climaybe 1.0.0 → 1.3.0

package/src/lib/github-secrets.js

@@ -0,0 +1,263 @@
+import { spawn } from 'node:child_process';
+import { execSync } from 'node:child_process';
+import pc from 'picocolors';
+
+/**
+ * Secret/variable definitions for CI (GitHub Actions or GitLab CI).
+ * condition: 'always' = required for core workflows; 'preview' | 'build' = only when that feature is enabled.
+ */
+export const SECRET_DEFINITIONS = [
+  {
+    name: 'GEMINI_API_KEY',
+    required: true,
+    condition: 'always',
+    description: 'Google Gemini API key for AI-generated changelogs on release',
+    whereToGet:
+      'Google AI Studio: https://aistudio.google.com/apikey — create an API key, then paste it here.',
+  },
+  {
+    name: 'SHOPIFY_STORE_URL',
+    required: false,
+    condition: 'preview_or_build',
+    description: 'Shopify store URL (e.g. your-store.myshopify.com) — preview themes and/or Lighthouse',
+    whereToGet:
+      'Your theme’s store URL in Shopify Admin → Settings → Domains, or use the .myshopify.com URL.',
+  },
+  {
+    name: 'SHOPIFY_CLI_THEME_TOKEN',
+    required: true,
+    condition: 'preview',
+    description: 'Theme access token so CI can push preview themes to your store',
+    whereToGet:
+      'Shopify Partners: your app → Theme library access → Create theme access token. Or: Shopify Admin → Apps → Develop apps → your app → API credentials → Theme access.',
+  },
+  {
+    name: 'SHOP_ACCESS_TOKEN',
+    required: false,
+    condition: 'build',
+    description: 'Store API access token for Lighthouse runs',
+    whereToGet:
+      'Shopify Admin → Settings → Apps and sales channels → Develop apps → your app → API credentials (Admin API or custom app with storefront/build access).',
+  },
+  {
+    name: 'LHCI_GITHUB_APP_TOKEN',
+    required: false,
+    condition: 'build',
+    description: 'Lighthouse CI GitHub App token for posting results as PR comments',
+    whereToGet:
+      'Lighthouse CI GitHub App: https://github.com/apps/lighthouse-ci — install and create a token, or use a Personal Access Token with repo scope.',
+  },
+  {
+    name: 'SHOP_PASSWORD',
+    required: false,
+    condition: 'build',
+    description: 'Store password if your storefront is password-protected (optional)',
+    whereToGet: 'The password visitors enter to access your store (Storefront password in Shopify Admin).',
+  },
+];
+
+/**
+ * Check if GitHub CLI is installed and authenticated.
+ */
+export function isGhAvailable() {
+  try {
+    execSync('gh auth status', { encoding: 'utf-8', stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if the current repo has a GitHub remote (origin pointing to github.com).
+ */
+export function hasGitHubRemote(cwd = process.cwd()) {
+  try {
+    const url = execSync('git remote get-url origin', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    return /github\.com/i.test(url);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * List repository secret names (GitHub). Returns [] on error or if none.
+ */
+export function listGitHubSecrets(cwd = process.cwd()) {
+  try {
+    const out = execSync('gh secret list --json name', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    const data = JSON.parse(out || '[]');
+    return Array.isArray(data) ? data.map((s) => s.name).filter(Boolean) : [];
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * List project CI/CD variable names (GitLab). Returns [] on error or if none.
+ */
+export function listGitLabVariables(cwd = process.cwd()) {
+  try {
+    const out = execSync('glab variable list -F json', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    const data = JSON.parse(out || '[]');
+    if (!Array.isArray(data)) return [];
+    return data.map((v) => v.key ?? v.name ?? v.Key).filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Set a repository secret via gh CLI. Value is passed via stdin to avoid argv exposure.
+ */
+export function setSecret(name, value) {
+  return new Promise((resolve, reject) => {
+    const child = spawn('gh', ['secret', 'set', name], {
+      stdio: ['pipe', 'inherit', 'inherit'],
+    });
+    child.on('error', reject);
+    child.on('close', (code) => (code === 0 ? resolve() : reject(new Error(`gh secret set exited with ${code}`))));
+    child.stdin.write(value, (err) => {
+      if (err) reject(err);
+      else child.stdin.end();
+    });
+  });
+}
+
+/**
+ * Check if GitLab CLI is installed and authenticated.
+ */
+export function isGlabAvailable() {
+  try {
