@invarn/cibuild 1.3.16 → 1.3.18

package/dist/src/commands/reset.js

@@ -0,0 +1,81 @@
+/**
+ * Reset command — removes all files and folders created by cibuild.
+ */
+import { existsSync, readFileSync, writeFileSync, rmSync } from 'node:fs';
+import { resolve } from 'node:path';
+import prompts from 'prompts';
+/** Paths that cibuild creates, relative to project root. */
+const CIBUILD_PATHS = [
+    '.ci',
+    '.cibuild-secrets.json',
+    '.ci-builds',
+    '.ci-cache',
+    'ci.config.json',
+];
+/** Lines that `ci init` appends to .gitignore. */
+const GITIGNORE_ENTRIES = [
+    '.cibuild-secrets.json',
+    '.ci/.envstore.json',
+    '.ci/keys/',
+];
+export async function handleResetCommand(options = {}) {
+    const cwd = process.cwd();
+    // Discover what actually exists
+    const existing = CIBUILD_PATHS
+        .map((p) => ({ rel: p, abs: resolve(cwd, p) }))
+        .filter(({ abs }) => existsSync(abs));
+    const gitignorePath = resolve(cwd, '.gitignore');
+    const hasGitignoreEntries = existsSync(gitignorePath) && hasAnyEntry(gitignorePath);
+    if (existing.length === 0 && !hasGitignoreEntries) {
+        console.log('Nothing to reset — no cibuild files found.');
+        return;
+    }
+    // Show what will be removed
+    console.log('\nThe following will be removed:\n');
+    for (const { rel } of existing) {
+        console.log(`  • ${rel}`);
+    }
+    if (hasGitignoreEntries) {
+        console.log('  • cibuild entries from .gitignore');
+    }
+    console.log('');
+    // Confirm unless --force
+    if (!options.force) {
+        const { confirmed } = await prompts({
+            type: 'confirm',
+            name: 'confirmed',
+            message: 'Are you sure? This cannot be undone.',
+            initial: false,
+        });
+        if (!confirmed) {
+            console.log('\n❌ Cancelled');
+            return;
+        }
+    }
+    // Remove paths
+    for (const { rel, abs } of existing) {
+        rmSync(abs, { recursive: true, force: true });
+        console.log(`  Removed ${rel}`);
+    }
+    // Clean .gitignore
+    if (hasGitignoreEntries) {
+        cleanGitignore(gitignorePath);
+        console.log('  Cleaned .gitignore');
+    }
+    console.log('\n✅ Reset complete\n');
+}
+function hasAnyEntry(gitignorePath) {
+    const content = readFileSync(gitignorePath, 'utf-8');
+    return GITIGNORE_ENTRIES.some((entry) => content.split('\n').includes(entry));
+}
+function cleanGitignore(gitignorePath) {
+    const lines = readFileSync(gitignorePath, 'utf-8').split('\n');
+    const filtered = lines.filter((line) => !GITIGNORE_ENTRIES.includes(line));
+    // Remove trailing blank lines left over from removal
+    while (filtered.length > 0 && filtered[filtered.length - 1] === '') {
+        filtered.pop();
+    }
+    const result = filtered.length > 0 ? filtered.join('\n') + '\n' : '';
+    writeFileSync(gitignorePath, result);
+}
+//# sourceMappingURL=reset.js.map

package/dist/src/commands/secrets-sync-workflow.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Sync local .cibuild-secrets.json keys into a GitHub Actions workflow YAML.
+ *
+ * Updates the job `env:` block so the encoded secret names match exactly
+ * what `ci secrets upload` pushes to the GitHub environment.
+ *
+ * Also regenerates the node -e script that reconstructs .cibuild-secrets.json
+ * from the encoded environment variables.
+ */
+export interface SyncWorkflowOptions {
+    workflowPath: string;
+    dryRun: boolean;
+}
+export declare function handleSecretsSyncWorkflowCommand(options: SyncWorkflowOptions): Promise<void>;
+//# sourceMappingURL=secrets-sync-workflow.d.ts.map

