Skip to content

ci(deploy-worker): api-cors-preflight route never binds — CLOUDFLARE_API_TOKEN missing Workers Routes:Edit (auth error 10000) #4651

Description

@koala73

Summary

deploy-worker.yml (Deploy api-cors-preflight Worker) has never succeeded. Every run fails at the wrangler deploy step when it reconciles the Worker route, with a Cloudflare Authentication error [code: 10000]. Because of this, the route api.worldmonitor.app/* was never bound to the Worker — the Worker is uploaded but receives no traffic, and api.worldmonitor.app is currently served by the Vercel origin instead.

The most recent failure was surfaced by #4619 (commit 3a6d6b7), whose 4-line change to workers/api-cors-preflight/src/index.js re-triggered the path-filtered workflow. #4619 did not cause this — it just re-ran an already-broken deploy.

Evidence

Identical failure across every run of the workflow:

Run Commit Result
2026-07-02 (#4619) 3a6d6b7 routes auth error 10000 ❌
2026-06-10 (CORS preview fix) 2fdff81 routes auth error 10000 ❌
2026-05-27 (workflow added) c613a7f

Failing step log (2026-07-02, run 28587741411):

Uploaded api-cors-preflight (1.88 sec)          # script upload succeeds
✘ ERROR  A request to the Cloudflare API
         (/zones/975604917.../workers/routes) failed.
         Authentication error [code: 10000]      # routes reconciliation fails

Live confirmation the route is unbound — OPTIONS to api.worldmonitor.app is answered by Vercel, not the Worker:

$ curl -sD - -o /dev/null -X OPTIONS https://api.worldmonitor.app/v1/ping \
    -H 'Origin: https://www.worldmonitor.app' -H 'Access-Control-Request-Method: GET'
HTTP/2 204
content-disposition: inline; filename="dashboard.html"   # Vercel SPA fallback
x-vercel-id: cdg1::...                                    # served by Vercel origin
cf-ray: ...

A bound Worker would short-circuit OPTIONS and never reach Vercel.

Root cause

The CLOUDFLARE_API_TOKEN repo secret has Workers Scripts:Edit (account) — the script uploads fine — but is missing Workers Routes:Edit on the worldmonitor.app zone (or the token's Zone Resources don't include that zone). CF error 10000 = token lacks permission for the routes operation.

The workflow already documents the required scope:

#   CLOUDFLARE_API_TOKEN — token scoped to Workers Scripts:Edit + Workers
#                          Routes:Edit on the worldmonitor.app zone.

Impact

  • Not user-facing broken: api/_cors.js on the Vercel origin is currently handling CORS for api.worldmonitor.app, so the app works.
  • The api-cors-preflight Worker is inert — its per-request CORS logic (including fix(api): surface bbox diagnostics #4619's new Access-Control-Expose-Headers) is not actually serving any traffic.
  • CI stays permanently red on every Worker touch.

Fix

Permanent (token):

  1. Cloudflare dashboard → API Tokens → edit the token behind CLOUDFLARE_API_TOKEN (or create new) with:
    • Account → Workers Scripts → Edit
    • Zone → Workers Routes → Edit ← the missing permission
    • Zone Resources → Include → Specific zone → worldmonitor.app
  2. Update the CLOUDFLARE_API_TOKEN GitHub repo secret.
  3. Re-run the failed workflow (or workflow_dispatch).

Interim (bind route once): In the CF dashboard, bind api.worldmonitor.app/* → the api-cors-preflight Worker manually (Workers → api-cors-preflight → Triggers → Routes) so it starts taking traffic while the token is fixed.

Acceptance criteria

  • CLOUDFLARE_API_TOKEN has Workers Routes:Edit on the worldmonitor.app zone.
  • deploy-worker.yml runs green end-to-end (deploy + live smoke test).
  • OPTIONS to api.worldmonitor.app is answered by the Worker (no x-vercel-id; carries Access-Control-Allow-Origin + Access-Control-Expose-Headers).

Metadata

Metadata

Assignees

No one assigned

    Labels

    P2Medium priority, schedule when capacity allowsarea: infrastructureCables, pipelines, power grids, cyber threatsbugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions