create-svc 0.1.62 → 0.1.64

package/README.md

@@ -20,16 +20,19 @@ npm: <https://www.npmjs.com/package/create-svc>
 ## Usage
 
 ```bash
-service create my-service
+service new my-service
 ```
 
 That creates `./my-service` by default. To write somewhere else while keeping
 the service id as `my-service`, pass `--dir`:
 
 ```bash
-service create my-service --dir /Users/andrewho/repos/projects/my-service
+service new my-service --dir /Users/andrewho/repos/projects/my-service
 ```
 
+`service create <service_id>` remains an alias for `service new <service_id>`
+when you are outside a generated service repo.
+
 Inside a generated service repo, the same command operates that repo:
 
 ```bash
@@ -47,7 +50,7 @@ npm install -g create-svc@latest
 For the strict one-command production path:
 
 ```bash
-service create my-service --yes
+service new my-service --yes
 ```
 
 By default, that scaffolds the repo, installs dependencies, runs the generated
@@ -75,14 +78,14 @@ Without publishing to npm:
 ```bash
 bun install
 bun link
-service create my-service
+service new my-service
 ```
 
 For faster iteration against your working tree:
 
 ```bash
 bun link
-service create my-service
+service new my-service
 ```
 
 During scaffold, the generator can discover:
@@ -166,7 +169,7 @@ The generated microservice domain is a small waitlist/launch service example wit
 ```bash
 bun install
 bun test src scripts
-bun run index.ts create my-service
+bun run index.ts new my-service
 ```
 
 Validate the generated service matrix against local Docker Compose Postgres and

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.62",
+  "version": "0.1.64",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",
@@ -14,6 +14,7 @@
     "src",
     "templates",
     "!bin/generated",
+    "!src/.cloudrun*.yaml",
     "!templates/**/node_modules",
     "README.md"
   ],

package/src/cli.test.ts

@@ -72,6 +72,7 @@ test("formatScaffoldHelp is compact and starts at usage", () => {
   expect(help.startsWith("Usage:\n")).toBeTrue();
   expect(help).not.toContain("\n\n\n");
   expect(help).not.toContain("│");
+  expect(help).toContain("service new <service_id> [options]");
   expect(help).toContain("service create <service_id> [options]");
   expect(help).toContain("--dir <path>");
 });

package/src/cli.ts

@@ -199,10 +199,19 @@ function formatCompletionSummary(config: ScaffoldConfig, targetDir: string, gitR
     `  Auth issuer: https://auth.anmho.com/api/auth`,
     `  Auth resource: api://${config.serviceName}`,
     `  Auth token URL: https://auth.anmho.com/api/auth/oauth2/token`,
-    `  Temporal: disabled by default`,
-    `  Temporal address: localhost:7233`,
-    `  Temporal task queue: ${config.serviceName}`,
-    `  Temporal API key secret: ${config.serviceName}-temporal-api-key`,
+    ...(config.target === "workers"
+      ? [
+          `  Trigger.dev task: ${config.serviceName}-waitlist-follow-up`,
+          `  Trigger.dev project env: TRIGGER_PROJECT_REF`,
+          `  Trigger.dev deploy env: TRIGGER_ACCESS_TOKEN`,
+          `  Trigger.dev secret env: TRIGGER_SECRET_KEY`,
+        ]
+      : [
+          `  Temporal: enabled by default`,
+          `  Temporal address: localhost:7233`,
+          `  Temporal task queue: ${config.serviceName}`,
+          `  Temporal API key secret: ${config.serviceName}-temporal-api-key`,
+        ]),
     config.runtime === "go" ? `  Go module: ${config.modulePath}` : undefined,
     "",
     config.autoDeploy ? "Verified production after deploy:" : "After deploy, verify production with:",
@@ -1218,11 +1227,13 @@ function printHelp() {
 export function formatScaffoldHelp() {
   return [
     "Usage:",
+    "  service new <service_id> [options]",
     "  service create <service_id> [options]",
     "",
     "Examples:",
-    "  service create waitlist-api --target cloudrun --runtime bun --framework hono",
-    "  service create waitlist-api --auto-deploy",
+    "  service new waitlist-api --target cloudrun --runtime bun --framework hono",
+    "  service new waitlist-api --auto-deploy",
+    "  service create waitlist-api --yes",
     "",
     "Options:",
     "  --dir <path>                    Output directory; defaults to ./<service_id>",

package/src/naming.test.ts

@@ -32,6 +32,12 @@ test("compactDatabaseName switches to underscores", () => {
   expect(compactDatabaseName("preview-worker")).toBe("preview_worker");
 });
 
+test("deriveLocalPostgresPort stays out of ephemeral port ranges", () => {
+  const port = Number(deriveLocalPostgresPort("preview-worker"));
+  expect(port).toBeGreaterThanOrEqual(15432);
+  expect(port).toBeLessThan(16432);
+});
+
 test("buildGcpProjectOptions puts the shared services project first", () => {
   const options = buildGcpProjectOptions("preview-worker", "anmho-preview-worker", "preview-worker", [
     { projectId: "anmho-existing", name: "existing" },

package/src/naming.ts

@@ -81,7 +81,7 @@ export function compactDatabaseName(serviceName: string) {
 export function deriveLocalPostgresPort(serviceName: string) {
   const normalized = slugify(serviceName) || "my-service";
   const hash = Number.parseInt(shortHash(normalized).slice(0, 4), 16);
-  return String(55000 + (hash % 1000));
+  return String(15432 + (hash % 1000));
 }
 
 export function deriveDefaults(serviceName: string) {

package/src/scaffold.test.ts

@@ -212,7 +212,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(makefile).toContain("$(ATLAS) migrate lint --env local --latest 1");
       expect(makefile).toContain("bun run ./scripts/ensure-local-db.ts");
       expect(makefile).toContain("bun run ./scripts/wait-for-db.ts");
-      expect(makefile).toContain("bun run ./scripts/dev.ts go run ./cmd/server");
+      expect(makefile).toContain("bun run ./scripts/dev.ts go run ./cmd/server --worker go run ./cmd/worker");
       expect(await Bun.file(join(generatedRoot, "atlas.hcl")).exists()).toBeTrue();
       const atlasConfig = await Bun.file(join(generatedRoot, "atlas.hcl")).text();
       expect(atlasConfig).toContain('revisions_schema = "public"');
@@ -224,7 +224,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
       expect(packageJson).toContain('"@anmho/authctl": "0.1.1"');
       expect(packageJson).toContain("@temporalio/worker");
-      expect(packageJson).toContain('"dev": "bun run ./scripts/dev.ts bun run ./src/index.ts"');
+      expect(packageJson).toContain('"dev": "bun run ./scripts/dev.ts bun run ./src/index.ts --worker bun run ./src/worker.ts"');
       expect(packageJson).toContain('"gen": "bun run ./scripts/codegen.ts"');
       expect(packageJson).toContain('"service": "service"');
       expect(packageJson).toContain('"migrate": "service migrate"');
@@ -356,6 +356,11 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(packageJson).toContain('"auth": "service auth"');
   expect(packageJson).toContain('"wrangler"');
   expect(packageJson).toContain('"pg"');
+  expect(packageJson).toContain('"@trigger.dev/sdk"');
+  expect(packageJson).toContain('"trigger.dev"');
+  expect(packageJson).toContain('"trigger": "trigger"');
+  expect(packageJson).toContain('"trigger:dev": "trigger dev"');
+  expect(packageJson).toContain('"trigger:deploy": "trigger deploy"');
 
   const wranglerConfig = await Bun.file(join(generatedRoot, "wrangler.toml")).text();
   expect(wranglerConfig).toContain('name = "dns-api"');
@@ -364,6 +369,8 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(wranglerConfig).toContain('binding = "HYPERDRIVE"');