package/dist/src/commands/secrets-sync-workflow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-sync-workflow.d.ts","sourceRoot":"","sources":["../../../src/commands/secrets-sync-workflow.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,OAAO,CAAC;CACjB;AAyFD,wBAAsB,gCAAgC,CACpD,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,IAAI,CAAC,CAsNf"}

package/dist/src/commands/secrets-sync-workflow.js

@@ -0,0 +1,255 @@
+/**
+ * Sync local .cibuild-secrets.json keys into a GitHub Actions workflow YAML.
+ *
+ * Updates the job `env:` block so the encoded secret names match exactly
+ * what `ci secrets upload` pushes to the GitHub environment.
+ *
+ * Also regenerates the node -e script that reconstructs .cibuild-secrets.json
+ * from the encoded environment variables.
+ */
+import * as fs from 'fs';
+import { SecretsManager } from '../yaml/secrets-manager.js';
+import { encodeSecretName } from './secrets-upload.js';
+function collectEncodedSecrets(sm) {
+    const secrets = [];
+    // Global secrets
+    const globalSecrets = sm.getAll(); // no workflow → global only
+    for (const name of Object.keys(globalSecrets)) {
+        secrets.push({
+            encoded: encodeSecretName(name),
+            original: name,
+        });
+    }
+    // Workflow-specific secrets
+    const data = sm.data;
+    for (const [workflow, vars] of Object.entries(data.workflows)) {
+        for (const name of Object.keys(vars)) {
+            secrets.push({
+                encoded: encodeSecretName(name, workflow),
+                original: name,
+                workflow,
+            });
+        }
+    }
+    return secrets;
+}
+/**
+ * Build the node -e script that reconstructs .cibuild-secrets.json from env vars.
+ */
+function buildSecretsScript(secrets) {
+    // Group secrets by workflow
+    const global = [];
+    const byWorkflow = new Map();
+    for (const s of secrets) {
+        if (s.workflow) {
+            if (!byWorkflow.has(s.workflow))
+                byWorkflow.set(s.workflow, []);
+            byWorkflow.get(s.workflow).push(s);
+        }
+        else {
+            global.push(s);
+        }
+    }
+    // Build the JSON object literal
+    const globalEntries = global
+        .map((s) => `                  ...(process.env.${s.encoded} && { ${s.original}: process.env.${s.encoded} }),`)
+        .join('\n');
+    const workflowBlocks = [];
+    for (const [wf, wfSecrets] of byWorkflow) {
+        const entries = wfSecrets
+            .map((s) => `                    ...(process.env.${s.encoded} && { ${s.original}: process.env.${s.encoded} }),`)
+            .join('\n');
+        workflowBlocks.push(`                "${wf}": {\n${entries}\n                }`);
+    }
+    const workflowsObj = workflowBlocks.length > 0
+        ? `{\n${workflowBlocks.join(',\n')}\n              }`
+        : '{}';
+    const globalObj = globalEntries
+        ? `{\n${globalEntries}\n              }`
+        : '{}';
+    return [
+        `node -e '`,
+        `            const s = JSON.stringify({`,
+        `              global: ${globalObj},`,
+        `              workflows: ${workflowsObj}`,
+        `            }, null, 2);`,
+        `            require("fs").writeFileSync(process.argv[1], s);`,
+        `          ' "$SECRETS_TMP"`,
+    ].join('\n');
+}
+export async function handleSecretsSyncWorkflowCommand(options) {
+    const { workflowPath, dryRun } = options;
+    if (!fs.existsSync(workflowPath)) {
+        console.error(`Error: Workflow file not found: ${workflowPath}`);
+        process.exit(1);
+    }
