Skip to content
wojciech.io
Production stack

What this site is actually built on.

Verified from the repo, not from memory. Every layer below is in production today across wojciech.io and its subdomains. If a tool is on this page, it pays rent.

Push to production

01 · Source

GitHub

Monorepo, branch-protected main

02 · CI gate

GitHub Actions

Vitest · Playwright · Semgrep · CodeQL

03 · Build

Astro

Static + Pages Functions

04 · Deploy

Cloudflare Pages

Wrangler → 7 surfaces, only on green CI

05 · Edge

Cloudflare

CDN · WAF · rate limiting

Deploy only fires on green CI (workflow_run gate). No green, no ship.

7 surfaces deployed
8 languages shipped
524 automated tests
10 stack layers
The layers
01

Architecture

npm-workspaces monorepo. Astro on Cloudflare Pages: seven surfaces, seven Pages projects. Shared token, UI, and MDX packages.

Astro MDX npm workspaces TypeScript
02

Frontend

Tailwind CSS 4 driven by CSS custom-property tokens. Geist for type. Lenis + Motion for motion. Pagefind for static search.

Tailwind CSS Vite Geist Motion Pagefind
03

Infra

Cloudflare Pages Functions for gated surfaces. Workers for the growthhub cron. Terraform manages Pages projects and domains. Node 24 in CI.

Cloudflare Workers Terraform Node.js 24
04

Content & i18n

Astro content collections for insights, work, and testimonials. Eight languages across CV and SEO surfaces, seven fully translated locale homepages on top of EN.

Astro collections MDX 8 locales
05

Analytics

Cloudflare Web Analytics runs anonymously by default. Everything else loads only after explicit consent, all EU-resident.

GA4 Mixpanel PostHog Sentry
06

Testing

Vitest for units and coverage. Playwright across Chromium + WebKit for smoke, SEO, a11y, and broken-link checks. Daily smoke against production.

Vitest Playwright Lighthouse CI
07

CI/CD

CI on every push and PR. Deploy runs only on CI success via workflow_run, shipping site and subdomains in parallel through Wrangler. Commitlint enforced.

GitHub Actions Wrangler Commitlint
08

Security

Branch protection with required checks. Strict CSP, HSTS preload, XFO DENY. Auth gates use HMAC-SHA256 signed cookies with timing-safe compares and per-IP rate limiting.

Semgrep CodeQL gitleaks CSP · HSTS
09

Resilience

Azure Static Web Apps holds a weekly cold standby. Failover is operator-triggered, auto-detects health, then flips DNS via the Cloudflare API. Rollback is a non-destructive git revert.

Azure SWA Cloudflare DNS BetterStack
10

Working method

Claude Code implements. Codex reviews. Strategy and go/no-go stay human. Merge once docs and code agree.

Claude Code Codex
Next step

Want to see a piece of this in action

If something on the page is interesting in context of what you are building, write me and we will look at it together.