@ossy/cli 0.16.13 → 1.0.1

package/README.md

@@ -20,7 +20,7 @@ npx @ossy/cli dev
 npx @ossy/cli build
 ```
 
-Options: `--pages`, `--config`, `--destination`. See `@ossy/app` for details.
+Options: e.g. `--config` for `src/config.js`. See `packages/app/README.md` for app build behavior.
 
 ## Publish (container / website)
 
@@ -43,23 +43,22 @@ The explicit **`deployment deploy`** step (SQS / deployment queue from **`@ossy/
 
 ---
 
-Details:
+### Authentication
+
+**`publish`** requires **`--authentication` / `-a`** or **`OSSY_API_KEY`**: the **Ossy API JWT** (workspace API token). That same value is used for post-deploy CMS calls (resource templates, site artifacts).
+
+Container deploys assume **Amazon ECR** in **`deployments.json`** (`registry` like `123456789012.dkr.ecr.eu-north-1.amazonaws.com`, **`image`** unchanged). The **worker** always pulls with **IAM** (`aws ecr get-login-password`); nothing in the queue carries a registry password. For **`docker push` from CI**, call **`POST /api/v0/registry/ecr/push-credentials`** with the same JWT and **`workspaceId`**, then **`docker login`** / **`docker push`**.
 
 ```bash
 cd packages/my-website
+export OSSY_API_KEY=<ossy-api-jwt>   # or pass --authentication <ossy-api-jwt>
+
 npx @ossy/cli publish \
-  --username <github-username> \
-  --authentication <github-or-deploy-token> \
-  --cms-authentication <ossy-api-jwt> \
   --platforms-path ../infrastructure/platforms.json \
-  --deployments-path ../infrastructure/deployments.json
+  --deployments-path "../infrastructure/deployments/**/*.json"
 ```
 
-- **`--cms-authentication`** — Ossy **API JWT** (from the app’s API tokens) for `POST /resource-templates` and site-artifacts. If omitted, **`--authentication`** is used for CMS calls too (only works when that value is already a valid Ossy JWT). In GitHub Actions, set repo secret **`OSSY_API_KEY`** and pass **`--cms-authentication`** explicitly; the deploy token is usually **not** valid for the API.
-
-### Unifying deploy and CMS authentication (future)
-
-**`--authentication`** and **`--cms-authentication`** exist because **`deployment deploy`** (via **`@ossy/deployment-tools`**) and the **Ossy HTTP API** currently expect **different** credentials (e.g. GitHub / queue token vs Ossy-signed JWT). They could be merged into **one** flag (or a single env secret in CI) if either: (1) deploy is **no longer** invoked from the CLI and **`publish`** is only CMS/API work, or (2) the deploy path is changed to accept the **same** Ossy-issued token the API uses. That lines up with [**Future direction**](#future-direction-planned) (platform-driven rollouts instead of queue + dual tokens).
+**Non-ECR container registries** are not supported; container rows in **`deployments.json`** must use **ECR** and a **`registry`** endpoint as described above.
 
 API and worker packages can use the same pattern: a minimal **`src/config.js`** with string-literal **`domain`** (and optional **`platform`**) matching **`deployments.json`**, then run **`publish`** from **`packages/api`** or **`packages/worker`** with **`--skip-resource-templates`** and **`--skip-site-artifacts`** (no website `workspaceId` / `build/` flow).
 
@@ -77,9 +76,12 @@ Requires network access so `npx` can run `@ossy/deployment-tools`.
 
 Upload resource templates to your workspace so they can be used in the UI.
 
+Prefer **`--authentication` / `-a`** for the **Ossy API JWT** (same as **`publish`**); it matches **`OSSY_API_KEY`** in CI.
+
 ```bash
-npx @ossy/cli cms upload --authentication <cms-api-token> --config src/config.js
+npx @ossy/cli cms upload --authentication <ossy-api-jwt> --config src/config.js
 # optional: --api-url https://api.ossy.se/api/v0  (or set OSSY_API_URL)
+# In CI you may omit --authentication when OSSY_API_KEY is set
 ```
 
 When **`--config`** is omitted, **`./src/config.js`** is used if it exists (same as **`publish`**).
@@ -128,7 +130,7 @@ When **`--config`** is omitted, **`./src/config.js`** is used if it exists.
