@oisincoveney/pipeline 3.19.6 → 3.20.0

@@ -34,6 +34,7 @@ declare const submitRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
34
34
  }, z.core.$strict>>;
35
35
  name: z.ZodOptional<z.ZodString>;
36
36
  namespace: z.ZodString;
37
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
37
38
  payloadJson: z.ZodString;
38
39
  serviceAccountName: z.ZodOptional<z.ZodString>;
39
40
  scheduleYaml: z.ZodString;
@@ -68,6 +69,7 @@ declare const submitDynamicRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
68
69
  }, z.core.$strict>>;
69
70
  name: z.ZodOptional<z.ZodString>;
70
71
  namespace: z.ZodString;
72
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
71
73
  payloadJson: z.ZodString;
72
74
  serviceAccountName: z.ZodOptional<z.ZodString>;
73
75
  workflowId: z.ZodString;
@@ -48,6 +48,7 @@ const submitRunnerArgoWorkflowBaseOptionShape = {
48
48
  mcpGatewayAuth: mcpGatewayAuthOptionSchema.optional(),
49
49
  name: z.string().min(1).optional(),
50
50
  namespace: z.string().min(1),
51
+ npmRegistryAuthSecretName: z.string().min(1).optional(),
51
52
  payloadJson: z.string().min(1),
52
53
  serviceAccountName: z.string().min(1).optional()
53
54
  };
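Review bot: `npmRegistryAuthSecretName` is validated here only as `z.string().min(1)`, while `runnerArgoWorkflowBaseOptionsSchema` further down the page uses `kubernetesNameSchema.optional()` for the same value. A name from the CLI flag or global config that is not a valid Kubernetes object name is therefore accepted at submit time and, presumably, rejected only when the workflow is built. Reusing the stricter schema at this boundary, `npmRegistryAuthSecretName: kubernetesNameSchema.optional(),`, would fail earlier with a clearer error, provided that schema is importable here. The same applies to the additions in `mokaSubmitGlobalConfigSchema` and `mokaSubmitBaseOptionsSchema`. The object literal starts above the hunk.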
@@ -113,6 +114,7 @@ function submitRunnerArgoWorkflowEffect(rawOptions, dependencies) {
113
114
  labels,
114
115
  name: options.name,
115
116
  namespace: options.namespace,
117
+ npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
116
118
  payloadConfigMapName,
117
119
  plan: compiled.plan,
118
120
  scheduleConfigMapName: scheduleArtifactConfigMapName,
@@ -215,6 +217,7 @@ function submitDynamicRunnerArgoWorkflowEffect(rawOptions, dependencies) {
215
217
  labels,
216
218
  name: options.name,
217
219
  namespace: options.namespace,
220
+ npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
218
221
  payloadConfigMapName,
219
222
  serviceAccountName: options.serviceAccountName,
220
223
  workflowId: options.workflowId
@@ -12,8 +12,12 @@ function resolveOptionalSecretRef(flags, fromGlobalConfig) {
12
12
  };
13
13
  return fromGlobalConfig;
14
14
  }
15
+ function resolveOptionalSecretName(flags, fromGlobalConfig) {
16
+ if (flags.skip) return;
17
+ return flags.secretName ?? fromGlobalConfig;
18
+ }
15
19
  function addMokaSubmitOptions(command) {
16
- return addRunnerArgoOptions(command.option("--quick", "submit the compact graph").option("--command", "treat input after -- as explicit argv").option("--schedule <path>", "approved schedule YAML to submit").option("--event-url <url>", "runner event sink URL").option("--open-pr", "append an open-pull-request delivery node (preview-labelled PR)").option("--task <text>", "task description for command-mode metadata").option("--db-auth-secret-name <name>", "override momokaya.submit.dbAuth secret name").option("--db-auth-secret-key <key>", "override momokaya.submit.dbAuth secret key").option("--skip-db-auth", "omit MOKA_DB_URL injection regardless of global config").option("--mcp-gateway-auth-secret-name <name>", "override momokaya.submit.mcpGatewayAuth secret name").option("--mcp-gateway-auth-secret-key <key>", "override momokaya.submit.mcpGatewayAuth secret key").option("--skip-mcp-gateway-auth", "omit PIPELINE_MCP_GATEWAY_AUTHORIZATION injection regardless of global config"), { kubeconfig: true });
20
+ return addRunnerArgoOptions(command.option("--quick", "submit the compact graph").option("--command", "treat input after -- as explicit argv").option("--schedule <path>", "approved schedule YAML to submit").option("--event-url <url>", "runner event sink URL").option("--open-pr", "append an open-pull-request delivery node (preview-labelled PR)").option("--task <text>", "task description for command-mode metadata").option("--db-auth-secret-name <name>", "override momokaya.submit.dbAuth secret name").option("--db-auth-secret-key <key>", "override momokaya.submit.dbAuth secret key").option("--skip-db-auth", "omit MOKA_DB_URL injection regardless of global config").option("--mcp-gateway-auth-secret-name <name>", "override momokaya.submit.mcpGatewayAuth secret name").option("--mcp-gateway-auth-secret-key <key>", "override momokaya.submit.mcpGatewayAuth secret key").option("--skip-mcp-gateway-auth", "omit PIPELINE_MCP_GATEWAY_AUTHORIZATION injection regardless of global config").option("--npm-registry-auth-secret-name <name>", "override momokaya.submit.npmRegistryAuthSecretName").option("--skip-npm-registry-auth", "omit the /root/.npmrc mount regardless of global config"), { kubeconfig: true });
17
21
  }
18
22
  function runMokaSubmitFromCli(input, flags) {
19
23
  const cwd = process.env.PIPELINE_TARGET_PATH ?? process.cwd();
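Review bot: `resolveOptionalSecretName` has no comment stating its precedence, and when both `--skip-npm-registry-auth` and `--npm-registry-auth-secret-name` are passed the skip flag wins silently. I would document that above the function, e.g. `// skip wins over the flag and the global config; undefined means no Secret is mounted`. Consider rejecting the conflicting combination so an operator does not assume the named Secret was used. `runMokaSubmitFromCli` continues past the end of this hunk.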
@@ -68,6 +72,10 @@ function mokaCommonSubmitOptions(input) {
68
72
  kubeconfigPath: input.flags.kubeconfig ?? momokaya?.kubernetes.kubeconfig,
69
73
  name: input.flags.name,
70
74
  namespace: input.flags.namespace ?? momokaya?.kubernetes.namespace,
75
+ npmRegistryAuthSecretName: resolveOptionalSecretName({
76
+ secretName: input.flags.npmRegistryAuthSecretName,
77
+ skip: input.flags.skipNpmRegistryAuth
78
+ }, momokaya?.submit.npmRegistryAuthSecretName),
71
79
  serviceAccountName: input.flags.serviceAccount ?? momokaya?.submit.serviceAccountName,
72
80
  worktreePath: input.cwd
73
81
  };
@@ -33,6 +33,7 @@ declare const mokaGlobalConfigSchema: z.ZodObject<{
33
33
  gitCredentialsSecretName: z.ZodString;
34
34
  githubAuthSecretName: z.ZodString;
35
35
  imagePullSecretName: z.ZodString;
36
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
36
37
  serviceAccountName: z.ZodString;
37
38
  }, z.core.$strict>;
38
39
  }, z.core.$strict>;
@@ -26,6 +26,7 @@ const mokaSubmitGlobalConfigSchema = z.object({
26
26
  gitCredentialsSecretName: z.string().min(1),
27
27
  githubAuthSecretName: z.string().min(1),
28
28
  imagePullSecretName: z.string().min(1),
29
+ npmRegistryAuthSecretName: z.string().min(1).optional(),
29
30
  serviceAccountName: z.string().min(1)
30
31
  }).strict();
31
32
  const mokaKubernetesGlobalConfigSchema = z.object({
@@ -201,6 +201,7 @@ declare const mokaSubmitBaseOptionsSchema: z.ZodObject<{
201
201
  kubeconfigPath: z.ZodOptional<z.ZodString>;
202
202
  name: z.ZodOptional<z.ZodString>;
203
203
  namespace: z.ZodOptional<z.ZodString>;
204
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
204
205
  repository: z.ZodOptional<z.ZodObject<{
205
206
  baseBranch: z.ZodString;
206
207
  headBranch: z.ZodOptional<z.ZodString>;
@@ -315,6 +316,7 @@ declare const mokaGraphSubmitOptionsSchema: z.ZodObject<{
315
316
  kubeconfigPath: z.ZodOptional<z.ZodString>;
316
317
  name: z.ZodOptional<z.ZodString>;
317
318
  namespace: z.ZodOptional<z.ZodString>;
319
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
318
320
  repository: z.ZodOptional<z.ZodObject<{
319
321
  baseBranch: z.ZodString;
320
322
  headBranch: z.ZodOptional<z.ZodString>;
@@ -446,6 +448,7 @@ declare const mokaCommandSubmitOptionsSchema: z.ZodObject<{
446
448
  kubeconfigPath: z.ZodOptional<z.ZodString>;
447
449
  name: z.ZodOptional<z.ZodString>;
448
450
  namespace: z.ZodOptional<z.ZodString>;
451
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
449
452
  repository: z.ZodOptional<z.ZodObject<{
450
453
  baseBranch: z.ZodString;
451
454
  headBranch: z.ZodOptional<z.ZodString>;
@@ -572,6 +575,7 @@ declare const mokaSubmitOptionsSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
572
575
  kubeconfigPath: z.ZodOptional<z.ZodString>;
573
576
  name: z.ZodOptional<z.ZodString>;
574
577
  namespace: z.ZodOptional<z.ZodString>;
578
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
575
579
  repository: z.ZodOptional<z.ZodObject<{
576
580
  baseBranch: z.ZodString;
577
581
  headBranch: z.ZodOptional<z.ZodString>;
@@ -702,6 +706,7 @@ declare const mokaSubmitOptionsSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
702
706
  kubeconfigPath: z.ZodOptional<z.ZodString>;
703
707
  name: z.ZodOptional<z.ZodString>;
704
708
  namespace: z.ZodOptional<z.ZodString>;
709
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
705
710
  repository: z.ZodOptional<z.ZodObject<{
706
711
  baseBranch: z.ZodString;
707
712
  headBranch: z.ZodOptional<z.ZodString>;
@@ -70,6 +70,7 @@ const mokaSubmitBaseOptionsSchema = z.object({
70
70
  kubeconfigPath: z.string().min(1).optional(),
71
71
  name: z.string().min(1).optional(),
72
72
  namespace: z.string().min(1).optional(),
73
+ npmRegistryAuthSecretName: z.string().min(1).optional(),
73
74
  repository: runnerRepositoryContextSchema.optional(),
74
75
  run: runnerRunIdentitySchema.optional(),
75
76
  serviceAccountName: z.string().min(1).optional()
@@ -32,6 +32,7 @@ declare const buildRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
32
32
  }, z.core.$strict>>;
33
33
  name: z.ZodOptional<z.ZodString>;
34
34
  namespace: z.ZodString;
35
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
35
36
  payloadConfigMapKey: z.ZodDefault<z.ZodString>;
36
37
  payloadConfigMapName: z.ZodString;
37
38
  resources: z.ZodOptional<z.ZodObject<{
@@ -79,6 +80,7 @@ declare const buildDynamicRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
79
80
  }, z.core.$strict>>;
80
81
  name: z.ZodOptional<z.ZodString>;
81
82
  namespace: z.ZodString;
83
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
82
84
  payloadConfigMapKey: z.ZodDefault<z.ZodString>;
83
85
  payloadConfigMapName: z.ZodString;
84
86
  resources: z.ZodOptional<z.ZodObject<{
@@ -198,6 +198,7 @@ const runnerArgoWorkflowBaseOptionsSchema = z.object({
198
198
  mcpGatewayAuth: mcpGatewayAuthOptionSchema.optional(),
199
199
  name: z.string().min(1).optional(),
200
200
  namespace: kubernetesNameSchema,
201
+ npmRegistryAuthSecretName: kubernetesNameSchema.optional(),
201
202
  payloadConfigMapKey: z.string().min(1).default("payload.json"),
202
203
  payloadConfigMapName: kubernetesNameSchema,
203
204
  resources: argoWorkflowResourceRequirementsSchema.optional(),
@@ -32,9 +32,7 @@ function runnerWorkflowStorage(options, tasks) {
32
32
  readOnly: true,
33
33
  subPath: "schedule.yaml"
34
34
  }];
35
- appendEventAuthStorage(options, volumes, volumeMounts);
36
- appendGitCredentialsStorage(options, volumes, volumeMounts);
37
- appendGithubAuthStorage(options, volumes, volumeMounts);
35
+ appendSharedSecretStorage(options, volumes, volumeMounts);
38
36
  return {
39
37
  volumeMounts: z.array(argoWorkflowVolumeMountSchema).parse(volumeMounts),
40
38
  volumes: z.array(argoWorkflowVolumeSchema).parse(volumes)
@@ -43,14 +41,18 @@ function runnerWorkflowStorage(options, tasks) {
43
41
  function dynamicRunnerWorkflowStorage(options) {
44
42
  const volumes = [runnerPayloadVolume(options)];
45
43
  const volumeMounts = [runnerPayloadVolumeMount()];
46
- appendEventAuthStorage(options, volumes, volumeMounts);
47
- appendGitCredentialsStorage(options, volumes, volumeMounts);
48
- appendGithubAuthStorage(options, volumes, volumeMounts);
44
+ appendSharedSecretStorage(options, volumes, volumeMounts);
49
45
  return {
50
46
  volumeMounts: z.array(argoWorkflowVolumeMountSchema).parse(volumeMounts),
51
47
  volumes: z.array(argoWorkflowVolumeSchema).parse(volumes)
52
48
  };
53
49
  }
50
+ function appendSharedSecretStorage(options, volumes, volumeMounts) {
51
+ appendEventAuthStorage(options, volumes, volumeMounts);
52
+ appendGitCredentialsStorage(options, volumes, volumeMounts);
53
+ appendGithubAuthStorage(options, volumes, volumeMounts);
54
+ appendNpmRegistryAuthStorage(options, volumes, volumeMounts);
55
+ }
54
56
  function runnerPayloadVolume(options) {
55
57
  return {
56
58
  configMap: {
@@ -123,5 +125,24 @@ function appendGithubAuthStorage(options, volumes, volumeMounts) {
123
125
  subPath: "hosts.yml"
124
126
  });
125
127
  }
128
+ function appendNpmRegistryAuthStorage(options, volumes, volumeMounts) {
129
+ if (!options.npmRegistryAuthSecretName) return;
130
+ volumes.push({
131
+ name: "npm-registry-auth",
132
+ secret: {
133
+ items: [{
134
+ key: "npmrc",
135
+ path: "npmrc"
136
+ }],
137
+ secretName: options.npmRegistryAuthSecretName
138
+ }
139
+ });
140
+ volumeMounts.push({
141
+ mountPath: "/root/.npmrc",
142
+ name: "npm-registry-auth",
143
+ readOnly: true,
144
+ subPath: "npmrc"
145
+ });
146
+ }
126
147
  //#endregion
127
148
  export { dynamicRunnerWorkflowStorage, runnerWorkflowStorage };
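Review bot: In `appendNpmRegistryAuthStorage` the Secret is projected without `defaultMode` (or a per-item `mode`), so Kubernetes applies its default of 0644 and the registry token in `/root/.npmrc` is readable by every process in the container, including package install lifecycle scripts. Since the helper is called from `appendSharedSecretStorage`, the mount appears to be attached wherever the other shared secrets are, not only to the bootstrap install step. If that is intended, a comment like `// registry token is visible to all runner processes; provision a read-only, scope-limited token` would record the assumption. If `argoWorkflowVolumeSchema` accepts it, adding `defaultMode: 0o400` to the `secret` block narrows file access for non-root processes. The `subPath` mount also means a rotated Secret is not reflected in an already-running pod.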
@@ -26,6 +26,7 @@ interface MokaWorkflowSubmitOptions {
26
26
  };
27
27
  name?: string;
28
28
  namespace: string;
29
+ npmRegistryAuthSecretName?: string;
29
30
  payloadJson: string;
30
31
  scheduleYaml?: string;
31
32
  serviceAccountName?: string;
@@ -54,6 +54,7 @@ function workflowSubmitOptions(options) {
54
54
  kubeconfigPath: options.kubeconfigPath,
55
55
  name: options.name,
56
56
  namespace: requireSubmitOption(options.namespace, "namespace"),
57
+ npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
57
58
  serviceAccountName: options.serviceAccountName
58
59
  };
59
60
  }
@@ -236,6 +236,7 @@ momokaya:
236
236
  gitCredentialsSecretName: <git-credentials-secret-name>
237
237
  githubAuthSecretName: <github-auth-secret-name>
238
238
  imagePullSecretName: <image-pull-secret-name>
239
+ npmRegistryAuthSecretName: <npm-registry-auth-secret-name> # optional
239
240
  brokerAuth:
240
241
  secretName: <broker-api-key-secret-name>
241
242
  secretKey: api-key
@@ -334,6 +335,12 @@ Expected namespace resources:
334
335
  - The GitHub CLI auth Secret named by `submit.githubAuthSecretName` with key
335
336
  `hosts.yml`; this Secret is for `gh` and pull request delivery, not git
336
337
  clone/fetch/push authentication
338
+ - Optional: the private-registry auth Secret named by
339
+ `submit.npmRegistryAuthSecretName` with key `npmrc`, mounted at
340
+ `/root/.npmrc`; lets `.moka/bootstrap.sh`'s dependency install step (e.g.
341
+ `nub ci`) authenticate to private-scoped package registries, e.g. GitHub
342
+ Packages. Absent by default — bootstrap then only has public-registry
343
+ access, matching current behavior
337
344
  - A pipeline-console event sink reachable from the pod
338
345
 
339
346
  Credential issuance and rotation are owned by the cluster/infra layer, not by
package/package.json CHANGED
@@ -130,6 +130,7 @@
130
130
  "test:image": "mkdir -p /tmp/pipeline-test && printf '{}' > /tmp/pipeline-test/payload.json && printf 'kind: pipeline-schedule\\nversion: 1\\nschedule_id: smoke\\ngenerated_at: 2026-06-10T00:00:00.000Z\\nsource_entrypoint: custom\\ntask: smoke\\nroot_workflow: root\\nworkflows:\\n root:\\n nodes:\\n - id: smoke\\n kind: command\\n command: [true]\\n' > /tmp/pipeline-test/schedule.yaml && printf '{\"nodeId\":\"smoke\"}' > /tmp/pipeline-test/task.json && printf 'test-token' > /tmp/pipeline-test/event-token && docker build -t pipeline-runner:test . && docker run --rm -v /tmp/pipeline-test/payload.json:/etc/pipeline/payload.json:ro -v /tmp/pipeline-test/schedule.yaml:/etc/pipeline/schedule.yaml:ro -v /tmp/pipeline-test/task.json:/etc/pipeline/task.json:ro -v /tmp/pipeline-test/event-token:/etc/pipeline/event-auth/token:ro pipeline-runner:test runner-command --payload-file /etc/pipeline/payload.json --schedule-file /etc/pipeline/schedule.yaml; test $? -eq 64",
131
131
  "test:dogfood": "vitest run tests/dogfood-installed.test.ts",
132
132
  "test:live-runners": "PIPELINE_LIVE_RUNNERS=1 vitest run tests/dogfood-live-runners.test.ts",
133
+ "local-orbstack:migrate": "nub scripts/local-orbstack/migrate-postgres.ts",
133
134
  "typecheck": "tsc --noEmit",
134
135
  "build": "nub run build:cli",
135
136
  "check": "ultracite check",
@@ -137,7 +138,7 @@
137
138
  "prepack": "nub run build:cli"
138
139
  },
139
140
  "type": "module",
140
- "version": "3.19.6",
141
+ "version": "3.20.0",
141
142
  "description": "Config-driven multi-agent pipeline runner for repository work",
142
143
  "main": "./dist/index.js",
143
144
  "types": "./dist/index.d.ts",