climaybe 1.3.0 → 1.3.3

package/README.md

@@ -210,14 +210,14 @@ Add the following secrets to your GitHub repository (or use **GitLab CI/CD varia
 |--------|----------|-------------|
 | `GEMINI_API_KEY` | Yes | Google Gemini API key for changelog generation |
 | `SHOPIFY_STORE_URL` | Set from config | Store URL is set automatically from the store domain(s) you add during init (no prompt). |
-| `SHOPIFY_CLI_THEME_TOKEN` | Yes* | Theme access token for preview workflows (required when preview is enabled). |
+| `SHOPIFY_THEME_ACCESS_TOKEN` | Yes* | Theme access token for preview workflows (required when preview is enabled). |
 | `SHOP_ACCESS_TOKEN` | Optional* | Required only when optional build workflows are enabled (Lighthouse) |
 | `LHCI_GITHUB_APP_TOKEN` | Optional* | Required only when optional build workflows are enabled (Lighthouse) |
 | `SHOP_PASSWORD` | Optional | Used by Lighthouse action when your store requires password auth |
 
 **Store URL:** During `climaybe init` (or `add-store`), store URL secret(s) are set from your configured store domain(s); you are only prompted for the theme token.
 
-**Multi-store:** Per-store secrets `SHOPIFY_STORE_URL_<ALIAS>` and `SHOPIFY_CLI_THEME_TOKEN_<ALIAS>` — the URL is set from config; you must provide the theme token per store. `<ALIAS>` is uppercase with hyphens as underscores (e.g. `voldt-norway` → `SHOPIFY_STORE_URL_VOLDT_NORWAY`).
+**Multi-store:** Per-store secrets `SHOPIFY_STORE_URL_<ALIAS>` and `SHOPIFY_THEME_ACCESS_TOKEN_<ALIAS>` — the URL is set from config; you must provide the theme token per store. `<ALIAS>` is uppercase with hyphens as underscores (e.g. `voldt-norway` → `SHOPIFY_STORE_URL_VOLDT_NORWAY`).
 
 ## Directory Structure (Multi-store)
 

package/bin/cli.js

@@ -1,5 +1,13 @@
 #!/usr/bin/env node
 
+import { createRequire } from 'node:module';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import { run } from '../src/index.js';
 
-run(process.argv);
+// Resolve version from package.json next to this bin (works with npm link / global install)
+const require = createRequire(import.meta.url);
+const binDir = dirname(fileURLToPath(import.meta.url));
+const pkg = require(join(binDir, '..', 'package.json'));
+
+run(process.argv, pkg.version);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "climaybe",
-  "version": "1.3.0",
+  "version": "1.3.3",
   "description": "Shopify CI/CD CLI — scaffolds workflows, branch strategy, and store config for single-store and multi-store theme repos",
   "type": "module",
   "bin": {

package/src/commands/add-store.js

@@ -1,5 +1,5 @@
 import pc from 'picocolors';
-import { promptNewStore, promptConfigureCISecrets, promptUpdateExistingSecrets, promptSecretValue } from '../lib/prompts.js';
+import { promptNewStore, promptConfigureCISecrets, promptUpdateExistingSecrets, promptSecretValue, promptTestThemeToken } from '../lib/prompts.js';
 import { readConfig, addStoreToConfig, getStoreAliases, getMode, isPreviewWorkflowsEnabled, isBuildWorkflowsEnabled } from '../lib/config.js';
 import { createStoreBranches } from '../lib/git.js';
 import { scaffoldWorkflows } from '../lib/workflows.js';
@@ -13,6 +13,7 @@ import {
   listGitLabVariables,
   getStoreUrlSecretForNewStore,
   getSecretsToPromptForNewStore,
+  validateThemeAccessToken,
   setSecret,
   setGitLabVariable,
 } from '../lib/github-secrets.js';
@@ -109,15 +110,29 @@ export async function addStoreCommand() {
         for (let i = 0; i < secretsToPrompt.length; i++) {
           const secret = secretsToPrompt[i];
           const value = await promptSecretValue(secret, i, total);
-          if (value) {
-            try {
-              await setter.set(secret.name, value);
-              console.log(pc.green(`  Set ${secret.name}.`));
-              setCount++;
-            } catch (err) {
-              console.log(pc.red(`  Failed to set ${secret.name}: ${err.message}`));
+          if (!value) continue;
+
+          const isThemeToken = secret.name === 'SHOPIFY_THEME_ACCESS_TOKEN' || secret.name.startsWith('SHOPIFY_THEME_ACCESS_TOKEN_');
+          if (isThemeToken && store.domain) {
+            const doTest = await promptTestThemeToken();
+            if (doTest) {
+              const result = await validateThemeAccessToken(store.domain, value);
+              if (!result.ok) {
+                console.log(pc.red(`  Token test failed: ${result.error}`));
+                console.log(pc.dim('  Secret not set. You can add it later in repo Settings → Secrets.'));
+                continue;
+              }
+              console.log(pc.green('  Token validated against store.'));
             }
           }
+
+          try {
+            await setter.set(secret.name, value);
+            console.log(pc.green(`  Set ${secret.name}.`));
+            setCount++;
+          } catch (err) {
+            console.log(pc.red(`  Failed to set ${secret.name}: ${err.message}`));
+          }
         }
         if (setCount > 0) {
           console.log(pc.green(`\n  Done. ${setCount} secret(s) set for store "${store.alias}".\n`));

