@pagopa/dx-cli 0.16.3 → 0.18.1

package/dist/adapters/azure/__tests__/cloud-account-service.test.js

@@ -93,3 +93,38 @@ describe("getTerraformBackend", () => {
         }));
     });
 });
+describe("isInitialized", () => {
+    test("returns true when both bootstrap identity and common Key Vault exist", async ({ cloudAccountService, }) => {
+        // First call: identity query → found
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        // Second call: key vault query → found
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        const result = await cloudAccountService.isInitialized("sub-1", {
+            name: "dev",
+            prefix: "dx",
+        });
+        expect(result).toBe(true);
+    });
+    test("returns false when bootstrap identity exists but common Key Vault does not", async ({ cloudAccountService, }) => {
+        // First call: identity query → found
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        // Second call: key vault query → not found
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 0 });
+        const result = await cloudAccountService.isInitialized("sub-1", {
+            name: "dev",
+            prefix: "dx",
+        });
+        expect(result).toBe(false);
+    });
+    test("returns false when common Key Vault exists but bootstrap identity does not", async ({ cloudAccountService, }) => {
+        // First call: identity query → not found
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 0 });
+        // Second call: key vault query → found
+        queryResources.mockResolvedValueOnce({ data: [], totalRecords: 1 });
+        const result = await cloudAccountService.isInitialized("sub-1", {
+            name: "dev",
+            prefix: "dx",
+        });
+        expect(result).toBe(false);
+    });
+});

package/dist/adapters/azure/cloud-account-service.d.ts

@@ -2,6 +2,7 @@ import type { TokenCredential } from "@azure/identity";
 import { z } from "zod/v4";
 import { CloudAccount, type CloudAccountService } from "../../domain/cloud-account.js";
 import { type EnvironmentId } from "../../domain/environment.js";
+import { GitHubAppCredentials } from "../../domain/github.js";
 import { type TerraformBackend } from "../../domain/remote-backend.js";
 export declare const resourceGraphDataSchema: z.ZodObject<{
     location: z.ZodEnum<{
@@ -16,7 +17,7 @@ export declare class AzureCloudAccountService implements CloudAccountService {
     constructor(credential: TokenCredential);
     getTerraformBackend(cloudAccountId: CloudAccount["id"], { name, prefix }: EnvironmentId): Promise<TerraformBackend | undefined>;
     hasUserPermissionToInitialize(cloudAccountId: CloudAccount["id"]): Promise<boolean>;
-    initialize(cloudAccount: CloudAccount, { name, prefix }: EnvironmentId, tags?: Record<string, string>): Promise<void>;
+    initialize(cloudAccount: CloudAccount, { name, prefix }: EnvironmentId, runnerAppCredentials: GitHubAppCredentials, tags?: Record<string, string>): Promise<void>;
     isInitialized(cloudAccountId: CloudAccount["id"], { name, prefix }: EnvironmentId): Promise<boolean>;
     provisionTerraformBackend(cloudAccount: CloudAccount, { name, prefix }: EnvironmentId, tags?: Record<string, string>): Promise<TerraformBackend>;
 }