   expect(wranglerConfig).toContain('AUTH_ENABLED = "true"');
   expect(wranglerConfig).toContain('AUTH_AUDIENCE = "api://dns-api"');
+  expect(wranglerConfig).toContain('TRIGGER_TASK_ID = "dns-api-waitlist-follow-up"');
+  expect(wranglerConfig).toContain('TRIGGER_API_URL = "https://api.trigger.dev"');
   expect(wranglerConfig).not.toContain("[triggers]");
   expect(wranglerConfig).not.toContain("crons");
   const authSource = await Bun.file(join(generatedRoot, "src", "auth.ts")).text();
@@ -375,15 +382,20 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(entrypoint).toContain("/v1/admin/waitlist");
   expect(entrypoint).toContain('app.use("/v1/*", authMiddleware())');
   expect(entrypoint).toContain("createStorage(context.env)");
-  expect(entrypoint).toContain("scheduled");
+  expect(entrypoint).toContain("dispatchWaitlistFollowUp");
+  expect(entrypoint).not.toContain("scheduled");
   const readme = await Bun.file(join(generatedRoot, "README.md")).text();
   expect(readme).toContain("Cloudflare Workers");
   expect(readme).toContain("Hyperdrive binding for Neon-backed Postgres persistence");
+  expect(readme).toContain("Trigger.dev task dispatch");
   expect(readme).not.toContain("Cloud Run");
   const serviceConfig = await Bun.file(join(generatedRoot, "service.jsonc")).text();
   expect(serviceConfig).toContain('"target": "workers"');
   expect(serviceConfig).toContain('"hostname": "api.dns-api.anmho.com"');
   expect(serviceConfig).toContain('"database_name": "dns_api"');
+  expect(serviceConfig).toContain('"trigger_dev"');
+  expect(serviceConfig).toContain('"access_token_env": "TRIGGER_ACCESS_TOKEN"');
+  expect(serviceConfig).toContain('"waitlist_task_id": "dns-api-waitlist-follow-up"');
   const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
   expect(makefile).toContain('no generated code for workers');
   expect(makefile).toContain("auth:");
@@ -392,6 +404,9 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(await Bun.file(join(generatedRoot, "scripts", "authctl.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "src", "auth.ts")).exists()).toBeTrue();
   expect(await Bun.file(join(generatedRoot, "src", "storage.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "src", "trigger.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "trigger.config.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "trigger", "waitlist-follow-up.ts")).exists()).toBeTrue();
   expect(await Bun.file(join(generatedRoot, "scripts", "workers", "cli.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cli.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "scripts", "dev.ts")).exists()).toBeTrue();
@@ -403,6 +418,7 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(await Bun.file(join(generatedRoot, "docker-compose.yml")).exists()).toBeTrue();
   expect(await Bun.file(join(generatedRoot, "src", "db", "repository.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "src", "temporal", "worker.ts")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "src", "worker.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "scripts", "codegen.ts")).exists()).toBeFalse();
 
   const previewWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "preview.yml")).text();

package/src/scaffold.ts

@@ -113,6 +113,7 @@ function shouldSkipForTarget(target: DeployTarget, templateKind: "shared" | "var
     return (
       relativePath.startsWith("src/db/") ||
       relativePath.startsWith("src/temporal/") ||
+      relativePath === "src/worker.ts" ||
       relativePath.startsWith("src/waitlist/") ||
       relativePath.startsWith("test/") ||
       relativePath.startsWith("migrations/") ||
