@decocms/start 3.0.0 → 4.0.0

package/scripts/deploy/build-wrangler-config.mjs

@@ -1,47 +0,0 @@
-#!/usr/bin/env node
-// build-wrangler-config.mjs
-//
-// Materializes a `wrangler.jsonc` from the canonical template, with
-// $WORKER_* tokens substituted. The output file is what `wrangler deploy` /
-// `wrangler versions upload` / `wrangler secret put` will read.
-//
-// Required env:
-//   DECO_START_PATH  - path to a checked-out deco-start (e.g. ".deco-start")
-//   WORKER_NAME      - the Cloudflare worker name (= storefront repo basename
-//                      by convention; passed by the central CI workflows)
-//   OUTPUT_PATH      - where to write the merged wrangler.jsonc
-//                      (e.g. "./wrangler.jsonc" in the caller checkout)
-
-import { writeFileSync } from "node:fs";
-import { resolve } from "node:path";
-import { applyWorkerName, loadTemplate } from "./site-registry.mjs";
-
-function fail(message) {
-  console.error(`::error::${message}`);
-  process.exit(1);
-}
-
-const decoStartPath = process.env.DECO_START_PATH;
-const workerName = process.env.WORKER_NAME;
-const outputPath = process.env.OUTPUT_PATH;
-
-if (!decoStartPath) fail("DECO_START_PATH env var is required");
-if (!workerName) fail("WORKER_NAME env var is required");
-if (!outputPath) fail("OUTPUT_PATH env var is required");
-
-let merged;
-try {
-  merged = applyWorkerName(loadTemplate(decoStartPath), workerName);
-} catch (err) {
-  fail(err instanceof Error ? err.message : String(err));
-}
-
-const header = `// AUTOGENERATED by @decocms/start at deploy time.
-// Do not edit -- changes will be overwritten on the next deploy.
-// Source: decocms/deco-start deploy/wrangler-template.jsonc + worker name "${workerName}"
-`;
-
-const body = JSON.stringify(merged, null, 2);
-writeFileSync(resolve(outputPath), `${header}${body}\n`);
-
-console.log(`Wrote ${outputPath} (worker "${workerName}")`);

package/scripts/deploy/jsonc.mjs

@@ -1,76 +0,0 @@
-// Minimal JSONC -> JSON parser used by the deploy scripts.
-//
-// Strips // line comments and /* block comments */ outside of string literals
-// and tolerates trailing commas in objects/arrays. Dependency-free so the
-// deploy scripts can run with vanilla `node` in CI.
-
-import { readFileSync } from "node:fs";
-
-/**
- * @param {string} input
- * @returns {string}
- */
-function stripComments(input) {
-  let out = "";
-  let i = 0;
-  let inStr = false;
-  let strChar = "";
-  while (i < input.length) {
-    const c = input[i];
-    const n = input[i + 1];
-    if (inStr) {
-      out += c;
-      if (c === "\\" && i + 1 < input.length) {
-        out += input[i + 1];
-        i += 2;
-        continue;
-      }
-      if (c === strChar) inStr = false;
-      i++;
-      continue;
-    }
-    if (c === '"') {
-      inStr = true;
-      strChar = c;
-      out += c;
-      i++;
-      continue;
-    }
-    if (c === "/" && n === "/") {
-      while (i < input.length && input[i] !== "\n") i++;
-      continue;
-    }
-    if (c === "/" && n === "*") {
-      i += 2;
-      while (i < input.length && !(input[i] === "*" && input[i + 1] === "/")) i++;
-      i += 2;
-      continue;
-    }
-    out += c;
-    i++;
-  }
-  return out;
-}
-
-/**
- * @param {string} text
- * @returns {unknown}
- */
-export function parseJsonc(text) {
-  const stripped = stripComments(text).replace(/,\s*([}\]])/g, "$1");
-  return JSON.parse(stripped);
-}
-
-/**
- * @param {string} path
- * @returns {unknown}
- */
-export function readJsoncFile(path) {
-  const raw = readFileSync(path, "utf8");
-  try {
-    return parseJsonc(raw);
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`Failed to parse JSONC at ${path}: ${message}`);
-  }
-}