package/dist/adapters/azure/cloud-account-service.js

@@ -1,8 +1,11 @@
 import { AuthorizationManagementClient } from "@azure/arm-authorization";
+import { KeyVaultManagementClient } from "@azure/arm-keyvault";
 import { ManagedServiceIdentityClient } from "@azure/arm-msi";
 import { ResourceGraphClient } from "@azure/arm-resourcegraph";
 import { ResourceManagementClient } from "@azure/arm-resources";
+import { SubscriptionClient } from "@azure/arm-resources-subscriptions";
 import { StorageManagementClient } from "@azure/arm-storage";
+import { SecretClient } from "@azure/keyvault-secrets";
 import { BlobServiceClient } from "@azure/storage-blob";
 import { getLogger } from "@logtape/logtape";
 import { Client } from "@microsoft/microsoft-graph-client";
@@ -118,7 +121,7 @@ export class AzureCloudAccountService {
             throw error;
         }
     }
-    async initialize(cloudAccount, { name, prefix }, tags = {}) {
+    async initialize(cloudAccount, { name, prefix }, runnerAppCredentials, tags = {}) {
         assert.equal(cloudAccount.csp, "azure", "Cloud account must be Azure");
         assert.ok(isAzureLocation(cloudAccount.defaultLocation), "The default location of the cloud account is not a valid Azure location");
         const logger = getLogger(["gen", "env"]);
@@ -127,7 +130,7 @@ export class AzureCloudAccountService {
             env: environmentShort[name],
             location: locationShort[cloudAccount.defaultLocation],
         };
-        const resourceGroupName = `${prefix}-${short.env}-${short.location}-bootstrap-rg-01`;
+        const resourceGroupName = `${prefix}-${short.env}-${short.location}-common-rg-01`;
         const parameters = {
             location: cloudAccount.defaultLocation,
             tags: {
@@ -137,24 +140,81 @@ export class AzureCloudAccountService {
         };
         await resourceManagementClient.resourceGroups.createOrUpdate(resourceGroupName, parameters);
         logger.debug("Created resource group {resourceGroupName} in subscription {subscriptionId}", { resourceGroupName, subscriptionId: cloudAccount.id });
-        const msiClient = new ManagedServiceIdentityClient(this.#credential, cloudAccount.id);
-        const identityName = `${prefix}-${short.env}-${short.location}-bootstrap-id-01`;
-        await msiClient.userAssignedIdentities.createOrUpdate(resourceGroupName, identityName, parameters);
-        logger.debug("Created identity {identityName} in subscription {subscriptionId}", { identityName, subscriptionId: cloudAccount.id });
+        try {
+            const identityName = `${prefix}-${short.env}-${short.location}-bootstrap-id-01`;
+            const msiClient = new ManagedServiceIdentityClient(this.#credential, cloudAccount.id);
+            await msiClient.userAssignedIdentities.createOrUpdate(resourceGroupName, identityName, parameters);
+            logger.debug("Created identity {identityName} in subscription {subscriptionId}", { identityName, subscriptionId: cloudAccount.id });
+            // Retrieve tenant ID from the subscription
+            const subscriptionClient = new SubscriptionClient(this.#credential);
+            const subscription = await subscriptionClient.subscriptions.get(cloudAccount.id);
+            assert.ok(subscription.tenantId, "Subscription tenant ID is undefined");
+            const kvClient = new KeyVaultManagementClient(this.#credential, cloudAccount.id);
+            const keyVaultName = `${prefix}-${short.env}-${short.location}-common-kv-01`;
+            const secretsProtectionEnabled = short.env === "p";
+            await kvClient.vaults.beginCreateOrUpdateAndWait(resourceGroupName, keyVaultName, {
+                location: cloudAccount.defaultLocation,
+                properties: {
+                    enabledForDiskEncryption: true,
+                    enablePurgeProtection: secretsProtectionEnabled ? true : undefined,
+                    enableRbacAuthorization: true,
+                    sku: {
+                        family: "A",
+                        name: "standard",
+                    },
+                    softDeleteRetentionInDays: secretsProtectionEnabled ? 14 : 7,
+                    tenantId: subscription.tenantId,
+                },
+                tags: {
+                    Environment: name,
+                    ...tags,
+                },
+            });
+            logger.debug("Created key vault {keyVaultName} in subscription {subscriptionId}", { keyVaultName, subscriptionId: cloudAccount.id });
+            const secretClient = new SecretClient(`https://${keyVaultName}.vault.azure.net/`, this.#credential);
+            await Promise.all([
+                secretClient.setSecret("github-runner-app-id", runnerAppCredentials.id),
+                secretClient.setSecret("github-runner-app-installation-id", runnerAppCredentials.installationId),
+                secretClient.setSecret("github-runner-app-key", runnerAppCredentials.key),
+            ]);
+            logger.debug("Created secrets in key vault {keyVaultName} in subscription {subscriptionId}", { keyVaultName, subscriptionId: cloudAccount.id });
+        }
+        catch (cause) {
+            // Cleanup resource group if initialization fails
+            await resourceManagementClient.resourceGroups.beginDeleteAndWait(resourceGroupName);
+            logger.debug("Deleted resource group {resourceGroupName} in subscription {subscriptionId} due to initialization failure", { resourceGroupName, subscriptionId: cloudAccount.id });
+            if (cause instanceof Error) {
+                logger.error(cause.message);
+            }
+            throw new Error(`Error during the initialization of the cloud account`, {
+                cause,
+            });
+        }
     }
     async isInitialized(cloudAccountId, { name, prefix }) {
         const allLocations = Object.values(locationShort).join("|");
         const shortEnv = environmentShort[name];
-        const resourceName = `${prefix}-${shortEnv}-(${allLocations})-bootstrap-id-(0[1-9]|[1-9]\\d)`;
-        const query = `resources
+        const identityResourceName = `${prefix}-${shortEnv}-(${allLocations})-bootstrap-id-(0[1-9]|[1-9]\\d)`;
+        const identityQuery = `resources
              | where type == 'microsoft.managedidentity/userassignedidentities'
-             | where name matches regex @'${resourceName}'
+             | where name matches regex @'${identityResourceName}'
             `;
-        const result = await this.#resourceGraphClient.resources({
-            query,
-            subscriptions: [cloudAccountId],
-        });
-        const initialized = result.totalRecords > 0;
+        const keyVaultResourceName = `${prefix}-${shortEnv}-(${allLocations})-common-kv-(0[1-9]|[1-9]\\d)`;
+        const keyVaultQuery = `resources
+             | where type == 'microsoft.keyvault/vaults'
+             | where name matches regex @'${keyVaultResourceName}'
+            `;
+        const [identityResult, keyVaultResult] = await Promise.all([
+            this.#resourceGraphClient.resources({
+                query: identityQuery,
+                subscriptions: [cloudAccountId],
+            }),
+            this.#resourceGraphClient.resources({
+                query: keyVaultQuery,
+                subscriptions: [cloudAccountId],
+            }),
+        ]);
+        const initialized = identityResult.totalRecords > 0 && keyVaultResult.totalRecords > 0;
         const logger = getLogger(["gen", "env"]);
         logger.debug("subscription {subscriptionId} initialized: {initialized}", {
             initialized,

