climaybe 1.1.0 → 1.3.1

package/README.md

@@ -182,6 +182,8 @@ Enabled via `climaybe init` prompt (`Enable build + Lighthouse workflows?`).
 
 All version bumps update `config/settings_schema.json` automatically.
 
+**Full specification:** For detailed versioning rules, local dev flow, hotfix behavior, and alignment with the external CI/CD doc, see **[CI/CD Reference](docs/CI_CD_REFERENCE.md)**.
+
 ## File Sync Rules (Multi-store)
 
 **Synced between root and `stores/<alias>/`:**
@@ -202,30 +204,20 @@ All version bumps update `config/settings_schema.json` automatically.
 
 ## GitHub Secrets
 
-Add the following secret to your GitHub repository:
+Add the following secrets to your GitHub repository (or use **GitLab CI/CD variables** if you use GitLab). You can configure them during `climaybe init` via the GitHub or GitLab CLI.
 
 | Secret | Required | Description |
 |--------|----------|-------------|
 | `GEMINI_API_KEY` | Yes | Google Gemini API key for changelog generation |
-| `SHOPIFY_STORE_URL` | Optional* | Required only when optional preview workflows are enabled |
-| `SHOPIFY_CLI_THEME_TOKEN` | Optional* | Required only when optional preview workflows are enabled |
-| `SHOP_STORE` | Optional* | Required only when optional build workflows are enabled (Lighthouse) |
+| `SHOPIFY_STORE_URL` | Set from config | Store URL is set automatically from the store domain(s) you add during init (no prompt). |
+| `SHOPIFY_CLI_THEME_TOKEN` | Yes* | Theme access token for preview workflows (required when preview is enabled). |
 | `SHOP_ACCESS_TOKEN` | Optional* | Required only when optional build workflows are enabled (Lighthouse) |
 | `LHCI_GITHUB_APP_TOKEN` | Optional* | Required only when optional build workflows are enabled (Lighthouse) |
 | `SHOP_PASSWORD` | Optional | Used by Lighthouse action when your store requires password auth |
 
-For multi-store deploy PR links, you can optionally define store-scoped secrets:
-
-- `SHOPIFY_STORE_URL_<ALIAS>`
-- `SHOPIFY_CLI_THEME_TOKEN_<ALIAS>`
-
-`<ALIAS>` must be uppercase with hyphens converted to underscores.  
-Example: alias `voldt-norway` → `SHOPIFY_STORE_URL_VOLDT_NORWAY`.
-
-Preview workflows also support the same scoped secret pattern and will use:
+**Store URL:** During `climaybe init` (or `add-store`), store URL secret(s) are set from your configured store domain(s); you are only prompted for the theme token.
 
-1. `SHOPIFY_*_<ALIAS>`
-2. fallback to `SHOPIFY_*` (default)
+**Multi-store:** Per-store secrets `SHOPIFY_STORE_URL_<ALIAS>` and `SHOPIFY_CLI_THEME_TOKEN_<ALIAS>` — the URL is set from config; you must provide the theme token per store. `<ALIAS>` is uppercase with hyphens as underscores (e.g. `voldt-norway` → `SHOPIFY_STORE_URL_VOLDT_NORWAY`).
 
 ## Directory Structure (Multi-store)
 
@@ -250,6 +242,15 @@ Preview workflows also support the same scoped secret pattern and will use:
 └── .github/workflows/
 ```
 
+## Releases and versioning
+
+- **Branch:** Single default branch `main`. Feature branches open as PRs into `main`.
+- **Versioning:** [SemVer](https://semver.org/). Versions are **bumped automatically** when PRs are merged to `main` using [conventional commits](https://www.conventionalcommits.org/): `fix:` → patch, `feat:` → minor, `BREAKING CHANGE` or `feat!:` → major.
+- **Flow:** Merge to `main` → [Release version](.github/workflows/release-version.yml) runs semantic-release (bumps `package.json`, pushes tag) → tag push triggers [Release](.github/workflows/release.yml) (tests + publish to npm). Requires `NPM_TOKEN` secret for npm publish.
+- **CI:** Every PR and push to `main` runs tests on Node 20 and 22 ([CI workflow](.github/workflows/ci.yml)).
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for branch, PR, and conventional-commit details.
