@kitsy/cnos-docs 1.6.0 → 1.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/docs/cli/build.mdx +1 -0
  2. package/docs/guides/ci-cd.mdx +18 -2
  3. package/docs/guides/containers-and-actions.mdx +136 -0
  4. package/docs/guides/generated-env-files.mdx +2 -0
  5. package/manifest.yml +2 -0
  6. package/package.json +1 -1
package/docs/cli/build.mdx CHANGED
@@ -13,6 +13,7 @@ cnos build browser --to .cnos-browser.json
13
13
  cnos build env --profile local --to .env.local
14
14
  cnos build env --profile stage --to .env.stage
15
15
  cnos build public --framework vite --to .env.production
16
+ cnos build env --profile local-domain --format docker-env --to .docker/runtime/current.env
16
17
  ```
17
18
 
18
19
  Targets:
package/docs/guides/ci-cd.mdx CHANGED
@@ -8,9 +8,10 @@ description: Use CNOS in build and deploy pipelines without committing generated
8
8
  Common patterns:
9
9
 
10
10
  ```bash
11
- cnos export env --profile stage --to .env.stage
12
- cnos export env --public --framework vite --profile stage --to .env.stage
11
+ cnos build env --profile stage --to .env.stage
12
+ cnos build public --framework vite --profile stage --to .env.stage
13
13
  cnos run --profile stage -- pnpm build
14
+ cnos build server --profile prod --to dist/.cnos-server.json
14
15
  ```
15
16
 
16
17
  For CI-backed vaults:
@@ -19,3 +20,18 @@ For CI-backed vaults:
19
20
  cnos vault create github-ci --provider github-secrets --no-passphrase
20
21
  cnos secret set app.token APP_TOKEN --vault github-ci
21
22
  ```
23
+
24
+ GitHub Actions example:
25
+
26
+ ```yaml
27
+ - name: Install deps
28
+ run: pnpm install --frozen-lockfile
29
+
30
+ - name: Build CNOS env
31
+ run: cnos build env --profile stage --to .env.stage
32
+
33
+ - name: Build app
34
+ run: pnpm build
35
+ ```
36
+
37
+ Use `cnos run` when you do not need an intermediate env file. Use `cnos build env` or `cnos build public` when the build tool or deploy step expects a file artifact.
package/docs/guides/containers-and-actions.mdx ADDED
@@ -0,0 +1,136 @@
1
+ ---
2
+ title: Containers, Kubernetes, and GitHub Actions
3
+ description: Use CNOS-generated artifacts in Docker, Docker Compose, Kubernetes, and GitHub Actions without making .env files the source of truth.
4
+ ---
5
+
6
+ # Containers, Kubernetes, and GitHub Actions
7
+
8
+ CNOS should stay the source of truth. Containers and pipelines should consume derived artifacts.
9
+
10
+ Use these patterns:
11
+
12
+ - `cnos build env` when the runtime expects flat env vars
13
+ - `cnos build server` when a server runtime should consume a CNOS projection artifact
14
+ - `cnos run` when a child process should get CNOS directly at launch time
15
+
16
+ ## Docker
17
+
18
+ Generate a Docker-friendly env file:
19
+
20
+ ```bash
21
+ cnos build env --profile local-domain --format docker-env --to .docker/runtime/current.env
22
+ ```
23
+
24
+ That file is a derived artifact. Keep it gitignored.