 
 | Argument | Description | Required |
 |----------|-------------|----------|
-| --authentication, -a | Your CMS API token | Yes (upload only) |
+| --authentication, -a | **Ossy API JWT** (primary; same role as **`OSSY_API_KEY`**) | Yes (upload only) |
 | --config, -c | App config (`workspaceId`, `resourceTemplates`, …) | Optional if `./src/config.js` exists |
 | --api-url | API base URL for upload (`…/api/v0`) | No |
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ossy/cli",
-  "version": "0.16.13",
+  "version": "1.0.1",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/ossy-se/packages.git"
@@ -18,7 +18,7 @@
   "bin": "./src/index.js",
   "dependencies": {
     "@babel/parser": "^7.28.6",
-    "@ossy/app": "^0.15.13",
+    "@ossy/app": "^1.0.1",
     "arg": "^5.0.2",
     "glob": "^10.3.10"
   },
@@ -30,5 +30,5 @@
     "/src",
     "README.md"
   ],
-  "gitHead": "280ce1f62d7daf721909ac5eabe4181991e00456"
+  "gitHead": "e5276fdb5dedf68b966d851077461b188c613241"
 }

package/src/cms/cli.js

@@ -22,11 +22,15 @@ const upload = (options) => {
     '--api-url': String,
   }, { argv: options })
 
-  const token = parsedArgs['--authentication']
+  const token =
+    parsedArgs['--authentication'] || process.env.OSSY_API_KEY
   const apiUrlFlag = parsedArgs['--api-url']
 
   if (!token) {
-    logError({ message: '[@ossy/cli] No token provided. Use --authentication or -a' })
+    logError({
+      message:
+        '[@ossy/cli] No token provided. Use --authentication / -a or set OSSY_API_KEY',
+    })
     process.exit(1)
   }
 

package/src/cms/upload-resource-templates.js

@@ -19,8 +19,8 @@ export function requireCmsAuthentication (token, label) {
   if (!normalized) {
     throw new Error(
       `[@ossy/cli] publish: ${label} needs a non-empty Ossy API JWT. ` +
-        'Pass --cms-authentication with a token from the Ossy app (API tokens), or set the OSSY_API_KEY secret in CI. ' +
-        'The GitHub token used for --authentication (container deploy) is not accepted by the API.'
+        'Pass --authentication with a token from the Ossy app (API tokens), or set OSSY_API_KEY in CI. ' +
+        'Non-API deploy tokens are not accepted by the Ossy API.'
     )
   }
   return normalized

package/src/index.js

@@ -3,17 +3,22 @@ import { build, dev } from '@ossy/app'
 import * as Cms from './cms/cli.js'
 import * as Init from './init/cli.js'
 import { publish } from './publish/cli.js'
+import * as Registry from './registry/cli.js'
 
 const [,, command, ...restArgs] = process.argv
 
 if (!command) {
   console.error(
-    '[@ossy/cli] No command provided. Usage: ossy dev | build [--worker] | publish | init | cms <subcommand>'
+    '[@ossy/cli] No command provided. Usage: ossy dev | build [--worker] | publish | registry <subcommand> | init | cms <subcommand>'
   )
   process.exit(1)
 }
 
 const run = async () => {
+  if (command === 'registry') {
+    await Registry.handler(restArgs)
+    return
+  }
   if (command === 'cms') {
     Cms.handler(restArgs)
     return

package/src/publish/cli.js

@@ -9,6 +9,7 @@ import {
 } from './resolve-config.js'
 import { maybeUploadResourceTemplatesAfterPublish } from './resource-templates-after-publish.js'
 import { maybeUploadSiteArtifactsAfterPublish } from './site-artifacts-after-publish.js'
+import { requireCmsAuthentication } from '../cms/upload-resource-templates.js'
 
 const DEPLOYMENT_TOOLS = '@ossy/deployment-tools'
 
@@ -16,8 +17,6 @@ function runNpxDeploymentTools (deploymentArgs) {
   const args = ['--yes', DEPLOYMENT_TOOLS, 'deployment', ...deploymentArgs]
   logInfo({ message: `[@ossy/cli] publish: npx ${DEPLOYMENT_TOOLS} deployment ${deploymentArgs[0]} …` })
   return new Promise((resolvePromise, reject) => {
-    // Do not use shell: true — Node joins argv unsafely for sh -c (breaks scoped
-    // package names like @ossy/deployment-tools) and triggers DEP0190 on recent Node.
     const npx = process.platform === 'win32' ? 'npx.cmd' : 'npx'
     const child = spawn(npx, args, { stdio: 'inherit' })
     child.on('error', reject)
@@ -31,11 +30,13 @@ function runNpxDeploymentTools (deploymentArgs) {
 /**
  * Publish container deployments: default = one site (`deployment deploy`);
  * `--all` = `deployment deploy-all` for the platform.