package/scripts/deploy/site-registry.mjs

@@ -1,95 +0,0 @@
-// Template loader + token substitution for the canonical wrangler config.
-//
-// There is no per-site "registry" anymore: every site's wrangler config is
-// produced from `deploy/wrangler-template.jsonc` plus the worker name (which
-// equals the storefront repo basename by convention). To accommodate fields
-// that must vary deterministically per worker, the template can use these
-// substitution tokens, which are replaced at config-build time:
-//
-//   $WORKER_NAME        -> worker name verbatim     (e.g. "als-tanstack")
-//   $WORKER_UNDERSCORE  -> worker name, `-` -> `_`  (e.g. "als_tanstack")
-//
-// Trust model: callers cannot pass a fabricated worker name to the central
-// CI workflows -- the deploy is gated by the `decocms-deployer` GitHub App
-// being installed on the target storefront repo. If the App isn't installed
-// there, the App-token mint fails and the deploy never starts.
-
-import { existsSync } from "node:fs";
-import { join } from "node:path";
-import { readJsoncFile } from "./jsonc.mjs";
-
-/**
- * @param {string} decoStartPath
- * @returns {string}
- */
-export function templatePath(decoStartPath) {
-  return join(decoStartPath, "deploy", "wrangler-template.jsonc");
-}
-
-/**
- * @param {string} decoStartPath
- * @returns {Record<string, unknown>}
- */
-export function loadTemplate(decoStartPath) {
-  const path = templatePath(decoStartPath);
-  if (!existsSync(path)) {
-    throw new Error(`wrangler-template.jsonc not found at ${path}.`);
-  }
-  const raw = readJsoncFile(path);
-  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
-    throw new Error(`Template at ${path} must be a JSON object.`);
-  }
-  return /** @type {Record<string, unknown>} */ (raw);
-}
-
-/**
- * Recursively replace `$WORKER_*` tokens in any string value of an
- * object/array tree. Returns a new tree.
- *
- * @param {unknown} value
- * @param {Record<string, string>} replacements
- * @returns {unknown}
- */
-function substituteTokens(value, replacements) {
-  if (typeof value === "string") {
-    let out = value;
-    for (const [token, repl] of Object.entries(replacements)) {
-      out = out.split(token).join(repl);
-    }
-    return out;
-  }
-  if (Array.isArray(value)) {
-    return value.map((v) => substituteTokens(v, replacements));
-  }
-  if (value && typeof value === "object") {
-    const out = /** @type {Record<string, unknown>} */ ({});
-    for (const [k, v] of Object.entries(value)) {
-      out[k] = substituteTokens(v, replacements);
-    }
-    return out;
-  }
-  return value;
-}
-
-/**
- * Produce the wrangler config object by substituting `$WORKER_*` tokens in
- * the template and prepending `name`.
- *
- * @param {Record<string, unknown>} template
- * @param {string} workerName
- * @returns {Record<string, unknown>}
- */
-export function applyWorkerName(template, workerName) {
-  if (typeof workerName !== "string" || !/^[a-z0-9][a-z0-9-]*$/.test(workerName)) {
-    throw new Error(
-      `Invalid worker name: ${JSON.stringify(workerName)}. Use lowercase, hyphen-separated.`,
-    );
-  }
-  const substituted = /** @type {Record<string, unknown>} */ (
-    substituteTokens(template, {
-      $WORKER_UNDERSCORE: workerName.replace(/-/g, "_"),
-      $WORKER_NAME: workerName,
-    })
-  );
-  return { name: workerName, ...substituted };
-}

