chore: set custom domain #21

Merged
Rindrics merged 6 commits into main from issue-20-custom-domain
Jan 6, 2026

Owner

@Rindrics Rindrics commented Jan 6, 2026

User description


PR Type

Enhancement


Description

  • Set up Pulumi infrastructure project for managing Cloudflare

  • Configure custom domain for Kotetsu Cloudflare Pages project

  • Create GitHub Actions workflow for infrastructure preview and deployment

  • Define TypeScript configuration and project dependencies


Diagram Walkthrough

flowchart LR
  A["Pulumi Infrastructure Setup"] --> B["Custom Domain Configuration"]
  A --> C["GitHub Actions Workflow"]
  B --> D["Cloudflare Pages Domain"]
  C --> E["Preview on PR"]
  C --> F["Deploy on Push to Main"]

File Walkthrough

Relevant files
Enhancement
index.ts
Define Cloudflare Pages custom domain configuration           

infrastructure/index.ts

  • Initializes Pulumi project with Cloudflare provider
  • Configures custom domain kotetsu.rindrics.com for Cloudflare Pages
  • Exports domain name and status for reference
  • Requires Cloudflare Account ID from configuration
+25/-0   
pulumi.yml
Add Pulumi infrastructure CI/CD workflow                                 

.github/workflows/pulumi.yml

  • Creates GitHub Actions workflow for infrastructure management
  • Implements preview job on pull requests to infrastructure changes
  • Implements deploy job on push to main branch
  • Sets up Node.js, pnpm, and Pulumi authentication
+88/-0   
Configuration changes
package.json
Configure Node.js project dependencies and scripts             

infrastructure/package.json

  • Defines project metadata and scripts for Pulumi operations
  • Specifies Pulumi and Cloudflare dependencies
  • Includes TypeScript and development tooling dependencies
  • Configures pnpm as package manager
+23/-0   
tsconfig.json
Configure TypeScript compilation settings                               

infrastructure/tsconfig.json

  • Configures TypeScript compiler for strict type checking
  • Sets target to ES2020 with CommonJS module system
  • Enables source maps and module resolution for Node.js
  • Excludes node_modules and build output from compilation
+20/-0   
Pulumi.yaml
Define Pulumi project configuration                                           

infrastructure/Pulumi.yaml

  • Defines Pulumi project metadata and runtime configuration
  • Specifies Node.js runtime with TypeScript support
  • Sets project name and description for infrastructure management
+6/-0     
Dependencies
pnpm-lock.yaml
Lock package manager dependencies                                               

infrastructure/pnpm-lock.yaml

  • Locks dependency versions for reproducible builds
  • Manages transitive dependencies for Pulumi and Cloudflare packages
+2533/-0

Summary by CodeRabbit

  • Chores
    • Established automated infrastructure deployment pipelines that validate proposed changes on pull requests and automatically apply approved updates to production
    • Configured centralized infrastructure management system for domain and hosting settings
    • Enabled continuous integration workflows for streamlined infrastructure provisioning and deployment



coderabbitai bot commented Jan 6, 2026

Warning

Rate limit exceeded

@Rindrics has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 21 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 81ccd9d and 744c183.

📒 Files selected for processing (1)
  • .github/workflows/pulumi.yml
📝 Walkthrough

Walkthrough

A new Pulumi infrastructure project is added to automate Cloudflare Pages domain configuration. The setup includes GitHub Actions workflows for preview and deploy operations, Pulumi project configuration, and TypeScript-based infrastructure code that provisions a custom domain for the bibliography project.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow: .github/workflows/pulumi.yml | Adds preview job (on pull request to main) and deploy job (on push to main) with shared setup steps for pnpm, Node.js, and dependencies; each job runs respective Pulumi commands (preview/up) with stack prd |
| Pulumi Project Configuration: infrastructure/Pulumi.yaml, infrastructure/.gitignore | Defines Pulumi project kotetsu-infrastructure with nodejs runtime; adds gitignore rules excluding build artifacts and Pulumi stack files while preserving Pulumi.yaml |
| Infrastructure Code: infrastructure/index.ts | Implements Cloudflare Pages domain provisioning that reads account ID from config and exports domain name and status; hard-codes project name and custom domain |
| Build Configuration: infrastructure/package.json, infrastructure/tsconfig.json | Sets up TypeScript build environment with Pulumi and Cloudflare dependencies; configures strict TypeScript compiler options and standard Pulumi CLI commands |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rabbit now hops through the cloud, 🐰
With Pulumi's magic, infrastructure proud,
Pages and domains, all neatly in place,
Automation's heartbeat, a quickened pace! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: set custom domain' accurately describes the main objective of the changeset—setting up a custom domain for the Cloudflare Pages project. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



cloudflare-workers-and-pages bot commented Jan 6, 2026

Deploying kotetsu with Cloudflare Pages

Latest commit: 744c183
Status: ✅  Deploy successful!
Preview URL: https://58b65a4c.kotetsu.pages.dev
Branch Preview URL: https://issue-20-custom-domain.kotetsu.pages.dev



qodo-free-for-open-source-projects bot commented Jan 6, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Long-lived token exposure

Description: The PULUMI_ACCESS_TOKEN secret grants full access to Pulumi state and could allow
unauthorized infrastructure modifications if compromised; consider using OIDC-based
authentication instead of long-lived tokens for enhanced security.
pulumi.yml [52-52]

Referred Code
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}

Unvalidated account identifier

Description: The Cloudflare Account ID is retrieved from configuration without validation, which could
lead to operations on unintended accounts if misconfigured; consider adding validation or
restricting the account ID to expected values.
index.ts [7-7]

Referred Code
const accountId = config.require("cloudflareAccountId");

Ticket Compliance
🟡
🎫 #20
🟢 Setup custom domain for the Kotetsu project
Configure domain to work with Cloudflare Pages
Implement infrastructure as code for domain management
Verify that the custom domain kotetsu.rindrics.com is properly configured in DNS and
accessible via browser
Confirm that the Cloudflare account ID secret is properly configured in GitHub repository
settings
Verify that the Pulumi access token secret is properly configured in GitHub repository
settings
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing error handling: The Pulumi infrastructure code does not include explicit error handling for potential
failures in domain creation or configuration retrieval.

Referred Code
const pagesDomain = new cloudflare.PagesDomain("kotetsu-custom-domain", {
    accountId: accountId,
    projectName: projectName,
    name: customDomain,
});


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Missing input validation: The accountId retrieved from configuration is not validated before use, which could lead
to runtime errors if the value is malformed.

Referred Code
const accountId = config.require("cloudflareAccountId");


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
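
Added example, not part of the PR or of any reviewer's comment: one way to act on the "Unvalidated account identifier" and "Missing input validation" findings above, extended to the `projectName` and `customDomain` values that `infrastructure/index.ts` also passes to `cloudflare.PagesDomain`. The function names, the `Policy` shape, the 32-hex-character account ID format, the DNS-label rule for project names and the sample account ID are assumptions made for this example.

```typescript
// Added example, not from the PR. Pure validation for the three values that
// infrastructure/index.ts hands to cloudflare.PagesDomain; no Pulumi engine needed.

interface PagesDomainConfig {
  accountId: string;    // config.require("cloudflareAccountId")
  projectName: string;  // "kotetsu" in the PR
  customDomain: string; // "kotetsu.rindrics.com" in the PR
}

interface Policy {
  allowedAccountIds: string[]; // accounts this stack may touch; empty = format check only
  allowedZones: string[];      // DNS zones the custom domain must sit under
}

// Assumption: a Cloudflare account ID is 32 lowercase hex characters.
const ACCOUNT_ID_RE = /^[0-9a-f]{32}$/;
// One DNS label: letters, digits, inner hyphens, at most 63 characters.
// Assumption: a Pages project name follows the same rule (it becomes <name>.pages.dev).
const DNS_LABEL_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Constructed sample value, not a real account.
const SAMPLE_ACCOUNT_ID = "0123456789abcdef0123456789abcdef";

function isUnderZone(host: string, zone: string): boolean {
  // Compare against ".zone" so "notrindrics.com" does not pass for "rindrics.com".
  const suffix = "." + zone;
  return host === zone ||
    (host.length > suffix.length && host.slice(-suffix.length) === suffix);
}

function validatePagesDomainConfig(cfg: PagesDomainConfig, policy: Policy): string[] {
  const errors: string[] = [];

  // No trimming or case folding: a secret pasted with a trailing newline or
  // surrounding quotes is reported rather than silently repaired.
  if (!ACCOUNT_ID_RE.test(cfg.accountId)) {
    errors.push("cloudflareAccountId: expected 32 lowercase hex characters");
  } else if (policy.allowedAccountIds.length > 0 &&
             policy.allowedAccountIds.indexOf(cfg.accountId) === -1) {
    errors.push("cloudflareAccountId: not in the allow-list for this stack");
  }

  if (!DNS_LABEL_RE.test(cfg.projectName)) {
    errors.push("projectName: expected a single lowercase DNS label");
  }

  const labels = cfg.customDomain.split(".");
  const wellFormed = cfg.customDomain.length <= 253 && labels.length >= 2 &&
    labels.every((label) => DNS_LABEL_RE.test(label));
  if (!wellFormed) {
    errors.push("customDomain: not a valid lowercase hostname");
  } else if (!policy.allowedZones.some((zone) => isUnderZone(cfg.customDomain, zone))) {
    errors.push("customDomain: outside the zones this stack manages");
  }
  return errors;
}

// Call before constructing any resource so `pulumi preview` fails early.
function assertValidConfig(cfg: PagesDomainConfig, policy: Policy): PagesDomainConfig {
  const errors = validatePagesDomainConfig(cfg, policy);
  if (errors.length > 0) {
    // Messages name the key only; the offending value is never echoed into CI logs.
    throw new Error("invalid stack configuration:\n  " + errors.join("\n  "));
  }
  return cfg;
}
```

In `index.ts` the call would sit between the `config.require(...)` lines and `new cloudflare.PagesDomain(...)`, with the allow-list and zone list kept in the repository rather than in stack config.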


qodo-free-for-open-source-projects bot commented Jan 6, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Use a valid Node.js version

Change the Node.js version in the workflow from '24' to a valid LTS version like
'20' to prevent the job from failing.

.github/workflows/pulumi.yml [35-40]

 - name: Setup Node.js
   uses: actions/setup-node@v4
   with:
-    node-version: '24'
+    node-version: '20'
     cache: 'pnpm'
     cache-dependency-path: infrastructure/pnpm-lock.yaml
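
Review bot: The swap of `node-version: '24'` for `'20'` rests on the claim that '24' is not a usable version, which nothing in this hunk demonstrates; confirm that `actions/setup-node` cannot resolve '24' before downgrading. The value also decides which runtime the Pulumi program and the pnpm cache run under, so a change here should be made for a stated compatibility reason and not only to get the job green.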
Suggestion importance[1-10]: 9

Why: This suggestion correctly identifies that Node.js version '24' is not a valid LTS version and will cause the workflow to fail, proposing a fix that makes the CI pipeline runnable.

High
Provide required Pulumi configuration values
Suggestion Impact: The suggestion identified the need to provide the cloudflareAccountId configuration. The commit implemented this requirement but used a different approach: instead of setting it via PULUMI_CONFIG environment variable as suggested, it added a separate step that runs 'pulumi config set' command before the Pulumi preview/deploy steps. Both approaches achieve the same goal of providing the required configuration value.

code diff:

+      - name: Set Pulumi config
+        run: |
+          pulumi config set cloudflareAccountId ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} --non-interactive
+
       - name: Pulumi preview
         uses: pulumi/actions@v5
         with:
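
Review bot: In the new `Set Pulumi config` step, `${{ secrets.CLOUDFLARE_ACCOUNT_ID }}` is expanded into the script text before the shell runs and is left unquoted, so whatever the secret contains is parsed as shell syntax. Pass it through the step's `env:` and reference it as `"$CLOUDFLARE_ACCOUNT_ID"`. The step also names no stack (`--stack`) and has no `env:` supplying `PULUMI_ACCESS_TOKEN`, although it runs before the `Pulumi preview` step; add both here or confirm the CLI is already logged in with a stack selected at this point.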
@@ -50,6 +54,7 @@
           work-dir: infrastructure
         env:
           PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 
   deploy:
     name: Deploy Infrastructure
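
Review bot: The added `CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}` line puts a Cloudflare credential into the preview step's environment, next to `PULUMI_ACCESS_TOKEN`, under a secret name that is not specific to previews. A preview only needs to read Cloudflare state, so give this step its own read-scoped token in a separate secret and reserve the write-capable token for the `deploy` job that follows.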
@@ -78,6 +83,10 @@
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      - name: Set Pulumi config
+        run: |
+          pulumi config set cloudflareAccountId ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} --non-interactive
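
Review bot: The deploy job's `Set Pulumi config` step has the same unquoted `${{ secrets.CLOUDFLARE_ACCOUNT_ID }}` expansion inside `run:`; move the value to the step's `env:` and use `"$CLOUDFLARE_ACCOUNT_ID"` here as well. The diff as shown stops at this step, so it does not show `CLOUDFLARE_API_TOKEN` being added to the deploy job's Pulumi step; check that the step which applies changes receives the token, since the only `CLOUDFLARE_API_TOKEN` addition visible is the one in the preview step.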

Add the required cloudflareAccountId configuration to the Pulumi steps in the
workflow using a GitHub secret to prevent the commands from failing.

.github/workflows/pulumi.yml [45-52]

 - name: Pulumi preview
   uses: pulumi/actions@v5
   with:
     command: preview
     stack-name: prd
     work-dir: infrastructure
   env:
     PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+    PULUMI_CONFIG: |
+      cloudflareAccountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
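
Review bot: The added `PULUMI_CONFIG` entry carries a bare `cloudflareAccountId: …` YAML mapping in an environment variable, and nothing in this step shows Pulumi reading stack configuration from that variable in that form. Use the `config-map` input of `pulumi/actions`, or an explicit `pulumi config set`, so that a missing or malformed value fails visibly instead of being ignored.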

[Suggestion processed]

Suggestion importance[1-10]: 9


Why: This suggestion correctly identifies that the required cloudflareAccountId configuration is missing from the workflow, which would cause the Pulumi command to fail. Providing it via secrets is the correct approach.

High
High-level
Avoid hardcoding configuration in code

Move hardcoded configuration values like projectName and customDomain into the
Pulumi stack configuration. This improves flexibility by allowing different
values for different environments, such as staging or production.

Examples:

infrastructure/index.ts [10-13]
const projectName = "kotetsu";

// Custom domain to add
const customDomain = "kotetsu.rindrics.com";

Solution Walkthrough:

Before:

import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

const config = new pulumi.Config();
const accountId = config.require("cloudflareAccountId");

// Hardcoded values
const projectName = "kotetsu";
const customDomain = "kotetsu.rindrics.com";

const pagesDomain = new cloudflare.PagesDomain("kotetsu-custom-domain", {
    accountId: accountId,
    projectName: projectName,
    name: customDomain,
});

After:

import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

const config = new pulumi.Config();

// Configuration loaded from Pulumi config
const accountId = config.require("cloudflareAccountId");
const projectName = config.require("projectName");
const customDomain = config.require("customDomain");

const pagesDomain = new cloudflare.PagesDomain("kotetsu-custom-domain", {
    accountId: accountId,
    projectName: projectName,
    name: customDomain,
});
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies hardcoded configuration values (projectName, customDomain) and proposes using Pulumi's configuration system, which is a best practice that significantly improves the code's flexibility and reusability for different environments.

Medium
General
Use pnpm version from package.json

Remove the hardcoded pnpm version from the pnpm/action-setup step to allow it to
automatically use the version specified in the package.json packageManager
field.

.github/workflows/pulumi.yml [30-33]

 - name: Setup pnpm
   uses: pnpm/action-setup@v4
-  with:
-    version: 10
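
Review bot: Removing `with: version: 10` leaves `pnpm/action-setup` with only the `packageManager` field to choose a version from, and that field is in infrastructure/package.json, not in a package.json at the repository root where the action looks by default. Keep a `with:` block and set `package_json_file: infrastructure/package.json` in the same change, otherwise the step has no version to install.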
Suggestion importance[1-10]: 6


Why: This is a good practice suggestion that improves CI/CD consistency by ensuring the pnpm version from package.json is used, reducing potential discrepancies between local and CI environments.

Low

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI Agents
In @.github/workflows/pulumi.yml:
- Around line 54-88: The deploy job named "deploy" repeats the same problems as
preview: update the actions/setup-node@v4 step to use an existing Node version
(e.g., '20' or '18') by changing the node-version value, remove or correct the
cache-dependency-path reference to a real lockfile (replace
infrastructure/pnpm-lock.yaml with the actual lockfile path or remove the
cache-dependency-path), and ensure required Cloudflare/Pulumi credentials are
injected into the Pulumi up step (add the same Cloudflare env vars and secrets
used in preview and ensure PULUMI_ACCESS_TOKEN is set from secrets); locate
these changes around the Deploy job's steps that include "Setup Node.js",
"Install dependencies", and "Pulumi up".
- Around line 45-52: The Pulumi workflow step "Pulumi preview" is missing the
Cloudflare credential needed for Pulumi to manage Cloudflare resources; update
the workflow so the Pulumi preview step (uses: pulumi/actions@v5) includes an
env entry for CLOUDFLARE_API_TOKEN using a repository secret (e.g., add
CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }} alongside
PULUMI_ACCESS_TOKEN), and add the corresponding secret in the repo Settings →
Secrets and variables → Actions.
🧹 Nitpick comments (2)
infrastructure/package.json (1)

5-5: Consider removing or updating the main field.

Infrastructure projects typically don't need a main entry point, as they're executed directly by Pulumi. If you want to keep it, it should point to the compiled output (bin/index.js) rather than the TypeScript source.

🔎 Suggested change

Option 1 (preferred): Remove the field entirely:

  "description": "Infrastructure for kotetsu bibliography project",
-  "main": "index.ts",
  "scripts": {

Option 2: Point to compiled output:

-  "main": "index.ts",
+  "main": "bin/index.js",

infrastructure/index.ts (1)

9-13: Consider making these values configurable.

The hard-coded projectName and customDomain work for this specific use case but reduce reusability. Consider reading these from Pulumi config to make the infrastructure more flexible.

🔎 Proposed refactor to use config values
-// Cloudflare Pages project name
-const projectName = "kotetsu";
-
-// Custom domain to add
-const customDomain = "kotetsu.rindrics.com";
+// Cloudflare Pages project name
+const projectName = config.get("projectName") || "kotetsu";
+
+// Custom domain to add
+const customDomain = config.require("customDomain");
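
Review bot: `config.require("customDomain")` on the last added line turns the domain into a mandatory stack value, so preview and deploy throw until something sets it; either give it a fallback as the `projectName` line does, or add the matching `pulumi config set customDomain` to the workflow in the same change. On the `projectName` line, `||` also replaces an empty string with "kotetsu"; use `??` if only an unset key should fall back.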
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 90fd260 and 81ccd9d.

⛔ Files ignored due to path filters (1)
  • infrastructure/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • .github/workflows/pulumi.yml
  • infrastructure/.gitignore
  • infrastructure/Pulumi.yaml
  • infrastructure/index.ts
  • infrastructure/package.json
  • infrastructure/tsconfig.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Cloudflare Pages
🔇 Additional comments (11)
infrastructure/.gitignore (1)

1-4: LGTM!

The gitignore patterns are appropriate for a Pulumi Node.js project, correctly excluding build artifacts and stack-specific configs while preserving the project configuration.

infrastructure/package.json (2)

6-11: LGTM!

The scripts are well-defined and follow standard Pulumi conventions for infrastructure management.


16-22: All package versions are valid and free from known vulnerabilities.

All specified packages exist in the npm registry and are at their latest stable releases: @pulumi/cloudflare@6.12.0, @pulumi/pulumi@3.214.1, @types/node@25.0.3, tsx@4.21.0, and typescript@5.9.3. No known CVEs or security vulnerabilities were found in any of these versions.

infrastructure/Pulumi.yaml (1)

1-6: LGTM!

The Pulumi project configuration is correct and properly aligned with the TypeScript setup in the infrastructure project.

infrastructure/tsconfig.json (1)

1-20: LGTM!

The TypeScript configuration is well-structured with strict mode enabled and appropriate compiler options for a Node.js Pulumi project.

.github/workflows/pulumi.yml (2)

3-15: LGTM!

The workflow triggers are well-configured with appropriate path filters to run only when infrastructure code or the workflow itself changes.


38-43: No changes required. The workflow configuration is valid.

Verification confirms that both infrastructure/pnpm-lock.yaml exists in the repository (81KB, committed Jan 6) and Node.js version 24 is available (released May 2025, now in active development phase as of January 2026). The workflow will function correctly with these settings.

Likely an incorrect or invalid review comment.

infrastructure/index.ts (4)

1-2: LGTM!

The imports are appropriate for setting up Cloudflare Pages infrastructure with Pulumi.


4-7: LGTM!

Using config.require() for the Cloudflare account ID is good practice, ensuring the mandatory configuration value is provided.


23-25: LGTM!

Exporting the domain name and status provides useful outputs for tracking the custom domain configuration.


15-21: Code configuration is correct and current.

The PagesDomain resource is properly configured. The library version @pulumi/cloudflare@6.12.0 is the latest available, and DNS records for rindrics.com are correctly managed in a separate project as documented.

Comment on lines 54 to 88
  deploy:
    name: Deploy Infrastructure
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    defaults:
      run:
        working-directory: infrastructure

    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Setup pnpm
        uses: pnpm/action-setup@v4
        with:
          version: 10

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'
          cache: 'pnpm'
          cache-dependency-path: infrastructure/pnpm-lock.yaml

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Pulumi up
        uses: pulumi/actions@v5
        with:
          command: up
          stack-name: prd
          work-dir: infrastructure
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}

⚠️ Potential issue | 🔴 Critical

Deploy job has the same critical issues as preview job.

The deploy job will encounter the same failures:

  1. Node.js version 24 doesn't exist (line 74)
  2. Missing infrastructure/pnpm-lock.yaml file (line 76)
  3. Missing Cloudflare API credentials (lines 81-88)

Apply the same fixes as suggested for the preview job to lines 71-88.

🤖 Prompt for AI Agents
In @.github/workflows/pulumi.yml around lines 54 - 88, The deploy job named
"deploy" repeats the same problems as preview: update the actions/setup-node@v4
step to use an existing Node version (e.g., '20' or '18') by changing the
node-version value, remove or correct the cache-dependency-path reference to a
real lockfile (replace infrastructure/pnpm-lock.yaml with the actual lockfile
path or remove the cache-dependency-path), and ensure required Cloudflare/Pulumi
credentials are injected into the Pulumi up step (add the same Cloudflare env
vars and secrets used in preview and ensure PULUMI_ACCESS_TOKEN is set from
secrets); locate these changes around the Deploy job's steps that include "Setup
Node.js", "Install dependencies", and "Pulumi up".

@Rindrics Rindrics merged commit af2b3dc into main Jan 6, 2026
7 checks passed
@Rindrics Rindrics deleted the issue-20-custom-domain branch January 6, 2026 18:03