What would be the best way to do that?

The most naive way I can think is allow all the audit peeps have read access to the worker code and checking whether it matches

But I don't know if that's doable with CF's pretty barebone access policies

Give the team read-access to the repository?

that doesn't prove someone from infra didn't inject code into the worker that's actually running

Maybe have a service that runs the API call?

If the deployment runs in Actions, you could probably just let them inspect the repo, since any steps taken to inject something into the script would also show up in the repo

But now what if someone had a spy working for Cloudflare that did a switcharoo with the code behind the curtains

And also because most Workers are very difficult to inspect once they are deployed, since they may be minified, include a D1 stub, have random patches of binary, etc

So it might be more efficient to audit the pipeline and the source, rather than trying to audit the built output

aren't worker builds reproducible?

Not without the build pipeline

You can probably guess at what dependencies were used

But for stuff like WebAssembly, it would be very difficult to reverse without the source

I am OK with having the worker use a specific type if it means it is reproducible/auditable

I’m not sure what you mean, “a specific type”?

I mean barebone JS vs webpack vs webassembly, etc..

I mean, it’s not so much that. It is more that it is a lot easier to audit a Worker when it is split into multiple files, the function/variable names are intact, etc. Most build tools minify your script, since JS runtimes don’t actually care about the names of stuff, but that means it is much harder for a human to read

And not using said build tools greatly reduces the amount of work you can do with a single Worker

sorry if that wasn't clear but the code will be public

my thought process was to have auditors build the worker locally and check whether it matches the (minified or not) code running on Cloudflare

Oh, like that

That should be fine

Most build tools should be deterministic, as long as you don’t update them

Though again, not 100% sure how that tracks to WebAssembly

The same code with the same versions of dependencies and bundler should always produce the same output

can I give some team members the capacity to only read the worker code?

Nada

You can give them write access to all Workers or read access to all of the account

Is anyone aware of a way to grab the zero trust auth token from inside the worker behind it?