@oisincoveney/pipeline 3.19.6 → 3.20.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -34,6 +34,7 @@ declare const submitRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
34
34
  }, z.core.$strict>>;
35
35
  name: z.ZodOptional<z.ZodString>;
36
36
  namespace: z.ZodString;
37
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
37
38
  payloadJson: z.ZodString;
38
39
  serviceAccountName: z.ZodOptional<z.ZodString>;
39
40
  scheduleYaml: z.ZodString;
@@ -68,12 +69,14 @@ declare const submitDynamicRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
68
69
  }, z.core.$strict>>;
69
70
  name: z.ZodOptional<z.ZodString>;
70
71
  namespace: z.ZodString;
72
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
71
73
  payloadJson: z.ZodString;
72
74
  serviceAccountName: z.ZodOptional<z.ZodString>;
73
75
  workflowId: z.ZodString;
74
76
  }, z.core.$strict>;
75
77
  declare const commandScheduleOptionsSchema: z.ZodObject<{
76
78
  command: z.ZodArray<z.ZodString>;
79
+ deliverPullRequest: z.ZodDefault<z.ZodBoolean>;
77
80
  generatedAt: z.ZodDefault<z.ZodDate>;
78
81
  scheduleId: z.ZodOptional<z.ZodString>;
79
82
  task: z.ZodString;
@@ -1,6 +1,7 @@
1
1
  import { ArgoGraphCompilerError, compileArgoExecutionGraph } from "./argo-graph.js";
2
2
  import { dbAuthOptionSchema, mcpGatewayAuthOptionSchema } from "./remote/argo/model.js";
3
3
  import { brokerAuthOptionSchema } from "./credentials/broker.js";
4
+ import { appendPullRequestDelivery } from "./schedule/passes/open-pull-request.js";
4
5
  import { compileScheduleArtifact, parseScheduleArtifact } from "./planning/generate.js";
5
6
  import { parseRunnerCommandPayload, runnerCommandPayloadSchema } from "./runner-command-contract.js";
6
7
  import { buildRunnerTaskDescriptor } from "./runner-command/task-descriptor.js";
@@ -48,6 +49,7 @@ const submitRunnerArgoWorkflowBaseOptionShape = {
48
49
  mcpGatewayAuth: mcpGatewayAuthOptionSchema.optional(),
49
50
  name: z.string().min(1).optional(),
50
51
  namespace: z.string().min(1),
52
+ npmRegistryAuthSecretName: z.string().min(1).optional(),
51
53
  payloadJson: z.string().min(1),
52
54
  serviceAccountName: z.string().min(1).optional()
53
55
  };
@@ -61,6 +63,7 @@ const submitDynamicRunnerArgoWorkflowOptionsSchema = z.object({
61
63
  }).strict().refine(hasWorkflowName, { message: "Argo submit options must declare name or generateName" });
62
64
  const commandScheduleOptionsSchema = z.object({
63
65
  command: z.array(z.string().min(1)).min(1),
66
+ deliverPullRequest: z.boolean().default(false),
64
67
  generatedAt: z.date().default(() => /* @__PURE__ */ new Date()),
65
68
  scheduleId: scheduleIdSchema.optional(),
66
69
  task: z.string().min(1)
@@ -113,6 +116,7 @@ function submitRunnerArgoWorkflowEffect(rawOptions, dependencies) {
113
116
  labels,
114
117
  name: options.name,
115
118
  namespace: options.namespace,
119
+ npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
116
120
  payloadConfigMapName,
117
121
  plan: compiled.plan,
118
122
  scheduleConfigMapName: scheduleArtifactConfigMapName,
@@ -215,6 +219,7 @@ function submitDynamicRunnerArgoWorkflowEffect(rawOptions, dependencies) {
215
219
  labels,
216
220
  name: options.name,
217
221
  namespace: options.namespace,
222
+ npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
218
223
  payloadConfigMapName,
219
224
  serviceAccountName: options.serviceAccountName,
