create-svc 0.1.10 → 0.1.11

package/templates/root/scripts/cloudrun/lib.ts

@@ -1,244 +0,0 @@
-import { config, manifestEnv } from "./config";
-
-type CommandOptions = {
-  allowFailure?: boolean;
-  capture?: boolean;
-  input?: string;
-};
-
-const decoder = new TextDecoder();
-
-export function requireCommand(name: string) {
-  if (!Bun.which(name)) {
-    throw new Error(`missing required command: ${name}`);
-  }
-}
-
-export function run(command: string, args: string[], options: CommandOptions = {}) {
-  const result = Bun.spawnSync([command, ...args], {
-    cwd: process.cwd(),
-    env: process.env,
-    stdin: options.input,
-    stdout: options.capture || options.allowFailure ? "pipe" : "inherit",
-    stderr: options.capture || options.allowFailure ? "pipe" : "inherit",
-  });
-
-  const stdout = result.stdout ? decoder.decode(result.stdout).trim() : "";
-  const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
-
-  if (!result.success && !options.allowFailure) {
-    throw new Error([`command failed: ${command} ${args.join(" ")}`, stdout, stderr].filter(Boolean).join("\n"));
-  }
-
-  return {
-    success: result.success,
-    stdout,
-    stderr,
-    exitCode: result.exitCode,
-  };
-}
-
-export function gcloud(args: string[], options: CommandOptions = {}) {
-  return run("gcloud", args, options);
-}
-
-export function gh(args: string[], options: CommandOptions = {}) {
-  return run("gh", args, options);
-}
-
-export function ensureServiceAccount(email: string) {
-  if (gcloud(["iam", "service-accounts", "describe", email, "--project", config.projectId], { allowFailure: true }).success) {
-    return;
-  }
-
-  const accountId = email.split("@")[0] ?? email;
-  gcloud(["iam", "service-accounts", "create", accountId, "--project", config.projectId, "--display-name", accountId]);
-}
-
-export function ensureProjectRole(member: string, role: string) {
-  gcloud(["projects", "add-iam-policy-binding", config.projectId, "--member", member, "--role", role]);
-}
-
-export function ensureServiceAccountRole(serviceAccount: string, member: string, role: string) {
-  gcloud([
-    "iam",
-    "service-accounts",
-    "add-iam-policy-binding",
-    serviceAccount,
-    "--project",
-    config.projectId,
-    "--member",
-    member,
-    "--role",
-    role,
-  ]);
-}
-
-export function ensureSecret(secretName: string, bootstrapEnv: string) {
-  if (gcloud(["secrets", "describe", secretName, "--project", config.projectId], { allowFailure: true }).success) {
-    return;
-  }
-
-  const value = process.env[bootstrapEnv]?.trim() ?? "";
-  if (!value) {
-    throw new Error(`missing bootstrap value for secret ${secretName}; set ${bootstrapEnv}`);
-  }
-
-  gcloud(["secrets", "create", secretName, "--project", config.projectId, "--replication-policy", "automatic"]);
-  gcloud(["secrets", "versions", "add", secretName, "--project", config.projectId, "--data-file=-"], { input: value });
-}
-
-export function ensureSecretAccessor(secretName: string, member: string) {
-  gcloud(["secrets", "add-iam-policy-binding", secretName, "--project", config.projectId, "--member", member, "--role", "roles/secretmanager.secretAccessor"]);
-}
-
-export function projectNumber() {
-  return gcloud(["projects", "describe", config.projectId, "--format=value(projectNumber)"], { capture: true }).stdout;
-}
-
-export function workloadIdentityPoolResource() {
-  return `projects/${projectNumber()}/locations/global/workloadIdentityPools/${config.workloadIdentityPoolId}`;
-}
-
-export function workloadIdentityProviderResource() {
-  return `${workloadIdentityPoolResource()}/providers/${config.workloadIdentityProviderId}`;
-}
-
-export function ensureWorkloadIdentityPool() {
-  if (
-    gcloud(["iam", "workload-identity-pools", "describe", config.workloadIdentityPoolId, "--project", config.projectId, "--location", "global"], {
-      allowFailure: true,
-    }).success
-  ) {
-    return;
-  }
-
-  gcloud([
-    "iam",
-    "workload-identity-pools",
-    "create",
-    config.workloadIdentityPoolId,
-    "--project",
-    config.projectId,
-    "--location",
-    "global",
-    "--display-name",
-    "GitHub Actions",
-  ]);
-}
-
-export function ensureWorkloadIdentityProvider() {
-  if (
-    gcloud(
-      [
-        "iam",
-        "workload-identity-pools",
-        "providers",
-        "describe",
-        config.workloadIdentityProviderId,
-        "--project",
-        config.projectId,
-        "--location",
-        "global",
-        "--workload-identity-pool",
-        config.workloadIdentityPoolId,
-      ],
-      { allowFailure: true }
-    ).success
-  ) {
-    return;
-  }
-
-  gcloud([
-    "iam",
-    "workload-identity-pools",
-    "providers",
-    "create-oidc",
-    config.workloadIdentityProviderId,
-    "--project",
-    config.projectId,
-    "--location",
-    "global",
-    "--workload-identity-pool",
-    config.workloadIdentityPoolId,
-    "--display-name",
-    `${config.serviceName} GitHub`,
-    "--issuer-uri",
-    "https://token.actions.githubusercontent.com",
-    "--attribute-mapping",
-    "google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner",
-    "--attribute-condition",
-    `assertion.repository=='${config.githubRepo}'`,
-  ]);
-}
-
-export function setGithubVariable(name: string, value: string) {
-  gh(["variable", "set", name, "--repo", config.githubRepo, "--body", value]);
-}
-
-export function setGithubSecret(name: string, value: string) {
-  gh(["secret", "set", name, "--repo", config.githubRepo], { input: value });
-}
-
-export function ensureArtifactRepository() {
-  if (
-    gcloud(
-      ["artifacts", "repositories", "describe", config.artifactRepository, "--project", config.projectId, "--location", config.region],
-      { allowFailure: true }
-    ).success
-  ) {
-    return;
-  }
-
-  gcloud([
-    "artifacts",
-    "repositories",
-    "create",
-    config.artifactRepository,
-    "--project",
-    config.projectId,
-    "--location",
-    config.region,
-    "--repository-format",
-    "docker",
-  ]);
-}
-
-export function imageTag() {
-  const gitSha = run("git", ["rev-parse", "--short", "HEAD"], { allowFailure: true, capture: true }).stdout;
-  return gitSha || `${Date.now()}`;
-}
-
-export function imageUrl(tag = imageTag()) {
-  return `${config.region}-docker.pkg.dev/${config.projectId}/${config.artifactRepository}/${config.serviceName}:${tag}`;
-}
-
-export async function renderManifest(image: string) {
-  const template = await Bun.file(new URL("../../service.yaml", import.meta.url)).text();
-  const values = {
-    ...manifestEnv,
-    IMAGE_URL: image,
-  };
-
-  return template.replace(/\$\{([A-Z0-9_]+)\}/g, (_, key: string) => {
-    const value = values[key as keyof typeof values];
-    if (!value) {
-      throw new Error(`missing manifest value for ${key}`);
-    }
-    return value;
-  });
-}
-
-export async function writeRenderedManifest(image: string) {
-  const rendered = await renderManifest(image);
-  const path = new URL("../../.cloudrun.rendered.yaml", import.meta.url);
-  await Bun.write(path, rendered);
-  return path;
-}
-
-export function serviceUrl() {
-  return gcloud(
-    ["run", "services", "describe", config.serviceName, "--project", config.projectId, "--region", config.region, "--format=value(status.url)"],
-    { capture: true }
-  ).stdout;
-}