+
 ## License
 
 MIT — Electric Maybe

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "climaybe",
-  "version": "1.1.0",
+  "version": "1.3.1",
   "description": "Shopify CI/CD CLI — scaffolds workflows, branch strategy, and store config for single-store and multi-store theme repos",
   "type": "module",
   "bin": {
@@ -29,9 +29,46 @@
   },
   "bugs": "https://github.com/electricmaybe/climaybe/issues",
   "homepage": "https://github.com/electricmaybe/climaybe#readme",
+  "scripts": {
+    "test": "node scripts/run-tests.js 2>&1 | tee test.log",
+    "prepare": "husky"
+  },
+  "release": {
+    "branches": [
+      "main"
+    ],
+    "plugins": [
+      "@semantic-release/commit-analyzer",
+      "@semantic-release/release-notes-generator",
+      [
+        "@semantic-release/npm",
+        {
+          "npmPublish": false
+        }
+      ],
+      [
+        "@semantic-release/git",
+        {
+          "assets": [
+            "package.json",
+            "package-lock.json"
+          ],
+          "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+        }
+      ]
+    ]
+  },
   "dependencies": {
-    "commander": "^13.1.0",
+    "commander": "^14.0.3",
     "picocolors": "^1.1.1",
     "prompts": "^2.4.2"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^20.4.4",
+    "@commitlint/config-conventional": "^20.4.4",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/npm": "^13.1.5",
+    "husky": "^9.1.7",
+    "semantic-release": "^25.0.3"
   }
 }

package/src/commands/add-store.js

@@ -1,9 +1,21 @@
 import pc from 'picocolors';
-import { promptNewStore } from '../lib/prompts.js';
+import { promptNewStore, promptConfigureCISecrets, promptUpdateExistingSecrets, promptSecretValue } from '../lib/prompts.js';
 import { readConfig, addStoreToConfig, getStoreAliases, getMode, isPreviewWorkflowsEnabled, isBuildWorkflowsEnabled } from '../lib/config.js';
 import { createStoreBranches } from '../lib/git.js';
 import { scaffoldWorkflows } from '../lib/workflows.js';
 import { createStoreDirectories } from '../lib/store-sync.js';
+import {
+  isGhAvailable,
+  hasGitHubRemote,
+  isGlabAvailable,
+  hasGitLabRemote,
+  listGitHubSecrets,
+  listGitLabVariables,
+  getStoreUrlSecretForNewStore,
+  getSecretsToPromptForNewStore,
+  setSecret,
+  setGitLabVariable,
+} from '../lib/github-secrets.js';
 
 export async function addStoreCommand() {
   console.log(pc.bold('\n  climaybe — Add Store\n'));
@@ -54,4 +66,63 @@ export async function addStoreCommand() {
   console.log(pc.bold(pc.green('\n  Store added successfully!\n')));
   console.log(pc.dim(`  New branches: staging-${store.alias}, live-${store.alias}`));
   console.log(pc.dim(`  Store dir: stores/${store.alias}/\n`));
+
+  // If preview workflows are on, offer to set this store's CI secrets (multi-store uses per-store secrets)
+  if (includePreview) {
+    const ciHost = await promptConfigureCISecrets();
+    if (ciHost !== 'skip') {
+      const setter =
+        ciHost === 'github'
+          ? { check: isGhAvailable, checkRemote: hasGitHubRemote, set: setSecret, name: 'GitHub' }
+          : { check: isGlabAvailable, checkRemote: hasGitLabRemote, set: setGitLabVariable, name: 'GitLab' };
+
+      if (!setter.check()) {
+        console.log(pc.yellow(`  ${setter.name} CLI is not installed or not logged in. Add secrets manually in repo Settings.`));
+      } else if (!setter.checkRemote()) {
+        console.log(pc.yellow('  No ' + setter.name + ' remote (origin). Add secrets manually after pushing.'));
+      } else {
+        let setCount = 0;
+        const { name: urlName, value: urlValue } = getStoreUrlSecretForNewStore(store);
+        try {
+          await setter.set(urlName, urlValue);
+          console.log(pc.green(`  Set ${urlName} (from store config).`));
+          setCount++;
+        } catch (err) {
+          console.log(pc.red(`  Failed to set ${urlName}: ${err.message}`));
+        }
+
+        const secretsToPrompt = getSecretsToPromptForNewStore(store);
+        const existingNames = ciHost === 'github' ? listGitHubSecrets() : listGitLabVariables();
+        const namesWeWillPrompt = new Set(secretsToPrompt.map((s) => s.name));
+        const alreadySet = existingNames.filter((n) => namesWeWillPrompt.has(n));
+        if (alreadySet.length > 0) {
+          const doUpdate = await promptUpdateExistingSecrets(alreadySet);
+          if (!doUpdate) {
+            if (setCount > 0) {
+              console.log(pc.green(`\n  Done. ${setCount} secret(s) set for store "${store.alias}".\n`));
+            }
+            return;
+          }
