deployment.org Properties
deployment.org is the declarative config for wb deploy. It describes the full
runtime deployment: the OCI image, the container runtime, environment config,
domain routing, and cloud provider parameters. The file uses a :PROPERTIES:
drawer on a heading tagged :deploy:.
Format
* deployment :deploy:
:PROPERTIES:
:DEPLOY_TARGET: local
:DEPLOY_IMAGE: ghcr.io/workbooks-sh/runtime:latest
:DEPLOY_PORT: 4000
:DEPLOY_DOMAIN: app.example.com
:END:
Core properties
DEPLOYTARGET
Required. Where to deploy.
| Value | Description |
local | Local container (krunvm on macOS, podman/docker fallback) |
fly | Fly.io |
render | Render.com |
railway | Railway |
DEPLOYIMAGE
Optional. OCI image reference. Defaults to the official
ghcr.io/workbooks-sh/runtime:latest image. Set this to use a custom build.
:DEPLOY_IMAGE: ghcr.io/myorg/my-runtime:v1.2.3
DEPLOYPORT
Optional. The port the runtime listens on inside the container. Default: 4000.
The container runtime maps this to the host or cloud provider's public port.
DEPLOYDOMAIN
Optional. Custom domain to route to this deployment. For local deploys, used for the printed URL. For cloud deploys, triggers domain provisioning on the provider.
Build properties
DEPLOYBUILD_CONTEXT
Optional. Docker build context path. Default: the repo root. Set this if your Dockerfile is in a subdirectory.
DEPLOYDOCKERFILE
Optional. Path to the Dockerfile. Default: Dockerfile in the build context.
DEPLOYREGISTRY
Optional. OCI registry to push the built image to. Required for cloud targets.
Example: ghcr.io/myorg.
DEPLOYTAG
Optional. Image tag. Default: latest. Use a version string or git SHA for
reproducible deploys.
Cloud provider properties
DEPLOYFLY_APP
Required for fly target. The Fly.io app name.
:DEPLOY_TARGET: fly
:DEPLOY_FLY_APP: my-workbooks-app
Requires flyctl on PATH and authenticated (flyctl auth login).
DEPLOYRENDER_SERVICE
Required for render target. The Render service ID or name.
DEPLOYRAILWAY_PROJECT
Required for railway target. The Railway project name.
Environment variables
Pass environment variables to the running container:
:DEPLOY_ENV: KEY=value OTHER_KEY=value
Multiple key=value pairs, space-separated. For secrets, reference vars from
the variable store using {{secret:key}} — these are resolved at deploy time from
the encrypted store and injected as env vars without appearing in the org file.
:DEPLOY_ENV: DATABASE_URL={{secret:database_url}} API_KEY={{secret:api_key}}
Resource limits
DEPLOYCPU
Optional. CPU allocation. Format varies by provider.
Fly:
shared-cpu-1x,dedicated-cpu-2x, etc.Render:
starter,standard,prolocal: Docker CPU quota (e.g.
2.0for 2 cores)
DEPLOYMEMORY
Optional. Memory limit. Examples: 512mb, 1gb, 2048mb.
wb deploy verbs
| Verb | Description |
wb deploy init | Scaffold deployment.org |
wb deploy validate | Coherence-check config |
wb deploy apply | Deploy to the configured target |
wb deploy local | Run a local container |
wb deploy doctor | Check environment (wrangler, fly, docker, etc.) |
wb deploy status | Query running deployment status |
wb deploy verify | Post-deploy smoke test (GET /health) |
wb deploy down | Stop local container |
wb deploy logs | Tail container logs |
wb deploy build | Build OCI image only (no push/deploy) |
wb deploy publish | Push built image to registry |
Secrets in deployment.org
Same principle as publish.org: secrets do not go in the file. Inject via env
vars or the variable store:
wb var set database_url postgres://... --secret
Then reference in DEPLOY_ENV:
:DEPLOY_ENV: DATABASE_URL={{secret:database_url}}
wb deploy validate warns if any DEPLOY_ENV value looks like a raw secret.