@decocms/start 2.30.0 → 3.0.0

package/scripts/migrate/phase-verify.ts

@@ -13,8 +13,8 @@ const REQUIRED_FILES = [
   "package.json",
   "tsconfig.json",
   "vite.config.ts",
-  // wrangler.jsonc is INTENTIONALLY absent -- D6: it lives in decocms/deco-start
-  // under deploy/sites/<repo>.jsonc and is generated locally by `deco-wrangler gen`.
+  // wrangler.jsonc is INTENTIONALLY absent -- D6.2: it's generated from
+  // decocms/deco-start's deploy/wrangler-template.jsonc by `deco-wrangler gen`.
   ".github/workflows/deploy.yml",
   ".github/workflows/preview.yml",
   ".github/workflows/regen-blocks.yml",

package/scripts/migrate/templates/github-workflows.ts

@@ -1,33 +1,51 @@
-// Caller workflow stubs for new sites. Each stub delegates to a reusable
-// workflow under `decocms/deco-start/.github/workflows/` -- the customer repo
-// holds no deploy/build logic of its own. See D6 in
-// `.cursor/rules/migration-tooling-policy.mdc` and the `deploy/` directory
-// for the central registry contract.
+// Caller workflow stubs for new sites (v3, D6.2 architecture). Each stub mints
+// a short-lived `decocms-deployer` GitHub App installation token and uses it
+// to call the corresponding reusable workflow under
+// `decocms/deco-start/.github/workflows/`. The customer repo holds no deploy
+// logic of its own AND no Cloudflare credentials -- only the App ID + private
+// key as deco-sites org-level secrets (`DECOCMS_DEPLOYER_APP_ID` and
+// `DECOCMS_DEPLOYER_APP_PRIVATE_KEY`).
+//
+// See `deploy/README.md` and the migration-tooling-policy rule (D6.2) for the
+// full trust model.
 
 const DEPLOY_YML = `name: Deploy
 
-# Thin caller for decocms/deco-start's central deploy workflow.
+# Triggers decocms/deco-start's central deploy workflow via App-token.
 
 on:
   push:
     branches: [main]
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
-  deploy:
-    uses: decocms/deco-start/.github/workflows/deploy.yml@v2
-    secrets: inherit
+  trigger:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: \${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
+          private-key: \${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
+          owner: decocms
+          repositories: deco-start
+      - env:
+          GH_TOKEN: \${{ steps.app-token.outputs.token }}
+        run: |
+          gh workflow run deploy.yml \\
+            --repo decocms/deco-start \\
+            --ref v3 \\
+            -f site_owner=\${GITHUB_REPOSITORY%%/*} \\
+            -f site_name=\${GITHUB_REPOSITORY##*/}
 `;
 
 const PREVIEW_YML = `name: Preview
 
-# Thin caller for decocms/deco-start's central preview workflow.
+# Triggers decocms/deco-start's central preview workflow via App-token.
 
 on:
-  repository_dispatch:
-    types: [preview-deploy]
   pull_request:
     types: [opened, synchronize, reopened]
   push:
@@ -35,18 +53,46 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
-  statuses: write
 
 jobs:
-  preview:
-    uses: decocms/deco-start/.github/workflows/preview.yml@v2
-    secrets: inherit
+  trigger:
+    runs-on: ubuntu-latest
+    steps:
+      - id: meta
+        run: |
+          if [ "\${{ github.event_name }}" = "pull_request" ]; then
+            echo "alias=pr-\${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+            echo "sha=\${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
+          else
+            REF="\${GITHUB_REF#refs/heads/env/}"
+            echo "alias=$(echo "$REF" | sed 's|[^a-z0-9-]|-|g')" >> "$GITHUB_OUTPUT"
+            echo "sha=\${{ github.sha }}" >> "$GITHUB_OUTPUT"
+          fi
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: \${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
+          private-key: \${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
+          owner: decocms
+          repositories: deco-start
+      - env:
+          GH_TOKEN: \${{ steps.app-token.outputs.token }}
+        run: |
+          gh workflow run preview.yml \\
+            --repo decocms/deco-start \\
+            --ref v3 \\
+            -f site_owner=\${GITHUB_REPOSITORY%%/*} \\
+            -f site_name=\${GITHUB_REPOSITORY##*/} \\
+            -f site_sha=\${{ steps.meta.outputs.sha }} \\
+            -f alias=\${{ steps.meta.outputs.alias }} \\
+            -f pr_number=\${{ github.event.pull_request.number || '' }}
 `;
 