package/src/commands/init.js

@@ -7,9 +7,10 @@ import {
   promptConfigureCISecrets,
   promptUpdateExistingSecrets,
   promptSecretValue,
+  promptTestThemeToken,
 } from '../lib/prompts.js';
 import { readConfig, writeConfig } from '../lib/config.js';
-import { ensureGitRepo, ensureInitialCommit, ensureStagingBranch, createStoreBranches } from '../lib/git.js';
+import { ensureGitRepo, ensureInitialCommit, ensureStagingBranch, createStoreBranches, getSuggestedTagForRelease } from '../lib/git.js';
 import { scaffoldWorkflows } from '../lib/workflows.js';
 import { createStoreDirectories } from '../lib/store-sync.js';
 import {
@@ -21,6 +22,8 @@ import {
   listGitLabVariables,
   getStoreUrlSecretsFromConfig,
   getSecretsToPrompt,
+  getStoreUrlForThemeTokenSecret,
+  validateThemeAccessToken,
   setSecret,
   setGitLabVariable,
 } from '../lib/github-secrets.js';
@@ -93,10 +96,12 @@ async function runInitFlow() {
   console.log(pc.dim(`  Preview workflows: ${enablePreviewWorkflows ? 'enabled' : 'disabled'}`));
   console.log(pc.dim(`  Build workflows: ${enableBuildWorkflows ? 'enabled' : 'disabled'}`));
 
+  const suggestedTag = getSuggestedTagForRelease();
+  const tagLabel = suggestedTag === 'v1.0.0' ? 'Tag your first release' : 'Tag your next release';
   console.log(pc.dim('\n  Next steps:'));
   console.log(pc.dim('    1. Add GEMINI_API_KEY to your CI secrets (or configure below)'));
   console.log(pc.dim('    2. Push to GitHub/GitLab and start using the branching workflow'));
-  console.log(pc.dim('    3. Tag your first release: git tag v1.0.0\n'));
+  console.log(pc.dim(`    3. ${tagLabel}: git tag ${suggestedTag}\n`));
 
   const ciHost = await promptConfigureCISecrets();
   if (ciHost === 'skip') return;
@@ -167,15 +172,32 @@ async function runInitFlow() {
   for (let i = 0; i < secretsToPrompt.length; i++) {
     const secret = secretsToPrompt[i];
     const value = await promptSecretValue(secret, i, total);
-    if (value) {
-      try {
-        await setter.set(secret.name, value);
-        console.log(pc.green(`  Set ${secret.name}.`));
-        setCount++;
-      } catch (err) {
-        console.log(pc.red(`  Failed to set ${secret.name}: ${err.message}`));
+    if (!value) continue;
+
+    const isThemeToken =
+      secret.name === 'SHOPIFY_THEME_ACCESS_TOKEN' || secret.name.startsWith('SHOPIFY_THEME_ACCESS_TOKEN_');
+    const storeUrl = isThemeToken ? getStoreUrlForThemeTokenSecret(secret.name, stores) : null;
+
+    if (storeUrl) {
+      const doTest = await promptTestThemeToken();
+      if (doTest) {
+        const result = await validateThemeAccessToken(storeUrl, value);
+        if (!result.ok) {
+          console.log(pc.red(`  Token test failed: ${result.error}`));
+          console.log(pc.dim('  Secret not set. You can add it later in repo Settings → Secrets.'));
+          continue;
+        }
+        console.log(pc.green('  Token validated against store.'));
       }
     }
+
+    try {
+      await setter.set(secret.name, value);
+      console.log(pc.green(`  Set ${secret.name}.`));
+      setCount++;
+    } catch (err) {
+      console.log(pc.red(`  Failed to set ${secret.name}: ${err.message}`));
+    }
   }
   if (setCount > 0) {
     console.log(pc.green(`\n  Done. ${setCount} secret(s) set for this repository.\n`));
@@ -186,13 +208,13 @@ export async function initCommand() {
   console.log(pc.bold('\n  climaybe — Shopify CI/CD Setup\n'));
 
   const existing = readConfig();
-  const alreadyInited = existing?.stores && Object.keys(existing.stores).length > 0;
+  const hasConfig = existing != null && typeof existing === 'object';
 
