
Private Cloudflare Pages

Status: preferred path for the private service dashboard when a dedicated Pages project is protected by Cloudflare Access.

Current Decision

Use Cloudflare Pages instead of GitHub Pages for the private service dashboard if, and only if, the private dashboard has its own Pages project and the whole dashboard host is protected by Cloudflare Access before private registry data is bundled.

Do not deploy the private registry into the existing public Flow Studio Pages project. The dashboard is a static Docusaurus build, so route-only protection on a shared public project is not enough: private registry data can be bundled into JavaScript assets.

Sources:

Guarded Workflow

The repository includes a guarded workflow:

The workflow refuses to bundle or deploy the private registry unless all of these are true:

  • the workflow is running from main
  • Cloudflare deploy credentials are configured in GitHub Actions
  • Cloudflare Access read credentials can list Access applications
  • ENABLE_PRIVATE_CLOUDFLARE_PAGES=true
  • PRIVATE_DASHBOARD_CLOUDFLARE_PAGES_PROJECT names a dedicated private dashboard Pages project
  • PRIVATE_DASHBOARD_CLOUDFLARE_ACCESS_DOMAIN names the Access-protected dashboard host
  • the private dashboard project is not the public Flow Studio Pages project
  • the Access host is attached to the private Pages project
  • Cloudflare Access protects the selected host, the project pages.dev host, and the wildcard *.pages.dev deployment aliases for the private Pages project

This preserves the same safety goal as the GitHub Pages guard: private registry data is not bundled until identity-aware hosting is already in place.
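
One way to express these preconditions as a fail-closed check, as an added example that is not the repository's workflow code. The `publicProject` and `projectDomains` inputs, the sample names, and the simplified Access application shape (`type`, `domain`) are assumptions; the credential checks and the Cloudflare API calls that would supply this data are left out.

```javascript
// Added example. Hosts are matched exactly, so anything ambiguous fails closed.
function coversWholeHost(app, host) {
  if (app.type !== 'self_hosted') return false;
  const domain = String(app.domain || '').toLowerCase();
  // A path-scoped application protects one route only; a static build can still
  // ship private registry data in JavaScript assets served from other paths.
  if (domain.includes('/')) return false;
  return domain === host.toLowerCase();
}

function privateDeployGuard({ branch, env, publicProject, projectDomains, accessApps }) {
  const failures = [];
  const project = env.PRIVATE_DASHBOARD_CLOUDFLARE_PAGES_PROJECT || '';
  const host = env.PRIVATE_DASHBOARD_CLOUDFLARE_ACCESS_DOMAIN || '';
  if (branch !== 'main') failures.push('not running from main');
  if (env.ENABLE_PRIVATE_CLOUDFLARE_PAGES !== 'true') failures.push('private deploy not enabled');
  if (!project) failures.push('private Pages project not set');
  if (!host) failures.push('Access domain not set');
  if (project && project === publicProject) failures.push('private project is the public project');
  if (host && !projectDomains.includes(host)) failures.push('Access host not attached to private project');
  if (project && host) {
    // The wildcard alias entry does not cover the bare pages.dev host, so all three are required.
    for (const name of [host, `${project}.pages.dev`, `*.${project}.pages.dev`]) {
      if (!accessApps.some((app) => coversWholeHost(app, name))) {
        failures.push(`no whole-host Access application for ${name}`);
      }
    }
  }
  return failures; // an empty list means bundling the private registry may proceed
}

// Constructed sample: the dashboard host is only route-protected and the project's
// pages.dev host has no Access application at all.
const sample = {
  branch: 'main',
  env: {
    ENABLE_PRIVATE_CLOUDFLARE_PAGES: 'true',
    PRIVATE_DASHBOARD_CLOUDFLARE_PAGES_PROJECT: 'private-dashboard', // hypothetical name
    PRIVATE_DASHBOARD_CLOUDFLARE_ACCESS_DOMAIN: 'dashboard.example.com', // hypothetical host
  },
  publicProject: 'flow-studio-public', // hypothetical name
  projectDomains: ['dashboard.example.com'],
  accessApps: [
    { type: 'self_hosted', domain: 'dashboard.example.com/private' },
    { type: 'self_hosted', domain: '*.private-dashboard.pages.dev' },
  ],
};
console.log(privateDeployGuard(sample));
```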

Latest Deployment Evidence

On May 28, 2026, the guarded private-cloudflare-pages workflow passed from main at 832cdddb68aebd90fc5ce263df4803537a638d7e:

How To Enable

  1. Create a separate Cloudflare Pages project for the private service dashboard.
  2. Attach the intended dashboard hostname to that Pages project.
  3. Create Cloudflare Access self-hosted application coverage for the dashboard hostname, the project pages.dev hostname, and *.PROJECT.pages.dev deployment aliases.
  4. Confirm the GitHub Actions Cloudflare token can deploy Pages and read Access application metadata.
    • The deploy-token repository secret is required for Pages deployment.
    • A separate Access-read repository secret is optional. Use it when Access reads should use a separate least-privilege token.
    • If the separate Access-read secret is absent, the workflow uses the deploy token for Access reads too.
    • The Access read token needs Cloudflare account permission Access: Apps and Policies Read.
  5. Add the non-secret repository variables named above.
  6. Run the private-cloudflare-pages workflow from main.

Public Build Safety

The normal public Cloudflare Pages build must continue to exclude the private registry.

Public builds use a locked placeholder for /private/third-party-services and must pass:

cd docs-portal
DEPLOY_TARGET=cloudflare-pages MOBILIS_PRIVATE_DASHBOARD_ENABLED=false npm run build
npm run build:astro
npm run stage:astro-deploy
npm run test:third-party-services-public-build
npm run test:project-status-public-build
npm run test:flow-studio-access-public-build

Private Cloudflare Pages builds can include the registry and must pass:

cd docs-portal
DEPLOY_TARGET=cloudflare-private-pages MOBILIS_PRIVATE_DASHBOARD_ENABLED=true npm run build
npm run build:astro
npm run stage:astro-deploy
npm run test:flow-studio-access-private-build
npm run test:third-party-services-browser