 const REGEN_BLOCKS_YML = `name: Regenerate blocks.gen.json
 
 # Thin caller for decocms/deco-start's central regen-blocks workflow.
+# This one stays as workflow_call: it runs in the caller's runner context
+# (writes back to the storefront repo) and needs no Cloudflare credentials.
 
 on:
   push:
@@ -59,13 +105,15 @@ permissions:
 
 jobs:
   regen:
-    uses: decocms/deco-start/.github/workflows/regen-blocks.yml@v2
+    uses: decocms/deco-start/.github/workflows/regen-blocks.yml@v3
     secrets: inherit
 `;
 
 const SYNC_SECRETS_YML = `name: Sync worker secrets
 
-# Thin caller for decocms/deco-start's central sync-secrets workflow.
+# Triggers decocms/deco-start's central sync-secrets workflow via App-token.
+# The actual SECRET_* values live in deco-start's '\${repo-basename}-secrets'
+# environment, NOT in this repo. See deco-start's deploy/README.md.
 
 on:
   workflow_dispatch:
@@ -81,11 +129,24 @@ permissions:
   contents: read
 
 jobs:
-  sync:
-    uses: decocms/deco-start/.github/workflows/sync-secrets.yml@v2
-    with:
-      mode: \${{ inputs.mode }}
-    secrets: inherit
+  trigger:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: \${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
+          private-key: \${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
+          owner: decocms
+          repositories: deco-start
+      - env:
+          GH_TOKEN: \${{ steps.app-token.outputs.token }}
+        run: |
+          gh workflow run sync-secrets.yml \\
+            --repo decocms/deco-start \\
+            --ref v3 \\
+            -f site_name=\${GITHUB_REPOSITORY##*/} \\
+            -f mode=\${{ inputs.mode }}
 `;
 
 export function generateGithubWorkflows(): Record<string, string> {

package/deploy/sites/als-tanstack.jsonc

@@ -1,7 +0,0 @@
-// Per-site overrides for `als-tanstack` (immutable repo->worker binding).
-// Renaming `worker_name` is a breaking change: it points the next deploy at a
-// different Cloudflare worker. Only the platform team can change this file
-// (CODEOWNERS-protected).
-{
-  "worker_name": "als-tanstack"
-}

package/deploy/sites/americanas-tanstack.jsonc

@@ -1,4 +0,0 @@
-// Per-site overrides for `americanas-tanstack`.
-{
-  "worker_name": "americanas-tanstack"
-}

package/deploy/sites/baggagio-tanstack.jsonc

@@ -1,4 +0,0 @@
-// Per-site overrides for `baggagio-tanstack`.
-{
-  "worker_name": "baggagio-tanstack"
-}

package/deploy/sites/casaevideo-storefront.jsonc

@@ -1,11 +0,0 @@
-// Per-site overrides for `casaevideo-storefront`.
-//
-// NOTE: `kv_namespaces[].id` is shared with `lebiscuit-tanstack`. Verify this
-// is intentional before promoting this registry to v1. R4 in the central-deploy
-// plan adds a CI check that flags shared KV ids as a copy-paste smell.
-{
-  "worker_name": "casaevideo-tanstack",
-  "kv_namespaces": [
-    { "binding": "SITES_KV", "id": "ad0b74fc4d9341c9af9149c4ab85132f" }
-  ]
-}