package/scripts/deploy/wrangler-wrapper.mjs

@@ -1,118 +0,0 @@
-#!/usr/bin/env node
-// deco-wrangler
-//
-// Local-dev wrapper around `wrangler` for storefront repos that no longer
-// commit a `wrangler.jsonc`. Generates the canonical config from
-// `@decocms/start`'s template into `./wrangler.jsonc` (gitignored), then
-// optionally execs the real `wrangler` with that config in cwd.
-//
-// Usage from a customer repo (after `npm i -D @decocms/start@latest`):
-//
-//   npx deco-wrangler gen          # generate ./wrangler.jsonc and exit
-//                                  # (used by predev/prebuild/prepare hooks)
-//   npx deco-wrangler tail         # tail prod logs (worker name resolved automatically)
-//   npx deco-wrangler types        # regenerate worker-configuration.d.ts
-//   npx deco-wrangler deploy       # discouraged in dev; deploys go via CI
-//   npx deco-wrangler --help       # passes through to wrangler
-//
-// All non-`gen` invocations also (re)generate ./wrangler.jsonc first so the
-// file is always in sync with the template before wrangler runs. The
-// `@cloudflare/vite-plugin` and the `wrangler` CLI both auto-discover
-// ./wrangler.jsonc in cwd, so no extra config plumbing is required.
-//
-// Worker name resolves in this order:
-//
-//   1. DECO_WORKER_NAME env var (explicit override)
-//   2. git remote `origin` URL parsed for the GitHub repo basename
-//   3. package.json `name` field
-//
-// By convention worker name == storefront repo basename. The CI deploys use
-// the same convention. Local dev never deploys -- this wrapper is purely for
-// generating a config that matches what the central workflow will produce.
-
-import { execSync, spawnSync } from "node:child_process";
-import { readFileSync, writeFileSync } from "node:fs";
-import { dirname, resolve } from "node:path";
-import { fileURLToPath } from "node:url";
-import { applyWorkerName, loadTemplate } from "./site-registry.mjs";
-
-const SCRIPT_DIR = dirname(fileURLToPath(import.meta.url));
-// scripts/deploy/wrangler-wrapper.mjs -> deco-start root
-const DECO_START_PATH = resolve(SCRIPT_DIR, "..", "..");
-
-function eprintln(msg) {
-  process.stderr.write(`[deco-wrangler] ${msg}\n`);
-}
-
-function tryGitRemoteWorkerName() {
-  try {
-    const url = execSync("git remote get-url origin", {
-      stdio: ["ignore", "pipe", "ignore"],
-    })
-      .toString()
-      .trim();
-    // matches both git@github.com:org/repo(.git) and https://github.com/org/repo(.git)
-    const m = url.match(/github\.com[:/][^/]+\/([^/]+?)(?:\.git)?$/);
-    return m?.[1];
-  } catch {
-    return undefined;
-  }
-}
-
-function tryPackageJsonName() {
-  try {
-    const pkg = JSON.parse(readFileSync(resolve(process.cwd(), "package.json"), "utf8"));
-    return typeof pkg.name === "string" ? pkg.name : undefined;
-  } catch {
-    return undefined;
-  }
-}
-
-function resolveWorkerName() {
-  const envName = process.env.DECO_WORKER_NAME?.trim();
-  if (envName) return { name: envName, source: "DECO_WORKER_NAME env var" };
-  const gitName = tryGitRemoteWorkerName();
-  if (gitName) return { name: gitName, source: "git remote origin" };
-  const pkgName = tryPackageJsonName();
-  if (pkgName) return { name: pkgName, source: "package.json name" };
-  return undefined;
-}
-
-const resolved = resolveWorkerName();
-if (!resolved) {
-  eprintln(
-    "Could not determine worker name. Set DECO_WORKER_NAME or run from a repo with a github.com 'origin' remote.",
-  );
-  process.exit(1);
-}
-
-let merged;
-try {
-  merged = applyWorkerName(loadTemplate(DECO_START_PATH), resolved.name);
-} catch (err) {
-  eprintln(err instanceof Error ? err.message : String(err));
-  eprintln(`Worker name "${resolved.name}" was inferred from ${resolved.source}.`);
-  process.exit(1);
-}
-
-const outputPath = resolve(process.cwd(), "wrangler.jsonc");
-const header = `// AUTOGENERATED by deco-wrangler -- DO NOT COMMIT.
-// Add wrangler.jsonc to .gitignore. Regenerated on every \`deco-wrangler\` run.
-// Source: @decocms/start deploy/wrangler-template.jsonc + worker name "${resolved.name}"
-`;
-writeFileSync(outputPath, `${header}${JSON.stringify(merged, null, 2)}\n`);
-
-eprintln(`Resolved worker name "${resolved.name}" (via ${resolved.source})`);
-eprintln(`Generated ${outputPath}`);
-
-const argv = process.argv.slice(2);
-// `gen` mode: just write the config and exit. Used by package.json
-// predev/prebuild/prepare hooks to keep wrangler.jsonc in sync with the
-// template without invoking wrangler itself.
-if (argv[0] === "gen" || argv[0] === "generate") {
-  process.exit(0);
-}
-
-const wranglerArgs = ["wrangler", ...argv];
-const result = spawnSync("npx", wranglerArgs, { stdio: "inherit" });
-process.exit(result.status ?? 1);