+ *
+ * Requires **`--authentication`** (Ossy API JWT) or **`OSSY_API_KEY`**. Container
+ * deployments target **ECR** (`registry` in deployments JSON); the worker pulls
+ * with **IAM** (`aws ecr get-login-password`). No registry password is sent on the queue.
  */
 export async function publish (options) {
   const parsedArgs = arg({
-    '--username': String,
-    '-u': '--username',
     '--authentication': String,
     '-a': '--authentication',
     '--domain': String,
@@ -53,20 +54,28 @@ export async function publish (options) {
     '--skip-site-artifacts': Boolean,
     '--site-artifacts-build-dir': String,
     '--api-url': String,
-    '--cms-authentication': String
   }, { argv: options })
 
-  const username = parsedArgs['--username']
-  const authentication = parsedArgs['--authentication']
   const platformsPath = parsedArgs['--platforms-path']
   const deploymentsPath = parsedArgs['--deployments-path']
 
-  if (!username || !authentication) {
+  const apiUrlForTemplates = parsedArgs['--api-url']
+
+  let apiToken
+  try {
+    apiToken = requireCmsAuthentication(
+      parsedArgs['--authentication'] || process.env.OSSY_API_KEY,
+      'publish'
+    )
+  } catch (e) {
     logError({
-      message: '[@ossy/cli] publish: --username (-u) and --authentication (-a) are required.'
+      message:
+        e?.message
+        || '[@ossy/cli] publish: pass --authentication (-a) or set OSSY_API_KEY (Ossy API JWT).',
     })
     process.exit(1)
   }
+
   if (!platformsPath || !deploymentsPath) {
     logError({
       message: '[@ossy/cli] publish: --platforms-path (-pp) and --deployments-path (-dp) are required.'
@@ -86,9 +95,6 @@ export async function publish (options) {
   const skipResourceTemplates = parsedArgs['--skip-resource-templates']
   const skipSiteArtifacts = parsedArgs['--skip-site-artifacts']
   const siteArtifactsBuildDir = parsedArgs['--site-artifacts-build-dir']
-  const apiUrlForTemplates = parsedArgs['--api-url']
-  const cmsAuthentication =
-    parsedArgs['--cms-authentication'] || authentication
 
   const fromConfig = configPath ? readWebsiteConfigDeployFields(configPath) : {}
 
@@ -103,8 +109,6 @@ export async function publish (options) {
     logInfo({ message: `[@ossy/cli] publish --all: platform=${targetPlatform}` })
     await runNpxDeploymentTools([
       'deploy-all',
-      '-u', username,
-      '-a', authentication,
       '-p', targetPlatform,
       '--platforms-path', platformsPath,
       '--deployments-path', deploymentsPath,
@@ -112,14 +116,14 @@ export async function publish (options) {
     if (!skipResourceTemplates && configPath) {
       await maybeUploadResourceTemplatesAfterPublish({
         configPath,
-        cmsToken: cmsAuthentication,
+        cmsToken: apiToken,
         apiUrlFlag: apiUrlForTemplates,
       })
     }
     if (!skipSiteArtifacts && configPath) {
       await maybeUploadSiteArtifactsAfterPublish({
         configPath,
-        cmsToken: cmsAuthentication,
+        cmsToken: apiToken,
         apiUrlFlag: apiUrlForTemplates,
         buildDir: siteArtifactsBuildDir,
       })
@@ -152,8 +156,6 @@ export async function publish (options) {
 
   await runNpxDeploymentTools([
     'deploy',
-    '-u', username,
-    '-a', authentication,
     '-d', targetDomain,
     '-p', targetPlatform,
     '--platforms-path', platformsPath,
@@ -163,14 +165,14 @@ export async function publish (options) {
   if (!skipResourceTemplates && configPath) {
     await maybeUploadResourceTemplatesAfterPublish({
       configPath,
-      cmsToken: cmsAuthentication,
+      cmsToken: apiToken,
       apiUrlFlag: apiUrlForTemplates,
     })
   }
   if (!skipSiteArtifacts && configPath) {
     await maybeUploadSiteArtifactsAfterPublish({
       configPath,
-      cmsToken: cmsAuthentication,
+      cmsToken: apiToken,
       apiUrlFlag: apiUrlForTemplates,
       buildDir: siteArtifactsBuildDir,
     })

package/src/publish/resource-templates-after-publish.js

@@ -63,7 +63,7 @@ export async function maybeUploadResourceTemplatesAfterPublish ({
         : ''
     const hint401 =
       response.status === 401
-        ? ' Use an Ossy API JWT with --cms-authentication (repo secret OSSY_API_KEY in CI), not the GitHub deploy token.'
+        ? ' Use an Ossy API JWT with --authentication (or OSSY_API_KEY in CI), not a non-API deploy token.'
