@vaharoni/devops 1.3.0 → 1.3.2

package/dist/{chunk-N2NFRGJO.js → chunk-JQGPJAPS.js}

@@ -1,6 +1,6 @@
 import {
   getConst
-} from "./chunk-HXGGJIAS.js";
+} from "./chunk-VZ6XNNUH.js";
 
 // src/app-support/crypto/aes.ts
 import crypto from "crypto";

package/dist/{chunk-OFUEFG64.js → chunk-STUOTOGE.js}

@@ -2,7 +2,7 @@ import {
   getConst,
   getImageData,
   globEnvYamlFiles
-} from "./chunk-HXGGJIAS.js";
+} from "./chunk-VZ6XNNUH.js";
 
 // src/cli/common.ts
 import chalk from "chalk";

package/dist/{chunk-HXGGJIAS.js → chunk-VZ6XNNUH.js}

@@ -10,6 +10,7 @@ var SUPPORTED_LANGUAGES = ["python", "node"];
 var constFileSchema = z.object({
   "project-name": z.string(),
   "registry-infra": z.enum(["digitalocean", "gcp", "harbor"]),
+  "image-pull-secret-name": z.string().optional(),
   "image-versions-to-keep": z.number().optional(),
   "registry-base-url": z.string(),
   "registry-image-path-prefix": z.string().optional(),

package/dist/devops.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env bun
 import {
   InternalToken
-} from "./chunk-N2NFRGJO.js";
+} from "./chunk-JQGPJAPS.js";
 import {
   CLICommandParser,
   CommandExecutor,
@@ -24,7 +24,7 @@ import {
   printUsageAndExit,
   secretName,
   upsertConfigMapCommand
-} from "./chunk-OFUEFG64.js";
+} from "./chunk-STUOTOGE.js";
 import {
   IGNORED_PATHS,
   __export,
@@ -36,7 +36,7 @@ import {
   getWorkspace,
   globEnvYamlFiles,
   workspaceDirectoryForLanguage
-} from "./chunk-HXGGJIAS.js";
+} from "./chunk-VZ6XNNUH.js";
 
 // src/devops.ts
 import { globSync as globSync2 } from "glob";
@@ -386,8 +386,8 @@ function setWorkspaceScale(monorepoEnv, image2, workspaceName, replicaCount) {
   }
   const { scale: _scale, ...rest } = getImageConfigMap(monorepoEnv, image2);
   const parsedScale = deserializeImageConfigMapKey(monorepoEnv, image2, "scale");
-  const isApplicable2 = setK8sScale(monorepoEnv, workspaceName, replicaCount);
-  if (!isApplicable2) return;
+  const isApplicable = setK8sScale(monorepoEnv, workspaceName, replicaCount);
+  if (!isApplicable) return;
   updateImageConfigMap(monorepoEnv, image2, {
     ...rest,
     scale: JSON.stringify({
@@ -2067,22 +2067,18 @@ function run11(cmdObj) {
 }
 var job = { oneLiner: oneLiner11, keyExamples: keyExamples11, run: run11 };
 