220
225
  workflowId: options.workflowId
@@ -268,7 +273,7 @@ function workflowSubmitResult(response, workflow, base) {
268
273
  function buildCommandScheduleYaml(rawOptions) {
269
274
  const options = commandScheduleOptionsSchema.parse(rawOptions);
270
275
  const scheduleId = options.scheduleId ?? `custom-${randomBytes(8).toString("hex")}`;
271
- return stringify({
276
+ const artifact = {
272
277
  generated_at: options.generatedAt.toISOString(),
273
278
  kind: "pipeline-schedule",
274
279
  root_workflow: "root",
@@ -281,7 +286,8 @@ function buildCommandScheduleYaml(rawOptions) {
281
286
  id: "command",
282
287
  kind: "command"
283
288
  }] } }
284
- });
289
+ };
290
+ return stringify(appendPullRequestDelivery(options.deliverPullRequest, artifact));
285
291
  }
286
292
  function normalizeRunnerPayloadForSubmit(input) {
287
293
  const repository = normalizeRunnerRepositoryForSubmit(input.payload.repository);
@@ -12,8 +12,12 @@ function resolveOptionalSecretRef(flags, fromGlobalConfig) {
12
12
  };
13
13
  return fromGlobalConfig;
14
14
  }
15
+ function resolveOptionalSecretName(flags, fromGlobalConfig) {
16
+ if (flags.skip) return;
17
+ return flags.secretName ?? fromGlobalConfig;
18
+ }
15
19
  function addMokaSubmitOptions(command) {
16
- return addRunnerArgoOptions(command.option("--quick", "submit the compact graph").option("--command", "treat input after -- as explicit argv").option("--schedule <path>", "approved schedule YAML to submit").option("--event-url <url>", "runner event sink URL").option("--open-pr", "append an open-pull-request delivery node (preview-labelled PR)").option("--task <text>", "task description for command-mode metadata").option("--db-auth-secret-name <name>", "override momokaya.submit.dbAuth secret name").option("--db-auth-secret-key <key>", "override momokaya.submit.dbAuth secret key").option("--skip-db-auth", "omit MOKA_DB_URL injection regardless of global config").option("--mcp-gateway-auth-secret-name <name>", "override momokaya.submit.mcpGatewayAuth secret name").option("--mcp-gateway-auth-secret-key <key>", "override momokaya.submit.mcpGatewayAuth secret key").option("--skip-mcp-gateway-auth", "omit PIPELINE_MCP_GATEWAY_AUTHORIZATION injection regardless of global config"), { kubeconfig: true });
20
+ return addRunnerArgoOptions(command.option("--quick", "submit the compact graph").option("--command", "treat input after -- as explicit argv").option("--schedule <path>", "approved schedule YAML to submit").option("--event-url <url>", "runner event sink URL").option("--open-pr", "append an open-pull-request delivery node (preview-labelled PR)").option("--task <text>", "task description for command-mode metadata").option("--db-auth-secret-name <name>", "override momokaya.submit.dbAuth secret name").option("--db-auth-secret-key <key>", "override momokaya.submit.dbAuth secret key").option("--skip-db-auth", "omit MOKA_DB_URL injection regardless of global config").option("--mcp-gateway-auth-secret-name <name>", "override momokaya.submit.mcpGatewayAuth secret name").option("--mcp-gateway-auth-secret-key <key>", "override momokaya.submit.mcpGatewayAuth secret key").option("--skip-mcp-gateway-auth", "omit PIPELINE_MCP_GATEWAY_AUTHORIZATION injection regardless of global config").option("--npm-registry-auth-secret-name <name>", "override momokaya.submit.npmRegistryAuthSecretName").option("--skip-npm-registry-auth", "omit the /root/.npmrc mount regardless of global config"), { kubeconfig: true });