package/dist/adapters/commander/commands/add.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Add command - Scaffold new components into existing workspaces
+ *
+ * This module implements the `dx add` command which allows developers to scaffold
+ * new components into their existing workspace following DevEx guidelines.
+ *
+ * Currently supported components:
+ * - environment: Add a new deployment environment to the project
+ */
+import { Command } from "commander";
+export declare const makeAddCommand: () => Command;

package/dist/adapters/commander/commands/add.js

@@ -0,0 +1,27 @@
+/**
+ * Add command - Scaffold new components into existing workspaces
+ *
+ * This module implements the `dx add` command which allows developers to scaffold
+ * new components into their existing workspace following DevEx guidelines.
+ *
+ * Currently supported components:
+ * - environment: Add a new deployment environment to the project
+ */
+import { Command } from "commander";
+import { ResultAsync } from "neverthrow";
+import { getPlopInstance, runDeploymentEnvironmentGenerator, } from "../../plop/index.js";
+import { checkPreconditions } from "./init.js";
+const addEnvironmentAction = () => checkPreconditions()
+    .andThen(() => ResultAsync.fromPromise(getPlopInstance(), () => new Error("Failed to initialize plop")))
+    .andThen((plop) => ResultAsync.fromPromise(runDeploymentEnvironmentGenerator(plop), () => new Error("Failed to run the deployment environment generator")));
+export const makeAddCommand = () => new Command()
+    .name("add")
+    .description("Add a new component to your workspace")
+    .addCommand(new Command("environment")
+    .description("Add a new deployment environment")
+    .action(async function () {
+    const result = await addEnvironmentAction();
+    if (result.isErr()) {
+        this.error(result.error.message);
+    }
+}));