-// src/libs/hetzner/reg-secret.ts
-function isApplicable() {
-  const registryInfra = getConst("registry-infra");
-  if (registryInfra !== "harbor") {
-    console.warn(
-      "Setting up registry permissions is only needed for Harbor in a Hetzner setup"
-    );
-    return false;
-  }
-  return true;
+// src/libs/registry/image-pull-secret.ts
+var SOURCE_NAMESPACE = "default";
+function getSecretName() {
+  const secretName2 = getConst("image-pull-secret-name");
+  return secretName2 || null;
 }
-function copySecretHarborToNamespace(monorepoEnv) {
-  if (!isApplicable()) return;
-  const cmd = kubectlCommand("get secret harbor-registry-secret -o json", {
+function copyRegistrySecretToNamespace(monorepoEnv) {
+  const secretName2 = getSecretName();
+  if (!secretName2) return;
+  const cmd = kubectlCommand(`get secret ${secretName2} -o json`, {
     monorepoEnv,
-    namespace: "harbor"
+    namespace: SOURCE_NAMESPACE
   });
   const secretStr = new CommandExecutor(cmd, { quiet: true }).exec();
   const secretJson = JSON.parse(secretStr);
@@ -2104,9 +2100,10 @@ function copySecretHarborToNamespace(monorepoEnv) {
   new CommandExecutor(copyCmd, { quiet: true }).exec();
 }
 function patchServiceAccountImagePullSecret(monorepoEnv) {
-  if (!isApplicable()) return;
+  const secretName2 = getSecretName();
+  if (!secretName2) return;
   const cmd = kubectlCommand(
-    `patch serviceaccount default -p '{"imagePullSecrets": [{"name": "harbor-registry-secret"}]}'`,
+    `patch serviceaccount default -p '{"imagePullSecrets": [{"name": "${secretName2}"}]}'`,
     { monorepoEnv }
   );
   new CommandExecutor(cmd, { quiet: true }).exec();
@@ -2127,8 +2124,8 @@ GENERAL USAGE
 
     'create' does the following:
       1. Creates the namepace
-      2. Creates a secret to hold environment variables (used by devops env) and the base cryptographic secret 
-      3. On Hetzner, copies the Harbor secret to the namespace and patches the default service account to use it
+      2. Creates a secret to hold environment variables (used by devops env) and the base cryptographic secret
+      3. If use-image-pull-secret is true, copies the external-registry-secret to the namespace and patches the default service account to use it
 
     'delete' removes the namespace in kubernetes, which deletes all entities within it.
 
@@ -2143,7 +2140,7 @@ var handlers4 = {
     createNamespace(env2);
     createEmptyEnvSecret(env2);
     patchBaseSecret(env2);
-    copySecretHarborToNamespace(env2);
+    copyRegistrySecretToNamespace(env2);
     patchServiceAccountImagePullSecret(env2);
   },
   delete(opts) {

package/dist/index.d.ts

@@ -5,6 +5,7 @@ type SupportedLanguages = typeof SUPPORTED_LANGUAGES[number];
 declare const constFileSchema: z.ZodObject<{
     "project-name": z.ZodString;
     "registry-infra": z.ZodEnum<["digitalocean", "gcp", "harbor"]>;
+    "image-pull-secret-name": z.ZodOptional<z.ZodString>;
     "image-versions-to-keep": z.ZodOptional<z.ZodNumber>;
     "registry-base-url": z.ZodString;
     "registry-image-path-prefix": z.ZodOptional<z.ZodString>;
@@ -18,6 +19,7 @@ declare const constFileSchema: z.ZodObject<{
     "registry-base-url": string;
     "extra-remote-environments": string[];
     "extra-local-environments": string[];
+    "image-pull-secret-name"?: string | undefined;
     "image-versions-to-keep"?: number | undefined;
     "registry-image-path-prefix"?: string | undefined;
     "cloudrun-artifact-registry-repo-path"?: string | undefined;
@@ -28,6 +30,7 @@ declare const constFileSchema: z.ZodObject<{
     "registry-base-url": string;
     "extra-remote-environments": string[];
     "extra-local-environments": string[];
+    "image-pull-secret-name"?: string | undefined;
     "image-versions-to-keep"?: number | undefined;
     "registry-image-path-prefix"?: string | undefined;
     "cloudrun-artifact-registry-repo-path"?: string | undefined;

package/dist/index.js

@@ -2,7 +2,7 @@ import {
   InternalToken,
   decryptAes256Gcm,
   encryptAes256Gcm
-} from "./chunk-N2NFRGJO.js";
+} from "./chunk-JQGPJAPS.js";
 import {
   SUPPORTED_LANGUAGES,
   constFileSchema,
@@ -10,7 +10,7 @@ import {
   packageFileNodeSchema,
   packageFilePythonSchema,
   workspaces
-} from "./chunk-HXGGJIAS.js";
+} from "./chunk-VZ6XNNUH.js";
 