+    const sm = new SecretsManager();
+    const allNames = sm.getAllSecretNames();
+    if (allNames.length === 0) {
+        console.error('Error: No secrets found. Use "ci secrets add" to add secrets first.');
+        process.exit(1);
+    }
+    const encodedSecrets = collectEncodedSecrets(sm);
+    if (encodedSecrets.length === 0) {
+        console.log('No secrets to sync (all values are empty).');
+        return;
+    }
+    const content = fs.readFileSync(workflowPath, 'utf-8');
+    const lines = content.split('\n');
+    // --- Update env: block ---
+    // Find the env: block under the first job
+    let envBlockStart = -1;
+    let envBlockIndent = 0;
+    for (let i = 0; i < lines.length; i++) {
+        const match = lines[i].match(/^(\s+)env:\s*$/);
+        if (match) {
+            envBlockStart = i;
+            envBlockIndent = match[1].length;
+            break;
+        }
+    }
+    if (envBlockStart === -1) {
+        // No env: block found — insert one before the first job's `steps:` line
+        for (let i = 0; i < lines.length; i++) {
+            const stepsMatch = lines[i].match(/^(\s+)steps:\s*$/);
+            if (stepsMatch) {
+                envBlockIndent = stepsMatch[1].length;
+                const pad = ' '.repeat(envBlockIndent);
+                const entryPad = ' '.repeat(envBlockIndent + 2);
+                const envLine = `${pad}env:`;
+                const secretLines = encodedSecrets.map((s) => `${entryPad}${s.encoded}: \${{ secrets.${s.encoded} }}`);
+                lines.splice(i, 0, envLine, ...secretLines);
+                break;
+            }
+        }
+        const newContent = lines.join('\n');
+        if (dryRun) {
+            console.log(`\nDry run — would add env: block with ${encodedSecrets.length} secret(s) to ${workflowPath}\n`);
+            console.log('Run without --dry-run to apply changes.');
+            return;
+        }
+        fs.writeFileSync(workflowPath, newContent, 'utf-8');
+        console.log(`\n✅ Added env: block with ${encodedSecrets.length} secret(s) to ${workflowPath}`);
+        return;
+    }
+    // Find the extent of the env block (lines with indentation > envBlockIndent)
+    const entryIndent = envBlockIndent + 2;
+    let envBlockEnd = envBlockStart + 1;
+    while (envBlockEnd < lines.length) {
+        const line = lines[envBlockEnd];
+        // Empty lines could be inside the block or trailing — peek ahead
+        if (line.trim() === '') {
+            // Check if there's a non-empty line after this that's still in the block
+            let nextNonEmpty = envBlockEnd + 1;
+            while (nextNonEmpty < lines.length && lines[nextNonEmpty].trim() === '') {
+                nextNonEmpty++;
+            }
+            if (nextNonEmpty < lines.length) {
+                const nextIndent = lines[nextNonEmpty].match(/^(\s*)/)?.[1].length ?? 0;
+                if (nextIndent > envBlockIndent) {
+                    // Still inside the block — include this blank line
+                    envBlockEnd++;
+                    continue;
+                }
+            }
+            // Trailing blank line(s) — don't consume them
+            break;
+        }
+        // Check indentation — if it's at or below the env: level, we're past the block
+        const lineIndent = line.match(/^(\s*)/)?.[1].length ?? 0;
+        if (lineIndent <= envBlockIndent)
+            break;
+        envBlockEnd++;
+    }
+    // Build set of original secret names to remove old non-encoded entries
+    const originalSecretNames = new Set(encodedSecrets.map((s) => s.original));