-  if (alreadyInited) {
+  if (hasConfig) {
     const { reinit } = await prompts({
       type: 'confirm',
       name: 'reinit',
-      message: 'This repo already has a climaybe config. Reinitialize? This will remove your current stores and workflow settings.',
+      message: 'This repo already has a climaybe config. Clear everything and reinitialize from scratch?',
       initial: false,
     });
     if (!reinit) {

package/src/index.js

@@ -7,14 +7,15 @@ import { updateWorkflowsCommand } from './commands/update-workflows.js';
 
 /**
  * Create the CLI program (for testing and for run).
+ * @param {string} [version] - Version string (from bin/cli.js when run as CLI; from package.json in tests).
  */
-export function createProgram() {
+export function createProgram(version = '0.0.0') {
   const program = new Command();
 
   program
     .name('climaybe')
     .description('Shopify CI/CD CLI — scaffolds workflows, branch strategy, and store config')
-    .version('1.0.0');
+    .version(version);
 
   program
     .command('init')
@@ -51,6 +52,6 @@ export function createProgram() {
   return program;
 }
 
-export function run(argv) {
-  createProgram().parse(argv);
+export function run(argv, version) {
+  createProgram(version).parse(argv);
 }

package/src/lib/config.js

@@ -1,5 +1,6 @@
 import { readFileSync, writeFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
+import { getLatestTagVersion } from './git.js';
 
 const PKG = 'package.json';
 
@@ -45,9 +46,16 @@ export function readConfig(cwd = process.cwd()) {
 export function writeConfig(config, cwd = process.cwd()) {
   let pkg = readPkg(cwd);
   if (!pkg) {
+    let version = '1.0.0';
+    try {
+      const fromTags = getLatestTagVersion(cwd);
+      if (fromTags) version = fromTags;
+    } catch {
+      // not a git repo or no tags
+    }
     pkg = {
       name: 'shopify-theme',
-      version: '1.0.0',
+      version,
       private: true,
       config: {},
     };

package/src/lib/git.js

@@ -106,3 +106,31 @@ export function ensureGitRepo(cwd = process.cwd()) {
     console.log(pc.green('  Initialized git repository.'));
   }
 }
+
+/**
+ * Get the latest tag version (e.g. "1.2.3") from v* tags, or null if none.
+ * Sorts by version so v2.0.0 > v1.9.9.
+ */
+export function getLatestTagVersion(cwd = process.cwd()) {
+  try {
+    const out = exec('git tag -l "v*" --sort=-v:refname', cwd);
+    const first = out.split(/\n/)[0]?.trim();
+    if (!first || !first.startsWith('v')) return null;
+    const match = first.replace(/^v/, '').match(/^(\d+)\.(\d+)\.(\d+)(?:-|$)/);
+    return match ? `${match[1]}.${match[2]}.${match[3]}` : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Suggested tag for next release: v1.0.0 if no tags, else next patch (e.g. v1.2.3 → v1.2.4).
+ */
+export function getSuggestedTagForRelease(cwd = process.cwd()) {
+  const latest = getLatestTagVersion(cwd);
+  if (!latest) return 'v1.0.0';
+  const parts = latest.split('.').map(Number);
+  if (parts.length < 3) return 'v1.0.0';
+  parts[2] += 1;
+  return `v${parts[0]}.${parts[1]}.${parts[2]}`;
+}

package/src/lib/github-secrets.js

@@ -1,5 +1,4 @@
-import { spawn } from 'node:child_process';
-import { execSync } from 'node:child_process';
+import { spawn, spawnSync, execSync } from 'node:child_process';
 import pc from 'picocolors';
 