@@ -230,6 +231,10 @@ function buildReplacements(config: ScaffoldConfig) {
     AUTH_ISSUER: authIssuer,
     AUTH_AUDIENCE: authAudience,
     AUTH_JWKS_URL: authJwksUrl,
+    TEMPORAL_ENABLED: "true",
+    TEMPORAL_ADDRESS: "localhost:7233",
+    TEMPORAL_NAMESPACE: "default",
+    TEMPORAL_TASK_QUEUE: config.serviceName,
     LOCAL_DATABASE_NAME: localDatabaseName,
     LOCAL_DATABASE_PORT: localDatabasePort,
     LOCAL_DATABASE_USER: "postgres",
@@ -318,6 +323,11 @@ async function writeLocalEnvFile(targetDir: string, replacements: Record<string,
       "# This file is user-owned after scaffold and is gitignored.",
       "",
       "DATABASE_URL=postgres://{{LOCAL_DATABASE_USER}}:{{LOCAL_DATABASE_PASSWORD}}@127.0.0.1:{{LOCAL_DATABASE_PORT}}/{{LOCAL_DATABASE_NAME}}?sslmode=disable",
+      "TEMPORAL_ENABLED={{TEMPORAL_ENABLED}}",
+      "TEMPORAL_ADDRESS={{TEMPORAL_ADDRESS}}",
+      "TEMPORAL_NAMESPACE={{TEMPORAL_NAMESPACE}}",
+      "TEMPORAL_TASK_QUEUE={{TEMPORAL_TASK_QUEUE}}",
+      "",
       "",
       "VAULT_SECRET_MOUNT=secret",
       "VAULT_AUTHCTL_ACCESS_PATH=prod/apps/auth/authctl/cloudflare-access",

package/src/service-runtime/authctl.ts

@@ -54,6 +54,10 @@ export function defaultAuthResourceServerArgs() {
 export function runAuthCommand(args: string[]) {
   const [subject, action, ...rest] = args;
 
+  if (!subject || subject === "--help" || subject === "-h" || subject === "help") {
+    return formatAuthHelp();
+  }
+
   if (!subject || subject === "doctor") {
     const result = runAuthDoctor();
     if (!result.hasAuthctl) {
@@ -104,12 +108,40 @@ export function runAuthCommand(args: string[]) {
   }
 
   if (subject === "token") {
+    if (action === "--help" || action === "-h" || action === "help") {
+      return formatAuthTokenHelp();
+    }
     return mintAuthToken(parseTokenOptions([action, ...rest].filter(Boolean) as string[]));
   }
 
   throw new Error("Usage: service auth <doctor|resource-server|client|token> [args]");
 }
 
+function formatAuthHelp() {
+  return [
+    "Usage: service auth <doctor|resource-server|client|token> [args]",
+    "",
+    "Commands:",
+    "  doctor           Check authctl availability",
+    "  resource-server  Manage this service auth resource server",
+    "  client           Create or manage service client credentials",
+    "  token            Mint a bearer token for protected API checks",
+  ].join("\n");
+}
+
+function formatAuthTokenHelp() {
+  return [
+    "Usage: service auth token [options]",
+    "",
+    "Options:",
+    "  --scope <scope>      Request an additional or replacement scope; repeatable",
+    "  --resource <uri>     Token resource; defaults to this service audience",
+    "  --audience <value>   Optional audience parameter",
+    "  --json               Print the full token response",
+    "  --help, -h           Show this message",
+  ].join("\n");
+}
+
 export function ensureAuthResourceServer() {
   const command = ensureResourceServerCommandAvailable();
   authctl([command.subject, command.mutationAction, ...defaultAuthResourceServerArgs(), "--json"], { quiet: true });

package/src/service-runtime/cloudrun/bootstrap.ts

@@ -79,19 +79,18 @@ export async function prepareGcpProject() {
 
 function publishTemporalSecrets() {
   const temporal = resolveTemporalRuntimeConfig();
-  const apiKey = process.env.TEMPORAL_API_KEY?.trim();
-  if (!apiKey || !temporal.apiKeySecretName) {
+  if (!temporal.apiKey || !temporal.apiKeySecretName) {
     return "No Temporal API key configured";
   }
 
-  addSecretVersion(temporal.apiKeySecretName, apiKey);
+  addSecretVersion(temporal.apiKeySecretName, temporal.apiKey);
   ensureSecretAccessor(temporal.apiKeySecretName, `serviceAccount:${config.runtimeServiceAccount}`);