package/deploy/sites/lebiscuit-tanstack.jsonc

@@ -1,19 +0,0 @@
-// Per-site overrides for `lebiscuit-tanstack`.
-//
-// NOTE: `kv_namespaces[].id` is shared with `casaevideo-storefront`. See the
-// note in casaevideo's site file. R4 will add CI validation for this.
-//
-// `version_metadata` and `analytics_engine_datasets` are consumed by
-// @decocms/start's `instrumentWorker`:
-//   - version_metadata populates `service.version` on the OTel resource.
-//   - analytics_engine_datasets is the dual-emit metrics target.
-{
-  "worker_name": "lebiscuit-tanstack",
-  "kv_namespaces": [
-    { "binding": "SITES_KV", "id": "ad0b74fc4d9341c9af9149c4ab85132f" }
-  ],
-  "version_metadata": { "binding": "CF_VERSION_METADATA" },
-  "analytics_engine_datasets": [
-    { "binding": "DECO_METRICS", "dataset": "deco_metrics_lebiscuit" }
-  ]
-}

package/deploy/sites/miess-01-tanstack.jsonc

@@ -1,8 +0,0 @@
-// Per-site overrides for `miess-01-tanstack`.
-//
-// Worker name keeps the historical `miess-tanstack` (no "-01") so the deploy
-// continues to land on the existing Cloudflare worker. The repo name has the
-// `-01-` suffix; the worker name does not.
-{
-  "worker_name": "miess-tanstack"
-}

package/scripts/deploy/resolve-site.mjs

@@ -1,58 +0,0 @@
-#!/usr/bin/env node
-// resolve-site.mjs
-//
-// Validates that the calling repository has a registered site manifest in
-// deco-start, and emits the resolved fields to GITHUB_OUTPUT for downstream
-// steps (wrangler tail, status comments, etc.).
-//
-// Required env:
-//   DECO_START_PATH  - path to a checked-out deco-start (e.g. ".deco-start")
-//   SITE_NAME        - typically `${GITHUB_REPOSITORY#*/}` set by the workflow
-//
-// Optional env:
-//   GITHUB_OUTPUT    - if set, emit `key=value` lines here (CI mode).
-//                      If unset, prints a human-readable summary to stdout.
-
-import { appendFileSync } from "node:fs";
-import { loadSiteManifest } from "./site-registry.mjs";
-
-function fail(message) {
-  console.error(`::error::${message}`);
-  process.exit(1);
-}
-
-const decoStartPath = process.env.DECO_START_PATH;
-const siteName = process.env.SITE_NAME;
-const ghOutput = process.env.GITHUB_OUTPUT;
-
-if (!decoStartPath) fail("DECO_START_PATH env var is required");
-if (!siteName) fail("SITE_NAME env var is required");
-
-let manifest;
-try {
-  manifest = loadSiteManifest(decoStartPath, siteName);
-} catch (err) {
-  fail(err instanceof Error ? err.message : String(err));
-}
-
-const summary = {
-  site_name: siteName,
-  worker_name: manifest.worker_name,
-  has_routes: String(Array.isArray(manifest.routes) && manifest.routes.length > 0),
-  has_kv: String(Array.isArray(manifest.kv_namespaces) && manifest.kv_namespaces.length > 0),
-  has_analytics: String(
-    Array.isArray(manifest.analytics_engine_datasets) &&
-      manifest.analytics_engine_datasets.length > 0,
-  ),
-  has_version_metadata: String(Boolean(manifest.version_metadata)),
-};
-
-if (ghOutput) {
-  const lines = Object.entries(summary).map(([k, v]) => `${k}=${v}`);
-  appendFileSync(ghOutput, `${lines.join("\n")}\n`);
-}
-
-console.log(`Resolved site "${siteName}" -> worker "${manifest.worker_name}"`);
-for (const [k, v] of Object.entries(summary)) {
-  console.log(`  ${k}: ${v}`);
-}