+        }
+        const total = secretsToPrompt.length;
+        console.log(pc.cyan(`\n  Configure ${total} secret(s) for store "${store.alias}" (theme token required).\n`));
+        for (let i = 0; i < secretsToPrompt.length; i++) {
+          const secret = secretsToPrompt[i];
+          const value = await promptSecretValue(secret, i, total);
+          if (value) {
+            try {
+              await setter.set(secret.name, value);
+              console.log(pc.green(`  Set ${secret.name}.`));
+              setCount++;
+            } catch (err) {
+              console.log(pc.red(`  Failed to set ${secret.name}: ${err.message}`));
+            }
+          }
+        }
+        if (setCount > 0) {
+          console.log(pc.green(`\n  Done. ${setCount} secret(s) set for store "${store.alias}".\n`));
+        }
+      }
+    }
+  }
 }

package/src/commands/init.js

@@ -1,22 +1,35 @@
+import prompts from 'prompts';
 import pc from 'picocolors';
-import { promptStoreLoop, promptPreviewWorkflows, promptBuildWorkflows } from '../lib/prompts.js';
+import {
+  promptStoreLoop,
+  promptPreviewWorkflows,
+  promptBuildWorkflows,
+  promptConfigureCISecrets,
+  promptUpdateExistingSecrets,
+  promptSecretValue,
+} from '../lib/prompts.js';
 import { readConfig, writeConfig } from '../lib/config.js';
 import { ensureGitRepo, ensureInitialCommit, ensureStagingBranch, createStoreBranches } from '../lib/git.js';
 import { scaffoldWorkflows } from '../lib/workflows.js';
 import { createStoreDirectories } from '../lib/store-sync.js';
+import {
+  isGhAvailable,
+  hasGitHubRemote,
+  isGlabAvailable,
+  hasGitLabRemote,
+  listGitHubSecrets,
+  listGitLabVariables,
+  getStoreUrlSecretsFromConfig,
+  getSecretsToPrompt,
+  setSecret,
+  setGitLabVariable,
+} from '../lib/github-secrets.js';
 
-export async function initCommand() {
-  console.log(pc.bold('\n  climaybe — Shopify CI/CD Setup\n'));
-
-  // Guard: check if already initialized
-  const existing = readConfig();
-  if (existing?.stores && Object.keys(existing.stores).length > 0) {
-    console.log(pc.yellow('  This repo already has a climaybe config.'));
-    console.log(pc.dim('  Use "climaybe add-store" to add more stores.'));
-    console.log(pc.dim('  Use "climaybe update-workflows" to refresh workflows.\n'));
-    return;
-  }
-
+/**
+ * Run the full init flow: prompts, config write, git, branches, workflows.
+ * Used by both init (when not already inited or user confirms reinit) and reinit.
+ */
+async function runInitFlow() {
   // 1. Collect stores from user
   const stores = await promptStoreLoop();
   const mode = stores.length > 1 ? 'multi' : 'single';
@@ -81,7 +94,119 @@ export async function initCommand() {
   console.log(pc.dim(`  Build workflows: ${enableBuildWorkflows ? 'enabled' : 'disabled'}`));
 
   console.log(pc.dim('\n  Next steps:'));
-  console.log(pc.dim('    1. Add GEMINI_API_KEY to your GitHub repo secrets'));
-  console.log(pc.dim('    2. Push to GitHub and start using the branching workflow'));
+  console.log(pc.dim('    1. Add GEMINI_API_KEY to your CI secrets (or configure below)'));
+  console.log(pc.dim('    2. Push to GitHub/GitLab and start using the branching workflow'));
   console.log(pc.dim('    3. Tag your first release: git tag v1.0.0\n'));
+
+  const ciHost = await promptConfigureCISecrets();
+  if (ciHost === 'skip') return;
+
+  const secretsToPrompt = getSecretsToPrompt({
+    enablePreviewWorkflows,
+    enableBuildWorkflows,
+    mode,
+    stores,
+  });
+  const total = secretsToPrompt.length;
+  const setter =
+    ciHost === 'github'
+      ? { check: isGhAvailable, checkRemote: hasGitHubRemote, set: setSecret, name: 'GitHub' }
+      : { check: isGlabAvailable, checkRemote: hasGitLabRemote, set: setGitLabVariable, name: 'GitLab' };
+
+  if (!setter.check()) {
+    const installUrl = ciHost === 'github' ? 'https://cli.github.com/' : 'https://gitlab.com/gitlab-org/cli';
+    console.log(pc.yellow(`  ${setter.name} CLI is not installed or not logged in.`));
+    console.log(pc.dim(`  Install: ${installUrl} — then run ${ciHost === 'github' ? 'gh' : 'glab'} auth login`));
+    console.log(
+      pc.dim(
+        ciHost === 'github'
+          ? '  You can add secrets later in the repo: Settings → Secrets and variables → Actions.\n'
+          : '  You can add variables later in the repo: Settings → CI/CD → Variables.\n'
+      )
+    );
+    return;
+  }
+  if (!setter.checkRemote()) {
+    console.log(pc.yellow('  This repo has no ' + setter.name + ' remote (origin).'));
+    console.log(pc.dim('  Add a remote and push first, then add secrets/variables in the repo Settings.\n'));
+    return;
+  }
+
+  const existingNames =
+    ciHost === 'github' ? listGitHubSecrets() : listGitLabVariables();
+  const namesWeWillPrompt = new Set(secretsToPrompt.map((s) => s.name));
+  const alreadySet = existingNames.filter((n) => namesWeWillPrompt.has(n));
+  if (alreadySet.length > 0) {
+    const doUpdate = await promptUpdateExistingSecrets(alreadySet);
+    if (!doUpdate) {
+      console.log(pc.dim('\n  Skipping. Existing secrets left unchanged.\n'));
+      return;
+    }
+  }
+
+  let setCount = 0;
+
+  // Set store URL(s) from config (domains already added during init) — no prompt
+  const storeUrlSecrets = getStoreUrlSecretsFromConfig({
+    enablePreviewWorkflows,
+    enableBuildWorkflows,
+    mode,
+    stores,
+  });
+  for (const { name, value } of storeUrlSecrets) {
+    try {
+      await setter.set(name, value);
+      console.log(pc.green(`  Set ${name} (from store config).`));
+      setCount++;
+    } catch (err) {
+      console.log(pc.red(`  Failed to set ${name}: ${err.message}`));
+    }
+  }
+
+  console.log(pc.cyan(`\n  Configure ${total} ${setter.name} secret(s)/variable(s). Leave optional ones blank to skip.\n`));
+  for (let i = 0; i < secretsToPrompt.length; i++) {
+    const secret = secretsToPrompt[i];
+    const value = await promptSecretValue(secret, i, total);
+    if (value) {
+      try {
+        await setter.set(secret.name, value);
+        console.log(pc.green(`  Set ${secret.name}.`));
+        setCount++;
+      } catch (err) {
+        console.log(pc.red(`  Failed to set ${secret.name}: ${err.message}`));
+      }
+    }
+  }
+  if (setCount > 0) {
+    console.log(pc.green(`\n  Done. ${setCount} secret(s) set for this repository.\n`));
+  }
+}
+
+export async function initCommand() {
+  console.log(pc.bold('\n  climaybe — Shopify CI/CD Setup\n'));
+
+  const existing = readConfig();
+  const hasConfig = existing != null && typeof existing === 'object';
+
+  if (hasConfig) {
+    const { reinit } = await prompts({
+      type: 'confirm',
+      name: 'reinit',
+      message: 'This repo already has a climaybe config. Clear everything and reinitialize from scratch?',
+      initial: false,
+    });
+    if (!reinit) {
+      console.log(pc.dim('  Use "climaybe add-store" to add more stores.'));
+      console.log(pc.dim('  Use "climaybe update-workflows" to refresh workflows.'));
+      console.log(pc.dim('  Use "climaybe reinit" to reinitialize from scratch.\n'));
+      return;
+    }
+  }
+
+  await runInitFlow();
+}
+
+export async function reinitCommand() {
+  console.log(pc.bold('\n  climaybe — Reinitialize CI/CD Setup\n'));
+  await runInitFlow();
 }

package/src/index.js

@@ -1,23 +1,38 @@
+import { createRequire } from 'node:module';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import { Command } from 'commander';
-import { initCommand } from './commands/init.js';
+import { initCommand, reinitCommand } from './commands/init.js';
 import { addStoreCommand } from './commands/add-store.js';
 import { switchCommand } from './commands/switch.js';
 import { syncCommand } from './commands/sync.js';
 import { updateWorkflowsCommand } from './commands/update-workflows.js';
 
-export function run(argv) {
+const require = createRequire(import.meta.url);
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const { version } = require(join(__dirname, '..', 'package.json'));
+
+/**
+ * Create the CLI program (for testing and for run).
+ */
+export function createProgram() {
   const program = new Command();
 
   program
     .name('climaybe')
     .description('Shopify CI/CD CLI — scaffolds workflows, branch strategy, and store config')
-    .version('1.0.0');
+    .version(version);
 
   program
     .command('init')
     .description('Initialize CI/CD setup for a Shopify theme repo')
     .action(initCommand);
 
+  program
+    .command('reinit')
+    .description('Reinitialize CI/CD setup (removes existing config and re-scaffolds workflows)')
+    .action(reinitCommand);
+
   program
     .command('add-store')
     .description('Add a new store to an existing multi-store config')
@@ -40,5 +55,9 @@ export function run(argv) {
     .description('Refresh GitHub Actions workflows from latest bundled templates')
     .action(updateWorkflowsCommand);
 
-  program.parse(argv);
+  return program;
+}
+
+export function run(argv) {
+  createProgram().parse(argv);
 }

package/src/lib/config.js

@@ -14,6 +14,7 @@ function pkgPath(cwd = process.cwd()) {
 /**
  * Read the full package.json from a target repo.
