Fix Astro + Cloudflare static/prerendered builds#894
Merged
Conversation
Contributor
|
The changes in this PR will be included in the next version bump.
|
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
varlock-website | 31a2295 | Commit Preview URL Branch Preview URL |
Jul 17 2026, 11:44 PM |
@env-spec/parser
varlock
@varlock/astro-integration
@varlock/cloudflare-integration
@varlock/vite-integration
commit: |
theoephraim
force-pushed
the
fix-astro-cf-static-prerender-build
branch
from
July 17, 2026 23:26
427b7fc to
c016b42
Compare
@astrojs/cloudflare v14 prerenders static routes inside a build-time workerd worker, which has no bindings and no process.env.__VARLOCK_ENV, so the runtime env loader threw "initVarlockEnv failed" and any static or prerendered-route CF build failed. Bake the resolved env directly into the virtual init module when it loads in the CF 'prerender' vite environment (a build-only artifact Astro discards after prerendering; generated HTML is still leak-scanned). Also make the moduleIds[0] entry-detection fallback dev-only. During builds isEntry is authoritative, and under Rolldown's parallel transforms moduleIds[0] is timing-dependent and could inject the TLA init module into CJS-reachable modules like react-dom, producing REQUIRE_TLA errors.
theoephraim
force-pushed
the
fix-astro-cf-static-prerender-build
branch
from
July 17, 2026 23:42
c016b42 to
31a2295
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.


Fixes #893
Problem
An Astro static build using the Cloudflare adapter fails. There are two distinct defects behind the report:
Deterministic regression (since astro-integration 1.2.0 / Fix redundant resolved-env injection on Cloudflare, warn on unencrypted Vercel deploys #881).
@astrojs/cloudflarev14 prerenders static/prerendered routes inside a real build-timeworkerdworker (@cloudflare/vite-plugin's experimentalprerenderWorker, a Vite environment namedprerender). Since Fix redundant resolved-env injection on Cloudflare, warn on unencrypted Vercel deploys #881 stopped bakingresolved-envinto Cloudflare builds, that build-time worker has no env source — no bindings, andprocess.env.__VARLOCK_ENVdoesn't exist inside workerd — soinitVarlockEnv()throwsinitVarlockEnv failedand any static or prerendered-route CF build fails.The reporter's
REQUIRE_TLAvariant (nondeterministic). The Vite plugin's entry-detection fallback (moduleIds[0] === id) can misfire under Rolldown's parallel transforms and inject the top-level-awaitvarlock-ssr-initmodule into arequire()-reachable module (e.g. react-dom's CJS internals), which Rolldown rejects withREQUIRE_TLA. This is why the same commit built on Linux CI but failed locally.Fix
prerenderVite environment during a build, bake the resolved env directly (globalThis.__varlockLoadedEnv) and skip the TLA bindings loader. This artifact only generates static HTML at build time and is discarded afterward (not deployed), and the generated HTML is still leak-scanned by the framework integrations.@encryptInjectedEnvis intentionally not applied there — the decryption key isn't readable inside the build-time worker.moduleIds[0]entry-detection fallback dev-only. During buildsisEntryis authoritative, so we no longer rely on the timing-dependent heuristic that caused theREQUIRE_TLAmisfire.Tests
Adds three Cloudflare-adapter framework-test scenarios to the Astro suite:
output: 'static') — the reporter's repro; a CJS dep (react-dom) in the prerender build must not receive the TLA init module (guards againstREQUIRE_TLA), and env is injected into the static HTML.output: 'server') — the production-representative case. Exercises both env paths in one build: the build-time prerender worker (env baked in) and the deployed SSR worker (runtime bindings loader, no baked env), asserting they don't cross-contaminate (SSR worker keeps itscloudflare:workersloader and bakes no secret).Full
test:astro(v5/v6/v7) plus vite, cloudflare, sveltekit, and tanstack-start suites are green.