17
21
  }
18
22
  function runMokaSubmitFromCli(input, flags) {
19
23
  const cwd = process.env.PIPELINE_TARGET_PATH ?? process.cwd();
@@ -68,6 +72,10 @@ function mokaCommonSubmitOptions(input) {
68
72
  kubeconfigPath: input.flags.kubeconfig ?? momokaya?.kubernetes.kubeconfig,
69
73
  name: input.flags.name,
70
74
  namespace: input.flags.namespace ?? momokaya?.kubernetes.namespace,
75
+ npmRegistryAuthSecretName: resolveOptionalSecretName({
76
+ secretName: input.flags.npmRegistryAuthSecretName,
77
+ skip: input.flags.skipNpmRegistryAuth
78
+ }, momokaya?.submit.npmRegistryAuthSecretName),
71
79
  serviceAccountName: input.flags.serviceAccount ?? momokaya?.submit.serviceAccountName,
72
80
  worktreePath: input.cwd
73
81
  };
@@ -33,6 +33,7 @@ declare const mokaGlobalConfigSchema: z.ZodObject<{
33
33
  gitCredentialsSecretName: z.ZodString;
34
34
  githubAuthSecretName: z.ZodString;
35
35
  imagePullSecretName: z.ZodString;
36
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
36
37
  serviceAccountName: z.ZodString;
37
38
  }, z.core.$strict>;
38
39
  }, z.core.$strict>;
@@ -26,6 +26,7 @@ const mokaSubmitGlobalConfigSchema = z.object({
26
26
  gitCredentialsSecretName: z.string().min(1),
27
27
  githubAuthSecretName: z.string().min(1),
28
28
  imagePullSecretName: z.string().min(1),
29
+ npmRegistryAuthSecretName: z.string().min(1).optional(),
29
30
  serviceAccountName: z.string().min(1)
30
31
  }).strict();
31
32
  const mokaKubernetesGlobalConfigSchema = z.object({
@@ -201,6 +201,7 @@ declare const mokaSubmitBaseOptionsSchema: z.ZodObject<{
201
201
  kubeconfigPath: z.ZodOptional<z.ZodString>;
202
202
  name: z.ZodOptional<z.ZodString>;
203
203
  namespace: z.ZodOptional<z.ZodString>;
204
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
204
205
  repository: z.ZodOptional<z.ZodObject<{
205
206
  baseBranch: z.ZodString;
206
207
  headBranch: z.ZodOptional<z.ZodString>;
@@ -315,6 +316,7 @@ declare const mokaGraphSubmitOptionsSchema: z.ZodObject<{
315
316
  kubeconfigPath: z.ZodOptional<z.ZodString>;
316
317
  name: z.ZodOptional<z.ZodString>;
317
318
  namespace: z.ZodOptional<z.ZodString>;
319
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
318
320
  repository: z.ZodOptional<z.ZodObject<{
319
321
  baseBranch: z.ZodString;
320
322
  headBranch: z.ZodOptional<z.ZodString>;
@@ -446,6 +448,7 @@ declare const mokaCommandSubmitOptionsSchema: z.ZodObject<{
446
448
  kubeconfigPath: z.ZodOptional<z.ZodString>;
447
449
  name: z.ZodOptional<z.ZodString>;
448
450
  namespace: z.ZodOptional<z.ZodString>;
451
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
449
452
  repository: z.ZodOptional<z.ZodObject<{
450
453
  baseBranch: z.ZodString;
451
454
  headBranch: z.ZodOptional<z.ZodString>;
@@ -572,6 +575,7 @@ declare const mokaSubmitOptionsSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
572
575
  kubeconfigPath: z.ZodOptional<z.ZodString>;
573
576
  name: z.ZodOptional<z.ZodString>;
574
577
  namespace: z.ZodOptional<z.ZodString>;
578
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
575
579
  repository: z.ZodOptional<z.ZodObject<{
576
580
  baseBranch: z.ZodString;
577
581
  headBranch: z.ZodOptional<z.ZodString>;
@@ -702,6 +706,7 @@ declare const mokaSubmitOptionsSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