 /**
@@ -24,12 +23,12 @@ export const SECRET_DEFINITIONS = [
       'Your theme’s store URL in Shopify Admin → Settings → Domains, or use the .myshopify.com URL.',
   },
   {
-    name: 'SHOPIFY_CLI_THEME_TOKEN',
+    name: 'SHOPIFY_THEME_ACCESS_TOKEN',
     required: true,
     condition: 'preview',
-    description: 'Theme access token so CI can push preview themes to your store',
+    description: 'Theme access token so CI can push preview themes (password from Shopify Theme Access app)',
     whereToGet:
-      'Shopify Partners: your app → Theme library access → Create theme access token. Or: Shopify Admin → Apps → Develop apps → your app → API credentials → Theme access.',
+      'Install the Theme Access app from Shopify: it gives you a password — that password is your theme access token.',
   },
   {
     name: 'SHOP_ACCESS_TOKEN',
@@ -80,12 +79,31 @@ export function hasGitHubRemote(cwd = process.cwd()) {
   }
 }
 
+/**
+ * Get GitHub repo as "owner/repo" from origin remote. Returns null if not a GitHub URL or parse fails.
+ * Used to pass -R to gh when the repo has multiple remotes.
+ */
+export function getGitHubRepoSpec(cwd = process.cwd()) {
+  try {
+    const url = execSync('git remote get-url origin', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    // https://github.com/owner/repo[.git] or git@github.com:owner/repo[.git]
+    const m = url.match(/github\.com[/:]([^/]+)\/([^/]+?)(?:\.git)?$/i);
+    return m ? `${m[1]}/${m[2]}` : null;
+  } catch {
+    return null;
+  }
+}
+
 /**
  * List repository secret names (GitHub). Returns [] on error or if none.
  */
 export function listGitHubSecrets(cwd = process.cwd()) {
   try {
-    const out = execSync('gh secret list --json name', { cwd, encoding: 'utf-8', stdio: 'pipe' }).trim();
+    const repo = getGitHubRepoSpec(cwd);
+    const args = ['secret', 'list', '--json', 'name'];
+    if (repo) args.push('-R', repo);
+    const result = spawnSync('gh', args, { cwd, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    const out = (result.stdout || '').trim();
     const data = JSON.parse(out || '[]');
     return Array.isArray(data) ? data.map((s) => s.name).filter(Boolean) : [];
   } catch {
@@ -109,11 +127,16 @@ export function listGitLabVariables(cwd = process.cwd()) {
 
 /**
  * Set a repository secret via gh CLI. Value is passed via stdin to avoid argv exposure.
+ * Uses -R owner/repo from origin when available so gh works with multiple remotes.
  */
-export function setSecret(name, value) {
+export function setSecret(name, value, cwd = process.cwd()) {
   return new Promise((resolve, reject) => {
-    const child = spawn('gh', ['secret', 'set', name], {
+    const repo = getGitHubRepoSpec(cwd);
+    const args = ['secret', 'set', name];
+    if (repo) args.push('-R', repo);
+    const child = spawn('gh', args, {
       stdio: ['pipe', 'inherit', 'inherit'],
+      cwd,
     });
     child.on('error', reject);
     child.on('close', (code) => (code === 0 ? resolve() : reject(new Error(`gh secret set exited with ${code}`))));
@@ -174,6 +197,44 @@ export function aliasToSecretSuffix(alias) {
   return String(alias).replace(/-/g, '_').toUpperCase();
 }
 
+/**
+ * Get store domain for a theme token secret name (single or SHOPIFY_THEME_ACCESS_TOKEN_<ALIAS>).
+ * Returns store domain or null if not found.
+ */
+export function getStoreUrlForThemeTokenSecret(secretName, stores = []) {
+  if (!stores.length) return null;
+  if (secretName === 'SHOPIFY_THEME_ACCESS_TOKEN') return stores[0]?.domain ?? null;
+  if (!secretName.startsWith('SHOPIFY_THEME_ACCESS_TOKEN_')) return null;
+  const suffix = secretName.replace('SHOPIFY_THEME_ACCESS_TOKEN_', '');
+  const store = stores.find((s) => aliasToSecretSuffix(s.alias) === suffix);
+  return store?.domain ?? null;
+}
+
+/**
+ * Test theme access token against the store (read-only list). Never logs or persists the token.
+ * Returns { ok: true } or { ok: false, error: string }. Safe to call; token only sent to Shopify CLI.
+ */
+export function validateThemeAccessToken(storeUrl, token) {
+  if (!storeUrl || !token) return { ok: false, error: 'Missing store URL or token' };
+  return new Promise((resolve) => {
+    const child = spawn('shopify', ['theme', 'list', '--store', storeUrl, '--password', token], {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      env: { ...process.env },
+    });
+    let stderr = '';
+    child.stderr?.on('data', (chunk) => {
+      stderr += String(chunk);
+    });
+    child.on('error', (err) => {
+      resolve({ ok: false, error: err.code === 'ENOENT' ? 'Shopify CLI not installed (npm install -g @shopify/cli @shopify/theme)' : err.message });
+    });
+    child.on('close', (code) => {
+      if (code === 0) resolve({ ok: true });
+      else resolve({ ok: false, error: stderr.trim() || `Exit code ${code}` });
+    });
+  });
+}
+
 /**
  * Store URL secrets are set from config (store domains added during init), not prompted.
  * Returns [{ name, value }] for SHOPIFY_STORE_URL and/or SHOPIFY_STORE_URL_<ALIAS>.
@@ -202,7 +263,7 @@ export function getStoreUrlSecretsFromConfig({ enablePreviewWorkflows, enableBui
 