 // src/app-support/discovery/dev-discovery-loader.ts
 var _portLookupByServiceName = null;

package/dist/plugins.js

@@ -5,8 +5,8 @@ import {
   kubectlCommand,
   pkgRoot,
   printUsageAndExit
-} from "./chunk-OFUEFG64.js";
-import "./chunk-HXGGJIAS.js";
+} from "./chunk-STUOTOGE.js";
+import "./chunk-VZ6XNNUH.js";
 
 // src/plugins.ts
 import path from "path";

package/dist/src/target-templates/infra-variants/digitalocean/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to DigitalOcean K8s
         uses: ./.github/actions/k8s/connect-to-digitalocean-k8s@v1
@@ -42,16 +42,16 @@ jobs:
         with:
           access_token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to DOCR)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -67,7 +67,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to DigitalOcean K8s
         uses: ./.github/actions/k8s/connect-to-digitalocean-k8s@v1
@@ -80,22 +80,22 @@ jobs:
         with:
           access_token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to DOCR)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/dist/src/target-templates/infra-variants/gcloud/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to GKE
         uses: ./.github/actions/k8s/connect-to-gke@v1
@@ -40,22 +40,22 @@ jobs:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
 
       - name: Connect to Artifact Registry
-        uses: ./.github/actions/registry/connect-to-artifact-registry@v1
+        uses: ./.github/actions/registry/connect-to-artifact-registry-with-sa@v1
         with:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
           project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
           region: ${{ secrets.GCLOUD_ARTIFACT_REGISTRY_REGION }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to service account key)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -71,7 +71,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to GKE
         uses: ./.github/actions/k8s/connect-to-gke@v1
@@ -82,28 +82,28 @@ jobs:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
 
       - name: Connect to Artifact Registry
-        uses: ./.github/actions/registry/connect-to-artifact-registry@v1
+        uses: ./.github/actions/registry/connect-to-artifact-registry-with-sa@v1
         with:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
           project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
           region: ${{ secrets.GCLOUD_ARTIFACT_REGISTRY_REGION }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to service account key)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/dist/src/target-templates/infra-variants/hetzner/.devops/config/constants.yaml

@@ -4,6 +4,10 @@ project-name: $PROJECT_NAME
 # Registry infrastructure: digitalocean, gcp, or harbor
 registry-infra: harbor
 
+# When set, devops namespace create will copy this secret from default namespace
+# and patch the default service account to use it. See docs/infra/RegistrySetup.md for details.
+image-pull-secret-name: $PROJECT_NAME-registry-secret
+
 # Only relevant for Digital Ocean. Determines the number of versions to keep for each docker image.
 image-versions-to-keep: 5
 

package/dist/src/target-templates/infra-variants/hetzner/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to Hetzner K8s
         uses: ./.github/actions/k8s/connect-to-hetzner-k8s@v1
@@ -42,16 +42,16 @@ jobs:
           harbor_user: ${{ secrets.HARBOR_USER }}
           harbor_password: ${{ secrets.HARBOR_PASSWORD }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to Harbor)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -67,7 +67,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to Hetzner K8s
         uses: ./.github/actions/k8s/connect-to-hetzner-k8s@v1
@@ -80,22 +80,22 @@ jobs:
           harbor_user: ${{ secrets.HARBOR_USER }}
           harbor_password: ${{ secrets.HARBOR_PASSWORD }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to Harbor)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/dist/src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry-with-oidc@v1/action.yaml

