@adobe/helix-config 5.9.4 → 5.10.0

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+# [5.10.0](https://github.com/adobe/helix-config/compare/v5.9.4...v5.10.0) (2026-03-10)
+
+
+### Features
+
+* access.site secretIds with access.preview and access.live ([#364](https://github.com/adobe/helix-config/issues/364)) ([953f595](https://github.com/adobe/helix-config/commit/953f5958d9d05e5e69a06afd299ef87fe6d8ad4b)), closes [#363](https://github.com/adobe/helix-config/issues/363)
+
 ## [5.9.4](https://github.com/adobe/helix-config/compare/v5.9.3...v5.9.4) (2026-03-05)
 
 

package/README.md

@@ -19,6 +19,12 @@ $ npm install @adobe/helix-config
 
 See the [API documentation](docs/API.md).
 
+## Configuration
+
+### Access and secretIds
+
+`secretId` (and legacy `apiKeyId`) can be set on `access.preview`, `access.live`, and `access.site`. The normalized config only has `access.preview` and `access.live`; `access.site` is used only during resolution. For each partition, the effective secretIds (and `allow`) are the **merge** of the partition’s list and `access.site`’s list—site values are merged in, not used as fallback only when the partition is empty.
+
 ## Development
 
 ### Build

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-config",
-  "version": "5.9.4",
+  "version": "5.10.0",
   "description": "Helix Config",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -40,7 +40,7 @@
     "@semantic-release/changelog": "6.0.3",
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "13.1.4",
-    "c8": "10.1.3",
+    "c8": "11.0.0",
     "eslint": "9.4.0",
     "husky": "9.1.7",
     "junit-report-builder": "5.1.1",

package/src/config-view.js

@@ -144,22 +144,33 @@ function resolveSecret(object, idProp, dstProp, siteConfig, orgConfig) {
 }
 
 /**
- * Returns the normalized access configuration for the give partition.
+ * Returns the normalized access configuration for the given partition.
+ *
+ * SecretIds (and legacy apiKeyIds) can be set on access.preview, access.live, and access.site.
+ * The normalized config only has access.preview and access.live; access.site is not present in
+ * the final object and is only used during resolution. For each partition (preview or live),
+ * the effective secretId and allow lists are the merge of the partition's values and
+ * access.site's values (union, deduplicated).
+ *
+ * @param {object} ctx - The context
+ * @param {object} config - The config (with access.preview, access.live, access.site)
+ * @param {object} orgConfig - The org config
+ * @param {'preview'|'live'} partition - The partition name
+ * @param {object} rso - RSO (ref, site, org)
+ * @returns {Promise<{secretId: string[], allow: string[], tokenHash: string[]}>}
+ *   Normalized access config for the partition
  */
 export async function getAccessConfig(ctx, config, orgConfig, partition, rso) {
   const { access = {} } = config;
-  // get the (legacy) apiKeyIds or secretIds from the partition specific config
   const pAccess = access[partition] ?? {};
-  let secretId = uniqueArray(pAccess.apiKeyId, pAccess.secretId);
-  if (secretId.length === 0) {
-    // if empty, also check the access.site configs
-    secretId = uniqueArray(access.site?.apiKeyId, access.site?.secretId);
-  }
-  // same for 'allow'
-  let allow = uniqueArray(pAccess.allow);
-  if (allow.length === 0) {
-    allow = uniqueArray(access.site?.allow);
-  }
+  // merge partition and site secretIds (and legacy apiKeyIds), then allow
+  const secretId = uniqueArray(
+    pAccess.apiKeyId,
+    pAccess.secretId,
+    access.site?.apiKeyId,
+    access.site?.secretId,
+  );
+  const allow = uniqueArray(pAccess.allow, access.site?.allow);
   const cfg = {
     secretId,
     allow,