 /**
  * Get secrets we need to prompt for (excludes store URLs; those are set from config).
- * Theme token(s) are required when preview is enabled.
+ * Theme token(s) are required when preview is enabled. In multi-store, all Shopify tokens are per-store.
  */
 export function getSecretsToPrompt({ enablePreviewWorkflows, enableBuildWorkflows, mode = 'single', stores = [] }) {
   const isMulti = mode === 'multi' && stores.length > 1;
@@ -216,23 +277,46 @@ export function getSecretsToPrompt({ enablePreviewWorkflows, enableBuildWorkflow
     return false;
   });
 
-  const dropPreviewGeneric =
-    isMulti && enablePreviewWorkflows
-      ? (s) => s.name !== 'SHOPIFY_CLI_THEME_TOKEN'
+  // Multi-store: drop generic Shopify tokens; we prompt per-store below
+  const dropForMulti =
+    isMulti
+      ? (s) =>
+          s.name !== 'SHOPIFY_THEME_ACCESS_TOKEN' &&
+          s.name !== 'SHOP_ACCESS_TOKEN' &&
+          s.name !== 'SHOP_PASSWORD'
       : () => true;
 
-  let list = base.filter(dropPreviewGeneric);
+  let list = base.filter(dropForMulti);
 
-  if (isMulti && enablePreviewWorkflows) {
+  // Multi-store: prompt per store (theme token, then access token + password if build) so user configures one store at a time
+  if (isMulti) {
     for (const store of stores) {
       const suffix = aliasToSecretSuffix(store.alias);
-      list.push({
-        name: `SHOPIFY_CLI_THEME_TOKEN_${suffix}`,
-        required: true,
-        description: `Store ${store.alias}: Theme access token for CI (staging/live use this for ${store.alias})`,
-        whereToGet:
-          'Shopify Partners or Admin → Apps → Develop apps → your app → Theme access for this store.',
-      });
+      if (enablePreviewWorkflows) {
+        list.push({
+          name: `SHOPIFY_THEME_ACCESS_TOKEN_${suffix}`,
+          required: true,
+          description: `Store ${store.alias}: Theme access token (password from Theme Access app)`,
+          whereToGet: 'Theme Access app in Shopify — the password it gives is the token for this store.',
+        });
+      }
+      if (enableBuildWorkflows) {
+        list.push(
+          {
+            name: `SHOP_ACCESS_TOKEN_${suffix}`,
+            required: false,
+            description: `Store ${store.alias}: API access token for Lighthouse`,
+            whereToGet:
+              'Shopify Admin → Develop apps → your app → API credentials (Admin/storefront access).',
+          },
+          {
+            name: `SHOP_PASSWORD_${suffix}`,
+            required: false,
+            description: `Store ${store.alias}: Storefront password if protected (optional)`,
+            whereToGet: 'Storefront password in Shopify Admin for this store.',
+          }
+        );
+      }
     }
   }
 
@@ -247,17 +331,28 @@ export function getStoreUrlSecretForNewStore(store) {
 }
 
 /**
- * Per-store secret to prompt for when adding a store (theme token only; URL is set from store.domain).
+ * Per-store secrets to prompt for when adding a store (URL is set from store.domain).
  */
 export function getSecretsToPromptForNewStore(store) {
   const suffix = aliasToSecretSuffix(store.alias);
   return [
     {
-      name: `SHOPIFY_CLI_THEME_TOKEN_${suffix}`,
+      name: `SHOPIFY_THEME_ACCESS_TOKEN_${suffix}`,
       required: true,
-      description: `Store ${store.alias}: Theme access token for CI (staging/live use this for ${store.alias})`,
-      whereToGet:
-        'Shopify Partners or Admin → Apps → Develop apps → your app → Theme access for this store.',
+      description: `Store ${store.alias}: Theme access token (password from Theme Access app)`,
+      whereToGet: 'Theme Access app in Shopify — the password it gives is the token for this store.',
+    },
+    {
+      name: `SHOP_ACCESS_TOKEN_${suffix}`,
+      required: false,
+      description: `Store ${store.alias}: API access token for Lighthouse (if using build workflows)`,
+      whereToGet: 'Shopify Admin → Develop apps → your app → API credentials.',
+    },
+    {
+      name: `SHOP_PASSWORD_${suffix}`,
+      required: false,
+      description: `Store ${store.alias}: Storefront password if protected (optional)`,
+      whereToGet: 'Storefront password in Shopify Admin for this store.',
     },
   ];
 }