+    // Collect existing non-secret env entries (keep them, including blank lines)
+    const existingEntries = [];
+    for (let i = envBlockStart + 1; i < envBlockEnd; i++) {
+        const line = lines[i];
+        // Preserve blank lines between entries
+        if (line.trim() === '') {
+            existingEntries.push(line);
+            continue;
+        }
+        // Remove old CIBUILD_S__ / CIBUILD_SW__ entries (we'll regenerate them)
+        if (line.match(/^\s+CIBUILD_S(W)?__/))
+            continue;
+        // Remove old non-encoded entries that match a known secret name
+        const keyMatch = line.match(/^\s+(\w+):\s/);
+        if (keyMatch && originalSecretNames.has(keyMatch[1]))
+            continue;
+        existingEntries.push(line);
+    }
+    // Trim trailing blank lines from existing entries (we add a clean separator)
+    while (existingEntries.length > 0 && existingEntries[existingEntries.length - 1].trim() === '') {
+        existingEntries.pop();
+    }
+    // Build new secret entries
+    const pad = ' '.repeat(entryIndent);
+    const newSecretLines = encodedSecrets.map((s) => `${pad}${s.encoded}: \${{ secrets.${s.encoded} }}`);
+    // Reassemble
+    const newEnvBlock = [
+        lines[envBlockStart], // "    env:"
+        ...existingEntries,
+        ...newSecretLines,
+    ];
+    // --- Update node -e script ---
+    // Find the node -e block that builds .cibuild-secrets.json
+    let nodeScriptStart = -1;
+    let nodeScriptEnd = -1;
+    for (let i = 0; i < lines.length; i++) {
+        if (lines[i].match(/node\s+-e\s+'/)) {
+            nodeScriptStart = i;
+        }
+        if (nodeScriptStart !== -1 && nodeScriptEnd === -1 && lines[i].match(/'\s+"\$SECRETS_TMP"/)) {
+            nodeScriptEnd = i + 1;
+            break;
+        }
+    }
+    // Splice the file back together
+    const result = [];
+    for (let i = 0; i < lines.length; i++) {
+        if (i >= envBlockStart && i < envBlockEnd) {
+            if (i === envBlockStart) {
+                result.push(...newEnvBlock);
+            }
+            // skip old lines
+            continue;
+        }
+        if (nodeScriptStart !== -1 && i >= nodeScriptStart && i < nodeScriptEnd) {
+            if (i === nodeScriptStart) {
+                // Rebuild node script with encoded env var names
+                result.push(`${' '.repeat(10)}${buildSecretsScript(encodedSecrets)}`);
+            }
+            continue;
+        }
+        result.push(lines[i]);
+    }
+    const newContent = result.join('\n');
+    if (dryRun) {
+        console.log(`\nDry run — would sync ${encodedSecrets.length} secret(s) to ${workflowPath}:\n`);
+        for (const s of encodedSecrets) {
+            const label = s.workflow
+                ? `workflow:${s.workflow} → ${s.original}`
+                : `global → ${s.original}`;
+            console.log(`  ${label}  →  ${s.encoded}`);
+        }
+        console.log(`\nEnv block preview:\n`);
+        for (const line of newEnvBlock) {
+            console.log(line);
+        }
+        console.log('\nRun without --dry-run to apply changes.');
+        return;
+    }
+    fs.writeFileSync(workflowPath, newContent, 'utf-8');
+    console.log(`\n✅ Synced ${encodedSecrets.length} secret(s) to ${workflowPath}\n`);
+    for (const s of encodedSecrets) {
+        const label = s.workflow
+            ? `workflow:${s.workflow} → ${s.original}`
+            : `global → ${s.original}`;
+        console.log(`  ${label}  →  ${s.encoded}`);
+    }
+    console.log('');
+}
+//# sourceMappingURL=secrets-sync-workflow.js.map