@@ -0,0 +1,29 @@
+name: "Connect to Artifact Registry with OIDC"
+description: "Authenticates to Google Artifact Registry using Workload Identity Federation (OIDC)"
+inputs:
+  project_id:
+    description: "Google Cloud project ID"
+    required: true
+  project_number:
+    description: "Google Cloud project number"
+    required: true
+  region:
+    description: "Google Cloud region where the Artifact Registry is located"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Auth to GCP via OIDC
+      uses: google-github-actions/auth@v2
+      with:
+        workload_identity_provider: projects/${{ inputs.project_number }}/locations/global/workloadIdentityPools/github/providers/github-oidc
+        service_account: gha-deployer@${{ inputs.project_id }}.iam.gserviceaccount.com
+        project_id: ${{ inputs.project_id }}
+
+    - name: Setup gcloud
+      uses: google-github-actions/setup-gcloud@v2
+
+    - name: Configure docker to use Artifact Registry
+      shell: bash
+      run: gcloud auth configure-docker ${{ inputs.region }}-docker.pkg.dev --quiet
+    

package/{src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry@v1 → dist/src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry-with-sa@v1}/action.yaml

@@ -1,5 +1,5 @@
-name: "Connect to Artifact Registry"
-description: "Authenticates to Google Artifact Registry"
+name: "Connect to Artifact Registry with Service Account"
+description: "Authenticates to Google Artifact Registry using a service account JSON key"
 inputs:
   service_account_key:
     description: "Google Cloud service account key in JSON format"

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vaharoni/devops",
   "type": "module",
-  "version": "1.3.0",
+  "version": "1.3.2",
   "description": "Devops utility",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

package/src/cli/core/namespace.ts

@@ -1,8 +1,8 @@
 import { CLICommandParser, printUsageAndExit, StrongParams } from "../../../src/cli/common";
 import {
-  copySecretHarborToNamespace,
+  copyRegistrySecretToNamespace,
   patchServiceAccountImagePullSecret,
-} from "../../../src/libs/hetzner/reg-secret";
+} from "../../../src/libs/registry/image-pull-secret";
 import { checkEnvSetup, createEmptyEnvSecret, createNamespace, deleteNamespace, patchBaseSecret } from "../../libs/k8s-namespace";
 
 const oneLiner = "Creates the basic prerequisites for a monorepo";
@@ -20,8 +20,8 @@ GENERAL USAGE
 
     'create' does the following:
       1. Creates the namepace
-      2. Creates a secret to hold environment variables (used by devops env) and the base cryptographic secret 
-      3. On Hetzner, copies the Harbor secret to the namespace and patches the default service account to use it
+      2. Creates a secret to hold environment variables (used by devops env) and the base cryptographic secret
+      3. If use-image-pull-secret is true, copies the external-registry-secret to the namespace and patches the default service account to use it
 
     'delete' removes the namespace in kubernetes, which deletes all entities within it.
 
@@ -37,7 +37,7 @@ const handlers = {
     createNamespace(env);
     createEmptyEnvSecret(env);
     patchBaseSecret(env);
-    copySecretHarborToNamespace(env);
+    copyRegistrySecretToNamespace(env);
     patchServiceAccountImagePullSecret(env);
   },
   delete (opts: StrongParams) {

package/src/libs/{hetzner/reg-secret.ts → registry/image-pull-secret.ts}

@@ -3,23 +3,20 @@ import { getConst } from "../config";
 import { envToNamespace } from "../k8s-constants";
 import { kubectlCommand } from "../k8s-helpers";
 
-function isApplicable() {
-  const registryInfra = getConst("registry-infra");
-  if (registryInfra !== "harbor") {
-    console.warn(
-      "Setting up registry permissions is only needed for Harbor in a Hetzner setup"
-    );
-    return false;
-  }
-  return true;
+const SOURCE_NAMESPACE = "default";
+
+function getSecretName(): string | null {
+  const secretName = getConst("image-pull-secret-name");
+  return secretName || null;
 }
 
-export function copySecretHarborToNamespace(monorepoEnv: string) {
-  if (!isApplicable()) return;
+export function copyRegistrySecretToNamespace(monorepoEnv: string) {
+  const secretName = getSecretName();
+  if (!secretName) return;
 
-  const cmd = kubectlCommand("get secret harbor-registry-secret -o json", {
+  const cmd = kubectlCommand(`get secret ${secretName} -o json`, {
     monorepoEnv,
-    namespace: "harbor",
+    namespace: SOURCE_NAMESPACE,
   });
   const secretStr = new CommandExecutor(cmd, { quiet: true }).exec();
   const secretJson = JSON.parse(secretStr);
@@ -44,10 +41,11 @@ export function copySecretHarborToNamespace(monorepoEnv: string) {
 }
 
 export function patchServiceAccountImagePullSecret(monorepoEnv: string) {
-  if (!isApplicable()) return;
+  const secretName = getSecretName();
+  if (!secretName) return;
 
   const cmd = kubectlCommand(
-    `patch serviceaccount default -p '{"imagePullSecrets": [{"name": "harbor-registry-secret"}]}'`,
+    `patch serviceaccount default -p '{"imagePullSecrets": [{"name": "${secretName}"}]}'`,
     { monorepoEnv }
   );
   new CommandExecutor(cmd, { quiet: true }).exec();

package/src/target-templates/infra-variants/digitalocean/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to DigitalOcean K8s
         uses: ./.github/actions/k8s/connect-to-digitalocean-k8s@v1
@@ -42,16 +42,16 @@ jobs:
         with:
           access_token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to DOCR)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -67,7 +67,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to DigitalOcean K8s
         uses: ./.github/actions/k8s/connect-to-digitalocean-k8s@v1
@@ -80,22 +80,22 @@ jobs:
         with:
           access_token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to DOCR)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/src/target-templates/infra-variants/gcloud/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to GKE
         uses: ./.github/actions/k8s/connect-to-gke@v1
@@ -40,22 +40,22 @@ jobs:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
 
       - name: Connect to Artifact Registry
-        uses: ./.github/actions/registry/connect-to-artifact-registry@v1
+        uses: ./.github/actions/registry/connect-to-artifact-registry-with-sa@v1
         with:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
           project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
           region: ${{ secrets.GCLOUD_ARTIFACT_REGISTRY_REGION }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to service account key)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -71,7 +71,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to GKE
         uses: ./.github/actions/k8s/connect-to-gke@v1
@@ -82,28 +82,28 @@ jobs:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
 
       - name: Connect to Artifact Registry
-        uses: ./.github/actions/registry/connect-to-artifact-registry@v1
+        uses: ./.github/actions/registry/connect-to-artifact-registry-with-sa@v1
         with:
           service_account_key: ${{ secrets.GCLOUD_SA_KEY }}
           project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
           region: ${{ secrets.GCLOUD_ARTIFACT_REGISTRY_REGION }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to service account key)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/src/target-templates/infra-variants/hetzner/.devops/config/constants.yaml

@@ -4,6 +4,10 @@ project-name: $PROJECT_NAME
 # Registry infrastructure: digitalocean, gcp, or harbor
 registry-infra: harbor
 
+# When set, devops namespace create will copy this secret from default namespace
+# and patch the default service account to use it. See docs/infra/RegistrySetup.md for details.
+image-pull-secret-name: $PROJECT_NAME-registry-secret
+
 # Only relevant for Digital Ocean. Determines the number of versions to keep for each docker image.
 image-versions-to-keep: 5
 

package/src/target-templates/infra-variants/hetzner/.github/workflows/k8s-build.yaml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: read
   packages: read
-  # For deploying images to Cloud Run
+  # For OIDC authentication to GCP
   # id-token: write
 
 jobs:
@@ -29,7 +29,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to Hetzner K8s
         uses: ./.github/actions/k8s/connect-to-hetzner-k8s@v1
@@ -42,16 +42,16 @@ jobs:
           harbor_user: ${{ secrets.HARBOR_USER }}
           harbor_password: ${{ secrets.HARBOR_PASSWORD }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to Harbor)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Build image
-        uses: ./.github/actions/build-image@v1
+        uses: ./.github/actions/common/build-image@v1
         with:
           image_name: ${{ matrix.image_name }}
           cache_path: ${{ matrix.cache_path || '/root/.bun/install/cache' }}
@@ -67,7 +67,7 @@ jobs:
           fetch-depth: 50
 
       - name: Setup prerequesites
-        uses: ./.github/actions/setup-prereq@v1
+        uses: ./.github/actions/common/setup-prereq@v1
 
       - name: Connect to Hetzner K8s
         uses: ./.github/actions/k8s/connect-to-hetzner-k8s@v1
@@ -80,22 +80,22 @@ jobs:
           harbor_user: ${{ secrets.HARBOR_USER }}
           harbor_password: ${{ secrets.HARBOR_PASSWORD }}
 
-      # For deploying images to Cloud Run
-      # - name: Connect to Cloud Run
-      #   uses: ./.github/actions/connect-to-cloud-run@v1
+      # For GCP Artifact Registry with OIDC (alternative to Harbor)
+      # - name: Connect to Artifact Registry with OIDC
+      #   uses: ./.github/actions/registry/connect-to-artifact-registry-with-oidc@v1
       #   with:
       #     project_id: ${{ vars.GCP_PROJECT_ID }}
       #     project_number: ${{ vars.GCP_PROJECT_NUMBER }}
       #     region: ${{ vars.GCP_ARTIFACT_REGISTRY_REGION }}
 
       - name: Run DB Migrate
-        uses: ./.github/actions/db-migrate@v1
+        uses: ./.github/actions/common/db-migrate@v1
 
       # Repeat per image (it checks if the image is affected and deploys it if it is)
       - name: Deploy main node
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-node" }
 
       - name: Deploy main python
-        uses: ./.github/actions/deploy-image-k8s@v1
+        uses: ./.github/actions/common/deploy-image-k8s@v1
         with: { "image_name": "main-python" }

package/src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry-with-oidc@v1/action.yaml

@@ -0,0 +1,29 @@
+name: "Connect to Artifact Registry with OIDC"
+description: "Authenticates to Google Artifact Registry using Workload Identity Federation (OIDC)"
+inputs:
+  project_id:
+    description: "Google Cloud project ID"
+    required: true
+  project_number:
+    description: "Google Cloud project number"
+    required: true
+  region:
+    description: "Google Cloud region where the Artifact Registry is located"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Auth to GCP via OIDC
+      uses: google-github-actions/auth@v2
+      with:
+        workload_identity_provider: projects/${{ inputs.project_number }}/locations/global/workloadIdentityPools/github/providers/github-oidc
+        service_account: gha-deployer@${{ inputs.project_id }}.iam.gserviceaccount.com
+        project_id: ${{ inputs.project_id }}
+
+    - name: Setup gcloud
+      uses: google-github-actions/setup-gcloud@v2
+
+    - name: Configure docker to use Artifact Registry
+      shell: bash
+      run: gcloud auth configure-docker ${{ inputs.region }}-docker.pkg.dev --quiet
+    

package/{dist/src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry@v1 → src/target-templates/lang-variants-common/typescript/.github/actions/registry/connect-to-artifact-registry-with-sa@v1}/action.yaml

@@ -1,5 +1,5 @@
-name: "Connect to Artifact Registry"
-description: "Authenticates to Google Artifact Registry"
+name: "Connect to Artifact Registry with Service Account"
+description: "Authenticates to Google Artifact Registry using a service account JSON key"
 inputs:
   service_account_key:
     description: "Google Cloud service account key in JSON format"

package/src/types/index.ts

@@ -8,6 +8,7 @@ export type SupportedLanguages = typeof SUPPORTED_LANGUAGES[number];
 export const constFileSchema = z.object({
   "project-name": z.string(),
   "registry-infra": z.enum(["digitalocean", "gcp", "harbor"]),
+  "image-pull-secret-name": z.string().optional(),
   "image-versions-to-keep": z.number().optional(),
   "registry-base-url": z.string(),
   "registry-image-path-prefix": z.string().optional(),