@ossy/cli 0.16.10 → 0.16.12

package/README.md

@@ -49,18 +49,26 @@ Details:
 cd packages/my-website
 npx @ossy/cli publish \
   --username <github-username> \
-  --authentication <token> \
+  --authentication <github-or-deploy-token> \
+  --cms-authentication <ossy-api-jwt> \
   --platforms-path ../infrastructure/platforms.json \
   --deployments-path ../infrastructure/deployments.json
 ```
 
+- **`--cms-authentication`** — Ossy **API JWT** (from the app’s API tokens) for `POST /resource-templates` and site-artifacts. If omitted, **`--authentication`** is used for CMS calls too (only works when that value is already a valid Ossy JWT). In GitHub Actions, set repo secret **`OSSY_API_KEY`** and pass **`--cms-authentication`** explicitly; the deploy token is usually **not** valid for the API.
+
+### Unifying deploy and CMS authentication (future)
+
+**`--authentication`** and **`--cms-authentication`** exist because **`deployment deploy`** (via **`@ossy/deployment-tools`**) and the **Ossy HTTP API** currently expect **different** credentials (e.g. GitHub / queue token vs Ossy-signed JWT). They could be merged into **one** flag (or a single env secret in CI) if either: (1) deploy is **no longer** invoked from the CLI and **`publish`** is only CMS/API work, or (2) the deploy path is changed to accept the **same** Ossy-issued token the API uses. That lines up with [**Future direction**](#future-direction-planned) (platform-driven rollouts instead of queue + dual tokens).
+
+API and worker packages can use the same pattern: a minimal **`src/config.js`** with string-literal **`domain`** (and optional **`platform`**) matching **`deployments.json`**, then run **`publish`** from **`packages/api`** or **`packages/worker`** with **`--skip-resource-templates`** and **`--skip-site-artifacts`** (no website `workspaceId` / `build/` flow).
+
 - **`--domain` / `--platform`** — Optional if `src/config.js` contains string literals `domain: '…'` and `platform: '…'` (or `targetDeploymentPlatform`).
 - **`--config`** — Path to another `config.js` if not `./src/config.js`.
 - If `platform` is omitted but `domain` is set (from flags or config), it is inferred from `deployments.json` when that domain appears under exactly one `targetDeploymentPlatform`.
 - **`--all`** — Runs `deployment deploy-all` for the platform; requires `--platform` or `platform` in config.
 - **Resource templates** — After a successful deploy, the CLI reads **`workspaceId`** / **`resourceTemplates`** from `./src/config.js` (or `--config`) using the **static extraction** described above (not `import()`). If **`workspaceId`** is set and **`resourceTemplates`** is a non-empty array, they are **POST**ed to **`{api}/resource-templates`** with the **`workspaceId`** header (same as the CMS). Skipped when **`--skip-resource-templates`** is set, or when `workspaceId` / `resourceTemplates` are missing or not extractable.
 - **Site artifacts** — Uses the same **static `workspaceId` / `apiUrl` extraction** as resource templates. If **`workspaceId`** is set and **`build/`** exists next to `src/` (i.e. run **`npm run build`** first), the CLI calls **`/site-artifacts/presign-batch`**, **PUT**s each file to S3, then **`/site-artifacts/commit-batch`** so a **`@ossy/platform/site-artifact-batch`** resource is created in the CMS. Skipped with **`--skip-site-artifacts`**, when there is no **`build/`**, or when **`workspaceId`** is missing. Override the build output directory with **`--site-artifacts-build-dir`** (absolute or cwd-relative).
-- **`--cms-authentication`** — Optional token used only for CMS/API steps (templates + site artifacts); defaults to **`--authentication`** (deployment token).
 - **`--api-url`** — Optional API base for CMS calls (e.g. `https://api.ossy.se/api/v0`). Otherwise **`OSSY_API_URL`**, else an **absolute** `apiUrl` from config, else `https://api.ossy.se/api/v0`. Relative app `apiUrl` values (e.g. `/@ossy`) are ignored unless you pass **`--api-url`** or set **`OSSY_API_URL`**.
 
 Requires network access so `npx` can run `@ossy/deployment-tools`.
@@ -102,7 +110,7 @@ jobs:
       - name: Upload
         run: |
           npx --yes @ossy/cli cms upload \
-            --authentication ${{ secrets.CMS_API_TOKEN }} \
+            --authentication ${{ secrets.OSSY_API_KEY }} \
             --config src/config.js
 ```
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ossy/cli",
-  "version": "0.16.10",
+  "version": "0.16.12",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/ossy-se/packages.git"
@@ -18,7 +18,7 @@
   "bin": "./src/index.js",
   "dependencies": {
     "@babel/parser": "^7.28.6",
-    "@ossy/app": "^0.15.10",
+    "@ossy/app": "^0.15.12",
     "arg": "^5.0.2",
     "glob": "^10.3.10"
   },
@@ -30,5 +30,5 @@
     "/src",
     "README.md"
   ],
-  "gitHead": "cc54553550674b98f8a53bb3249307e06c4daa82"
+  "gitHead": "1da35d94f324f917d5ea790f838ce8e50214730e"
 }