package/dist/adapters/commander/commands/init.d.ts

@@ -1,5 +1,7 @@
 import { Command } from "commander";
+import { ResultAsync } from "neverthrow";
 import { GitHubService } from "../../../domain/github.js";
+export declare const checkPreconditions: () => ResultAsync<string, Error>;
 type InitCommandDependencies = {
     gitHubService: GitHubService;
 };

package/dist/adapters/commander/commands/init.js

@@ -49,7 +49,7 @@ const ensureAzLogin = async () => {
     return user.name;
 };
 const checkAzLogin = () => withSpinner("Check Azure login status...", (userName) => `You are logged in to Azure (${userName})`, "Please log in to Azure CLI using `az login` before running this command.", ensureAzLogin());
-const checkPreconditions = () => checkTerraformCliIsInstalled().andThen(() => checkAzLogin());
+export const checkPreconditions = () => checkTerraformCliIsInstalled().andThen(() => checkAzLogin());
 const createRemoteRepository = ({ repoName, repoOwner, }) => {
     const logger = getLogger(["dx-cli", "init"]);
     const repo$ = tf$({ cwd: path.resolve("infra", "repository") });

package/dist/adapters/commander/index.js

@@ -1,4 +1,5 @@
 import { Command } from "commander";
+import { makeAddCommand } from "./commands/add.js";
 import { makeCodemodCommand, } from "./commands/codemod.js";
 import { makeDoctorCommand } from "./commands/doctor.js";
 import { makeInfoCommand } from "./commands/info.js";
@@ -12,6 +13,7 @@ export const makeCli = (deps, config, cliDeps, version) => {
     program.addCommand(makeInitCommand(deps));
     program.addCommand(makeSavemoneyCommand());
     program.addCommand(makeInfoCommand(deps));
+    program.addCommand(makeAddCommand());
     return program;
 };
 export const exitWithError = (command) => (error) => {

