# Prompt to Create a GitHub Actions Deploy Workflow > AI agent prompt to generate a production GitHub Actions CI/CD workflow for a Next.js app with type-check, test, build, and deploy steps. **Type:** Prompt **Tools:** Cursor, Claude Code, Codex, Windsurf **Stack:** Next.js, TypeScript, Cloudflare **Difficulty:** medium **Updated:** 2026-06-08 --- Give this prompt to your agent to generate a battle-tested GitHub Actions workflow file that runs type-checking, tests, and a production build before deploying — without committing secrets or using deprecated action versions. ## Main Prompt ```txt title="Main Prompt" You are working in a Next.js 15 project that uses TypeScript and Bun as the package manager. Deployments go to Cloudflare Pages. Task: create a GitHub Actions CI/CD workflow at `.github/workflows/deploy.yml`. Requirements: - Trigger on: `push` to `main` and `pull_request` targeting `main`. - On pull_request: run only the `ci` job (lint, typecheck, build). - On push to main: run `ci` then `deploy` (deploy only if ci passes). - `ci` job: - Runner: `ubuntu-latest`. - Steps: checkout, setup Bun (`oven-sh/setup-bun@v2`), `bun install --frozen-lockfile`, `bun run typecheck`, `bun run build`. - Cache: use `actions/cache@v4` to cache `node_modules` keyed on `bun.lock` hash. - `deploy` job: - needs: [ci] - if: `github.event_name == 'push'` - Deploy to Cloudflare Pages using `cloudflare/wrangler-action@v3`. - Secrets used: `CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_ACCOUNT_ID` (from GitHub secrets — do NOT hard-code values). - Set `command: pages deploy .next --project-name=my-app --branch=main`. - Add a concurrency group to cancel in-progress runs on the same branch. - Do NOT pin to `@v1` of any action — use the versions specified above. - Do NOT store any secret value in the YAML file. Stop and show the complete workflow YAML before writing the file. ``` ## Implementation Notes - `oven-sh/setup-bun@v2` installs the Bun version from `.bun-version` or `package.json#engines.bun` if present — make sure one of those files exists or pin with `bun-version: '1.x'`. - `--frozen-lockfile` prevents the CI from silently upgrading deps; failing here means `bun.lock` is out of sync locally. - Cloudflare Pages with `wrangler-action@v3` requires the project to exist in the Cloudflare dashboard first — document this prerequisite in a comment inside the YAML. - Concurrency: use `group: ${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: true`. ## Expected File Changes ```txt .github/workflows/deploy.yml (new) ``` ## Acceptance Criteria - A PR to `main` triggers only the `ci` job and posts a status check. - Merging to `main` triggers `ci` then `deploy`, in order. - No secrets appear in the YAML file. - A second push to the same branch cancels the previous in-progress run. ## Test Commands ```bash # validate YAML syntax locally bun x @actions/validator .github/workflows/deploy.yml || true # or use actionlint docker run --rm -v "$(pwd):/repo" rhysd/actionlint:latest /repo/.github/workflows/deploy.yml ``` ## Common AI Mistakes - Hard-coding `CLOUDFLARE_API_TOKEN` value instead of using `${{ secrets.CLOUDFLARE_API_TOKEN }}`. - Using deprecated `actions/checkout@v2` or `actions/cache@v2` instead of v4. - Running the deploy job on pull_request events, deploying from forks. - Missing `needs: [ci]` on the deploy job, allowing deploys even if tests fail. ## Fix Prompt ```txt title="Fix Prompt" The workflow deploys even when CI fails, or secrets are exposed. Fix in order: 1. Add `needs: [ci]` to the `deploy` job. 2. Add `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` to the deploy job. 3. Replace any hard-coded token values with `${{ secrets.CLOUDFLARE_API_TOKEN }}`. 4. Upgrade any @v1/@v2 action references to the versions specified in the original prompt. Show only the corrected YAML diff. ```