   return temporal.apiKeySecretName;
 }
 
 function shouldPublishTemporalSecrets() {
   const temporal = resolveTemporalRuntimeConfig();
-  return Boolean(process.env.TEMPORAL_API_KEY?.trim() && temporal.apiKeySecretName);
+  return Boolean(temporal.enabled && temporal.apiKey && temporal.apiKeySecretName);
 }
 
 if (import.meta.main) {

package/src/service-runtime/cloudrun/cleanup.ts

@@ -29,7 +29,12 @@ import {
 } from "./lib";
 
 function matchesServiceResource(name: string) {
-  return name === config.serviceName || name.startsWith(`${config.serviceName}-pr-`) || name.startsWith(`${config.serviceName}-dev-`);
+  return (
+    name === config.serviceName ||
+    name === `${config.serviceName}-worker` ||
+    name.startsWith(`${config.serviceName}-pr-`) ||
+    name.startsWith(`${config.serviceName}-dev-`)
+  );
 }
 
 function matchesSecretResource(name: string) {

package/src/service-runtime/cloudrun/cli.ts

@@ -1,6 +1,6 @@
 #!/usr/bin/env bun
 
-import { mkdir } from "node:fs/promises";
+import { mkdir, readdir } from "node:fs/promises";
 import { ensureAuthClient, ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
 import { stopLocalDev } from "../local-dev";
 import { bootstrap, prepareGcpProject } from "./bootstrap";
@@ -42,7 +42,6 @@ export async function main(argv = Bun.argv.slice(2)) {
       await runStep("Provisioning auth client", () => ensureAuthClient());
       const bootstrapResult = await bootstrap({ skipProjectSetup: true });
       const databaseUrl = bootstrapResult.databaseUrl;
-      await runStep("Applying production migrations", () => runLanguageTask("migrate", { DATABASE_URL: databaseUrl }));
       const origin = await deploy(["--ci"], { bootstrapResult });
       await runOptionalBunScript("seed", { DATABASE_URL: databaseUrl });
       return `Created ${origin}`;
@@ -51,6 +50,10 @@ export async function main(argv = Bun.argv.slice(2)) {
   }
 
   if (command === "deploy") {
+    if (hasHelpFlag(rest)) {
+      console.log(formatHelp());
+      return;
+    }
     await runMain("Deploy", () => deploy(rest));
     return;
   }
@@ -118,6 +121,10 @@ export async function main(argv = Bun.argv.slice(2)) {
   throw new Error(`Unknown command: ${command}\n\n${formatHelp()}`);
 }
 
+function hasHelpFlag(args: string[]) {
+  return args.includes("--help") || args.includes("-h") || args.includes("help");
+}
+
 function formatHelp() {
   return [
     "Usage:",
@@ -272,16 +279,16 @@ async function runDoctor() {
       if (!(await Bun.file("./buf.yaml").exists())) {
         throw new Error("missing buf.yaml");
       }
-      if (!(await Bun.file("./protos/waitlist/v1/waitlist.proto").exists())) {
-        throw new Error("missing waitlist proto");
+      const protoFiles = await findFiles("./protos", ".proto");
+      if (protoFiles.length === 0) {
+        throw new Error("missing ConnectRPC proto");
       }
-      return "waitlist proto present";
+      return `${protoFiles.length} proto file(s) present`;
     });
     await record(results, "Buf CLI", "warn", () => checkCommand("buf"));
     await record(results, "generated SDK artifacts", "warn", async () => {
-      const bunGen = await Bun.file("./gen/protos/waitlist/v1/waitlist_pb.ts").exists();
-      const goGen = await Bun.file("./gen/waitlist/v1/waitlist.pb.go").exists();
-      if (!bunGen && !goGen) {
+      const artifacts = await findGeneratedSdkArtifacts();
+      if (artifacts.length === 0) {
         throw new Error("generated SDK artifacts are missing; run service sdk build");
       }
       return "local generated artifacts present";
@@ -371,16 +378,15 @@ async function runSdk(args: string[]) {
 }
 
 async function assertLocalSdkArtifacts() {