package/dist/adapters/octokit/__tests__/index.test.js

@@ -3,7 +3,7 @@ import { RequestError } from "octokit";
 import { SemVer } from "semver";
 import { beforeEach, describe, expect, it } from "vitest";
 import { mockDeep, mockReset } from "vitest-mock-extended";
-import { PullRequest, Repository, RepositoryNotFoundError, } from "../../../domain/github.js";
+import { FileNotFoundError, PullRequest, Repository, RepositoryNotFoundError, } from "../../../domain/github.js";
 import { fetchLatestRelease, fetchLatestTag } from "../index.js";
 import { OctokitGitHubService } from "../index.js";
 const makeEnv = () => {
@@ -14,6 +14,7 @@ const makeEnv = () => {
         mockOctokit,
     };
 };
+// eslint-disable-next-line max-lines-per-function
 describe("OctokitGitHubService", () => {
     describe("getRepository", () => {
         it("should return a Repository when the repository exists", async () => {
@@ -140,6 +141,222 @@ describe("OctokitGitHubService", () => {
             await expect(githubService.createPullRequest(params)).rejects.toThrowError("Failed to create pull request in pagopa/dx");
         });
     });
+    describe("getFileContent", () => {
+        it("should return file content and sha when file exists", async () => {
+            const { githubService, mockOctokit } = makeEnv();
+            const params = {
+                owner: "pagopa",
+                path: "src/test.tf",
+                ref: "main",
+                repo: "test-repo",
+            };
+            const fileContent = "test content";
+            const mockResponse = {
+                data: {
+                    content: Buffer.from(fileContent).toString("base64"),
+                    sha: "abc123sha",
+                    type: "file",
+                },
+            };
+            mockOctokit.rest.repos.getContent.mockResolvedValue(mockResponse);
+            const result = await githubService.getFileContent(params);
+            expect(result.content).toBe(fileContent);
+            expect(result.sha).toBe("abc123sha");
+            expect(mockOctokit.rest.repos.getContent).toHaveBeenCalledWith({
+                owner: params.owner,
+                path: params.path,
+                ref: params.ref,
+                repo: params.repo,
+            });
+        });
+        it("should throw FileNotFoundError when file does not exist (404)", async () => {
+            const { githubService, mockOctokit } = makeEnv();
+            const params = {
+                owner: "pagopa",
+                path: "non-existent.tf",
+                repo: "test-repo",
+            };
+            const error = new RequestError("Not Found", 404, {
+                request: {
+                    headers: {},
+                    method: "GET",
+                    url: "https://api.github.com/repos/pagopa/test-repo/contents/non-existent.tf",
+                },
+                response: {
+                    data: { message: "Not Found" },
+                    headers: {},
+                    status: 404,
+                    url: "https://api.github.com/repos/pagopa/test-repo/contents/non-existent.tf",
+                },
+            });
+            mockOctokit.rest.repos.getContent.mockRejectedValue(error);
+            await expect(githubService.getFileContent(params)).rejects.toThrow(FileNotFoundError);
+            await expect(githubService.getFileContent(params)).rejects.toThrowError("File not found: non-existent.tf");
+        });
+        it("should throw an error when API call fails", async () => {
+            const { githubService, mockOctokit } = makeEnv();
+            const params = {
+                owner: "pagopa",
+                path: "src/test.tf",
+                repo: "test-repo",
+            };
+            const error = new RequestError("Server Error", 500, {
+                request: {
+                    headers: {},
+                    method: "GET",
+                    url: "https://api.github.com/repos/pagopa/test-repo/contents/src/test.tf",
+                },
+                response: {
+                    data: { message: "Server Error" },
+                    headers: {},
+                    status: 500,
+                    url: "https://api.github.com/repos/pagopa/test-repo/contents/src/test.tf",
+                },
+            });
+            mockOctokit.rest.repos.getContent.mockRejectedValue(error);
+            await expect(githubService.getFileContent(params)).rejects.toThrowError("Failed to get file content: src/test.tf");
+        });
+    });
+    describe("createBranch", () => {
+        it("should create a new branch from an existing ref", async () => {
+            const { githubService, mockOctokit } = makeEnv();
+            const params = {
+                branchName: "feats/new-feature",
+                fromRef: "main",
+                owner: "pagopa",
+                repo: "test-repo",
+            };
+            const refResponse = {
+                data: {
+                    object: {
+                        sha: "mainbranchsha123",
+                    },
+                },
+            };
+            mockOctokit.rest.git.getRef.mockResolvedValue(refResponse);
+            mockOctokit.rest.git.createRef.mockResolvedValue({});
+            await githubService.createBranch(params);