         : ''
     throw new Error(
       `Resource template upload failed: HTTP ${response.status}${hint404}${hint401}${

package/src/registry/cli.js

@@ -0,0 +1,16 @@
+import { ecrPushCredentials } from './ecr-push-credentials.js'
+
+/**
+ * @param {string[]} args argv after `registry`
+ */
+export async function handler (args) {
+  const [sub, ...rest] = args
+  if (sub === 'ecr-push-credentials') {
+    await ecrPushCredentials(rest)
+    return
+  }
+  console.error(
+    '[@ossy/cli] registry: unknown subcommand. Usage: registry ecr-push-credentials [--format json|github-actions] ...'
+  )
+  process.exit(1)
+}

package/src/registry/ecr-push-credentials.js

@@ -0,0 +1,108 @@
+import arg from 'arg'
+import { appendFileSync } from 'fs'
+import { requireCmsAuthentication } from '../cms/upload-resource-templates.js'
+
+const DEFAULT_API_URL = 'https://api.ossy.se/api/v0'
+
+/**
+ * POST /registry/ecr/push-credentials and print docker/registry fields.
+ *
+ * @param {string[]} options argv after `registry ecr-push-credentials`
+ */
+export async function ecrPushCredentials (options) {
+  const parsed = arg(
+    {
+      '--authentication': String,
+      '-a': '--authentication',
+      '--workspace-id': String,
+      '-w': '--workspace-id',
+      '--api-url': String,
+      '--format': String,
+    },
+    { argv: options }
+  )
+
+  let token
+  try {
+    token = requireCmsAuthentication(
+      parsed['--authentication'] || process.env.OSSY_API_KEY,
+      'registry ecr-push-credentials'
+    )
+  } catch (e) {
+    console.error(e?.message || '[@ossy/cli] registry ecr-push-credentials: need --authentication (-a) or OSSY_API_KEY')
+    process.exit(1)
+  }
+
+  const workspaceId = parsed['--workspace-id'] || process.env.OSSY_WORKSPACE_ID || ''
+  if (!workspaceId.trim()) {
+    console.error('[@ossy/cli] registry ecr-push-credentials: pass --workspace-id (-w) or set OSSY_WORKSPACE_ID')
+    process.exit(1)
+  }
+
+  const apiUrl = (parsed['--api-url'] || process.env.OSSY_API_URL || DEFAULT_API_URL).replace(/\/$/, '')
+  const format = parsed['--format'] || 'json'
+
+  const res = await fetch(`${apiUrl}/registry/ecr/push-credentials`, {
+    method: 'POST',
+    headers: {
+      authorization: token,
+      workspaceId: workspaceId.trim(),
+      'content-type': 'application/json',
+    },
+    body: '{}',
+  })
+
+  const text = await res.text()
+  let data
+  try {
+    data = JSON.parse(text)
+  } catch {
+    console.error(`[@ossy/cli] registry ecr-push-credentials: non-JSON response (${res.status})`)
+    console.error(text)
+    process.exit(1)
+  }
+
+  if (!res.ok) {
+    console.error(`[@ossy/cli] registry ecr-push-credentials: HTTP ${res.status}`)
+    console.error(text)
+    process.exit(1)
+  }
+
+  const { registry, username, password, expiresAt } = data
+  if (
+    typeof registry !== 'string' ||
+    !registry ||
+    typeof username !== 'string' ||
+    !username ||
+    typeof password !== 'string' ||
+    !password
+  ) {
+    console.error('[@ossy/cli] registry ecr-push-credentials: invalid response (expected registry, username, password)')
+    console.error(JSON.stringify(data))
+    process.exit(1)
+  }
+
+  if (format === 'github-actions') {
+    const out = process.env.GITHUB_OUTPUT
+    if (!out) {
+      console.error('[@ossy/cli] registry ecr-push-credentials: --format github-actions requires GITHUB_OUTPUT')
+      process.exit(1)
+    }
+    console.log(`::add-mask::${password}`)
+    appendFileSync(out, `registry=${registry}\n`, 'utf8')
+    appendFileSync(out, `username=${username}\n`, 'utf8')
+    appendFileSync(out, `password=${password}\n`, 'utf8')
+    if (expiresAt != null) {
+      appendFileSync(out, `expires_at=${String(expiresAt)}\n`, 'utf8')
+    }
+    return
+  }
+
+  if (format === 'json') {
+    console.log(JSON.stringify({ registry, username, password, expiresAt }, null, 2))
+    return
+  }
+
+  console.error(`[@ossy/cli] registry ecr-push-credentials: unknown --format ${format} (use json or github-actions)`)
+  process.exit(1)
+}