702
706
  kubeconfigPath: z.ZodOptional<z.ZodString>;
703
707
  name: z.ZodOptional<z.ZodString>;
704
708
  namespace: z.ZodOptional<z.ZodString>;
709
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
705
710
  repository: z.ZodOptional<z.ZodObject<{
706
711
  baseBranch: z.ZodString;
707
712
  headBranch: z.ZodOptional<z.ZodString>;
@@ -70,6 +70,7 @@ const mokaSubmitBaseOptionsSchema = z.object({
70
70
  kubeconfigPath: z.string().min(1).optional(),
71
71
  name: z.string().min(1).optional(),
72
72
  namespace: z.string().min(1).optional(),
73
+ npmRegistryAuthSecretName: z.string().min(1).optional(),
73
74
  repository: runnerRepositoryContextSchema.optional(),
74
75
  run: runnerRunIdentitySchema.optional(),
75
76
  serviceAccountName: z.string().min(1).optional()
@@ -16,7 +16,7 @@ import { integrateParallelWriteFanout } from "../schedule/passes/drain-merge.js"
16
16
  import { canonicalizeGeneratedScheduleIds } from "../schedule/passes/ids.js";
17
17
  import { SCHEDULE_PASS_ORDER } from "../schedule/passes/index.js";
18
18
  import { applyNodeCatalogModelFallbacks } from "../schedule/passes/models.js";
19
- import { appendPullRequestDelivery } from "../schedule/passes/open-pull-request.js";
19
+ import { appendPullRequestDelivery, isPullRequestDeliveryEnabled } from "../schedule/passes/open-pull-request.js";
20
20
  import { namespaceScheduleWorkflows } from "../schedule/passes/references.js";
21
21
  import { plannerPrompt, plannerRepairPrompt } from "../schedule/prompts.js";
22
22
  import { parseDocument, stringify } from "yaml";
@@ -131,7 +131,7 @@ async function generateScheduleArtifactInMemory(options) {
131
131
  });
132
132
  const generatedArtifact = await planScheduleArtifact(baseline, policy.planner_profile, options, planningContext);
133
133
  assertSchedulePassOrder();
134
- const artifact = hydrateScheduleTaskContexts(canonicalizeGeneratedScheduleIds(applyNodeCatalogModelFallbacks(options.config, policy.node_catalog, appendPullRequestDelivery(options.config, integrateParallelWriteFanout(options.config, addGeneratedImplementationCoverage(options.config, generatedArtifact))))), planningContext);
134
+ const artifact = hydrateScheduleTaskContexts(canonicalizeGeneratedScheduleIds(applyNodeCatalogModelFallbacks(options.config, policy.node_catalog, appendPullRequestDelivery(isPullRequestDeliveryEnabled(options.config), integrateParallelWriteFanout(options.config, addGeneratedImplementationCoverage(options.config, generatedArtifact))))), planningContext);
135
135
  validateScheduleArtifact(options.config, artifact, planningContext);
136
136
  compileScheduleArtifact(options.config, artifact, options.worktreePath);
137
137
  return {
@@ -32,6 +32,7 @@ declare const buildRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
32
32
  }, z.core.$strict>>;
33
33
  name: z.ZodOptional<z.ZodString>;
34
34
  namespace: z.ZodString;
35
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
35
36
  payloadConfigMapKey: z.ZodDefault<z.ZodString>;
36
37
  payloadConfigMapName: z.ZodString;
37
38
  resources: z.ZodOptional<z.ZodObject<{
@@ -79,6 +80,7 @@ declare const buildDynamicRunnerArgoWorkflowOptionsSchema: z.ZodObject<{
79
80
  }, z.core.$strict>>;
80
81
  name: z.ZodOptional<z.ZodString>;
81
82
  namespace: z.ZodString;
83
+ npmRegistryAuthSecretName: z.ZodOptional<z.ZodString>;
82
84
  payloadConfigMapKey: z.ZodDefault<z.ZodString>;