+            expect(mockOctokit.rest.git.getRef).toHaveBeenCalledWith({
+                owner: params.owner,
+                ref: "heads/main",
+                repo: params.repo,
+            });
+            expect(mockOctokit.rest.git.createRef).toHaveBeenCalledWith({
+                owner: params.owner,
+                ref: "refs/heads/feats/new-feature",
+                repo: params.repo,
+                sha: "mainbranchsha123",
+            });
+        });
+        it("should throw an error when branch creation fails", async () => {
+            const { githubService, mockOctokit } = makeEnv();
+            const params = {
+                branchName: "feats/new-feature",
+                fromRef: "main",
+                owner: "pagopa",
+                repo: "test-repo",
+            };
+            const refResponse = {
+                data: {
+                    object: {
+                        sha: "mainbranchsha123",
+                    },
+                },
+            };
+            const error = new RequestError("Reference already exists", 422, {
+                request: {
+                    headers: {},
+                    method: "POST",
+                    url: "https://api.github.com/repos/pagopa/test-repo/git/refs",
+                },
+                response: {
+                    data: { message: "Reference already exists" },
+                    headers: {},
+                    status: 422,
+                    url: "https://api.github.com/repos/pagopa/test-repo/git/refs",
+                },
+            });
+            mockOctokit.rest.git.getRef.mockResolvedValue(refResponse);
+            mockOctokit.rest.git.createRef.mockRejectedValue(error);
+            await expect(githubService.createBranch(params)).rejects.toThrowError("Failed to create branch: feats/new-feature");
+        });
+        it("should throw an error when source ref does not exist", async () => {
+            const { githubService, mockOctokit } = makeEnv();
+            const params = {
+                branchName: "feats/new-feature",
+                fromRef: "non-existent",
+                owner: "pagopa",
+                repo: "test-repo",
+            };
+            const error = new RequestError("Not Found", 404, {
+                request: {
+                    headers: {},
+                    method: "GET",
+                    url: "https://api.github.com/repos/pagopa/test-repo/git/ref/heads/non-existent",
+                },
+                response: {
+                    data: { message: "Not Found" },
+                    headers: {},
+                    status: 404,
+                    url: "https://api.github.com/repos/pagopa/test-repo/git/ref/heads/non-existent",
+                },
+            });
+            mockOctokit.rest.git.getRef.mockRejectedValue(error);
+            await expect(githubService.createBranch(params)).rejects.toThrowError("Failed to create branch: feats/new-feature");
+        });
+    });
+    describe("updateFile", () => {
+        it("should update a file successfully", async () => {
+            const { githubService, mockOctokit } = makeEnv();
+            const params = {
+                branch: "feats/new-feature",
+                content: "updated content",
+                message: "Update file",
+                owner: "pagopa",
+                path: "src/test.tf",
+                repo: "test-repo",
+                sha: "existingfilesha123",
+            };
+            mockOctokit.rest.repos.createOrUpdateFileContents.mockResolvedValue({});
+            await githubService.updateFile(params);
+            expect(mockOctokit.rest.repos.createOrUpdateFileContents).toHaveBeenCalledWith({
+                branch: params.branch,
+                content: Buffer.from(params.content).toString("base64"),
+                message: params.message,
+                owner: params.owner,
+                path: params.path,
+                repo: params.repo,
+                sha: params.sha,
+            });
+        });
+        it("should throw an error when file update fails", async () => {
+            const { githubService, mockOctokit } = makeEnv();
+            const params = {
+                branch: "feats/new-feature",
+                content: "updated content",
+                message: "Update file",
+                owner: "pagopa",
+                path: "src/test.tf",
+                repo: "test-repo",
+                sha: "wrongsha",
+            };
+            const error = new RequestError("Conflict", 409, {
+                request: {
+                    headers: {},
+                    method: "PUT",
+                    url: "https://api.github.com/repos/pagopa/test-repo/contents/src/test.tf",
+                },
+                response: {
+                    data: { message: "Conflict" },
+                    headers: {},
+                    status: 409,
+                    url: "https://api.github.com/repos/pagopa/test-repo/contents/src/test.tf",
+                },
+            });
+            mockOctokit.rest.repos.createOrUpdateFileContents.mockRejectedValue(error);
+            await expect(githubService.updateFile(params)).rejects.toThrowError("Failed to update file: src/test.tf");
+        });
+    });
 });
 describe("octokit adapter", () => {
     const owner = "test-owner";