  * Returns null if it doesn't exist.
+ * @public (used by tests)
  */
 export function readPkg(cwd = process.cwd()) {
   const p = pkgPath(cwd);

package/src/lib/git.js

@@ -4,6 +4,11 @@ import pc from 'picocolors';
 const exec = (cmd, cwd = process.cwd()) =>
   execSync(cmd, { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
 
+function isExpectedGitError(err, patterns) {
+  const text = [err.message, err.stderr].filter(Boolean).join(' ');
+  return patterns.some((p) => text.includes(p));
+}
+
 /**
  * Check if current directory is a git repo.
  */
@@ -11,7 +16,10 @@ export function isGitRepo(cwd = process.cwd()) {
   try {
     exec('git rev-parse --is-inside-work-tree', cwd);
     return true;
-  } catch {
+  } catch (err) {
+    if (!isExpectedGitError(err, ['not a git repository'])) {
+      console.error(err);
+    }
     return false;
   }
 }
@@ -30,7 +38,10 @@ export function branchExists(name, cwd = process.cwd()) {
   try {
     exec(`git rev-parse --verify ${name}`, cwd);
     return true;
-  } catch {
+  } catch (err) {
+    if (!isExpectedGitError(err, ['Needed a single revision'])) {
+      console.error(err);
+    }
     return false;
   }
 }
@@ -71,7 +82,14 @@ export function ensureStagingBranch(cwd = process.cwd()) {
 export function ensureInitialCommit(cwd = process.cwd()) {
   try {
     exec('git rev-parse HEAD', cwd);
-  } catch {
+  } catch (err) {
+    const expectedNoCommit = isExpectedGitError(err, [
+      'unknown revision',
+      'path not in the working tree',
+    ]);
+    if (!expectedNoCommit) {
+      console.error(err);
+    }
     // No commits yet — create an initial one
     exec('git add -A', cwd);
     exec('git commit -m "chore: initial commit" --allow-empty', cwd);

package/src/lib/github-secrets.js

@@ -0,0 +1,286 @@
+import { spawn, spawnSync, execSync } from 'node:child_process';
+import pc from 'picocolors';
+
+/**
+ * Secret/variable definitions for CI (GitHub Actions or GitLab CI).
+ * condition: 'always' = required for core workflows; 'preview' | 'build' = only when that feature is enabled.
+ */
+export const SECRET_DEFINITIONS = [
+  {
+    name: 'GEMINI_API_KEY',
+    required: true,
+    condition: 'always',
+    description: 'Google Gemini API key for AI-generated changelogs on release',
+    whereToGet:
+      'Google AI Studio: https://aistudio.google.com/apikey — create an API key, then paste it here.',
+  },
+  {
+    name: 'SHOPIFY_STORE_URL',
+    required: false,
+    condition: 'preview_or_build',
+    description: 'Shopify store URL (e.g. your-store.myshopify.com) — preview themes and/or Lighthouse',
+    whereToGet:
+      'Your theme’s store URL in Shopify Admin → Settings → Domains, or use the .myshopify.com URL.',
+  },
+  {
+    name: 'SHOPIFY_CLI_THEME_TOKEN',
+    required: true,
+    condition: 'preview',
+    description: 'Theme access token so CI can push preview themes to your store',
+    whereToGet:
+      'Shopify Partners: your app → Theme library access → Create theme access token. Or: Shopify Admin → Apps → Develop apps → your app → API credentials → Theme access.',
+  },
+  {
+    name: 'SHOP_ACCESS_TOKEN',
+    required: false,
+    condition: 'build',
+    description: 'Store API access token for Lighthouse runs',
+    whereToGet:
+      'Shopify Admin → Settings → Apps and sales channels → Develop apps → your app → API credentials (Admin API or custom app with storefront/build access).',
+  },
+  {
+    name: 'LHCI_GITHUB_APP_TOKEN',
+    required: false,
+    condition: 'build',
+    description: 'Lighthouse CI GitHub App token for posting results as PR comments',
+    whereToGet:
+      'Lighthouse CI GitHub App: https://github.com/apps/lighthouse-ci — install and create a token, or use a Personal Access Token with repo scope.',
+  },
+  {
+    name: 'SHOP_PASSWORD',
+    required: false,
+    condition: 'build',
+    description: 'Store password if your storefront is password-protected (optional)',
+    whereToGet: 'The password visitors enter to access your store (Storefront password in Shopify Admin).',
+  },
+];
+
+/**
+ * Check if GitHub CLI is installed and authenticated.
+ */
+export function isGhAvailable() {
+  try {
+    execSync('gh auth status', { encoding: 'utf-8', stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if the current repo has a GitHub remote (origin pointing to github.com).
+ */
+export function hasGitHubRemote(cwd = process.cwd()) {
+  try {
+    const url = execSync('git remote get-url origin', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    return /github\.com/i.test(url);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Get GitHub repo as "owner/repo" from origin remote. Returns null if not a GitHub URL or parse fails.
+ * Used to pass -R to gh when the repo has multiple remotes.
+ */
+export function getGitHubRepoSpec(cwd = process.cwd()) {
+  try {
+    const url = execSync('git remote get-url origin', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    // https://github.com/owner/repo[.git] or git@github.com:owner/repo[.git]
+    const m = url.match(/github\.com[/:]([^/]+)\/([^/]+?)(?:\.git)?$/i);
+    return m ? `${m[1]}/${m[2]}` : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * List repository secret names (GitHub). Returns [] on error or if none.
+ */
+export function listGitHubSecrets(cwd = process.cwd()) {
+  try {
+    const repo = getGitHubRepoSpec(cwd);
+    const args = ['secret', 'list', '--json', 'name'];
+    if (repo) args.push('-R', repo);
+    const result = spawnSync('gh', args, { cwd, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const out = (result.stdout || '').trim();
+    const data = JSON.parse(out || '[]');
+    return Array.isArray(data) ? data.map((s) => s.name).filter(Boolean) : [];
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * List project CI/CD variable names (GitLab). Returns [] on error or if none.
+ */
+export function listGitLabVariables(cwd = process.cwd()) {
+  try {
+    const out = execSync('glab variable list -F json', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    const data = JSON.parse(out || '[]');
+    if (!Array.isArray(data)) return [];
+    return data.map((v) => v.key ?? v.name ?? v.Key).filter(Boolean);
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Set a repository secret via gh CLI. Value is passed via stdin to avoid argv exposure.
+ * Uses -R owner/repo from origin when available so gh works with multiple remotes.
+ */
+export function setSecret(name, value, cwd = process.cwd()) {
+  return new Promise((resolve, reject) => {
+    const repo = getGitHubRepoSpec(cwd);
+    const args = ['secret', 'set', name];
+    if (repo) args.push('-R', repo);
+    const child = spawn('gh', args, {
+      stdio: ['pipe', 'inherit', 'inherit'],
+      cwd,
+    });
+    child.on('error', reject);
+    child.on('close', (code) => (code === 0 ? resolve() : reject(new Error(`gh secret set exited with ${code}`))));
+    child.stdin.write(value, (err) => {
+      if (err) reject(err);
+      else child.stdin.end();
+    });
+  });
+}
+
+/**
+ * Check if GitLab CLI is installed and authenticated.
+ */
+export function isGlabAvailable() {
+  try {
+    execSync('glab auth status', { encoding: 'utf-8', stdio: 'pipe' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Check if the current repo has a GitLab remote (origin pointing to gitlab.com or common self-hosted hosts).
+ */
+export function hasGitLabRemote(cwd = process.cwd()) {
+  try {
+    const url = execSync('git remote get-url origin', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    return /gitlab\.com|gitlab\./i.test(url);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Set a project CI/CD variable via glab CLI. Value is passed via stdin to avoid argv exposure.
+ */
+export function setGitLabVariable(name, value) {
+  return new Promise((resolve, reject) => {
+    const child = spawn('glab', ['variable', 'set', name, '--masked'], {
+      stdio: ['pipe', 'inherit', 'inherit'],
+    });
+    child.on('error', reject);
+    child.on('close', (code) =>
+      code === 0 ? resolve() : reject(new Error(`glab variable set exited with ${code}`))
+    );
+    child.stdin.write(value, (err) => {
+      if (err) reject(err);
+      else child.stdin.end();
+    });
+  });
+}
+
+/**
+ * Convert store alias to secret suffix (e.g. voldt-norway → VOLDT_NORWAY).
+ */
+export function aliasToSecretSuffix(alias) {
+  return String(alias).replace(/-/g, '_').toUpperCase();
+}
+
+/**
+ * Store URL secrets are set from config (store domains added during init), not prompted.
+ * Returns [{ name, value }] for SHOPIFY_STORE_URL and/or SHOPIFY_STORE_URL_<ALIAS>.
+ */
+export function getStoreUrlSecretsFromConfig({ enablePreviewWorkflows, enableBuildWorkflows, mode = 'single', stores = [] }) {
+  if (stores.length === 0) return [];
+  const isMulti = mode === 'multi' && stores.length > 1;
+  const out = [];
+
+  if (isMulti && enablePreviewWorkflows) {
+    for (const store of stores) {
+      out.push({ name: `SHOPIFY_STORE_URL_${aliasToSecretSuffix(store.alias)}`, value: store.domain });
+    }
+  }
+  if (!isMulti && (enablePreviewWorkflows || enableBuildWorkflows)) {
+    out.push({ name: 'SHOPIFY_STORE_URL', value: stores[0].domain });
+  }
+  if (isMulti && enableBuildWorkflows) {
+    const defaultDomain = stores[0]?.domain;
+    if (defaultDomain && !out.some((s) => s.name === 'SHOPIFY_STORE_URL')) {
+      out.push({ name: 'SHOPIFY_STORE_URL', value: defaultDomain });
+    }
+  }
+  return out;
+}
+
+/**
+ * Get secrets we need to prompt for (excludes store URLs; those are set from config).
+ * Theme token(s) are required when preview is enabled.
+ */
+export function getSecretsToPrompt({ enablePreviewWorkflows, enableBuildWorkflows, mode = 'single', stores = [] }) {
+  const isMulti = mode === 'multi' && stores.length > 1;
+
+  const base = SECRET_DEFINITIONS.filter((s) => {
+    if (s.name === 'SHOPIFY_STORE_URL') return false; // set from config
+    if (s.condition === 'always') return true;
+    if (s.condition === 'preview_or_build') return enablePreviewWorkflows || enableBuildWorkflows;
+    if (s.condition === 'preview' && enablePreviewWorkflows) return true;
+    if (s.condition === 'build' && enableBuildWorkflows) return true;
+    return false;
+  });
+
+  const dropPreviewGeneric =
+    isMulti && enablePreviewWorkflows
+      ? (s) => s.name !== 'SHOPIFY_CLI_THEME_TOKEN'
+      : () => true;
+
+  let list = base.filter(dropPreviewGeneric);
+
+  if (isMulti && enablePreviewWorkflows) {
+    for (const store of stores) {
+      const suffix = aliasToSecretSuffix(store.alias);
+      list.push({
+        name: `SHOPIFY_CLI_THEME_TOKEN_${suffix}`,
+        required: true,
+        description: `Store ${store.alias}: Theme access token for CI (staging/live use this for ${store.alias})`,
+        whereToGet:
+          'Shopify Partners or Admin → Apps → Develop apps → your app → Theme access for this store.',
+      });
+    }
+  }
+
+  return list;
+}
+
+/**
+ * Store URL for a new store (set from store.domain, no prompt).
+ */
+export function getStoreUrlSecretForNewStore(store) {
+  return { name: `SHOPIFY_STORE_URL_${aliasToSecretSuffix(store.alias)}`, value: store.domain };
+}
+
+/**
+ * Per-store secret to prompt for when adding a store (theme token only; URL is set from store.domain).
+ */
+export function getSecretsToPromptForNewStore(store) {
+  const suffix = aliasToSecretSuffix(store.alias);
+  return [
+    {
+      name: `SHOPIFY_CLI_THEME_TOKEN_${suffix}`,
+      required: true,
+      description: `Store ${store.alias}: Theme access token for CI (staging/live use this for ${store.alias})`,
+      whereToGet:
+        'Shopify Partners or Admin → Apps → Develop apps → your app → Theme access for this store.',
+    },
+  ];
+}

package/src/lib/prompts.js

@@ -6,7 +6,7 @@ import pc from 'picocolors';
  * "voldt-staging.myshopify.com" → "voldt-staging"
  */
 export function extractAlias(domain) {
-  return domain.replace(/\.myshopify\.com$/i, '').trim();
+  return domain.trim().replace(/\.myshopify\.com$/i, '').trim();
 }
 
 /**
@@ -165,3 +165,63 @@ export async function promptNewStore(existingAliases = []) {
 
   return store;
 }
+
+/**
+ * Ask which CI host to configure for secrets (after init). Returns 'github' | 'gitlab' | 'skip'.
+ */
+export async function promptConfigureCISecrets() {
+  const { host } = await prompts({
+    type: 'select',
+    name: 'host',
+    message: 'Configure CI secrets / variables now?',
+    choices: [
+      { title: 'GitHub (gh CLI)', value: 'github' },
+      { title: 'GitLab (glab CLI)', value: 'gitlab' },
+      { title: 'Skip', value: 'skip' },
+    ],
+    initial: 0,
+  });
+  return host ?? 'skip';
+}
+
+/**
+ * Ask whether to update existing CI secrets (when some are already set). Returns true to update, false to skip.
+ */
+export async function promptUpdateExistingSecrets(existingNames) {
+  const list = existingNames.length <= 5 ? existingNames.join(', ') : `${existingNames.slice(0, 3).join(', ')} and ${existingNames.length - 3} more`;
+  const { update } = await prompts({
+    type: 'confirm',
+    name: 'update',
+    message: `You already have ${existingNames.length} secret(s) set (${list}). Update them?`,
+    initial: false,
+  });
+  return !!update;
+}
+
+/**
+ * Prompt for a single secret value. Shows name, required/optional, description, and where to get it.