package/dist/src/commands/secrets-upload.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Upload local .cibuild-secrets.json to GitHub Secrets (in a GitHub environment).
+ *
+ * Encoding scheme:
+ *   global secret "VAR"              → CIBUILD_S__VAR
+ *   workflow "my-wf" secret "VAR"    → CIBUILD_SW__MY_WF__VAR
+ *
+ * Uses `gh` CLI for all GitHub API interactions.
+ */
+export declare function encodeSecretName(varName: string, workflow?: string): string;
+export declare function decodeSecretName(encoded: string): {
+    varName: string;
+    workflow?: string;
+} | null;
+export interface SecretsUploadOptions {
+    envName: string;
+    repo?: string;
+    dryRun: boolean;
+}
+export declare function handleSecretsUploadCommand(options: SecretsUploadOptions): Promise<void>;
+//# sourceMappingURL=secrets-upload.d.ts.map

package/dist/src/commands/secrets-upload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-upload.d.ts","sourceRoot":"","sources":["../../../src/commands/secrets-upload.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAWH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,CAM3E;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAiB/F;AAwDD,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,wBAAsB,0BAA0B,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,CAqF7F"}

package/dist/src/commands/secrets-upload.js

@@ -0,0 +1,177 @@
+/**
+ * Upload local .cibuild-secrets.json to GitHub Secrets (in a GitHub environment).
+ *
+ * Encoding scheme:
+ *   global secret "VAR"              → CIBUILD_S__VAR
+ *   workflow "my-wf" secret "VAR"    → CIBUILD_SW__MY_WF__VAR
+ *
+ * Uses `gh` CLI for all GitHub API interactions.
+ */
+import { execSync } from 'child_process';
+import { existsSync } from 'fs';
+import { resolve } from 'path';
+import { SecretsManager } from '../yaml/secrets-manager.js';
+import { handleSecretsSyncWorkflowCommand } from './secrets-sync-workflow.js';
+const GLOBAL_PREFIX = 'CIBUILD_S__';
+const WORKFLOW_PREFIX = 'CIBUILD_SW__';
+export function encodeSecretName(varName, workflow) {
+    if (workflow) {
+        const encodedWorkflow = workflow.toUpperCase().replace(/-/g, '_');
+        return `${WORKFLOW_PREFIX}${encodedWorkflow}__${varName}`;
+    }
+    return `${GLOBAL_PREFIX}${varName}`;
+}
+export function decodeSecretName(encoded) {
+    if (encoded.startsWith(WORKFLOW_PREFIX)) {
+        const rest = encoded.slice(WORKFLOW_PREFIX.length);
+        const sepIdx = rest.indexOf('__');
+        if (sepIdx === -1)
+            return null;
+        const encodedWorkflow = rest.slice(0, sepIdx);
+        const varName = rest.slice(sepIdx + 2);
+        if (!varName)
+            return null;
+        const workflow = encodedWorkflow.toLowerCase().replace(/_/g, '-');
+        return { varName, workflow };
+    }
+    if (encoded.startsWith(GLOBAL_PREFIX)) {
+        const varName = encoded.slice(GLOBAL_PREFIX.length);
+        if (!varName)
+            return null;
+        return { varName };
+    }
+    return null;
+}
+function ensureGhCli() {
+    try {
+        execSync('gh --version', { stdio: 'pipe' });
+    }
+    catch {
+        console.error('Error: GitHub CLI (gh) is required.');
+        console.error('  macOS:  brew install gh');
+        console.error('  Other:  https://cli.github.com/');
+        process.exit(1);
+    }
+    try {
+        execSync('gh auth status', { stdio: 'pipe' });
+    }
+    catch {
+        console.error('Error: Not authenticated with GitHub CLI. Run "gh auth login" first.');
+        process.exit(1);
+    }
+}
+function getRepo(repoArg) {
+    if (repoArg)
+        return repoArg;
+    try {
+        const result = execSync('gh repo view --json nameWithOwner -q .nameWithOwner', {
+            stdio: ['pipe', 'pipe', 'pipe'],
+            encoding: 'utf-8',
+        });
+        return result.trim();
+    }
+    catch {
+        console.error('Error: Could not detect repository. Use --repo <owner/repo> or run from a git repo.');
+        process.exit(1);
+    }
+}
+function ensureEnvironment(repo, envName) {
+    try {
+        execSync(`gh api -X PUT repos/${repo}/environments/${envName}`, { stdio: 'pipe' });