25
+
26
+ For a production-style local preview flow:
27
+
28
+ ```bash
29
+ pnpm build:local-domain:all
30
+ cnos build env --profile local-domain --format docker-env --to .docker/runtime/current.env
31
+ docker compose up --build
32
+ ```
33
+
34
+ Use this when:
35
+ - your image or emulator runtime expects env vars
36
+ - you want one fixed runtime env file per profile
37
+ - the build already consumed the same CNOS profile
38
+
39
+ ## Docker Compose
40
+
41
+ Recommended compose pattern:
42
+
43
+ ```yaml
44
+ services:
45
+ app:
46
+ env_file:
47
+ - ./.docker/runtime/current.env
48
+ ```
49
+
50
+ This keeps runtime env injection explicit and lets the same CNOS profile drive:
51
+ - the build step
52
+ - the container runtime
53
+ - local emulators
54
+
55
+ For browser builds behind nginx or another proxy:
56
+ - build the app first with `cnos run --profile <name> -- pnpm build`
57
+ - then feed compose/runtime with `cnos build env --format docker-env`
58
+
59
+ ## Kubernetes
60
+
61
+ Use CNOS to render the env payload before applying manifests:
62
+
63
+ ```bash
64
+ cnos build env --profile stage --format yaml --to k8s/generated/app-config.yaml
65
+ ```
66
+
67
+ Or generate a flat env file and convert it into a ConfigMap or Secret with your existing tooling:
68
+
69
+ ```bash
70
+ cnos build env --profile stage --format dotenv --to .artifacts/stage.env
71
+ kubectl create configmap app-config --from-env-file=.artifacts/stage.env --dry-run=client -o yaml
72
+ ```
73
+
74
+ Rules:
75
+ - do not make Kubernetes manifests the source of truth for application config
76
+ - do not embed decrypted CNOS secret values into build artifacts by default
77
+ - prefer runtime secret providers or platform-native secrets for secret plaintext
78
+
79
+ ## GitHub Actions
80
+
81
+ Two good patterns exist.
82
+
83
+ ### 1. Build with direct CNOS injection
84
+
85
+ ```yaml
86
+ - name: Install deps
87
+ run: pnpm install --frozen-lockfile
88
+
89
+ - name: Build with CNOS
90
+ run: cnos run --profile stage -- pnpm build
91
+ ```
92
+
93
+ ### 2. Materialize an env artifact first
94
+
95
+ ```yaml
96
+ - name: Build CNOS env file
97
+ run: cnos build env --profile stage --to .env.stage
98
+
99
+ - name: Build app
100
+ run: pnpm build
101
+ ```
102
+
103
+ For browser-only frameworks:
104
+
105
+ ```yaml
106
+ - name: Build public env for Vite
107
+ run: cnos build public --framework vite --profile stage --to .env.stage
108
+ ```
109
+
110
+ For Next:
111
+
112
+ ```yaml
113
+ - name: Build public env for Next
114
+ run: cnos build public --framework next --profile prod --to .env.production
115
+ ```
116
+
117
+ For server packaging:
118
+
119
+ ```yaml
120
+ - name: Build server projection
121
+ run: cnos build server --profile prod --to dist/.cnos-server.json
122
+ ```
123
+
124
+ ## Secret handling
125
+
126
+ Keep this split clear:
127
+
128
+ - non-secret config can become a build or runtime artifact
129
+ - decrypted secret plaintext should not become a build artifact by default
130
+
131
+ Use:
132
+ - CNOS vault refs
133
+ - platform env injection
134
+ - runtime secret hydration
135
+
136
+ Do not rely on generated env files for secret rotation-sensitive server secrets unless you deliberately accept that tradeoff.
package/docs/guides/generated-env-files.mdx CHANGED
@@ -15,6 +15,7 @@ Use generated env files as a **bridge**, not as the source of truth.
15
15
  cnos build env --profile local --to .env.local
16
16
  cnos build env --profile stage --to .env.stage
17
17
  cnos build env --profile prod --to .env.prod
18
+ cnos build env --profile local-domain --format docker-env --to .docker/runtime/current.env
18
19
  ```
19
20
 
20
21
  ## Watched dev loop
@@ -36,3 +37,4 @@ cnos build env --public --framework next --profile prod --to .env.production
36
37
  - keep generated `.env.*` files gitignored
37
38
  - migrate app code toward direct CNOS reads over time
38
39
  - keep secrets on runtime/vault flows instead of materializing them into env files by default
40
+ - use `docker-env` when Docker or Docker Compose expects a runtime env file
package/manifest.yml CHANGED
@@ -29,6 +29,8 @@ sidebar:
29
29
  label: SSR Projects
30
30
  - path: guides/ci-cd
31
31
  label: CI/CD Pipelines
32
+ - path: guides/containers-and-actions
33
+ label: Containers and Actions
32
34
  - path: guides/workspaces
33
35
  label: Workspaces and Monorepos
34
36
  - path: guides/profiles
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kitsy/cnos-docs",
3
- "version": "1.6.0",
3
+ "version": "1.6.1",
4
4
  "description": "Source-of-truth CNOS documentation content for Astro Starlight and other static docs consumers.",
5
5
  "type": "module",
6
6
  "exports": {