package/templates/root/service.yaml

@@ -1,50 +0,0 @@
-apiVersion: serving.knative.dev/v1
-kind: Service
-metadata:
-  name: ${SERVICE_NAME}
-  annotations:
-    run.googleapis.com/ingress: all
-spec:
-  template:
-    spec:
-      serviceAccountName: ${RUNTIME_SERVICE_ACCOUNT}
-      containerConcurrency: 80
-      containers:
-        - image: ${IMAGE_URL}
-          ports:
-            - name: h2c
-              containerPort: 8080
-          env:
-            - name: VAULT_ADDR
-              value: ${VAULT_ADDR}
-            - name: VAULT_SECRET_PATH
-              value: ${VAULT_SECRET_PATH}
-            - name: VAULT_SECRET_KEY
-              value: ${VAULT_SECRET_KEY}
-            - name: CLOUDFLARE_ZONE_ID
-              value: ${CLOUDFLARE_ZONE_ID}
-            - name: VAULT_ROLE_ID_FILE
-              value: /var/run/secrets/vault-role-id/value
-            - name: VAULT_SECRET_ID_FILE
-              value: /var/run/secrets/vault-secret-id/value
-          volumeMounts:
-            - name: vault-role-id
-              mountPath: /var/run/secrets/vault-role-id
-            - name: vault-secret-id
-              mountPath: /var/run/secrets/vault-secret-id
-      volumes:
-        - name: vault-role-id
-          secret:
-            secretName: ${VAULT_ROLE_ID_SECRET}
-            items:
-              - key: latest
-                path: value
-        - name: vault-secret-id
-          secret:
-            secretName: ${VAULT_SECRET_ID_SECRET}
-            items:
-              - key: latest
-                path: value
-  traffic:
-    - latestRevision: true
-      percent: 100