+    }
+    catch (err) {
+        console.error(`Error: Could not create environment "${envName}". Check that you have admin access to ${repo}.`);
+        if (err instanceof Error)
+            console.error(err.message);
+        process.exit(1);
+    }
+}
+function uploadSecret(repo, envName, name, value) {
+    try {
+        execSync(`gh secret set ${name} --env ${envName} --repo ${repo}`, {
+            input: value,
+            stdio: ['pipe', 'pipe', 'pipe'],
+        });
+        return true;
+    }
+    catch (err) {
+        console.error(`  Failed to upload "${name}": ${err instanceof Error ? err.message : String(err)}`);
+        return false;
+    }
+}
+export async function handleSecretsUploadCommand(options) {
+    const { envName, dryRun } = options;
+    if (!dryRun) {
+        ensureGhCli();
+    }
+    const sm = new SecretsManager();
+    const allNames = sm.getAllSecretNames();
+    if (allNames.length === 0) {
+        console.error('Error: No secrets found. Use "ci secrets add" to add secrets first.');
+        process.exit(1);
+    }
+    // Build list of encoded secrets to upload
+    const toUpload = [];
+    // Global secrets
+    const globalSecrets = sm.getAll(); // no workflow → global only
+    for (const [name, value] of Object.entries(globalSecrets)) {
+        if (!value)
+            continue;
+        toUpload.push({
+            encoded: encodeSecretName(name),
+            value,
+            label: `global → ${name}`,
+        });
+    }
+    // Workflow-specific secrets (only those that differ from global)
+    const data = sm.data;
+    for (const [workflow, vars] of Object.entries(data.workflows)) {
+        if (workflow.includes('_')) {
+            console.warn(`  Warning: Workflow "${workflow}" contains underscores, which may cause ambiguity when decoding.`);
+        }
+        for (const [name, value] of Object.entries(vars)) {
+            if (!value)
+                continue;
+            toUpload.push({
+                encoded: encodeSecretName(name, workflow),
+                value,
+                label: `workflow:${workflow} → ${name}`,
+            });
+        }
+    }
+    if (toUpload.length === 0) {
+        console.log('No secrets to upload (all values are empty).');
+        return;
+    }
+    const repo = dryRun ? (options.repo || '<auto-detected>') : getRepo(options.repo);
+    if (dryRun) {
+        console.log(`\nDry run — would upload ${toUpload.length} secret(s) to environment "${envName}" in ${repo}:\n`);
+        for (const s of toUpload) {
+            console.log(`  ${s.label}  →  ${s.encoded}`);
+        }
+        console.log('\nRun without --dry-run to upload.');
+        return;
+    }
+    console.log(`\nUploading ${toUpload.length} secret(s) to environment "${envName}" in ${repo}...\n`);
+    ensureEnvironment(repo, envName);
+    let failed = 0;
+    for (const s of toUpload) {
+        process.stdout.write(`  ${s.label}  →  ${s.encoded} ... `);
+        if (uploadSecret(repo, envName, s.encoded, s.value)) {
+            console.log('✓');
+        }
+        else {
+            failed++;
+        }
+    }
+    console.log(`\nDone. ${toUpload.length - failed}/${toUpload.length} secrets uploaded.`);
+    if (failed > 0) {
+        process.exit(1);
+    }
+    // Auto-sync workflow if .github/workflows/ci.yml exists
+    const workflowPath = resolve(process.cwd(), '.github', 'workflows', 'ci.yml');
+    if (existsSync(workflowPath)) {
+        await handleSecretsSyncWorkflowCommand({ workflowPath, dryRun: false });
+    }
+}
+//# sourceMappingURL=secrets-upload.js.map

package/dist/src/commands/secrets-upload.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Tests for secrets-upload encode/decode and SecretsManager structured env var reading
+ */
+export {};
+//# sourceMappingURL=secrets-upload.test.d.ts.map

package/dist/src/commands/secrets-upload.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-upload.test.d.ts","sourceRoot":"","sources":["../../../src/commands/secrets-upload.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/src/commands/secrets-upload.test.js