package/src/lib/prompts.js

@@ -225,3 +225,16 @@ export async function promptSecretValue(secret, index, total) {
   if (!trimmed && !secret.required) return null;
   return trimmed || null;
 }
+
+/**
+ * Ask whether to test the theme token against the store now. Returns true to test, false to skip.
+ */
+export async function promptTestThemeToken() {
+  const { test } = await prompts({
+    type: 'confirm',
+    name: 'test',
+    message: 'Test this token against the store now?',
+    initial: true,
+  });
+  return !!test;
+}

package/src/workflows/multi/pr-to-live.yml

@@ -22,7 +22,7 @@ jobs:
       pull-requests: write
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      SHOPIFY_CLI_THEME_TOKEN: ${{ secrets.SHOPIFY_CLI_THEME_TOKEN }}
+      SHOPIFY_THEME_ACCESS_TOKEN: ${{ secrets.SHOPIFY_THEME_ACCESS_TOKEN }}
     steps:
       - uses: actions/checkout@v4
 
@@ -72,8 +72,8 @@ jobs:
 
       - name: Create PR to live branch
         env:
-          SHOPIFY_CLI_THEME_TOKEN_SCOPED: ${{ secrets[format('SHOPIFY_CLI_THEME_TOKEN_{0}', steps.alias.outputs.alias_secret)] }}
-          SHOPIFY_CLI_THEME_TOKEN_DEFAULT: ${{ secrets.SHOPIFY_CLI_THEME_TOKEN }}
+          SHOPIFY_THEME_ACCESS_TOKEN_SCOPED: ${{ secrets[format('SHOPIFY_THEME_ACCESS_TOKEN_{0}', steps.alias.outputs.alias_secret)] }}
+          SHOPIFY_THEME_ACCESS_TOKEN_DEFAULT: ${{ secrets.SHOPIFY_THEME_ACCESS_TOKEN }}
         run: |
           STAGING="${{ steps.alias.outputs.staging_branch }}"
           LIVE="${{ steps.alias.outputs.live_branch }}"
@@ -81,7 +81,7 @@ jobs:
           DOMAIN="${{ steps.store.outputs.domain }}"
           STAGING_THEME_ID=""
           REPO_NAME="${GITHUB_REPOSITORY#*/}"
-          SHOPIFY_TOKEN="${SHOPIFY_CLI_THEME_TOKEN_SCOPED:-$SHOPIFY_CLI_THEME_TOKEN_DEFAULT}"
+          SHOPIFY_TOKEN="${SHOPIFY_THEME_ACCESS_TOKEN_SCOPED:-$SHOPIFY_THEME_ACCESS_TOKEN_DEFAULT}"
 
           # Check if live branch exists
           if ! git ls-remote --heads origin "$LIVE" | grep -q "$LIVE"; then

package/src/workflows/preview/pr-update.yml

@@ -69,19 +69,19 @@ jobs:
       - name: Validate Shopify credentials
         env:
           SHOPIFY_STORE_URL_SCOPED: ${{ secrets[format('SHOPIFY_STORE_URL_{0}', steps.resolve.outputs.alias_secret)] }}
-          SHOPIFY_CLI_THEME_TOKEN_SCOPED: ${{ secrets[format('SHOPIFY_CLI_THEME_TOKEN_{0}', steps.resolve.outputs.alias_secret)] }}
+          SHOPIFY_THEME_ACCESS_TOKEN_SCOPED: ${{ secrets[format('SHOPIFY_THEME_ACCESS_TOKEN_{0}', steps.resolve.outputs.alias_secret)] }}
           SHOPIFY_STORE_URL_DEFAULT: ${{ secrets.SHOPIFY_STORE_URL }}
-          SHOPIFY_CLI_THEME_TOKEN_DEFAULT: ${{ secrets.SHOPIFY_CLI_THEME_TOKEN }}
+          SHOPIFY_THEME_ACCESS_TOKEN_DEFAULT: ${{ secrets.SHOPIFY_THEME_ACCESS_TOKEN }}
         run: |
           SHOPIFY_STORE_URL="${SHOPIFY_STORE_URL_SCOPED:-$SHOPIFY_STORE_URL_DEFAULT}"
-          SHOPIFY_CLI_THEME_TOKEN="${SHOPIFY_CLI_THEME_TOKEN_SCOPED:-$SHOPIFY_CLI_THEME_TOKEN_DEFAULT}"
+          SHOPIFY_THEME_ACCESS_TOKEN="${SHOPIFY_THEME_ACCESS_TOKEN_SCOPED:-$SHOPIFY_THEME_ACCESS_TOKEN_DEFAULT}"
 
           if [ -z "$SHOPIFY_STORE_URL" ]; then
             echo "No store URL secret found. Expected SHOPIFY_STORE_URL_${{ steps.resolve.outputs.alias_secret }} or SHOPIFY_STORE_URL."
             exit 1
           fi
-          if [ -z "$SHOPIFY_CLI_THEME_TOKEN" ]; then
-            echo "No theme token secret found. Expected SHOPIFY_CLI_THEME_TOKEN_${{ steps.resolve.outputs.alias_secret }} or SHOPIFY_CLI_THEME_TOKEN."
+          if [ -z "$SHOPIFY_THEME_ACCESS_TOKEN" ]; then
+            echo "No theme token secret found. Expected SHOPIFY_THEME_ACCESS_TOKEN_${{ steps.resolve.outputs.alias_secret }} or SHOPIFY_THEME_ACCESS_TOKEN."
             exit 1
           fi
           echo "Shopify credentials are configured for alias: ${{ steps.resolve.outputs.alias }}"
@@ -94,7 +94,7 @@ jobs:
       store_alias: ${{ needs.validate-environment.outputs.store_alias }}
     secrets:
       SHOPIFY_STORE_URL: ${{ secrets[format('SHOPIFY_STORE_URL_{0}', needs.validate-environment.outputs.store_alias_secret)] || secrets.SHOPIFY_STORE_URL }}
-      SHOPIFY_CLI_THEME_TOKEN: ${{ secrets[format('SHOPIFY_CLI_THEME_TOKEN_{0}', needs.validate-environment.outputs.store_alias_secret)] || secrets.SHOPIFY_CLI_THEME_TOKEN }}
+      SHOPIFY_THEME_ACCESS_TOKEN: ${{ secrets[format('SHOPIFY_THEME_ACCESS_TOKEN_{0}', needs.validate-environment.outputs.store_alias_secret)] || secrets.SHOPIFY_THEME_ACCESS_TOKEN }}
 
   rename-theme:
     needs: [share-theme, extract-pr-number, validate-environment]
@@ -106,7 +106,7 @@ jobs:
       store_alias: ${{ needs.validate-environment.outputs.store_alias }}
     secrets:
       SHOPIFY_STORE_URL: ${{ secrets[format('SHOPIFY_STORE_URL_{0}', needs.validate-environment.outputs.store_alias_secret)] || secrets.SHOPIFY_STORE_URL }}
-      SHOPIFY_CLI_THEME_TOKEN: ${{ secrets[format('SHOPIFY_CLI_THEME_TOKEN_{0}', needs.validate-environment.outputs.store_alias_secret)] || secrets.SHOPIFY_CLI_THEME_TOKEN }}
+      SHOPIFY_THEME_ACCESS_TOKEN: ${{ secrets[format('SHOPIFY_THEME_ACCESS_TOKEN_{0}', needs.validate-environment.outputs.store_alias_secret)] || secrets.SHOPIFY_THEME_ACCESS_TOKEN }}
 
   comment-on-pr:
     needs: [share-theme, rename-theme, extract-pr-number, validate-environment]

package/src/workflows/preview/reusable-cleanup-themes.yml

@@ -29,17 +29,17 @@ jobs:
         id: cleanup
         env:
           SHOPIFY_STORE_URL: ${{ secrets.SHOPIFY_STORE_URL }}
-          SHOPIFY_CLI_THEME_TOKEN: ${{ secrets.SHOPIFY_CLI_THEME_TOKEN }}
+          SHOPIFY_THEME_ACCESS_TOKEN: ${{ secrets.SHOPIFY_THEME_ACCESS_TOKEN }}
           PR_NUMBER: ${{ inputs.pr_number }}
         run: |
-          if [ -z "$SHOPIFY_STORE_URL" ] || [ -z "$SHOPIFY_CLI_THEME_TOKEN" ]; then
+          if [ -z "$SHOPIFY_STORE_URL" ] || [ -z "$SHOPIFY_THEME_ACCESS_TOKEN" ]; then
             echo "Missing Shopify secrets."
             exit 1
           fi
 