package/templates/root/test/go.test.ts

@@ -1,19 +0,0 @@
-import { expect, test } from "bun:test";
-
-const decoder = new TextDecoder();
-
-test(
-  "go test ./...",
-  { timeout: 60_000 },
-  () => {
-  const result = Bun.spawnSync(["go", "test", "./..."], {
-    cwd: process.cwd(),
-    stdout: "pipe",
-    stderr: "pipe",
-    env: process.env,
-  });
-
-  const output = [decoder.decode(result.stdout), decoder.decode(result.stderr)].join("").trim();
-  expect(result.exitCode, output || "go test ./... failed").toBe(0);
-  }
-);

package/templates/shared/scripts/cloudrun/integrations.ts

@@ -1,111 +0,0 @@
-import { homedir } from "node:os";
-import { join } from "node:path";
-import { config } from "./config";
-import {
-  addSecretVersion,
-  ensureSecretAccessor,
-  runtimeSecretNames,
-  type DeploymentTarget,
-} from "./lib";
-
-type ProviderSecret = {
-  envName: keyof ReturnType<typeof runtimeSecretNames>;
-  provider: string;
-  field: string;
-};
-
-const PROVIDER_SECRETS: ProviderSecret[] = [
-  { envName: "CLERK_SECRET_KEY", provider: "clerk", field: "secret_key" },
-  { envName: "CLERK_WEBHOOK_SECRET", provider: "clerk", field: "webhook_secret" },
-  { envName: "STRIPE_SECRET_KEY", provider: "stripe", field: "secret_key" },
-  { envName: "STRIPE_WEBHOOK_SECRET", provider: "stripe", field: "webhook_secret" },
-  { envName: "REVENUECAT_API_KEY", provider: "revenuecat", field: "api_key" },
-  { envName: "REVENUECAT_WEBHOOK_SECRET", provider: "revenuecat", field: "webhook_secret" },
-  { envName: "RESEND_API_KEY", provider: "resend", field: "api_key" },
-  { envName: "POSTHOG_API_KEY", provider: "posthog", field: "api_key" },
-];
-
-export async function publishProviderRuntimeSecrets(target: DeploymentTarget) {
-  const secretNames = runtimeSecretNames(target);
-  const missing: string[] = [];
-
-  for (const secret of PROVIDER_SECRETS) {
-    const value = await resolveProviderSecret(secret);
-    if (!value) {
-      missing.push(formatMissingSecret(secret));
-      continue;
-    }
-
-    addSecretVersion(secretNames[secret.envName], value);
-    ensureSecretAccessor(secretNames[secret.envName], `serviceAccount:${config.runtimeServiceAccount}`);
-  }
-
-  if (missing.length > 0) {
-    throw new Error(
-      [
-        "Provider bootstrap credentials are required for the strict production bootstrap path.",
-        "Set the missing environment variables or write the matching Vault fields, then rerun the same bootstrap/deploy command.",
-        ...missing.map((item) => `- ${item}`),
-      ].join("\n")
-    );
-  }
-}
-
-async function resolveProviderSecret(secret: ProviderSecret) {
-  const direct = process.env[secret.envName]?.trim();
-  if (direct) {
-    return direct;
-  }
-
-  const addr = process.env.VAULT_ADDR?.trim() ?? "";
-  const token = await resolveVaultToken();
-  if (!addr || !token) {
-    return "";
-  }
-
-  const mount = process.env.VAULT_SECRET_MOUNT?.trim() ?? "secret";
-  const path = providerVaultPath(secret.provider);
-  const normalizedAddr = addr.replace(/\/+$/g, "");
-  const normalizedMount = mount.replace(/^\/+|\/+$/g, "");
-  const response = await fetch(`${normalizedAddr}/v1/${normalizedMount}/data/${path}`, {
-    headers: {
-      "X-Vault-Token": token,
-    },
-  });
-
-  if (!response.ok) {
-    return "";
-  }
-
-  const payload = (await response.json()) as {
-    data?: {
-      data?: Record<string, string | undefined>;
-    };
-  };
-
-  return payload.data?.data?.[secret.field]?.trim() ?? "";
-}
-
-async function resolveVaultToken() {
-  const direct = process.env.VAULT_TOKEN?.trim();
-  if (direct) {
-    return direct;
-  }
-
-  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(process.env.HOME?.trim() || homedir(), ".vault-token");
-
-  try {
-    return (await Bun.file(tokenFile).text()).trim();
-  } catch {
-    return "";
-  }
-}
-
-function providerVaultPath(provider: string) {
-  const override = process.env[`VAULT_${provider.toUpperCase()}_PATH`]?.trim();
-  return (override || `prod/providers/${provider}`).replace(/^\/+/g, "");
-}
-
-function formatMissingSecret(secret: ProviderSecret) {
-  return `${secret.envName} or Vault secret/${providerVaultPath(secret.provider)} field ${secret.field}`;
-}