+ * Returns the value string or null if user skips (optional secrets only).
+ */
+export async function promptSecretValue(secret, index, total) {
+  const requiredLabel = secret.required ? pc.red('required') : pc.dim('optional');
+  const message = `[${index + 1}/${total}] ${secret.name} (${requiredLabel})`;
+
+  console.log(pc.cyan(`\n  ${secret.name}`));
+  console.log(pc.dim(`  ${secret.description}`));
+  console.log(pc.dim(`  Where to get: ${secret.whereToGet}`));
+
+  const { value } = await prompts({
+    type: 'password',
+    name: 'value',
+    message,
+    validate: (v) => {
+      if (secret.required && !(v && v.trim())) return 'This secret is required for your workflows.';
+      return true;
+    },
+  });
+
+  if (value === undefined) return null;
+  const trimmed = typeof value === 'string' ? value.trim() : '';
+  if (!trimmed && !secret.required) return null;
+  return trimmed || null;
+}

package/src/workflows/build/build-pipeline.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build]
     env:
-      SHOP_STORE: ${{ secrets.SHOP_STORE }}
+      SHOPIFY_STORE_URL: ${{ secrets.SHOPIFY_STORE_URL }}
       SHOP_ACCESS_TOKEN: ${{ secrets.SHOP_ACCESS_TOKEN }}
       LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
     steps:
@@ -26,8 +26,8 @@ jobs:
             SKIP_REASONS+=("Not on main or staging branch (current: ${{ github.ref }})")
           fi
 
-          if [ -z "$SHOP_STORE" ] || [ -z "$SHOP_ACCESS_TOKEN" ] || [ -z "$LHCI_GITHUB_APP_TOKEN" ]; then
-            SKIP_REASONS+=("Missing required secrets: SHOP_STORE, SHOP_ACCESS_TOKEN, or LHCI_GITHUB_APP_TOKEN")
+          if [ -z "$SHOPIFY_STORE_URL" ] || [ -z "$SHOP_ACCESS_TOKEN" ] || [ -z "$LHCI_GITHUB_APP_TOKEN" ]; then
+            SKIP_REASONS+=("Missing required secrets: SHOPIFY_STORE_URL, SHOP_ACCESS_TOKEN, or LHCI_GITHUB_APP_TOKEN")
           fi
 
           if [ ${#SKIP_REASONS[@]} -gt 0 ]; then
@@ -42,14 +42,14 @@ jobs:
           echo "All conditions met, proceeding with Lighthouse CI"
 
       - name: Checkout code
-        if: env.SHOP_STORE != '' && env.SHOP_ACCESS_TOKEN != '' && env.LHCI_GITHUB_APP_TOKEN != '' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
+        if: env.SHOPIFY_STORE_URL != '' && env.SHOP_ACCESS_TOKEN != '' && env.LHCI_GITHUB_APP_TOKEN != '' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
         uses: actions/checkout@v4
 
       - name: Lighthouse
-        if: env.SHOP_STORE != '' && env.SHOP_ACCESS_TOKEN != '' && env.LHCI_GITHUB_APP_TOKEN != '' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
+        if: env.SHOPIFY_STORE_URL != '' && env.SHOP_ACCESS_TOKEN != '' && env.LHCI_GITHUB_APP_TOKEN != '' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
         uses: shopify/lighthouse-ci-action@v1
         with:
-          store: ${{ secrets.SHOP_STORE }}
+          store: ${{ secrets.SHOPIFY_STORE_URL }}
           access_token: ${{ secrets.SHOP_ACCESS_TOKEN }}
           password: ${{ secrets.SHOP_PASSWORD }}
           lhci_github_app_token: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}

package/src/workflows/preview/pr-update.yml

@@ -29,11 +29,12 @@ jobs:
             const fs = require('fs');
             const pkg = JSON.parse(fs.readFileSync('./package.json', 'utf8'));
             const stores = pkg?.config?.stores || {};
+            const defaultStoreRaw = pkg?.config?.default_store;
             const normalize = (v) => String(v || '')
               .toLowerCase()
               .replace(/^https?:\\/\\//, '')
               .replace(/\\/.*$/, '');
-            const defaultStore = normalize(pkg?.config?.default_store);
+            const defaultStore = normalize(defaultStoreRaw);
             let alias = '';
             if (defaultStore) {
               for (const [k, d] of Object.entries(stores)) {
@@ -46,6 +47,13 @@ jobs:
             if (!alias) {
               alias = Object.keys(stores)[0] || '';
             }
+            if (!alias && defaultStore) {
+              const subdomain = defaultStore.split('.')[0] || 'default';
+              alias = subdomain.replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-') || 'default';
+            }
+            if (!alias) {
+              alias = 'default';
+            }
             process.stdout.write(alias);
           ")