-  const bunArtifacts = await Bun.file("./gen/protos/waitlist/v1/waitlist_pb.ts").exists();
-  const goArtifacts = await Bun.file("./gen/waitlist/v1/waitlist.pb.go").exists();
-  if (!bunArtifacts && !goArtifacts) {
+  const artifacts = await findGeneratedSdkArtifacts();
+  if (artifacts.length === 0) {
     throw new Error("Local SDK artifacts are missing. Run `service sdk build` first.");
   }
 }
 
 async function writeSdkMode(mode: "local" | "remote") {
   await mkdir(".service", { recursive: true });
-  const localPath = config.runtime === "bun" ? "./gen/protos/waitlist/v1" : "./gen/waitlist/v1";
+  const localPath = await resolveLocalSdkPath();
   await Bun.write(
     ".service/sdk.json",
     `${JSON.stringify(
@@ -400,6 +406,40 @@ function bufModule() {
   return `buf.build/anmho/${config.serviceName}`;
 }
 
+async function resolveLocalSdkPath() {
+  const artifacts = await findGeneratedSdkArtifacts();
+  if (artifacts.length === 0) {
+    return config.runtime === "bun" ? "./gen/protos" : "./gen";
+  }
+  const artifact = artifacts[0] || "./gen";
+  return artifact.split("/").slice(0, -1).join("/") || "./gen";
+}
+
+async function findGeneratedSdkArtifacts() {
+  const suffixes = config.runtime === "bun" ? ["_pb.ts", "_pb.js"] : [".pb.go"];
+  const files = await findFiles("./gen");
+  return files.filter((file) => suffixes.some((suffix) => file.endsWith(suffix)));
+}
+
+async function findFiles(root: string, suffix = ""): Promise<string[]> {
+  let entries;
+  try {
+    entries = await readdir(root, { withFileTypes: true });
+  } catch {
+    return [];
+  }
+  const files: string[] = [];
+  for (const entry of entries) {
+    const path = `${root}/${entry.name}`;
+    if (entry.isDirectory()) {
+      files.push(...(await findFiles(path, suffix)));
+    } else if (!suffix || path.endsWith(suffix)) {
+      files.push(path);
+    }
+  }
+  return files;
+}
+
 if (import.meta.main) {
   await main();
 }

package/src/service-runtime/cloudrun/config.ts

@@ -3,6 +3,7 @@ import { serviceConfig } from "../runtime";
 const cloudrun = serviceConfig.cloudrun;
 const dns = serviceConfig.dns;
 const neon = serviceConfig.neon;
+const vault = serviceConfig.providers?.vault ?? {};
 
 export const config = {
   serviceName: serviceConfig.service_id,
@@ -39,6 +40,8 @@ export const config = {
     namespace: serviceConfig.temporal.namespace,
     taskQueue: serviceConfig.temporal.task_queue,
     apiKeySecretName: serviceConfig.temporal.api_key_secret_name,
+    vaultMount: vault.mount || "secret",
+    vaultPath: vault.temporal_path || "prod/providers/temporal",
   },
   neon: {
     projectId: neon.project_id,

package/src/service-runtime/cloudrun/deploy-args.ts

@@ -6,6 +6,11 @@ export type DeployArgs = {
   name?: string;
 };
 
+export type RuntimeMigrationCommand = {
+  command: string;
+  args: string[];
+};
+
 export const CLOUD_RUN_LOCAL_BUILD_PLATFORM = "linux/amd64";
 
 export function localDockerBuildArgs(image: string) {
@@ -93,3 +98,15 @@ function parseBuildStrategy(value: string | undefined): DeployArgs["build"] {
   }
   throw new Error(`Unknown build strategy: ${value}`);
 }
+
+export function migrationCommandForRuntime(runtime: string): RuntimeMigrationCommand {
+  if (runtime === "bun") {
+    return { command: "bun", args: ["run", "./scripts/migrate.ts"] };
+  }
+
+  if (runtime === "go") {
+    return { command: "atlas", args: ["migrate", "apply", "--env", "local"] };
+  }
+
+  throw new Error(`migrate is not available for ${runtime}`);
+}

package/src/service-runtime/cloudrun/deploy.ts

@@ -15,12 +15,16 @@ import {
   localDockerBuildArgs,
   parseDeployArgs,
   requireCommand,
+  resolveTemporalRuntimeConfig,
   resolveDeploymentTarget,
+  run,
   runMain,
   runStep,
   serviceOrigin,
   writeRenderedManifest,
+  writeRenderedWorkerManifest,
 } from "./lib";
+import { migrationCommandForRuntime } from "./deploy-args";
 
 type DeployOptions = {
   bootstrapResult?: BootstrapResult;
@@ -38,6 +42,7 @@ export async function deploy(args = Bun.argv.slice(2), deployOptions: DeployOpti
       ? bootstrapResult.target
       : resolveDeploymentTarget(options.environment, options.name);
   const neon = bootstrapResult?.neon ?? (await runStep("Resolving Neon defaults", () => resolveNeonConfig()));
+  let databaseUrl = bootstrapResult?.databaseUrl;
 
   if (options.destroy) {
     if (options.environment === "main") {
@@ -71,10 +76,17 @@ export async function deploy(args = Bun.argv.slice(2), deployOptions: DeployOpti
     await runStep("Publishing environment database secret", async () => {
       await ensureDatabase(neon.projectId, branchId, neon.databaseName);
       const connectionUri = await getConnectionUri(neon.projectId, branchId, neon.databaseName, neon.roleName);
+      databaseUrl = connectionUri;
       addSecretVersion(target.databaseSecretName, connectionUri);
       ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
     });
   }
+  if (!databaseUrl) {
+    throw new Error(`Could not resolve database URL for ${target.serviceName}`);
+  }
+  const resolvedDatabaseUrl = databaseUrl;
+  await runStep("Applying database migrations", () => runMigration(resolvedDatabaseUrl));
+
   const image = imageUrl();
   if (options.build === "cloudbuild") {
     await runStep("Building container image in Cloud Build", () =>
@@ -95,6 +107,13 @@ export async function deploy(args = Bun.argv.slice(2), deployOptions: DeployOpti
     gcloud(["run", "services", "replace", renderedManifestPath.pathname, "--project", config.project.id, "--region", config.region])
   );
 
+  if (resolveTemporalRuntimeConfig().enabled) {
+    const renderedWorkerManifestPath = await runStep("Rendering Cloud Run worker manifest", () => writeRenderedWorkerManifest(image, target));
+    await runStep(`Deploying Cloud Run worker ${target.serviceName}-worker`, () =>
+      gcloud(["run", "services", "replace", renderedWorkerManifestPath.pathname, "--project", config.project.id, "--region", config.region])
+    );
+  }
+
   await runStep("Granting public invoker access", () =>
     gcloudWithRetry([
       "run",
@@ -119,6 +138,12 @@ export async function deploy(args = Bun.argv.slice(2), deployOptions: DeployOpti
   return serviceOrigin(target);
 }
 
+function runMigration(databaseUrl: string) {
+  const task = migrationCommandForRuntime(config.runtime);
+  run(task.command, task.args, { env: { DATABASE_URL: databaseUrl } });
+  return "migrate finished";
+}
+
 if (import.meta.main) {
   await runMain("Deploy", () => deploy(Bun.argv.slice(2)));
 }

package/src/service-runtime/cloudrun/lib.test.ts

@@ -1,5 +1,5 @@
 import { afterEach, expect, test } from "bun:test";
-import { localDockerBuildArgs, parseDeployArgs } from "./deploy-args";
+import { localDockerBuildArgs, migrationCommandForRuntime, parseDeployArgs } from "./deploy-args";
 
 const originalBuild = process.env.SERVICE_BUILD;
 const originalBuildStrategy = process.env.SERVICE_BUILD_STRATEGY;
@@ -38,3 +38,14 @@ test("local Docker builds target Cloud Run's runtime platform", () => {
     ".",
   ]);
 });
+
+test("migrationCommandForRuntime uses generated migration tooling", () => {
+  expect(migrationCommandForRuntime("bun")).toEqual({
+    command: "bun",
+    args: ["run", "./scripts/migrate.ts"],
+  });
+  expect(migrationCommandForRuntime("go")).toEqual({
+    command: "atlas",
+    args: ["migrate", "apply", "--env", "local"],
+  });
+});