+    execSync('glab auth status', { encoding: 'utf-8', stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if the current repo has a GitLab remote (origin pointing to gitlab.com or common self-hosted hosts).
+ */
+export function hasGitLabRemote(cwd = process.cwd()) {
+  try {
+    const url = execSync('git remote get-url origin', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    return /gitlab\.com|gitlab\./i.test(url);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Set a project CI/CD variable via glab CLI. Value is passed via stdin to avoid argv exposure.
+ */
+export function setGitLabVariable(name, value) {
+  return new Promise((resolve, reject) => {
+    const child = spawn('glab', ['variable', 'set', name, '--masked'], {
+      stdio: ['pipe', 'inherit', 'inherit'],
+    });
+    child.on('error', reject);
+    child.on('close', (code) =>
+      code === 0 ? resolve() : reject(new Error(`glab variable set exited with ${code}`))
+    );
+    child.stdin.write(value, (err) => {
+      if (err) reject(err);
+      else child.stdin.end();
+    });
+  });
+}
+
+/**
+ * Convert store alias to secret suffix (e.g. voldt-norway → VOLDT_NORWAY).
+ */
+export function aliasToSecretSuffix(alias) {
+  return String(alias).replace(/-/g, '_').toUpperCase();
+}
+
+/**
+ * Store URL secrets are set from config (store domains added during init), not prompted.
+ * Returns [{ name, value }] for SHOPIFY_STORE_URL and/or SHOPIFY_STORE_URL_<ALIAS>.
+ */
+export function getStoreUrlSecretsFromConfig({ enablePreviewWorkflows, enableBuildWorkflows, mode = 'single', stores = [] }) {
+  if (stores.length === 0) return [];
+  const isMulti = mode === 'multi' && stores.length > 1;
+  const out = [];
+
+  if (isMulti && enablePreviewWorkflows) {
+    for (const store of stores) {
+      out.push({ name: `SHOPIFY_STORE_URL_${aliasToSecretSuffix(store.alias)}`, value: store.domain });
+    }
+  }
+  if (!isMulti && (enablePreviewWorkflows || enableBuildWorkflows)) {
+    out.push({ name: 'SHOPIFY_STORE_URL', value: stores[0].domain });
+  }
+  if (isMulti && enableBuildWorkflows) {
+    const defaultDomain = stores[0]?.domain;
+    if (defaultDomain && !out.some((s) => s.name === 'SHOPIFY_STORE_URL')) {
+      out.push({ name: 'SHOPIFY_STORE_URL', value: defaultDomain });
+    }
+  }
+  return out;
+}
+
+/**
+ * Get secrets we need to prompt for (excludes store URLs; those are set from config).
+ * Theme token(s) are required when preview is enabled.
+ */
+export function getSecretsToPrompt({ enablePreviewWorkflows, enableBuildWorkflows, mode = 'single', stores = [] }) {
+  const isMulti = mode === 'multi' && stores.length > 1;
+
+  const base = SECRET_DEFINITIONS.filter((s) => {
+    if (s.name === 'SHOPIFY_STORE_URL') return false; // set from config
+    if (s.condition === 'always') return true;
+    if (s.condition === 'preview_or_build') return enablePreviewWorkflows || enableBuildWorkflows;
+    if (s.condition === 'preview' && enablePreviewWorkflows) return true;
+    if (s.condition === 'build' && enableBuildWorkflows) return true;
+    return false;
+  });
+
+  const dropPreviewGeneric =
+    isMulti && enablePreviewWorkflows
+      ? (s) => s.name !== 'SHOPIFY_CLI_THEME_TOKEN'
+      : () => true;
+
+  let list = base.filter(dropPreviewGeneric);
+
+  if (isMulti && enablePreviewWorkflows) {
+    for (const store of stores) {
+      const suffix = aliasToSecretSuffix(store.alias);
+      list.push({
+        name: `SHOPIFY_CLI_THEME_TOKEN_${suffix}`,
+        required: true,
+        description: `Store ${store.alias}: Theme access token for CI (staging/live use this for ${store.alias})`,
+        whereToGet:
+          'Shopify Partners or Admin → Apps → Develop apps → your app → Theme access for this store.',
+      });
+    }
+  }
+
+  return list;
+}
+
+/**
+ * Store URL for a new store (set from store.domain, no prompt).
+ */
+export function getStoreUrlSecretForNewStore(store) {
+  return { name: `SHOPIFY_STORE_URL_${aliasToSecretSuffix(store.alias)}`, value: store.domain };
+}
+
+/**
+ * Per-store secret to prompt for when adding a store (theme token only; URL is set from store.domain).
+ */
+export function getSecretsToPromptForNewStore(store) {
+  const suffix = aliasToSecretSuffix(store.alias);
+  return [
+    {
+      name: `SHOPIFY_CLI_THEME_TOKEN_${suffix}`,
+      required: true,
+      description: `Store ${store.alias}: Theme access token for CI (staging/live use this for ${store.alias})`,
+      whereToGet:
+        'Shopify Partners or Admin → Apps → Develop apps → your app → Theme access for this store.',
+    },
+  ];
+}

package/src/lib/prompts.js

@@ -6,7 +6,7 @@ import pc from 'picocolors';
  * "voldt-staging.myshopify.com" → "voldt-staging"
  */
 export function extractAlias(domain) {
-  return domain.replace(/\.myshopify\.com$/i, '').trim();
+  return domain.trim().replace(/\.myshopify\.com$/i, '').trim();
 }
 
 /**
@@ -14,9 +14,24 @@ export function extractAlias(domain) {
  * Appends ".myshopify.com" if not present.
  */
 export function normalizeDomain(input) {
-  const trimmed = input.trim().toLowerCase();
-  if (trimmed.endsWith('.myshopify.com')) return trimmed;
-  return `${trimmed}.myshopify.com`;
+  const cleaned = input
+    .trim()
+    .toLowerCase()
+    .replace(/^https?:\/\//, '')
+    .replace(/\/.*$/, '')
+    .replace(/\s+/g, '');
+
+  if (!cleaned) return '';
+  if (cleaned.endsWith('.myshopify.com')) return cleaned;
+  return `${cleaned}.myshopify.com`;
+}
+
+/**
+ * Validate normalized Shopify store domain format.
+ * Expected: "<subdomain>.myshopify.com"
+ */
+export function isValidShopifyDomain(domain) {
+  return /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/.test(domain);
 }
 
 /**
@@ -29,13 +44,20 @@ export async function promptStore(defaultDomain = '') {
     name: 'domain',
     message: 'Store URL',
     initial: defaultDomain,
-    validate: (v) =>
-      v.trim().length > 0 ? true : 'Store URL is required',
+    validate: (v) => {
+      if (v.trim().length === 0) return 'Store URL is required';
+      const normalized = normalizeDomain(v);
+      if (!normalized || !isValidShopifyDomain(normalized)) {
+        return 'Enter a valid Shopify domain (e.g. voldt-staging.myshopify.com)';
+      }
+      return true;
+    },
   });
 
   if (!domain) return null;
 
   const normalized = normalizeDomain(domain);
+  if (!isValidShopifyDomain(normalized)) return null;
   const suggestedAlias = extractAlias(normalized);
 
   const { alias } = await prompts({
@@ -98,6 +120,34 @@ export async function promptStoreLoop() {
   return stores;
 }
 
