Mar 30, 2026

Step 6: Set up GitHub Actions for CI/CD

Build a secure pipeline that keeps secrets out of your codebase.

Manual deployments work for occasional updates, but they don't scale. Every time you push code, you need to remember to sync secrets. If a team member deploys without syncing, secrets could get out of date. And there's no record of who deployed what or when.

To solve this, all we need to do is create a GitHub Actions workflow. Once the Worker is created, the workflow will automatically fetch the latest secrets from Doppler, update them in Cloudflare, and deploy the Worker whenever you push code.

Create a Doppler service token

You've been using the Doppler CLI with your personal login, which works for interactive use. For automated systems like GitHub Actions, you need a service token instead.

Service tokens are scoped to a single environment (like production) and provide read-only access to secrets. If a token is compromised, an attacker can read secrets but can't modify them or access other environments. This principle of least privilege is important for CI/CD security.

To proceed, generate a token for your production configuration:

Save the output somewhere secure. You'll add it to GitHub in a moment.

Create a Cloudflare API token

Next, go to the API Tokens page in your Cloudflare dashboard and click Create Token. Select the Edit Cloudflare Workers template, as shown in the image below, then generate and save the token.

Screenshot of API token templates on Cloudflare highlighting the “Edit Cloudflare Workers” template.

After selecting the template, generate the token and copy it somewhere safe for now. You will need it shortly.

Find your Cloudflare account ID

You'll also need your Cloudflare account ID. You can find it on the account home page by clicking the three-dot menu next to your email address, as shown below.

Cloudflare dashboard screenshot highlighting the “Copy Account ID” button.

Add secrets to GitHub

Now that you have all three values, add them as repository secrets. In your GitHub repository, go to Settings > Secrets and variables > Actions, then click "New repository secret" to add each of the following:

  • DOPPLER_TOKEN: The service token you created earlier
  • CLOUDFLARE_API_TOKEN: The API token from the previous step
  • CLOUDFLARE_ACCOUNT_ID: Your Cloudflare account ID from the dashboard

Create the workflow file

Next, create a new GitHub Actions workflow at .github/workflows/deploy.yml. This file defines the steps used to build and deploy your Worker automatically on each push.

Now, every push to your main branch automatically installs dependencies, pulls secrets from Doppler using the service token, syncs those secrets to Cloudflare, and deploys the Worker. This eliminates manual steps, forgotten secret syncs, and uncertainty about whether production has the latest credentials. Every deployment is consistent and fully auditable.
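
A workflow that follows the steps described above, as an added example rather than this page's original file. It assumes an npm project with a lockfile and wrangler as a dev dependency, Node 20, and the three repository secret names listed earlier; the workflow name, step names, and concurrency group are illustrative.

```yaml
# Added example: .github/workflows/deploy.yml (assumptions noted in the lead-in)
name: Deploy Worker

on:
  push:
    branches: [main]

# The job only reads the repository, so GITHUB_TOKEN gets no write scopes.
permissions:
  contents: read

# Serialize deployments so two pushes cannot race on the secret sync.
concurrency:
  group: deploy-production
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # No secrets are in the environment while third-party install scripts run.
      - name: Install dependencies
        run: npm ci
      - name: Install Doppler CLI
        uses: dopplerhq/cli-action@v3
      # Secrets are piped from Doppler straight into wrangler and never written to disk.
      - name: Sync secrets from Doppler to Cloudflare
        env:
          DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
        run: |
          # Fail the step if the Doppler download fails, not only if wrangler does.
          set -euo pipefail
          doppler secrets download --no-file --format json | npx wrangler secret bulk
      - name: Deploy Worker
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
        run: npx wrangler deploy
```

Each secret is exposed only to the step that needs it, so the Doppler token is never present during the deploy step and neither credential is present during dependency installation.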

Multi-environment deployment

For more sophisticated setups, you may want separate staging and production deployments driven by different branches. The expanded workflow below deploys automatically based on the branch that was pushed.

With this setup, staging and production are cleanly separated while still being fully automated through the same pipeline. Each environment uses its own configuration, secrets, and deployment target, reducing the risk of accidental cross-environment changes.