/ci.yml

@@ -5,6 +5,7 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
 
 jobs:
   check:
@@ -36,3 +37,55 @@ jobs:
 
       - name: Cloudflare build
         run: npm run cf:build
+
+  deploy-preview:
+    name: Deploy Cloudflare preview
+    runs-on: ubuntu-latest
+    needs: check
+    if: >-
+      ${{
+        (github.event_name == 'push' && github.ref == 'refs/heads/main') ||
+        (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main')
+      }}
+    concurrency:
+      group: cloudflare-preview-deploy
+      cancel-in-progress: false
+    permissions:
+      contents: read
+    env:
+      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      CLOUDFLARE_HYPERDRIVE_LOCAL_CONNECTION_STRING_COMMANDGRID_DB: ${{ secrets.CLOUDFLARE_HYPERDRIVE_LOCAL_CONNECTION_STRING_COMMANDGRID_DB }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+
+      - name: Install
+        run: npm ci
+
+      - name: Verify deploy configuration
+        run: |
+          missing=0
+          for name in \
+            CLOUDFLARE_API_TOKEN \
+            CLOUDFLARE_ACCOUNT_ID \
+            CLOUDFLARE_HYPERDRIVE_LOCAL_CONNECTION_STRING_COMMANDGRID_DB
+          do
+            if [ -z "${!name}" ]; then
+              echo "::error title=Missing deploy secret::${name} is required for Cloudflare preview deploy."
+              missing=1
+            fi
+          done
+          exit "${missing}"
+
+      - name: Cloudflare build
+        run: npm run cf:build
+
+      - name: Deploy preview Worker
+        run: npx wrangler deploy --env preview

docs/infra/README.md

@@ -86,6 +86,28 @@ Expected results:
 - `/api/health`: all Phase 1 bindings present, AI Gateway configured mode
 - `/api/db-smoke`: `ok=true`, database `neondb`, user `neondb_owner`, schema `public`
 
+## Automated preview deployment
+
+GitHub Actions deploys the Cloudflare preview Worker after the CI `check` job succeeds on `push` to `main`. The deploy job runs:
+
+```bash
+npm ci
+npm run cf:build
+npx wrangler deploy --env preview
+```
+
+A manual `workflow_dispatch` run is also available, but the deploy job is guarded to run only from `refs/heads/main`. Pull requests and non-`main` branches never deploy.
+
+Required GitHub Actions secrets/config for preview deploy:
+
+- `CLOUDFLARE_API_TOKEN`: Cloudflare API token with permission to deploy the `commandgrid-preview` Worker and read/write the configured preview resources as required by Wrangler.
+- `CLOUDFLARE_ACCOUNT_ID`: Cloudflare account ID used by Wrangler during non-interactive deploys.
+- `CLOUDFLARE_HYPERDRIVE_LOCAL_CONNECTION_STRING_COMMANDGRID_DB`: deploy-time Hyperdrive local connection string for the `COMMANDGRID_DB` binding. Use the safe preview/deploy equivalent of `COMMANDGRID_DATABASE_URL`; never commit or print the value.
+
+If any required secret is missing, the deploy job fails during the `Verify deploy configuration` step with the missing secret name only. Secret values are never printed.
+
+This automation targets only the `preview` Wrangler environment (`commandgrid-preview`). It does not deploy production.
+
 ## Deployment caveats
 
 OpenNext/Cloudflare requires a local Hyperdrive emulation connection string during build/deploy. Use the local secret only: