@vaharoni/devops 1.2.18 → 1.3.1

package/dist/{chunk-RZ46YYZZ.js → chunk-6FEVIEFY.js}

@@ -9,7 +9,8 @@ import { z } from "zod";
 var SUPPORTED_LANGUAGES = ["python", "node"];
 var constFileSchema = z.object({
   "project-name": z.string(),
-  "infra": z.enum(["hetzner", "digitalocean", "gcloud"]),
+  "registry-infra": z.enum(["digitalocean", "gcp", "harbor"]),
+  "use-image-pull-secret": z.boolean().optional(),
   "image-versions-to-keep": z.number().optional(),
   "registry-base-url": z.string(),
   "registry-image-path-prefix": z.string().optional(),

package/dist/{chunk-WKP7EQNU.js → chunk-QOZ6NZJC.js}

@@ -2,7 +2,7 @@ import {
   getConst,
   getImageData,
   globEnvYamlFiles
-} from "./chunk-RZ46YYZZ.js";
+} from "./chunk-6FEVIEFY.js";
 
 // src/cli/common.ts
 import chalk from "chalk";

package/dist/{chunk-N7EX3HJH.js → chunk-UZAJJUGJ.js}

@@ -1,6 +1,6 @@
 import {
   getConst
-} from "./chunk-RZ46YYZZ.js";
+} from "./chunk-6FEVIEFY.js";
 
 // src/app-support/crypto/aes.ts
 import crypto from "crypto";

package/dist/devops.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env bun
 import {
   InternalToken
-} from "./chunk-N7EX3HJH.js";
+} from "./chunk-UZAJJUGJ.js";
 import {
   CLICommandParser,
   CommandExecutor,
@@ -24,7 +24,7 @@ import {
   printUsageAndExit,
   secretName,
   upsertConfigMapCommand
-} from "./chunk-WKP7EQNU.js";
+} from "./chunk-QOZ6NZJC.js";
 import {
   IGNORED_PATHS,
   __export,
@@ -36,7 +36,7 @@ import {
   getWorkspace,
   globEnvYamlFiles,
   workspaceDirectoryForLanguage
-} from "./chunk-RZ46YYZZ.js";
+} from "./chunk-6FEVIEFY.js";
 
 // src/devops.ts
 import { globSync as globSync2 } from "glob";
@@ -1103,7 +1103,7 @@ var consoleCommand = { command: "console", oneLiner: oneLiner6, keyExamples: key
 
 // src/cli/core/constant.ts
 var oneLiner7 = "Prints to stdout a constant from constant.yaml";
-var keyExamples7 = `$ devops constant infra`;
+var keyExamples7 = `$ devops constant registry-infra`;
 var usage7 = `
 ${oneLiner7}
 
@@ -1741,12 +1741,12 @@ async function createFiles() {
   }
   tc.enableSubtitution(".devops/config/images.yaml");
   tc.setMessageGenerator(".envrc", envrcMessage);
-  const gitIgnore = gitIgnoreContent(userChoices.infraVariant, userChoices.usePython);
+  const gitIgnore = gitIgnoreContent(userChoices.infraPreset, userChoices.usePython);
   tc.addGeneratedFile(".gitignore", gitIgnore);
   tc.setMessageGenerator(".gitignore", gitignoreMessageGen(gitIgnore));
-  tc.addCopiedFolder(`infra-variants/${userChoices.infraVariant}`, ".");
+  tc.addCopiedFolder(`infra-variants/${userChoices.infraPreset}`, ".");
   tc.enableSubtitution(".devops/config/constants.yaml");
-  if (userChoices.infraVariant === "hetzner") {
+  if (userChoices.infraPreset === "hetzner") {
     tc.enableSubtitution(".devops/infra/hetzner/harbor-cert.yaml");
     tc.enableSubtitution(".devops/infra/hetzner/harbor-values.yaml");
     tc.enableSubtitution(".devops/infra/hetzner/hcloud-config.yaml");
@@ -1804,12 +1804,12 @@ function packageJsonMessage(usePrisma) {
     "applications/**"${prismaMessage}
   ],`)}`;
 }
-function gitIgnoreContent(infraVariant, usePython) {
+function gitIgnoreContent(infraPreset, usePython) {
   const common = `**/.env*
 config/kubeconfig
 tmp/**
 !tmp/**/.gitkeep`;
-  const gcloud = infraVariant === "gcloud" ? "config/gke_gcloud_auth_plugin_cache" : null;
+  const gcloud = infraPreset === "gcloud" ? "config/gke_gcloud_auth_plugin_cache" : null;
   const python = usePython ? `venv/
 **/__pycache__` : null;
   return [common, gcloud, python].filter(Boolean).join("\n");
@@ -1854,12 +1854,12 @@ function getUserChoices(projectName) {
     },
     {
       type: "list",
-      name: "infraVariant",
-      message: "Where does your cluster run?",
+      name: "infraPreset",
+      message: "Select your infrastructure preset:",
       choices: [
-        { name: "Google Cloud", value: "gcloud" },
-        { name: "Digital Ocean", value: "digitalocean" },
-        { name: "Hetzner", value: "hetzner" }
+        { name: "Google Cloud (GKE + GCP Registry)", value: "gcloud" },
+        { name: "Digital Ocean (DO K8s + DO Registry)", value: "digitalocean" },
+        { name: "Hetzner (Hetzner K8s + Harbor)", value: "hetzner" }
       ]
     },
     {
@@ -1867,21 +1867,21 @@ function getUserChoices(projectName) {
       name: "gcloudProjectId",
       message: "Enter the GCP project ID (default: 'changeme')",
       default: "changeme",
-      when: (answers) => answers.infraVariant === "gcloud"
+      when: (answers) => answers.infraPreset === "gcloud"
     },
     {
       type: "input",
       name: "registryImagePathPrefix",
       message: (answers) => `Enter your Digital Ocean container registry name (default: '${answers.projectName}')`,
       default: (answers) => answers.projectName,
-      when: (answers) => answers.infraVariant === "digitalocean"
+      when: (answers) => answers.infraPreset === "digitalocean"
     },
     {
       type: "input",
       name: "registryBaseUrl",
       message: (answers) => `Enter your registry base URL (default: 'registry.${answers.stagingDomain}')`,
       default: (answers) => `registry.${answers.stagingDomain}`,
-      when: (answers) => answers.infraVariant === "hetzner"
+      when: (answers) => answers.infraPreset === "hetzner"
     },
     {
       type: "confirm",
@@ -2067,22 +2067,21 @@ function run11(cmdObj) {
 }
 var job = { oneLiner: oneLiner11, keyExamples: keyExamples11, run: run11 };
 
-// src/libs/hetzner/reg-secret.ts
+// src/libs/registry/image-pull-secret.ts
+var SECRET_NAME = "external-registry-secret";
+var SOURCE_NAMESPACE = "default";
 function isApplicable() {
-  const infra = getConst("infra");
-  if (infra !== "hetzner") {
-    console.warn(
-      "Setting up registry permissions is only needed for Harbor in a Hetzner setup"
-    );
+  const useImagePullSecret = getConst("use-image-pull-secret");
+  if (!useImagePullSecret) {
     return false;
   }
   return true;
 }
-function copySecretHarborToNamespace(monorepoEnv) {
+function copyRegistrySecretToNamespace(monorepoEnv) {
   if (!isApplicable()) return;
-  const cmd = kubectlCommand("get secret harbor-registry-secret -o json", {
+  const cmd = kubectlCommand(`get secret ${SECRET_NAME} -o json`, {
     monorepoEnv,
-    namespace: "harbor"
+    namespace: SOURCE_NAMESPACE
   });
   const secretStr = new CommandExecutor(cmd, { quiet: true }).exec();
   const secretJson = JSON.parse(secretStr);
@@ -2106,7 +2105,7 @@ function copySecretHarborToNamespace(monorepoEnv) {
 function patchServiceAccountImagePullSecret(monorepoEnv) {
   if (!isApplicable()) return;
   const cmd = kubectlCommand(
-    `patch serviceaccount default -p '{"imagePullSecrets": [{"name": "harbor-registry-secret"}]}'`,
+    `patch serviceaccount default -p '{"imagePullSecrets": [{"name": "${SECRET_NAME}"}]}'`,
     { monorepoEnv }
   );
   new CommandExecutor(cmd, { quiet: true }).exec();
@@ -2127,8 +2126,8 @@ GENERAL USAGE
 
     'create' does the following:
       1. Creates the namepace
-      2. Creates a secret to hold environment variables (used by devops env) and the base cryptographic secret 
-      3. On Hetzner, copies the Harbor secret to the namespace and patches the default service account to use it
+      2. Creates a secret to hold environment variables (used by devops env) and the base cryptographic secret
+      3. If use-image-pull-secret is true, copies the external-registry-secret to the namespace and patches the default service account to use it
 
     'delete' removes the namespace in kubernetes, which deletes all entities within it.
 
@@ -2143,7 +2142,7 @@ var handlers4 = {
     createNamespace(env2);
     createEmptyEnvSecret(env2);
     patchBaseSecret(env2);
-    copySecretHarborToNamespace(env2);
+    copyRegistrySecretToNamespace(env2);
     patchServiceAccountImagePullSecret(env2);
   },
   delete(opts) {
@@ -2322,8 +2321,8 @@ function stargGarbageCollection(registryName) {
   new CommandExecutor(cmd).exec();
 }
 function prune(registryFullName, repoName, image2) {
-  const infra = getConst("infra");
-  if (infra !== "digitalocean") {
+  const registryInfra = getConst("registry-infra");
+  if (registryInfra !== "digitalocean") {
     console.warn(
       "Pruning is only supported for the DigitalOcean container registry"
     );
@@ -2375,7 +2374,7 @@ USAGE
   Prunes the repository of old images to enforce the "image-versions-to-keep" constant in config/constants.yaml:
     devops registry prune <image> --env <env>
 
-    This is only relevant when the "infra" constant is set to "digitalocean".
+    This is only relevant when the "registry-infra" constant is set to "digitalocean".
 
 EXAMPLES
     ${keyExamples14}

package/dist/index.d.ts

@@ -4,7 +4,8 @@ declare const SUPPORTED_LANGUAGES: readonly ["python", "node"];
 type SupportedLanguages = typeof SUPPORTED_LANGUAGES[number];
 declare const constFileSchema: z.ZodObject<{
     "project-name": z.ZodString;
-    infra: z.ZodEnum<["hetzner", "digitalocean", "gcloud"]>;
+    "registry-infra": z.ZodEnum<["digitalocean", "gcp", "harbor"]>;
+    "use-image-pull-secret": z.ZodOptional<z.ZodBoolean>;
     "image-versions-to-keep": z.ZodOptional<z.ZodNumber>;
     "registry-base-url": z.ZodString;
     "registry-image-path-prefix": z.ZodOptional<z.ZodString>;
@@ -14,20 +15,22 @@ declare const constFileSchema: z.ZodObject<{
     extensions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, "strip", z.ZodTypeAny, {
     "project-name": string;
-    infra: "hetzner" | "digitalocean" | "gcloud";
+    "registry-infra": "digitalocean" | "gcp" | "harbor";
     "registry-base-url": string;
     "extra-remote-environments": string[];
     "extra-local-environments": string[];
+    "use-image-pull-secret"?: boolean | undefined;
     "image-versions-to-keep"?: number | undefined;
     "registry-image-path-prefix"?: string | undefined;
     "cloudrun-artifact-registry-repo-path"?: string | undefined;
     extensions?: string[] | undefined;
 }, {
     "project-name": string;
-    infra: "hetzner" | "digitalocean" | "gcloud";
+    "registry-infra": "digitalocean" | "gcp" | "harbor";
     "registry-base-url": string;
     "extra-remote-environments": string[];
     "extra-local-environments": string[];
+    "use-image-pull-secret"?: boolean | undefined;
     "image-versions-to-keep"?: number | undefined;
     "registry-image-path-prefix"?: string | undefined;
     "cloudrun-artifact-registry-repo-path"?: string | undefined;

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   InternalToken,
   decryptAes256Gcm,
   encryptAes256Gcm
-} from "./chunk-N7EX3HJH.js";
+} from "./chunk-UZAJJUGJ.js";
 import {
   SUPPORTED_LANGUAGES,
   constFileSchema,
@@ -10,7 +10,7 @@ import {
   packageFileNodeSchema,
   packageFilePythonSchema,
   workspaces
-} from "./chunk-RZ46YYZZ.js";
+} from "./chunk-6FEVIEFY.js";
 
 // src/app-support/discovery/dev-discovery-loader.ts
 var _portLookupByServiceName = null;

package/dist/plugins.js

@@ -5,8 +5,8 @@ import {
   kubectlCommand,
   pkgRoot,
   printUsageAndExit
-} from "./chunk-WKP7EQNU.js";
-import "./chunk-RZ46YYZZ.js";
+} from "./chunk-QOZ6NZJC.js";
+import "./chunk-6FEVIEFY.js";
 
 // src/plugins.ts
 import path from "path";

package/dist/src/target-templates/infra-variants/digitalocean/.devops/config/constants.yaml

@@ -1,8 +1,8 @@
 # These will be used when generating kubernetes entities
 project-name: $PROJECT_NAME
 
-# Supported: hetzner, digitalocean, or gcloud
-infra: digitalocean
+# Registry infrastructure: digitalocean, gcp, or harbor
+registry-infra: digitalocean
 
 # Only relevant for Digital Ocean. Determines the number of versions to keep for each docker image.
 image-versions-to-keep: 5

package/dist/src/target-templates/infra-variants/digitalocean/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to DigitalOcean K8s
         uses: ./.github/actions/k8s/connect-to-digitalocean-k8s@v1
@@ -42,16 +42,16 @@ jobs:
         with:
           access_token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to DOCR)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -67,7 +67,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to DigitalOcean K8s
         uses: ./.github/actions/k8s/connect-to-digitalocean-k8s@v1
@@ -80,22 +80,22 @@ jobs:
         with:
           access_token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to DOCR)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/dist/src/target-templates/infra-variants/gcloud/.devops/config/constants.yaml

@@ -1,8 +1,8 @@
 # These will be used when generating kubernetes entities
 project-name: $PROJECT_NAME
 
-# Supported: hetzner, digitalocean, or gcloud
-infra: gcloud
+# Registry infrastructure: digitalocean, gcp, or harbor
+registry-infra: gcp
 
 registry-base-url: gcr.io
 # What comes before <image-name>:<tag>. Can be empty.

package/dist/src/target-templates/infra-variants/gcloud/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to GKE
         uses: ./.github/actions/k8s/connect-to-gke@v1
@@ -40,22 +40,22 @@ jobs:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
 
       - name: Connect to Artifact Registry
-        uses: ./.github/actions/registry/connect-to-artifact-registry@v1
+        uses: ./.github/actions/registry/connect-to-artifact-registry-with-sa@v1
         with:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
           project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
           region: ${{ secrets.GCLOUD_ARTIFACT_REGISTRY_REGION }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to service account key)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -71,7 +71,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to GKE
         uses: ./.github/actions/k8s/connect-to-gke@v1
@@ -82,28 +82,28 @@ jobs:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
 
       - name: Connect to Artifact Registry
-        uses: ./.github/actions/registry/connect-to-artifact-registry@v1
+        uses: ./.github/actions/registry/connect-to-artifact-registry-with-sa@v1
         with:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
           project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
           region: ${{ secrets.GCLOUD_ARTIFACT_REGISTRY_REGION }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to service account key)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/dist/src/target-templates/infra-variants/hetzner/.devops/config/constants.yaml

@@ -1,8 +1,12 @@
 # These will be used when generating kubernetes entities
 project-name: $PROJECT_NAME
 
-# Supported: hetzner, digitalocean, or gcloud
-infra: hetzner
+# Registry infrastructure: digitalocean, gcp, or harbor
+registry-infra: harbor
+
+# When true, devops namespace create will copy external-registry-secret from default namespace
+# and patch the default service account to use it. See docs/infra/RegistrySetup.md for details.
+use-image-pull-secret: true
 
 # Only relevant for Digital Ocean. Determines the number of versions to keep for each docker image.
 image-versions-to-keep: 5

package/dist/src/target-templates/infra-variants/hetzner/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to Hetzner K8s
         uses: ./.github/actions/k8s/connect-to-hetzner-k8s@v1
@@ -42,16 +42,16 @@ jobs:
           harbor_user: ${{ secrets.HARBOR_USER }}
           harbor_password: ${{ secrets.HARBOR_PASSWORD }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to Harbor)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -67,7 +67,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to Hetzner K8s
         uses: ./.github/actions/k8s/connect-to-hetzner-k8s@v1
@@ -80,22 +80,22 @@ jobs:
           harbor_user: ${{ secrets.HARBOR_USER }}
           harbor_password: ${{ secrets.HARBOR_PASSWORD }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to Harbor)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry-with-oidc@v1/action.yaml

@@ -0,0 +1,29 @@
+name: "Connect to Artifact Registry with OIDC"
+description: "Authenticates to Google Artifact Registry using Workload Identity Federation (OIDC)"
+inputs:
+  project_id:
+    description: "Google Cloud project ID"
+    required: true
+  project_number:
+    description: "Google Cloud project number"
+    required: true
+  region:
+    description: "Google Cloud region where the Artifact Registry is located"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Auth to GCP via OIDC
+      uses: google-github-actions/auth@v2
+      with:
+        workload_identity_provider: projects/${{ inputs.project_number }}/locations/global/workloadIdentityPools/github/providers/github-oidc
+        service_account: gha-deployer@${{ inputs.project_id }}.iam.gserviceaccount.com
+        project_id: ${{ inputs.project_id }}
+
+    - name: Setup gcloud
+      uses: google-github-actions/setup-gcloud@v2
+
+    - name: Configure docker to use Artifact Registry
+      shell: bash
+      run: gcloud auth configure-docker ${{ inputs.region }}-docker.pkg.dev --quiet
+    

package/{src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry@v1 → dist/src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry-with-sa@v1}/action.yaml

@@ -1,5 +1,5 @@
-name: "Connect to Artifact Registry"
-description: "Authenticates to Google Artifact Registry"
+name: "Connect to Artifact Registry with Service Account"
+description: "Authenticates to Google Artifact Registry using a service account JSON key"
 inputs:
   service_account_key:
     description: "Google Cloud service account key in JSON format"

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vaharoni/devops",
   "type": "module",
-  "version": "1.2.18",
+  "version": "1.3.1",
   "description": "Devops utility",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

package/src/cli/core/constant.ts

@@ -2,7 +2,7 @@ import { getConst } from "../../libs/config";
 import { CLICommandParser, printUsageAndExit } from "../common";
 
 const oneLiner = "Prints to stdout a constant from constant.yaml";
-const keyExamples = `$ devops constant infra`;
+const keyExamples = `$ devops constant registry-infra`;
 
 const usage = `
 ${oneLiner}

package/src/cli/core/init.ts

@@ -3,7 +3,6 @@ import { InitGenerator, type InitGeneratorFileInfo } from "../../libs/init-gener
 import { CLICommandParser, printUsageAndExit } from "../common";
 import chalk from "chalk";
 import fs from 'fs-extra';
-import type { ConstFileSchema } from "../../types";
 
 const oneLiner =
   "Initializes the devops utility by copying template files to the current folder";
@@ -40,14 +39,14 @@ async function createFiles() {
   tc.setMessageGenerator(".envrc", envrcMessage);
 
   // gitignore
-  const gitIgnore = gitIgnoreContent(userChoices.infraVariant, userChoices.usePython)
+  const gitIgnore = gitIgnoreContent(userChoices.infraPreset, userChoices.usePython)
   tc.addGeneratedFile(".gitignore", gitIgnore);
   tc.setMessageGenerator(".gitignore", gitignoreMessageGen(gitIgnore));
 
   // Infra variants
-  tc.addCopiedFolder(`infra-variants/${userChoices.infraVariant}`, ".");
+  tc.addCopiedFolder(`infra-variants/${userChoices.infraPreset}`, ".");
   tc.enableSubtitution(".devops/config/constants.yaml");
-  if (userChoices.infraVariant === "hetzner") {
+  if (userChoices.infraPreset === "hetzner") {
     tc.enableSubtitution(".devops/infra/hetzner/harbor-cert.yaml");
     tc.enableSubtitution(".devops/infra/hetzner/harbor-values.yaml");
     tc.enableSubtitution(".devops/infra/hetzner/hcloud-config.yaml");
@@ -119,13 +118,13 @@ function packageJsonMessage(usePrisma: boolean) {
   ],`)}`
 }
 
-function gitIgnoreContent(infraVariant: UserChoices["infraVariant"], usePython: boolean) {
+function gitIgnoreContent(infraPreset: InfraPreset, usePython: boolean) {
   const common = `**/.env*
 config/kubeconfig
 tmp/**
 !tmp/**/.gitkeep`;
 
-  const gcloud = infraVariant === 'gcloud' 
+  const gcloud = infraPreset === 'gcloud'
     ? 'config/gke_gcloud_auth_plugin_cache'
     : null;
 
@@ -156,11 +155,13 @@ ${chalk.yellow(content)}`;
   }
 }
 
+type InfraPreset = "gcloud" | "digitalocean" | "hetzner";
+
 type UserChoices = {
   projectName: string;
   stagingDomain: string;
   productionDomain: string;
-  infraVariant: ConstFileSchema["infra"];
+  infraPreset: InfraPreset;
   gcloudProjectId?: string;
   registryImagePathPrefix?: string;
   registryBaseUrl?: string;
@@ -193,12 +194,12 @@ function getUserChoices(projectName: string | undefined): Promise<UserChoices> {
     },
     {
       type: "list",
-      name: "infraVariant",
-      message: "Where does your cluster run?",
+      name: "infraPreset",
+      message: "Select your infrastructure preset:",
       choices: [
-        { name: "Google Cloud", value: "gcloud" },
-        { name: "Digital Ocean", value: "digitalocean" },
-        { name: "Hetzner", value: "hetzner" },
+        { name: "Google Cloud (GKE + GCP Registry)", value: "gcloud" },
+        { name: "Digital Ocean (DO K8s + DO Registry)", value: "digitalocean" },
+        { name: "Hetzner (Hetzner K8s + Harbor)", value: "hetzner" },
       ],
     },
     {
@@ -206,21 +207,21 @@ function getUserChoices(projectName: string | undefined): Promise<UserChoices> {
       name: "gcloudProjectId",
       message: "Enter the GCP project ID (default: 'changeme')",
       default: "changeme",
-      when: (answers) => answers.infraVariant === "gcloud",
+      when: (answers) => answers.infraPreset === "gcloud",
     },
     {
       type: "input",
       name: "registryImagePathPrefix",
       message: (answers) => `Enter your Digital Ocean container registry name (default: '${answers.projectName}')`,
       default: (answers) => answers.projectName,
-      when: (answers) => answers.infraVariant === "digitalocean",
+      when: (answers) => answers.infraPreset === "digitalocean",
     },
     {
       type: "input",
       name: "registryBaseUrl",
       message: (answers) => `Enter your registry base URL (default: 'registry.${answers.stagingDomain}')`,
       default: (answers) => `registry.${answers.stagingDomain}`,
-      when: (answers) => answers.infraVariant === "hetzner",
+      when: (answers) => answers.infraPreset === "hetzner",
     },
     {
       type: "confirm",

package/src/cli/core/namespace.ts

@@ -1,8 +1,8 @@
 import { CLICommandParser, printUsageAndExit, StrongParams } from "../../../src/cli/common";
 import {
-  copySecretHarborToNamespace,
+  copyRegistrySecretToNamespace,
   patchServiceAccountImagePullSecret,
-} from "../../../src/libs/hetzner/reg-secret";
+} from "../../../src/libs/registry/image-pull-secret";
 import { checkEnvSetup, createEmptyEnvSecret, createNamespace, deleteNamespace, patchBaseSecret } from "../../libs/k8s-namespace";
 
 const oneLiner = "Creates the basic prerequisites for a monorepo";
@@ -20,8 +20,8 @@ GENERAL USAGE
 
     'create' does the following:
       1. Creates the namepace
-      2. Creates a secret to hold environment variables (used by devops env) and the base cryptographic secret 
-      3. On Hetzner, copies the Harbor secret to the namespace and patches the default service account to use it
+      2. Creates a secret to hold environment variables (used by devops env) and the base cryptographic secret
+      3. If use-image-pull-secret is true, copies the external-registry-secret to the namespace and patches the default service account to use it
 
     'delete' removes the namespace in kubernetes, which deletes all entities within it.
 
@@ -37,7 +37,7 @@ const handlers = {
     createNamespace(env);
     createEmptyEnvSecret(env);
     patchBaseSecret(env);
-    copySecretHarborToNamespace(env);
+    copyRegistrySecretToNamespace(env);
     patchServiceAccountImagePullSecret(env);
   },
   delete (opts: StrongParams) {

package/src/cli/core/registry.ts

@@ -35,7 +35,7 @@ USAGE
   Prunes the repository of old images to enforce the "image-versions-to-keep" constant in config/constants.yaml:
     devops registry prune <image> --env <env>
 
-    This is only relevant when the "infra" constant is set to "digitalocean".
+    This is only relevant when the "registry-infra" constant is set to "digitalocean".
 