83
85
  payloadConfigMapName: z.ZodString;
84
86
  resources: z.ZodOptional<z.ZodObject<{
@@ -198,6 +198,7 @@ const runnerArgoWorkflowBaseOptionsSchema = z.object({
198
198
  mcpGatewayAuth: mcpGatewayAuthOptionSchema.optional(),
199
199
  name: z.string().min(1).optional(),
200
200
  namespace: kubernetesNameSchema,
201
+ npmRegistryAuthSecretName: kubernetesNameSchema.optional(),
201
202
  payloadConfigMapKey: z.string().min(1).default("payload.json"),
202
203
  payloadConfigMapName: kubernetesNameSchema,
203
204
  resources: argoWorkflowResourceRequirementsSchema.optional(),
@@ -32,9 +32,7 @@ function runnerWorkflowStorage(options, tasks) {
32
32
  readOnly: true,
33
33
  subPath: "schedule.yaml"
34
34
  }];
35
- appendEventAuthStorage(options, volumes, volumeMounts);
36
- appendGitCredentialsStorage(options, volumes, volumeMounts);
37
- appendGithubAuthStorage(options, volumes, volumeMounts);
35
+ appendSharedSecretStorage(options, volumes, volumeMounts);
38
36
  return {
39
37
  volumeMounts: z.array(argoWorkflowVolumeMountSchema).parse(volumeMounts),
40
38
  volumes: z.array(argoWorkflowVolumeSchema).parse(volumes)
@@ -43,14 +41,18 @@ function runnerWorkflowStorage(options, tasks) {
43
41
  function dynamicRunnerWorkflowStorage(options) {
44
42
  const volumes = [runnerPayloadVolume(options)];
45
43
  const volumeMounts = [runnerPayloadVolumeMount()];
46
- appendEventAuthStorage(options, volumes, volumeMounts);
47
- appendGitCredentialsStorage(options, volumes, volumeMounts);
48
- appendGithubAuthStorage(options, volumes, volumeMounts);
44
+ appendSharedSecretStorage(options, volumes, volumeMounts);
49
45
  return {
50
46
  volumeMounts: z.array(argoWorkflowVolumeMountSchema).parse(volumeMounts),
51
47
  volumes: z.array(argoWorkflowVolumeSchema).parse(volumes)
52
48
  };
53
49
  }
50
+ function appendSharedSecretStorage(options, volumes, volumeMounts) {
51
+ appendEventAuthStorage(options, volumes, volumeMounts);
52
+ appendGitCredentialsStorage(options, volumes, volumeMounts);
53
+ appendGithubAuthStorage(options, volumes, volumeMounts);
54
+ appendNpmRegistryAuthStorage(options, volumes, volumeMounts);
55
+ }
54
56
  function runnerPayloadVolume(options) {
55
57
  return {
56
58
  configMap: {
@@ -123,5 +125,24 @@ function appendGithubAuthStorage(options, volumes, volumeMounts) {
123
125
  subPath: "hosts.yml"
124
126
  });
125
127
  }
128
+ function appendNpmRegistryAuthStorage(options, volumes, volumeMounts) {
129
+ if (!options.npmRegistryAuthSecretName) return;
130
+ volumes.push({
131
+ name: "npm-registry-auth",
132
+ secret: {
133
+ items: [{
134
+ key: "npmrc",
135
+ path: "npmrc"
136
+ }],
137
+ secretName: options.npmRegistryAuthSecretName
138
+ }
139
+ });
140
+ volumeMounts.push({
141
+ mountPath: "/root/.npmrc",
142
+ name: "npm-registry-auth",
143
+ readOnly: true,
144
+ subPath: "npmrc"
145
+ });
146
+ }
126
147
  //#endregion
127
148
  export { dynamicRunnerWorkflowStorage, runnerWorkflowStorage };
@@ -26,6 +26,7 @@ interface MokaWorkflowSubmitOptions {
26
26
  };
27
27
  name?: string;
28
28
  namespace: string;
29
+ npmRegistryAuthSecretName?: string;
29
30
  payloadJson: string;
30
31
  scheduleYaml?: string;
31
32
  serviceAccountName?: string;
@@ -54,6 +54,7 @@ function workflowSubmitOptions(options) {
54
54
  kubeconfigPath: options.kubeconfigPath,
55
55
  name: options.name,
56
56