           THEME_LIST=$(shopify theme list \
             --store "$SHOPIFY_STORE_URL" \
-            --password "$SHOPIFY_CLI_THEME_TOKEN" \
+            --password "$SHOPIFY_THEME_ACCESS_TOKEN" \
             --json 2>/dev/null || echo "[]")
 
           DELETED_COUNT=0
@@ -52,7 +52,7 @@ jobs:
             if printf "%s" "$THEME_NAME" | grep -q "PR${PR_NUMBER}"; then
               if shopify theme delete \
                 --store "$SHOPIFY_STORE_URL" \
-                --password "$SHOPIFY_CLI_THEME_TOKEN" \
+                --password "$SHOPIFY_THEME_ACCESS_TOKEN" \
                 --force \
                 --theme "$THEME_ID" 2>/dev/null; then
                 DELETED_COUNT=$((DELETED_COUNT + 1))

package/src/workflows/preview/reusable-rename-theme.yml

@@ -26,7 +26,7 @@ on:
     secrets:
       SHOPIFY_STORE_URL:
         required: false
-      SHOPIFY_CLI_THEME_TOKEN:
+      SHOPIFY_THEME_ACCESS_TOKEN:
         required: false
 
 jobs:
@@ -39,7 +39,7 @@ jobs:
       - name: Rename theme
         env:
           SHOPIFY_STORE_URL: ${{ secrets.SHOPIFY_STORE_URL }}
-          SHOPIFY_CLI_THEME_TOKEN: ${{ secrets.SHOPIFY_CLI_THEME_TOKEN }}
+          SHOPIFY_THEME_ACCESS_TOKEN: ${{ secrets.SHOPIFY_THEME_ACCESS_TOKEN }}
           THEME_ID: ${{ inputs.theme_id }}
           THEME_NAME: ${{ inputs.theme_name }}
           PR_NUMBER: ${{ inputs.pr_number }}
@@ -48,7 +48,7 @@ jobs:
             echo "Missing theme_id/theme_name."
             exit 1
           fi
-          if [ -z "$SHOPIFY_STORE_URL" ] || [ -z "$SHOPIFY_CLI_THEME_TOKEN" ]; then
+          if [ -z "$SHOPIFY_STORE_URL" ] || [ -z "$SHOPIFY_THEME_ACCESS_TOKEN" ]; then
             echo "Missing Shopify store URL/token for rename."
             exit 1
           fi
@@ -58,7 +58,7 @@ jobs:
 
           if shopify theme rename \
             --store "$SHOPIFY_STORE_URL" \
-            --password "$SHOPIFY_CLI_THEME_TOKEN" \
+            --password "$SHOPIFY_THEME_ACCESS_TOKEN" \
             --theme "$THEME_ID" \
             --name "$NEW_THEME_NAME" 2>&1; then
             echo "Rename succeeded with password auth."

package/src/workflows/preview/reusable-share-theme.yml

@@ -28,7 +28,7 @@ on:
     secrets:
       SHOPIFY_STORE_URL:
         required: false
-      SHOPIFY_CLI_THEME_TOKEN:
+      SHOPIFY_THEME_ACCESS_TOKEN:
         required: false
 
 jobs:
@@ -56,16 +56,16 @@ jobs:
         id: share
         env:
           SHOPIFY_STORE_URL: ${{ secrets.SHOPIFY_STORE_URL }}
-          SHOPIFY_CLI_THEME_TOKEN: ${{ secrets.SHOPIFY_CLI_THEME_TOKEN }}
+          SHOPIFY_THEME_ACCESS_TOKEN: ${{ secrets.SHOPIFY_THEME_ACCESS_TOKEN }}
         run: |
-          if [ -z "$SHOPIFY_STORE_URL" ] || [ -z "$SHOPIFY_CLI_THEME_TOKEN" ]; then
+          if [ -z "$SHOPIFY_STORE_URL" ] || [ -z "$SHOPIFY_THEME_ACCESS_TOKEN" ]; then
             echo "Missing Shopify secrets."
             exit 1
           fi
 
           OUTPUT=$(shopify theme share \
             --store "$SHOPIFY_STORE_URL" \
-            --password "$SHOPIFY_CLI_THEME_TOKEN" 2>&1)
+            --password "$SHOPIFY_THEME_ACCESS_TOKEN" 2>&1)
           STATUS=$?
 
           echo "$OUTPUT"