@oisincoveney/pipeline 3.19.6 → 3.20.0
- package/dist/argo-submit.d.ts +2 -0
- package/dist/argo-submit.js +3 -0
- package/dist/cli/submit-options.js +9 -1
- package/dist/moka-global-config.d.ts +1 -0
- package/dist/moka-global-config.js +1 -0
- package/dist/moka-submit.d.ts +5 -0
- package/dist/moka-submit.js +1 -0
- package/dist/remote/argo/model.d.ts +2 -0
- package/dist/remote/argo/model.js +1 -0
- package/dist/remote/argo/storage.js +27 -6
- package/dist/remote/submit/argo-submission.d.ts +1 -0
- package/dist/remote/submit/argo-submission.js +1 -0
- package/docs/operator-guide.md +7 -0
- package/package.json +2 -1
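--- a/package/dist/argo-submit.d.ts
+++ b/package/dist/argo-submit.d.ts
@@ -34,6 +34,7 @@ declare const submitRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
 }, z.core.$strict>>;
 name: z.ZodOptional<z.ZodString>;
 namespace: z.ZodString;
+npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
 payloadJson: z.ZodString;
 serviceAccountName: z.ZodOptional<z.ZodString>;
 scheduleYaml: z.ZodString;
@@ -68,6 +69,7 @@ declare const submitDynamicRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
 }, z.core.$strict>>;
 name: z.ZodOptional<z.ZodString>;
 namespace: z.ZodString;
+npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
 payloadJson: z.ZodString;
 serviceAccountName: z.ZodOptional<z.ZodString>;
 workflowId: z.ZodString;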
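--- a/package/dist/argo-submit.js
+++ b/package/dist/argo-submit.js
@@ -48,6 +48,7 @@ const submitRunnerArgoWorkflowBaseOptionShape = {
 mcpGatewayAuth: mcpGatewayAuthOptionSchema.optional(),
 name: z.string().min(1).optional(),
 namespace: z.string().min(1),
+npmRegistryAuthSecretName: z.string().min(1).optional(),
 payloadJson: z.string().min(1),
 serviceAccountName: z.string().min(1).optional()
 };
@@ -113,6 +114,7 @@ function submitRunnerArgoWorkflowEffect(rawOptions, dependencies) {
 labels,
 name: options.name,
 namespace: options.namespace,
+npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
 payloadConfigMapName,
 plan: compiled.plan,
 scheduleConfigMapName: scheduleArtifactConfigMapName,
@@ -215,6 +217,7 @@ function submitDynamicRunnerArgoWorkflowEffect(rawOptions, dependencies) {
 labels,
 name: options.name,
 namespace: options.namespace,
+npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
 payloadConfigMapName,
 serviceAccountName: options.serviceAccountName,
 workflowId: options.workflowId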
|
@@ -12,8 +12,12 @@ function resolveOptionalSecretRef(flags, fromGlobalConfig) {
|
|
|
12
12
|
};
|
|
13
13
|
return fromGlobalConfig;
|
|
14
14
|
}
|
|
15
|
+
function resolveOptionalSecretName(flags, fromGlobalConfig) {
|
|
16
|
+
if (flags.skip) return;
|
|
17
|
+
return flags.secretName ?? fromGlobalConfig;
|
|
18
|
+
}
|
|
15
19
|
function addMokaSubmitOptions(command) {
|
|
16
|
-
return addRunnerArgoOptions(command.option("--quick", "submit the compact graph").option("--command", "treat input after -- as explicit argv").option("--schedule <path>", "approved schedule YAML to submit").option("--event-url <url>", "runner event sink URL").option("--open-pr", "append an open-pull-request delivery node (preview-labelled PR)").option("--task <text>", "task description for command-mode metadata").option("--db-auth-secret-name <name>", "override momokaya.submit.dbAuth secret name").option("--db-auth-secret-key <key>", "override momokaya.submit.dbAuth secret key").option("--skip-db-auth", "omit MOKA_DB_URL injection regardless of global config").option("--mcp-gateway-auth-secret-name <name>", "override momokaya.submit.mcpGatewayAuth secret name").option("--mcp-gateway-auth-secret-key <key>", "override momokaya.submit.mcpGatewayAuth secret key").option("--skip-mcp-gateway-auth", "omit PIPELINE_MCP_GATEWAY_AUTHORIZATION injection regardless of global config"), { kubeconfig: true });
|
|
20
|
+
return addRunnerArgoOptions(command.option("--quick", "submit the compact graph").option("--command", "treat input after -- as explicit argv").option("--schedule <path>", "approved schedule YAML to submit").option("--event-url <url>", "runner event sink URL").option("--open-pr", "append an open-pull-request delivery node (preview-labelled PR)").option("--task <text>", "task description for command-mode metadata").option("--db-auth-secret-name <name>", "override momokaya.submit.dbAuth secret name").option("--db-auth-secret-key <key>", "override momokaya.submit.dbAuth secret key").option("--skip-db-auth", "omit MOKA_DB_URL injection regardless of global config").option("--mcp-gateway-auth-secret-name <name>", "override momokaya.submit.mcpGatewayAuth secret name").option("--mcp-gateway-auth-secret-key <key>", "override momokaya.submit.mcpGatewayAuth secret key").option("--skip-mcp-gateway-auth", "omit PIPELINE_MCP_GATEWAY_AUTHORIZATION injection regardless of global config").option("--npm-registry-auth-secret-name <name>", "override momokaya.submit.npmRegistryAuthSecretName").option("--skip-npm-registry-auth", "omit the /root/.npmrc mount regardless of global config"), { kubeconfig: true });
|
|
17
21
|
}
|
|
18
22
|
function runMokaSubmitFromCli(input, flags) {
|
|
19
23
|
const cwd = process.env.PIPELINE_TARGET_PATH ?? process.cwd();
|
|
@@ -68,6 +72,10 @@ function mokaCommonSubmitOptions(input) {
|
|
|
68
72
|
kubeconfigPath: input.flags.kubeconfig ?? momokaya?.kubernetes.kubeconfig,
|
|
69
73
|
name: input.flags.name,
|
|
70
74
|
namespace: input.flags.namespace ?? momokaya?.kubernetes.namespace,
|
|
75
|
+
npmRegistryAuthSecretName: resolveOptionalSecretName({
|
|
76
|
+
secretName: input.flags.npmRegistryAuthSecretName,
|
|
77
|
+
skip: input.flags.skipNpmRegistryAuth
|
|
78
|
+
}, momokaya?.submit.npmRegistryAuthSecretName),
|
|
71
79
|
serviceAccountName: input.flags.serviceAccount ?? momokaya?.submit.serviceAccountName,
|
|
72
80
|
worktreePath: input.cwd
|
|
73
81
|
};
|
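Review bot: `resolveOptionalSecretName` lets `--skip-npm-registry-auth` silently override an explicit `--npm-registry-auth-secret-name` when both are passed, because `if (flags.skip) return;` runs before the name is read. That fails closed (no credential is mounted), but the operator gets no signal that a flag was ignored; either reject the combination or state the precedence in a comment such as `// skip wins over both the flag and the global-config secret name`. The helper also has no doc comment saying that an `undefined` result means the `/root/.npmrc` mount is omitted.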
|
@@ -33,6 +33,7 @@ declare const mokaGlobalConfigSchema: z.ZodObject<{
|
|
|
33
33
|
gitCredentialsSecretName: z.ZodString;
|
|
34
34
|
githubAuthSecretName: z.ZodString;
|
|
35
35
|
imagePullSecretName: z.ZodString;
|
|
36
|
+
npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
|
|
36
37
|
serviceAccountName: z.ZodString;
|
|
37
38
|
}, z.core.$strict>;
|
|
38
39
|
}, z.core.$strict>;
|
|
@@ -26,6 +26,7 @@ const mokaSubmitGlobalConfigSchema = z.object({
|
|
|
26
26
|
gitCredentialsSecretName: z.string().min(1),
|
|
27
27
|
githubAuthSecretName: z.string().min(1),
|
|
28
28
|
imagePullSecretName: z.string().min(1),
|
|
29
|
+
npmRegistryAuthSecretName: z.string().min(1).optional(),
|
|
29
30
|
serviceAccountName: z.string().min(1)
|
|
30
31
|
}).strict();
|
|
31
32
|
const mokaKubernetesGlobalConfigSchema = z.object({
|
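--- a/package/dist/moka-submit.d.ts
+++ b/package/dist/moka-submit.d.ts
@@ -201,6 +201,7 @@ declare const mokaSubmitBaseOptionsSchema: z.ZodObject<{
 kubeconfigPath: z.ZodOptional<z.ZodString>;
 name: z.ZodOptional<z.ZodString>;
 namespace: z.ZodOptional<z.ZodString>;
+npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
 repository: z.ZodOptional<z.ZodObject<{
 baseBranch: z.ZodString;
 headBranch: z.ZodOptional<z.ZodString>;
@@ -315,6 +316,7 @@ declare const mokaGraphSubmitOptionsSchema: z.ZodObject<{
 kubeconfigPath: z.ZodOptional<z.ZodString>;
 name: z.ZodOptional<z.ZodString>;
 namespace: z.ZodOptional<z.ZodString>;
+npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
 repository: z.ZodOptional<z.ZodObject<{
 baseBranch: z.ZodString;
 headBranch: z.ZodOptional<z.ZodString>;
@@ -446,6 +448,7 @@ declare const mokaCommandSubmitOptionsSchema: z.ZodObject<{
 kubeconfigPath: z.ZodOptional<z.ZodString>;
 name: z.ZodOptional<z.ZodString>;
 namespace: z.ZodOptional<z.ZodString>;
+npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
 repository: z.ZodOptional<z.ZodObject<{
 baseBranch: z.ZodString;
 headBranch: z.ZodOptional<z.ZodString>;
@@ -572,6 +575,7 @@ declare const mokaSubmitOptionsSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
 kubeconfigPath: z.ZodOptional<z.ZodString>;
 name: z.ZodOptional<z.ZodString>;
 namespace: z.ZodOptional<z.ZodString>;
+npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
 repository: z.ZodOptional<z.ZodObject<{
 baseBranch: z.ZodString;
 headBranch: z.ZodOptional<z.ZodString>;
@@ -702,6 +706,7 @@ declare const mokaSubmitOptionsSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
 kubeconfigPath: z.ZodOptional<z.ZodString>;
 name: z.ZodOptional<z.ZodString>;
 namespace: z.ZodOptional<z.ZodString>;
+npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
 repository: z.ZodOptional<z.ZodObject<{
 baseBranch: z.ZodString;
 headBranch: z.ZodOptional<z.ZodString>;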
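--- a/package/dist/moka-submit.js
+++ b/package/dist/moka-submit.js
@@ -70,6 +70,7 @@ const mokaSubmitBaseOptionsSchema = z.object({
 kubeconfigPath: z.string().min(1).optional(),
 name: z.string().min(1).optional(),
 namespace: z.string().min(1).optional(),
+npmRegistryAuthSecretName: z.string().min(1).optional(),
 repository: runnerRepositoryContextSchema.optional(),
 run: runnerRunIdentitySchema.optional(),
 serviceAccountName: z.string().min(1).optional()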
|
@@ -32,6 +32,7 @@ declare const buildRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
|
|
|
32
32
|
}, z.core.$strict>>;
|
|
33
33
|
name: z.ZodOptional<z.ZodString>;
|
|
34
34
|
namespace: z.ZodString;
|
|
35
|
+
npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
|
|
35
36
|
payloadConfigMapKey: z.ZodDefault<z.ZodString>;
|
|
36
37
|
payloadConfigMapName: z.ZodString;
|
|
37
38
|
resources: z.ZodOptional<z.ZodObject<{
|
|
@@ -79,6 +80,7 @@ declare const buildDynamicRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
|
|
|
79
80
|
}, z.core.$strict>>;
|
|
80
81
|
name: z.ZodOptional<z.ZodString>;
|
|
81
82
|
namespace: z.ZodString;
|
|
83
|
+
npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
|
|
82
84
|
payloadConfigMapKey: z.ZodDefault<z.ZodString>;
|
|
83
85
|
payloadConfigMapName: z.ZodString;
|
|
84
86
|
resources: z.ZodOptional<z.ZodObject<{
|
|
@@ -198,6 +198,7 @@ const runnerArgoWorkflowBaseOptionsSchema = z.object({
|
|
|
198
198
|
mcpGatewayAuth: mcpGatewayAuthOptionSchema.optional(),
|
|
199
199
|
name: z.string().min(1).optional(),
|
|
200
200
|
namespace: kubernetesNameSchema,
|
|
201
|
+
npmRegistryAuthSecretName: kubernetesNameSchema.optional(),
|
|
201
202
|
payloadConfigMapKey: z.string().min(1).default("payload.json"),
|
|
202
203
|
payloadConfigMapName: kubernetesNameSchema,
|
|
203
204
|
resources: argoWorkflowResourceRequirementsSchema.optional(),
|
|
@@ -32,9 +32,7 @@ function runnerWorkflowStorage(options, tasks) {
|
|
|
32
32
|
readOnly: true,
|
|
33
33
|
subPath: "schedule.yaml"
|
|
34
34
|
}];
|
|
35
|
-
|
|
36
|
-
appendGitCredentialsStorage(options, volumes, volumeMounts);
|
|
37
|
-
appendGithubAuthStorage(options, volumes, volumeMounts);
|
|
35
|
+
appendSharedSecretStorage(options, volumes, volumeMounts);
|
|
38
36
|
return {
|
|
39
37
|
volumeMounts: z.array(argoWorkflowVolumeMountSchema).parse(volumeMounts),
|
|
40
38
|
volumes: z.array(argoWorkflowVolumeSchema).parse(volumes)
|
|
@@ -43,14 +41,18 @@ function runnerWorkflowStorage(options, tasks) {
|
|
|
43
41
|
function dynamicRunnerWorkflowStorage(options) {
|
|
44
42
|
const volumes = [runnerPayloadVolume(options)];
|
|
45
43
|
const volumeMounts = [runnerPayloadVolumeMount()];
|
|
46
|
-
|
|
47
|
-
appendGitCredentialsStorage(options, volumes, volumeMounts);
|
|
48
|
-
appendGithubAuthStorage(options, volumes, volumeMounts);
|
|
44
|
+
appendSharedSecretStorage(options, volumes, volumeMounts);
|
|
49
45
|
return {
|
|
50
46
|
volumeMounts: z.array(argoWorkflowVolumeMountSchema).parse(volumeMounts),
|
|
51
47
|
volumes: z.array(argoWorkflowVolumeSchema).parse(volumes)
|
|
52
48
|
};
|
|
53
49
|
}
|
|
50
|
+
function appendSharedSecretStorage(options, volumes, volumeMounts) {
|
|
51
|
+
appendEventAuthStorage(options, volumes, volumeMounts);
|
|
52
|
+
appendGitCredentialsStorage(options, volumes, volumeMounts);
|
|
53
|
+
appendGithubAuthStorage(options, volumes, volumeMounts);
|
|
54
|
+
appendNpmRegistryAuthStorage(options, volumes, volumeMounts);
|
|
55
|
+
}
|
|
54
56
|
function runnerPayloadVolume(options) {
|
|
55
57
|
return {
|
|
56
58
|
configMap: {
|
|
@@ -123,5 +125,24 @@ function appendGithubAuthStorage(options, volumes, volumeMounts) {
|
|
|
123
125
|
subPath: "hosts.yml"
|
|
124
126
|
});
|
|
125
127
|
}
|
|
128
|
+
function appendNpmRegistryAuthStorage(options, volumes, volumeMounts) {
|
|
129
|
+
if (!options.npmRegistryAuthSecretName) return;
|
|
130
|
+
volumes.push({
|
|
131
|
+
name: "npm-registry-auth",
|
|
132
|
+
secret: {
|
|
133
|
+
items: [{
|
|
134
|
+
key: "npmrc",
|
|
135
|
+
path: "npmrc"
|
|
136
|
+
}],
|
|
137
|
+
secretName: options.npmRegistryAuthSecretName
|
|
138
|
+
}
|
|
139
|
+
});
|
|
140
|
+
volumeMounts.push({
|
|
141
|
+
mountPath: "/root/.npmrc",
|
|
142
|
+
name: "npm-registry-auth",
|
|
143
|
+
readOnly: true,
|
|
144
|
+
subPath: "npmrc"
|
|
145
|
+
});
|
|
146
|
+
}
|
|
126
147
|
//#endregion
|
|
127
148
|
export { dynamicRunnerWorkflowStorage, runnerWorkflowStorage };
|
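Review bot: `appendSharedSecretStorage` calls `appendEventAuthStorage` first, but the two call sites it replaces only called `appendGitCredentialsStorage` and `appendGithubAuthStorage`. The old body of `dynamicRunnerWorkflowStorage` is fully visible and never appended event-auth storage, so dynamic runner pods may now receive an extra credential mount that the operator-guide change does not mention; `runnerWorkflowStorage` starts outside the hunk, so if it already appends event-auth storage earlier, the same volume would be added twice. Confirm which is intended and either drop the call from the shared helper or document it, e.g. `// event-auth is now mounted for both static and dynamic runners`. `appendEventAuthStorage` itself is not shown, so whether it is guarded by an option is inferred rather than visible.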
|
@@ -54,6 +54,7 @@ function workflowSubmitOptions(options) {
|
|
|
54
54
|
kubeconfigPath: options.kubeconfigPath,
|
|
55
55
|
name: options.name,
|
|
56
56
|
namespace: requireSubmitOption(options.namespace, "namespace"),
|
|
57
|
+
npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
|
|
57
58
|
serviceAccountName: options.serviceAccountName
|
|
58
59
|
};
|
|
59
60
|
}
|
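--- a/package/docs/operator-guide.md
+++ b/package/docs/operator-guide.md
@@ -236,6 +236,7 @@ momokaya:
 gitCredentialsSecretName: <git-credentials-secret-name>
 githubAuthSecretName: <github-auth-secret-name>
 imagePullSecretName: <image-pull-secret-name>
+npmRegistryAuthSecretName: <npm-registry-auth-secret-name> # optional
 brokerAuth:
 secretName: <broker-api-key-secret-name>
 secretKey: api-key
@@ -334,6 +335,12 @@ Expected namespace resources:
 - The GitHub CLI auth Secret named by `submit.githubAuthSecretName` with key
 `hosts.yml`; this Secret is for `gh` and pull request delivery, not git
 clone/fetch/push authentication
+- Optional: the private-registry auth Secret named by
+`submit.npmRegistryAuthSecretName` with key `npmrc`, mounted at
+`/root/.npmrc`; lets `.moka/bootstrap.sh`'s dependency install step (e.g.
+`nub ci`) authenticate to private-scoped package registries, e.g. GitHub
+Packages. Absent by default — bootstrap then only has public-registry
+access, matching current behavior
 - A pipeline-console event sink reachable from the pod
 
 Credential issuance and rotation are owned by the cluster/infra layer, not by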
package/package.json
CHANGED
|
@@ -130,6 +130,7 @@
|
|
|
130
130
|
"test:image": "mkdir -p /tmp/pipeline-test && printf '{}' > /tmp/pipeline-test/payload.json && printf 'kind: pipeline-schedule\\nversion: 1\\nschedule_id: smoke\\ngenerated_at: 2026-06-10T00:00:00.000Z\\nsource_entrypoint: custom\\ntask: smoke\\nroot_workflow: root\\nworkflows:\\n root:\\n nodes:\\n - id: smoke\\n kind: command\\n command: [true]\\n' > /tmp/pipeline-test/schedule.yaml && printf '{\"nodeId\":\"smoke\"}' > /tmp/pipeline-test/task.json && printf 'test-token' > /tmp/pipeline-test/event-token && docker build -t pipeline-runner:test . && docker run --rm -v /tmp/pipeline-test/payload.json:/etc/pipeline/payload.json:ro -v /tmp/pipeline-test/schedule.yaml:/etc/pipeline/schedule.yaml:ro -v /tmp/pipeline-test/task.json:/etc/pipeline/task.json:ro -v /tmp/pipeline-test/event-token:/etc/pipeline/event-auth/token:ro pipeline-runner:test runner-command --payload-file /etc/pipeline/payload.json --schedule-file /etc/pipeline/schedule.yaml; test $? -eq 64",
|
|
131
131
|
"test:dogfood": "vitest run tests/dogfood-installed.test.ts",
|
|
132
132
|
"test:live-runners": "PIPELINE_LIVE_RUNNERS=1 vitest run tests/dogfood-live-runners.test.ts",
|
|
133
|
+
"local-orbstack:migrate": "nub scripts/local-orbstack/migrate-postgres.ts",
|
|
133
134
|
"typecheck": "tsc --noEmit",
|
|
134
135
|
"build": "nub run build:cli",
|
|
135
136
|
"check": "ultracite check",
|
|
@@ -137,7 +138,7 @@
|
|
|
137
138
|
"prepack": "nub run build:cli"
|
|
138
139
|
},
|
|
139
140
|
"type": "module",
|
|
140
|
-
"version": "3.
|
|
141
|
+
"version": "3.20.0",
|
|
141
142
|
"description": "Config-driven multi-agent pipeline runner for repository work",
|
|
142
143
|
"main": "./dist/index.js",
|
|
143
144
|
"types": "./dist/index.d.ts",
|