package/dist/adapters/octokit/index.d.ts

@@ -1,6 +1,6 @@
 import { ResultAsync } from "neverthrow";
 import { Octokit } from "octokit";
-import { GitHubService, PullRequest, Repository } from "../../domain/github.js";
+import { CreateBranchParams, FileContent, GetFileContentParams, GitHubService, PullRequest, Repository, UpdateFileParams } from "../../domain/github.js";
 type GitHubReleaseParam = {
     client: Octokit;
     owner: string;
@@ -9,6 +9,7 @@ type GitHubReleaseParam = {
 export declare class OctokitGitHubService implements GitHubService {
     #private;
     constructor(octokit: Octokit);
+    createBranch(params: CreateBranchParams): Promise<void>;
     createPullRequest(params: {
         base: string;
         body: string;
@@ -17,7 +18,9 @@ export declare class OctokitGitHubService implements GitHubService {
         repo: string;
         title: string;
     }): Promise<PullRequest>;
+    getFileContent(params: GetFileContentParams): Promise<FileContent>;
     getRepository(owner: string, name: string): Promise<Repository>;
+    updateFile(params: UpdateFileParams): Promise<void>;
 }
 export declare const getGitHubPAT: () => Promise<string | undefined>;
 export declare const fetchLatestTag: ({ client, owner, repo }: GitHubReleaseParam) => ResultAsync<import("semver").SemVer | null, Error>;

package/dist/adapters/octokit/index.js

@@ -3,12 +3,34 @@ import { ResultAsync } from "neverthrow";
 import { RequestError } from "octokit";
 import semverParse from "semver/functions/parse.js";
 import semverSort from "semver/functions/sort.js";
-import { PullRequest, Repository, RepositoryNotFoundError, } from "../../domain/github.js";
+import { FileNotFoundError, PullRequest, Repository, RepositoryNotFoundError, } from "../../domain/github.js";
 export class OctokitGitHubService {
     #octokit;
     constructor(octokit) {
         this.#octokit = octokit;
     }
+    async createBranch(params) {
+        try {
+            // Get the SHA of the source branch
+            const { data: refData } = await this.#octokit.rest.git.getRef({
+                owner: params.owner,
+                ref: `heads/${params.fromRef}`,
+                repo: params.repo,
+            });
+            // Create the new branch
+            await this.#octokit.rest.git.createRef({
+                owner: params.owner,
+                ref: `refs/heads/${params.branchName}`,
+                repo: params.repo,
+                sha: refData.object.sha,
+            });
+        }
+        catch (error) {
+            throw new Error(`Failed to create branch: ${params.branchName}`, {
+                cause: error,
+            });
+        }
+    }
     async createPullRequest(params) {
         try {
             const { data } = await this.#octokit.rest.pulls.create({
@@ -27,6 +49,30 @@ export class OctokitGitHubService {
             });
         }
     }
+    async getFileContent(params) {
+        try {
+            const { data } = await this.#octokit.rest.repos.getContent({
+                owner: params.owner,
+                path: params.path,
+                ref: params.ref,
+                repo: params.repo,
+            });
+            // GitHub API returns an array for directories, single object for files
+            if (Array.isArray(data) || data.type !== "file") {
+                throw new Error(`Path ${params.path} is not a file`);
+            }
+            const content = Buffer.from(data.content, "base64").toString("utf-8");
+            return { content, sha: data.sha };
+        }
+        catch (error) {
+            if (error instanceof RequestError && error.status === 404) {
+                throw new FileNotFoundError(params.path);
+            }
+            throw new Error(`Failed to get file content: ${params.path}`, {
+                cause: error,
+            });
+        }
+    }
     async getRepository(owner, name) {
         try {
             const { data } = await this.#octokit.rest.repos.get({
@@ -44,6 +90,24 @@ export class OctokitGitHubService {
             });
         }
     }
+    async updateFile(params) {
+        try {
+            await this.#octokit.rest.repos.createOrUpdateFileContents({
+                branch: params.branch,
+                content: Buffer.from(params.content).toString("base64"),
+                message: params.message,
+                owner: params.owner,
+                path: params.path,
+                repo: params.repo,
+                sha: params.sha,
+            });
+        }
+        catch (error) {
+            throw new Error(`Failed to update file: ${params.path}`, {
+                cause: error,
+            });
+        }
+    }
 }
 // Follow the same order of precedence of gh cli
 // https://cli.github.com/manual/gh_help_environment

package/dist/adapters/pagopa-technology/__tests__/authorization.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for the PagoPA technology authorization adapter.
+ */
+export {};