package/src/cms/upload-resource-templates.js

@@ -1,3 +1,31 @@
+/**
+ * Strips optional `Bearer ` prefix. The Ossy API expects the raw JWT in `Authorization`.
+ * @param {string | undefined} token
+ * @returns {string}
+ */
+export function normalizeAuthorizationToken (token) {
+  const t = String(token ?? '').trim()
+  if (!t) return ''
+  return t.replace(/^Bearer\s+/i, '').trim()
+}
+
+/**
+ * @param {string | undefined} token
+ * @param {string} label e.g. "Resource template upload"
+ * @returns {string} normalized JWT
+ */
+export function requireCmsAuthentication (token, label) {
+  const normalized = normalizeAuthorizationToken(token)
+  if (!normalized) {
+    throw new Error(
+      `[@ossy/cli] publish: ${label} needs a non-empty Ossy API JWT. ` +
+        'Pass --cms-authentication with a token from the Ossy app (API tokens), or set the OSSY_API_KEY secret in CI. ' +
+        'The GitHub token used for --authentication (container deploy) is not accepted by the API.'
+    )
+  }
+  return normalized
+}
+
 /**
  * POST workspace-imported resource templates to the Ossy API.
  * @param {{ apiBaseUrl: string, token: string, workspaceId: string, resourceTemplates: unknown[] }} opts
@@ -11,10 +39,11 @@ export function postResourceTemplates ({
 }) {
   const base = apiBaseUrl.replace(/\/$/, '')
   const url = `${base}/resource-templates`
+  const auth = normalizeAuthorizationToken(token)
   return fetch(url, {
     method: 'POST',
     headers: {
-      Authorization: token,
+      Authorization: auth,
       'Content-Type': 'application/json',
       workspaceId,
     },

package/src/publish/resource-templates-after-publish.js

@@ -2,6 +2,7 @@ import { logInfo } from '../log.js'
 import { readPublishFieldsFromWebsiteConfig } from './load-website-config.js'
 import {
   postResourceTemplates,
+  requireCmsAuthentication,
   resolveApiBaseUrlForUpload,
 } from '../cms/upload-resource-templates.js'
 
@@ -37,20 +38,35 @@ export async function maybeUploadResourceTemplatesAfterPublish ({
     envVar: process.env.OSSY_API_URL,
     configApiUrl: config?.apiUrl,
   })
+  const uploadUrl = `${apiBaseUrl.replace(/\/$/, '')}/resource-templates`
+  const authToken = requireCmsAuthentication(
+    cmsToken,
+    'Resource template upload'
+  )
 
-  logInfo({ message: '[@ossy/cli] publish: uploading resource templates…' })
+  logInfo({
+    message: `[@ossy/cli] publish: uploading resource templates → POST ${uploadUrl}`,
+  })
 
   const response = await postResourceTemplates({
     apiBaseUrl,
-    token: cmsToken,
+    token: authToken,
     workspaceId,
     resourceTemplates,
   })
 
   if (!response.ok) {
     const text = await response.text().catch(() => '')
+    const hint404 =
+      response.status === 404
+        ? ` Wrong host or path: requested ${uploadUrl}. Confirm OSSY_API_URL / --api-url points at the Ossy API base including /api/v0.`
+        : ''
+    const hint401 =
+      response.status === 401
+        ? ' Use an Ossy API JWT with --cms-authentication (repo secret OSSY_API_KEY in CI), not the GitHub deploy token.'
+        : ''
     throw new Error(
-      `Resource template upload failed: HTTP ${response.status}${
+      `Resource template upload failed: HTTP ${response.status}${hint404}${hint401}${
         text ? ` — ${text.slice(0, 200)}` : ''
       }`
     )

package/src/publish/site-artifacts-after-publish.js

@@ -3,7 +3,11 @@ import { existsSync } from 'fs'
 import path from 'path'
 import { logInfo } from '../log.js'
 import { readPublishFieldsFromWebsiteConfig } from './load-website-config.js'
-import { resolveApiBaseUrlForUpload } from '../cms/upload-resource-templates.js'
+import {
+  normalizeAuthorizationToken,
+  requireCmsAuthentication,
+  resolveApiBaseUrlForUpload,
+} from '../cms/upload-resource-templates.js'
 
 const MAX_FILES = 200
 
@@ -68,7 +72,7 @@ export async function collectBuildFiles (buildDir) {
 
 function workspaceHeaders (token, workspaceId) {
   return {
-    Authorization: token,
+    Authorization: normalizeAuthorizationToken(token),
     'Content-Type': 'application/json',
     workspaceId,
   }
@@ -123,11 +127,16 @@ export async function maybeUploadSiteArtifactsAfterPublish ({
     )
   }
 
+  const authToken = requireCmsAuthentication(
+    cmsToken,
+    'Site artifact upload'
+  )
+
   logInfo({ message: `[@ossy/cli] publish: uploading ${files.length} site artifact file(s) to CMS…` })
 
   const presignRes = await fetch(`${apiBaseUrl}/site-artifacts/presign-batch`, {
     method: 'POST',
-    headers: workspaceHeaders(cmsToken, workspaceId),
+    headers: workspaceHeaders(authToken, workspaceId),
     body: JSON.stringify({
       files: files.map((f) => ({
         path: f.relativePath,
@@ -182,7 +191,7 @@ export async function maybeUploadSiteArtifactsAfterPublish ({
 
   const commitRes = await fetch(`${apiBaseUrl}/site-artifacts/commit-batch`, {
     method: 'POST',
-    headers: workspaceHeaders(cmsToken, workspaceId),
+    headers: workspaceHeaders(authToken, workspaceId),
     body: JSON.stringify({
       batchId,
       paths: files.map((f) => f.relativePath),