  namespace: requireSubmitOption(options.namespace, "namespace"),
57
+ npmRegistryAuthSecretName: options.npmRegistryAuthSecretName,
57
58
  serviceAccountName: options.serviceAccountName
58
59
  };
59
60
  }
@@ -27,6 +27,7 @@ function compileMokaCommandSubmitPlan(options, runId) {
27
27
  const task = commandTask(options);
28
28
  const scheduleYaml = buildCommandScheduleYaml({
29
29
  command: options.commandArgv,
30
+ deliverPullRequest: options.delivery.pullRequest,
30
31
  scheduleId: runId,
31
32
  task: taskDescription(task)
32
33
  });
@@ -109,12 +109,17 @@ function pushHeadBranch(git, headBranch) {
109
109
  function submitPullRequest(prCtx, context) {
110
110
  if (prCtx.mode === "update-existing-pr") return handleExistingPr(prCtx.headBranch, prCtx.label, context);
111
111
  return Effect.gen(function* () {
112
- const createResult = yield* runGhPrCreate(yield* CommandExecutor, prCtx, extractPrTitle(prCtx.task), context);
113
- if (createResult.exitCode === 0) return openPrSuccess(extractPrUrl(createResult.output), "opened");
112
+ const executor = yield* CommandExecutor;
113
+ const createResult = yield* runGhPrCreate(executor, prCtx, extractPrTitle(prCtx.task), context);
114
+ if (createResult.exitCode === 0) return yield* labelCreatedPr(executor, prCtx, createResult, context);
114
115
  if (isPrAlreadyExistsError(createResult.output)) return yield* handleExistingPr(prCtx.headBranch, prCtx.label, context);
115
116
  return createResult;
116
117
  });
117
118
  }
119
+ function labelCreatedPr(executor, prCtx, createResult, context) {
120
+ const url = extractPrUrl(createResult.output);
121
+ return runGhPrEdit(executor, prCtx.headBranch, prCtx.label, context).pipe(Effect.map((editResult) => editResult.exitCode === 0 ? openPrSuccess(url, "opened") : openPrSuccess(url, "opened", [`open-pull-request: label '${prCtx.label}' not applied — ${editResult.output || `gh pr edit exited ${editResult.exitCode}`}`])));
122
+ }
118
123
  function runGhPrCreate(executor, prCtx, title, context) {
119
124
  return executor.execute(buildGhPrCreateArgs(prCtx, title), context).pipe(Effect.catch((e) => Effect.succeed(openPrFailure(errorMessage(e)))));
120
125
  }
@@ -143,9 +148,7 @@ function buildGhPrCreateArgs(prCtx, title) {
143
148
  "--title",
144
149
  title,
145
150
  "--body",
146
- `Opened by moka run ${prCtx.runId}`,
147
- "--label",
148
- prCtx.label
151
+ `Opened by moka run ${prCtx.runId}`
149
152
  ];
150
153
  }
151
154
  function buildGhPrEditArgs(headBranch, label) {
@@ -164,9 +167,9 @@ function isPrAlreadyExistsError(output) {
164
167
  function extractPrUrl(output) {
165
168
  return output.split(NEWLINE_RE).map((l) => l.trim()).find((l) => l.startsWith("https://")) ?? output.trim();
166
169
  }
167
- function openPrSuccess(url, action) {
170
+ function openPrSuccess(url, action, extraEvidence = []) {
168
171
  return {
169
- evidence: [`open-pull-request: PR ${action} — ${url}`],
172
+ evidence: [`open-pull-request: PR ${action} — ${url}`, ...extraEvidence],
170
173
  exitCode: 0,
171
174
  output: JSON.stringify({
172
175
  action,
@@ -25,8 +25,8 @@ function buildPrNode(terminalIds, usedIds) {
25
25
  };
26
26
  }
27
27
  /** Append a final open-pull-request node to the root workflow when enabled. */
28
- function appendPullRequestDelivery(config, artifact) {
29
- if (!isPullRequestDeliveryEnabled(config)) return artifact;
28