 EXAMPLES
     ${keyExamples}

package/src/libs/digital-ocean/container-reg.ts

@@ -63,8 +63,8 @@ export function prune(
   repoName: string,
   image: string
 ) {
-  const infra = getConst("infra");
-  if (infra !== "digitalocean") {
+  const registryInfra = getConst("registry-infra");
+  if (registryInfra !== "digitalocean") {
     console.warn(
       "Pruning is only supported for the DigitalOcean container registry"
     );

package/src/libs/{hetzner/reg-secret.ts → registry/image-pull-secret.ts}

@@ -3,23 +3,23 @@ import { getConst } from "../config";
 import { envToNamespace } from "../k8s-constants";
 import { kubectlCommand } from "../k8s-helpers";
 
+const SECRET_NAME = "external-registry-secret";
+const SOURCE_NAMESPACE = "default";
+
 function isApplicable() {
-  const infra = getConst("infra");
-  if (infra !== "hetzner") {
-    console.warn(
-      "Setting up registry permissions is only needed for Harbor in a Hetzner setup"
-    );
+  const useImagePullSecret = getConst("use-image-pull-secret");
+  if (!useImagePullSecret) {
     return false;
   }
   return true;
 }
 
-export function copySecretHarborToNamespace(monorepoEnv: string) {
+export function copyRegistrySecretToNamespace(monorepoEnv: string) {
   if (!isApplicable()) return;
 
-  const cmd = kubectlCommand("get secret harbor-registry-secret -o json", {
+  const cmd = kubectlCommand(`get secret ${SECRET_NAME} -o json`, {
     monorepoEnv,
-    namespace: "harbor",
+    namespace: SOURCE_NAMESPACE,
   });
   const secretStr = new CommandExecutor(cmd, { quiet: true }).exec();
   const secretJson = JSON.parse(secretStr);
@@ -47,7 +47,7 @@ export function patchServiceAccountImagePullSecret(monorepoEnv: string) {
   if (!isApplicable()) return;
 
   const cmd = kubectlCommand(
-    `patch serviceaccount default -p '{"imagePullSecrets": [{"name": "harbor-registry-secret"}]}'`,
+    `patch serviceaccount default -p '{"imagePullSecrets": [{"name": "${SECRET_NAME}"}]}'`,
     { monorepoEnv }
   );
   new CommandExecutor(cmd, { quiet: true }).exec();

package/src/target-templates/infra-variants/digitalocean/.devops/config/constants.yaml

@@ -1,8 +1,8 @@
 # These will be used when generating kubernetes entities
 project-name: $PROJECT_NAME
 
-# Supported: hetzner, digitalocean, or gcloud
-infra: digitalocean
+# Registry infrastructure: digitalocean, gcp, or harbor
+registry-infra: digitalocean
 
 # Only relevant for Digital Ocean. Determines the number of versions to keep for each docker image.
 image-versions-to-keep: 5

package/src/target-templates/infra-variants/digitalocean/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to DigitalOcean K8s
         uses: ./.github/actions/k8s/connect-to-digitalocean-k8s@v1
@@ -42,16 +42,16 @@ jobs:
         with:
           access_token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to DOCR)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -67,7 +67,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to DigitalOcean K8s
         uses: ./.github/actions/k8s/connect-to-digitalocean-k8s@v1
@@ -80,22 +80,22 @@ jobs:
         with:
           access_token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to DOCR)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/src/target-templates/infra-variants/gcloud/.devops/config/constants.yaml

@@ -1,8 +1,8 @@
 # These will be used when generating kubernetes entities
 project-name: $PROJECT_NAME
 
-# Supported: hetzner, digitalocean, or gcloud
-infra: gcloud
+# Registry infrastructure: digitalocean, gcp, or harbor
+registry-infra: gcp
 
 registry-base-url: gcr.io
 # What comes before <image-name>:<tag>. Can be empty.

package/src/target-templates/infra-variants/gcloud/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to GKE
         uses: ./.github/actions/k8s/connect-to-gke@v1
@@ -40,22 +40,22 @@ jobs:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
 