@@ -0,0 +1,60 @@
+/**
+ * Tests for secrets-upload encode/decode and SecretsManager structured env var reading
+ */
+import { describe, test, expect } from '@jest/globals';
+import { encodeSecretName, decodeSecretName } from './secrets-upload.js';
+describe('secrets-upload encoding', () => {
+    describe('encodeSecretName', () => {
+        test('should encode global secret', () => {
+            expect(encodeSecretName('SLACK_WEBHOOK')).toBe('CIBUILD_S__SLACK_WEBHOOK');
+        });
+        test('should encode workflow secret', () => {
+            expect(encodeSecretName('KEYSTORE_PASS', 'release')).toBe('CIBUILD_SW__RELEASE__KEYSTORE_PASS');
+        });
+        test('should encode workflow with hyphens', () => {
+            expect(encodeSecretName('API_KEY', 'staging-java-17')).toBe('CIBUILD_SW__STAGING_JAVA_17__API_KEY');
+        });
+    });
+    describe('decodeSecretName', () => {
+        test('should decode global secret', () => {
+            const result = decodeSecretName('CIBUILD_S__SLACK_WEBHOOK');
+            expect(result).toEqual({ varName: 'SLACK_WEBHOOK' });
+        });
+        test('should decode workflow secret', () => {
+            const result = decodeSecretName('CIBUILD_SW__RELEASE__KEYSTORE_PASS');
+            expect(result).toEqual({ varName: 'KEYSTORE_PASS', workflow: 'release' });
+        });
+        test('should decode workflow with hyphens (converted from underscores)', () => {
+            const result = decodeSecretName('CIBUILD_SW__STAGING_JAVA_17__API_KEY');
+            expect(result).toEqual({ varName: 'API_KEY', workflow: 'staging-java-17' });
+        });
+        test('should return null for unrelated env var', () => {
+            expect(decodeSecretName('HOME')).toBeNull();
+            expect(decodeSecretName('PATH')).toBeNull();
+            expect(decodeSecretName('CIBUILD_GIT_BRANCH')).toBeNull();
+        });
+        test('should return null for malformed prefix-only keys', () => {
+            expect(decodeSecretName('CIBUILD_S__')).toBeNull();
+            expect(decodeSecretName('CIBUILD_SW__')).toBeNull();
+            expect(decodeSecretName('CIBUILD_SW__RELEASE')).toBeNull();
+        });
+    });
+    describe('roundtrip encode/decode', () => {
+        test('global secret roundtrips correctly', () => {
+            const encoded = encodeSecretName('MY_SECRET');
+            const decoded = decodeSecretName(encoded);
+            expect(decoded).toEqual({ varName: 'MY_SECRET' });
+        });
+        test('workflow secret roundtrips correctly', () => {
+            const encoded = encodeSecretName('MY_SECRET', 'my-workflow');
+            const decoded = decodeSecretName(encoded);
+            expect(decoded).toEqual({ varName: 'MY_SECRET', workflow: 'my-workflow' });
+        });
+        test('workflow with multiple hyphens roundtrips correctly', () => {
+            const encoded = encodeSecretName('DB_PASS', 'staging-java-17');
+            const decoded = decodeSecretName(encoded);
+            expect(decoded).toEqual({ varName: 'DB_PASS', workflow: 'staging-java-17' });
+        });
+    });
+});
+//# sourceMappingURL=secrets-upload.test.js.map

package/dist/src/config.d.ts

@@ -0,0 +1,3 @@
+import type { CIConfig } from "./types.js";
+export declare function loadConfig(configPath?: string): CIConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/src/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAmB3C,wBAAgB,UAAU,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,QAAQ,CA6BxD"}