+ function appendPullRequestDelivery(enabled, artifact) {
29
+ if (!enabled) return artifact;
30
30
  const rootWorkflow = artifact.workflows[artifact.root_workflow];
31
31
  if (!rootWorkflow) return artifact;
32
32
  const nodes = rootWorkflow.nodes;
@@ -46,4 +46,4 @@ function appendPullRequestDelivery(config, artifact) {
46
46
  };
47
47
  }
48
48
  //#endregion
49
- export { appendPullRequestDelivery };
49
+ export { appendPullRequestDelivery, isPullRequestDeliveryEnabled };
@@ -236,6 +236,7 @@ momokaya:
236
236
  gitCredentialsSecretName: <git-credentials-secret-name>
237
237
  githubAuthSecretName: <github-auth-secret-name>
238
238
  imagePullSecretName: <image-pull-secret-name>
239
+ npmRegistryAuthSecretName: <npm-registry-auth-secret-name> # optional
239
240
  brokerAuth:
240
241
  secretName: <broker-api-key-secret-name>
241
242
  secretKey: api-key
@@ -334,6 +335,12 @@ Expected namespace resources:
334
335
  - The GitHub CLI auth Secret named by `submit.githubAuthSecretName` with key
335
336
  `hosts.yml`; this Secret is for `gh` and pull request delivery, not git
336
337
  clone/fetch/push authentication
338
+ - Optional: the private-registry auth Secret named by
339
+ `submit.npmRegistryAuthSecretName` with key `npmrc`, mounted at
340
+ `/root/.npmrc`; lets `.moka/bootstrap.sh`'s dependency install step (e.g.
341
+ `nub ci`) authenticate to private-scoped package registries, e.g. GitHub
342
+ Packages. Absent by default — bootstrap then only has public-registry
343
+ access, matching current behavior
337
344
  - A pipeline-console event sink reachable from the pod
338
345
 
339
346
  Credential issuance and rotation are owned by the cluster/infra layer, not by
package/package.json CHANGED
@@ -130,6 +130,7 @@
130
130
  "test:image": "mkdir -p /tmp/pipeline-test && printf '{}' > /tmp/pipeline-test/payload.json && printf 'kind: pipeline-schedule\\nversion: 1\\nschedule_id: smoke\\ngenerated_at: 2026-06-10T00:00:00.000Z\\nsource_entrypoint: custom\\ntask: smoke\\nroot_workflow: root\\nworkflows:\\n root:\\n nodes:\\n - id: smoke\\n kind: command\\n command: [true]\\n' > /tmp/pipeline-test/schedule.yaml && printf '{\"nodeId\":\"smoke\"}' > /tmp/pipeline-test/task.json && printf 'test-token' > /tmp/pipeline-test/event-token && docker build -t pipeline-runner:test . && docker run --rm -v /tmp/pipeline-test/payload.json:/etc/pipeline/payload.json:ro -v /tmp/pipeline-test/schedule.yaml:/etc/pipeline/schedule.yaml:ro -v /tmp/pipeline-test/task.json:/etc/pipeline/task.json:ro -v /tmp/pipeline-test/event-token:/etc/pipeline/event-auth/token:ro pipeline-runner:test runner-command --payload-file /etc/pipeline/payload.json --schedule-file /etc/pipeline/schedule.yaml; test $? -eq 64",
131
131
  "test:dogfood": "vitest run tests/dogfood-installed.test.ts",
132
132
  "test:live-runners": "PIPELINE_LIVE_RUNNERS=1 vitest run tests/dogfood-live-runners.test.ts",
133
+ "local-orbstack:migrate": "nub scripts/local-orbstack/migrate-postgres.ts",
133
134
  "typecheck": "tsc --noEmit",
134
135
  "build": "nub run build:cli",
135
136
  "check": "ultracite check",
@@ -137,7 +138,7 @@
137
138
  "prepack": "nub run build:cli"
138
139
  },
139
140
  "type": "module",
140
- "version": "3.19.6",
141
+ "version": "3.20.1",
141
142
  "description": "Config-driven multi-agent pipeline runner for repository work",
142
143
  "main": "./dist/index.js",
143
144
  "types": "./dist/index.d.ts",