       - name: Connect to Artifact Registry
-        uses: ./.github/actions/registry/connect-to-artifact-registry@v1
+        uses: ./.github/actions/registry/connect-to-artifact-registry-with-sa@v1
         with:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
           project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
           region: ${{ secrets.GCLOUD_ARTIFACT_REGISTRY_REGION }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to service account key)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -71,7 +71,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to GKE
         uses: ./.github/actions/k8s/connect-to-gke@v1
@@ -82,28 +82,28 @@ jobs:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
 
       - name: Connect to Artifact Registry
-        uses: ./.github/actions/registry/connect-to-artifact-registry@v1
+        uses: ./.github/actions/registry/connect-to-artifact-registry-with-sa@v1
         with:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
           project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
           region: ${{ secrets.GCLOUD_ARTIFACT_REGISTRY_REGION }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to service account key)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/src/target-templates/infra-variants/hetzner/.devops/config/constants.yaml

@@ -1,8 +1,12 @@
 # These will be used when generating kubernetes entities
 project-name: $PROJECT_NAME
 
-# Supported: hetzner, digitalocean, or gcloud
-infra: hetzner
+# Registry infrastructure: digitalocean, gcp, or harbor
+registry-infra: harbor
+
+# When true, devops namespace create will copy external-registry-secret from default namespace
+# and patch the default service account to use it. See docs/infra/RegistrySetup.md for details.
+use-image-pull-secret: true
 
 # Only relevant for Digital Ocean. Determines the number of versions to keep for each docker image.
 image-versions-to-keep: 5

package/src/target-templates/infra-variants/hetzner/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to Hetzner K8s
         uses: ./.github/actions/k8s/connect-to-hetzner-k8s@v1
@@ -42,16 +42,16 @@ jobs:
           harbor_user: ${{ secrets.HARBOR_USER }}
           harbor_password: ${{ secrets.HARBOR_PASSWORD }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to Harbor)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -67,7 +67,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to Hetzner K8s
         uses: ./.github/actions/k8s/connect-to-hetzner-k8s@v1
@@ -80,22 +80,22 @@ jobs:
           harbor_user: ${{ secrets.HARBOR_USER }}
           harbor_password: ${{ secrets.HARBOR_PASSWORD }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to Harbor)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry-with-oidc@v1/action.yaml

@@ -0,0 +1,29 @@
+name: "Connect to Artifact Registry with OIDC"
+description: "Authenticates to Google Artifact Registry using Workload Identity Federation (OIDC)"
+inputs:
+  project_id:
+    description: "Google Cloud project ID"
+    required: true
+  project_number:
+    description: "Google Cloud project number"
+    required: true
+  region:
+    description: "Google Cloud region where the Artifact Registry is located"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Auth to GCP via OIDC
+      uses: google-github-actions/auth@v2
+      with:
+        workload_identity_provider: projects/${{ inputs.project_number }}/locations/global/workloadIdentityPools/github/providers/github-oidc
+        service_account: gha-deployer@${{ inputs.project_id }}.iam.gserviceaccount.com
+        project_id: ${{ inputs.project_id }}
+
+    - name: Setup gcloud
+      uses: google-github-actions/setup-gcloud@v2
+
+    - name: Configure docker to use Artifact Registry
+      shell: bash
+      run: gcloud auth configure-docker ${{ inputs.region }}-docker.pkg.dev --quiet
+    

package/{dist/src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry@v1 → src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry-with-sa@v1}/action.yaml

@@ -1,5 +1,5 @@
-name: "Connect to Artifact Registry"
-description: "Authenticates to Google Artifact Registry"
+name: "Connect to Artifact Registry with Service Account"
+description: "Authenticates to Google Artifact Registry using a service account JSON key"
 inputs:
   service_account_key:
     description: "Google Cloud service account key in JSON format"

package/src/types/index.ts

@@ -7,7 +7,8 @@ export type SupportedLanguages = typeof SUPPORTED_LANGUAGES[number];
 
 export const constFileSchema = z.object({
   "project-name": z.string(),
-  "infra": z.enum(["hetzner", "digitalocean", "gcloud"]),
+  "registry-infra": z.enum(["digitalocean", "gcp", "harbor"]),
+  "use-image-pull-secret": z.boolean().optional(),
   "image-versions-to-keep": z.number().optional(),
   "registry-base-url": z.string(),
   "registry-image-path-prefix": z.string().optional(),