+/**
+ * Ask whether preview + cleanup workflows should be scaffolded.
+ */
+export async function promptPreviewWorkflows() {
+  const { enablePreviewWorkflows } = await prompts({
+    type: 'confirm',
+    name: 'enablePreviewWorkflows',
+    message: 'Enable preview + cleanup workflows?',
+    initial: false,
+  });
+
+  return !!enablePreviewWorkflows;
+}
+
+/**
+ * Ask whether build workflows should be scaffolded.
+ */
+export async function promptBuildWorkflows() {
+  const { enableBuildWorkflows } = await prompts({
+    type: 'confirm',
+    name: 'enableBuildWorkflows',
+    message: 'Enable build + Lighthouse workflows?',
+    initial: false,
+  });
+
+  return !!enableBuildWorkflows;
+}
+
 /**
  * Prompt for a single new store (used by add-store command).
  * Takes existing aliases to prevent duplicates.
@@ -115,3 +165,63 @@ export async function promptNewStore(existingAliases = []) {
 
   return store;
 }
+
+/**
+ * Ask which CI host to configure for secrets (after init). Returns 'github' | 'gitlab' | 'skip'.
+ */
+export async function promptConfigureCISecrets() {
+  const { host } = await prompts({
+    type: 'select',
+    name: 'host',
+    message: 'Configure CI secrets / variables now?',
+    choices: [
+      { title: 'GitHub (gh CLI)', value: 'github' },
+      { title: 'GitLab (glab CLI)', value: 'gitlab' },
+      { title: 'Skip', value: 'skip' },
+    ],
+    initial: 0,
+  });
+  return host ?? 'skip';
+}
+
+/**
+ * Ask whether to update existing CI secrets (when some are already set). Returns true to update, false to skip.
+ */
+export async function promptUpdateExistingSecrets(existingNames) {
+  const list = existingNames.length <= 5 ? existingNames.join(', ') : `${existingNames.slice(0, 3).join(', ')} and ${existingNames.length - 3} more`;
+  const { update } = await prompts({
+    type: 'confirm',
+    name: 'update',
+    message: `You already have ${existingNames.length} secret(s) set (${list}). Update them?`,
+    initial: false,
+  });
+  return !!update;
+}
+
+/**
+ * Prompt for a single secret value. Shows name, required/optional, description, and where to get it.
+ * Returns the value string or null if user skips (optional secrets only).
+ */
+export async function promptSecretValue(secret, index, total) {
+  const requiredLabel = secret.required ? pc.red('required') : pc.dim('optional');
+  const message = `[${index + 1}/${total}] ${secret.name} (${requiredLabel})`;
+
+  console.log(pc.cyan(`\n  ${secret.name}`));
+  console.log(pc.dim(`  ${secret.description}`));
+  console.log(pc.dim(`  Where to get: ${secret.whereToGet}`));
+
+  const { value } = await prompts({
+    type: 'password',
+    name: 'value',
+    message,
+    validate: (v) => {
+      if (secret.required && !(v && v.trim())) return 'This secret is required for your workflows.';
+      return true;
+    },
+  });
+
+  if (value === undefined) return null;
+  const trimmed = typeof value === 'string' ? value.trim() : '';
+  if (!trimmed && !secret.required) return null;
+  return trimmed || null;
+}

package/src/lib/workflows.js

@@ -36,7 +36,7 @@ function copyWorkflow(srcDir, fileName, destDir) {
  * but for simplicity we track known filenames instead.
  */
 function getKnownWorkflowFiles() {
-  const dirs = ['shared', 'single', 'multi'];
+  const dirs = ['shared', 'single', 'multi', 'preview', 'build'];
   const files = new Set();
   for (const dir of dirs) {
     const dirPath = join(TEMPLATES_DIR, dir);
@@ -47,6 +47,9 @@ function getKnownWorkflowFiles() {
   return files;
 }
 
+/** Deprecated workflow filenames to remove when scaffolding (renamed or replaced). */
+const DEPRECATED_WORKFLOW_FILES = ['hotfix-backport.yml'];
+
 /**
  * Remove previously scaffolded climaybe workflows from target.
  */
@@ -56,7 +59,7 @@ function cleanWorkflows(cwd = process.cwd()) {
 
   const known = getKnownWorkflowFiles();
   for (const file of readdirSync(dest)) {
-    if (known.has(file)) {
+    if (known.has(file) || DEPRECATED_WORKFLOW_FILES.includes(file)) {
       rmSync(join(dest, file));
     }
   }
@@ -67,7 +70,8 @@ function cleanWorkflows(cwd = process.cwd()) {
  * - Always copies shared/ workflows.
  * - Copies single/ or multi/ (+ single/) based on mode.
  */
-export function scaffoldWorkflows(mode = 'single', cwd = process.cwd()) {
+export function scaffoldWorkflows(mode = 'single', options = {}, cwd = process.cwd()) {
+  const { includePreview = false, includeBuild = false } = options;
   const dest = ghWorkflowsDir(cwd);
   mkdirSync(dest, { recursive: true });
 
@@ -93,7 +97,23 @@ export function scaffoldWorkflows(mode = 'single', cwd = process.cwd()) {
     }
   }
 
+  if (includePreview) {
+    const previewDir = join(TEMPLATES_DIR, 'preview');
+    for (const f of listYmls(previewDir)) {
+      copyWorkflow(previewDir, f, dest);
+    }
+  }
+
+  if (includeBuild) {
+    const buildDir = join(TEMPLATES_DIR, 'build');
+    for (const f of listYmls(buildDir)) {
+      copyWorkflow(buildDir, f, dest);
+    }
+  }
+
   const total = readdirSync(dest).filter((f) => f.endsWith('.yml')).length;
   console.log(pc.green(`  Scaffolded ${total} workflow(s) → .github/workflows/`));
   console.log(pc.dim(`  Mode: ${mode}-store`));
+  console.log(pc.dim(`  Preview workflows: ${includePreview ? 'enabled' : 'disabled'}`));
+  console.log(pc.dim(`  Build workflows: ${includeBuild ? 'enabled' : 'disabled'}`));
 }

package/src/workflows/build/build-pipeline.yml

@@ -0,0 +1,57 @@
+# climaybe — Build Pipeline (Optional Build Package)
+
+name: Build Pipeline
+
+on:
+  push:
+    branches: [main, staging, develop]
+
+jobs:
+  build:
+    uses: ./.github/workflows/reusable-build.yml
+
+  lighthouse-ci:
+    runs-on: ubuntu-latest
+    needs: [build]
+    env:
+      SHOPIFY_STORE_URL: ${{ secrets.SHOPIFY_STORE_URL }}
+      SHOP_ACCESS_TOKEN: ${{ secrets.SHOP_ACCESS_TOKEN }}
+      LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
+    steps:
+      - name: Check conditions and log skip reason
+        run: |
+          SKIP_REASONS=()
+
+          if [ "${{ github.ref }}" != "refs/heads/main" ] && [ "${{ github.ref }}" != "refs/heads/staging" ]; then
+            SKIP_REASONS+=("Not on main or staging branch (current: ${{ github.ref }})")
+          fi
+
+          if [ -z "$SHOPIFY_STORE_URL" ] || [ -z "$SHOP_ACCESS_TOKEN" ] || [ -z "$LHCI_GITHUB_APP_TOKEN" ]; then
+            SKIP_REASONS+=("Missing required secrets: SHOPIFY_STORE_URL, SHOP_ACCESS_TOKEN, or LHCI_GITHUB_APP_TOKEN")
+          fi
+
+          if [ ${#SKIP_REASONS[@]} -gt 0 ]; then
+            echo "Lighthouse CI skipped"
+            echo "Reasons:"
+            for reason in "${SKIP_REASONS[@]}"; do
+              echo "  - $reason"
+            done
+            exit 0
+          fi
+
+          echo "All conditions met, proceeding with Lighthouse CI"
+
+      - name: Checkout code
+        if: env.SHOPIFY_STORE_URL != '' && env.SHOP_ACCESS_TOKEN != '' && env.LHCI_GITHUB_APP_TOKEN != '' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
+        uses: actions/checkout@v4
+
+      - name: Lighthouse
+        if: env.SHOPIFY_STORE_URL != '' && env.SHOP_ACCESS_TOKEN != '' && env.LHCI_GITHUB_APP_TOKEN != '' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
+        uses: shopify/lighthouse-ci-action@v1
+        with:
+          store: ${{ secrets.SHOPIFY_STORE_URL }}
+          access_token: ${{ secrets.SHOP_ACCESS_TOKEN }}
+          password: ${{ secrets.SHOP_PASSWORD }}
+          lhci_github_app_token: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
+          lhci_min_score_performance: 0.9
+          lhci_min_score_accessibility: 0.9

package/src/workflows/build/create-release.yml

@@ -0,0 +1,52 @@
+name: Create Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Create release archive
+        run: |
+          mkdir release-temp
+          mkdir -p .sys/release-notes
+
+          TAG_NAME=${GITHUB_REF#refs/tags/}
+          cp release-notes.md ".sys/release-notes/release-note-${TAG_NAME}.md"
+
+          for dir in assets layout locales sections snippets config; do
+            mkdir -p "release-temp/$dir"
+            find "$dir" -type f ! -name "*.md" -exec cp --parents {} release-temp/ \;
+          done
+
+          mkdir -p release-temp/templates
+          find templates -type f ! -name "*.md" ! -name "page.test-*" -exec cp --parents {} release-temp/ \;
+
+          find release-temp -type f -name "*.liquid" -exec sed -i '
+            /{% comment %}/{
+              N
+              /{% comment %}\s*\nINTERNAL/{
+                :a
+                N
+                /{% endcomment %}/!ba
+                d
+              }
+            }' {} \;
+
+          cd release-temp
+          zip -r ../release.zip ./*
+          cd ..
+          rm -rf release-temp
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: release.zip
+          body_path: release-notes.md
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package/src/workflows/build/reusable-build.yml

@@ -0,0 +1,52 @@
+name: Build
+
+on:
+  workflow_call:
+    outputs:
+      build-success:
+        description: "Whether build was successful"
+        value: ${{ jobs.build.outputs.success }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    outputs:
+      success: ${{ steps.build.outputs.success }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+          cache: "npm"
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build scripts
+        run: node build-scripts.js
+
+      - name: Run Tailwind build
+        id: build
+        run: |
+          NODE_ENV=production npx @tailwindcss/cli -i _styles/main.css -o assets/style.css --minify
+          echo "success=true" >> $GITHUB_OUTPUT
+
+      - name: Commit and push changes
+        run: |
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          BRANCH_NAME=${{ github.head_ref || github.ref_name }}
+          git fetch origin "$BRANCH_NAME" || echo "Branch does not exist yet"
+          git checkout -B "$BRANCH_NAME" "origin/$BRANCH_NAME" 2>/dev/null || git checkout -B "$BRANCH_NAME"
+          git add -f assets/index.js assets/style.css
+          if git diff --staged --quiet; then
+            echo "No changes to commit"
+          else
+            git commit -m "Update compiled assets (JavaScript and CSS)"
+            git push origin "$BRANCH_NAME"
+          fi