package/scripts/migrate/templates/github-workflows.ts

@@ -1,159 +0,0 @@
-// Caller workflow stubs for new sites (v3, D6.2 architecture). Each stub mints
-// a short-lived `decocms-deployer` GitHub App installation token and uses it
-// to call the corresponding reusable workflow under
-// `decocms/deco-start/.github/workflows/`. The customer repo holds no deploy
-// logic of its own AND no Cloudflare credentials -- only the App ID + private
-// key as deco-sites org-level secrets (`DECOCMS_DEPLOYER_APP_ID` and
-// `DECOCMS_DEPLOYER_APP_PRIVATE_KEY`).
-//
-// See `deploy/README.md` and the migration-tooling-policy rule (D6.2) for the
-// full trust model.
-
-const DEPLOY_YML = `name: Deploy
-
-# Triggers decocms/deco-start's central deploy workflow via App-token.
-
-on:
-  push:
-    branches: [main]
-
-permissions:
-  contents: read
-
-jobs:
-  trigger:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: \${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-          private-key: \${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-          owner: decocms
-          repositories: deco-start
-      - env:
-          GH_TOKEN: \${{ steps.app-token.outputs.token }}
-        run: |
-          gh workflow run deploy.yml \\
-            --repo decocms/deco-start \\
-            --ref v3 \\
-            -f site_owner=\${GITHUB_REPOSITORY%%/*} \\
-            -f site_name=\${GITHUB_REPOSITORY##*/}
-`;
-
-const PREVIEW_YML = `name: Preview
-
-# Triggers decocms/deco-start's central preview workflow via App-token.
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-  push:
-    branches: ['env/**']
-
-permissions:
-  contents: read
-
-jobs:
-  trigger:
-    runs-on: ubuntu-latest
-    steps:
-      - id: meta
-        run: |
-          if [ "\${{ github.event_name }}" = "pull_request" ]; then
-            echo "alias=pr-\${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
-            echo "sha=\${{ github.event.pull_request.head.sha }}" >> "$GITHUB_OUTPUT"
-          else
-            REF="\${GITHUB_REF#refs/heads/env/}"
-            echo "alias=$(echo "$REF" | sed 's|[^a-z0-9-]|-|g')" >> "$GITHUB_OUTPUT"
-            echo "sha=\${{ github.sha }}" >> "$GITHUB_OUTPUT"
-          fi
-      - uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: \${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-          private-key: \${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-          owner: decocms
-          repositories: deco-start
-      - env:
-          GH_TOKEN: \${{ steps.app-token.outputs.token }}
-        run: |
-          gh workflow run preview.yml \\
-            --repo decocms/deco-start \\
-            --ref v3 \\
-            -f site_owner=\${GITHUB_REPOSITORY%%/*} \\
-            -f site_name=\${GITHUB_REPOSITORY##*/} \\
-            -f site_sha=\${{ steps.meta.outputs.sha }} \\
-            -f alias=\${{ steps.meta.outputs.alias }} \\
-            -f pr_number=\${{ github.event.pull_request.number || '' }}
-`;
-
-const REGEN_BLOCKS_YML = `name: Regenerate blocks.gen.json
-
-# Thin caller for decocms/deco-start's central regen-blocks workflow.
-# This one stays as workflow_call: it runs in the caller's runner context
-# (writes back to the storefront repo) and needs no Cloudflare credentials.
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - ".deco/blocks/**"
-
-permissions:
-  contents: write
-
-jobs:
-  regen:
-    uses: decocms/deco-start/.github/workflows/regen-blocks.yml@v3
-    secrets: inherit
-`;
-
-const SYNC_SECRETS_YML = `name: Sync worker secrets
-
-# Triggers decocms/deco-start's central sync-secrets workflow via App-token.
-# The actual SECRET_* values live in deco-start's '\${repo-basename}-secrets'
-# environment, NOT in this repo. See deco-start's deploy/README.md.
-
-on:
-  workflow_dispatch:
-    inputs:
-      mode:
-        description: "dry-run = print diff only | apply = set secrets on worker"
-        required: true
-        default: "dry-run"
-        type: choice
-        options: [dry-run, apply]
-
-permissions:
-  contents: read
-
-jobs:
-  trigger:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: \${{ secrets.DECOCMS_DEPLOYER_APP_ID }}
-          private-key: \${{ secrets.DECOCMS_DEPLOYER_APP_PRIVATE_KEY }}
-          owner: decocms
-          repositories: deco-start
-      - env:
-          GH_TOKEN: \${{ steps.app-token.outputs.token }}
-        run: |
-          gh workflow run sync-secrets.yml \\
-            --repo decocms/deco-start \\
-            --ref v3 \\
-            -f site_name=\${GITHUB_REPOSITORY##*/} \\
-            -f mode=\${{ inputs.mode }}
-`;
-
-export function generateGithubWorkflows(): Record<string, string> {
-  return {
-    ".github/workflows/deploy.yml": DEPLOY_YML,
-    ".github/workflows/preview.yml": PREVIEW_YML,
-    ".github/workflows/regen-blocks.yml": REGEN_BLOCKS_YML,
-    ".github/workflows/sync-secrets.yml": SYNC_SECRETS_YML,
-  };
-}