create-svc 0.1.7 → 0.1.9

package/README.md

@@ -1,12 +1,14 @@
 # create-svc
 
-`create-svc` is a Bun-authored scaffold CLI for generating a Go Cloud Run service with:
+`create-svc` is a Bun-authored scaffold CLI for generating Cloud Run services with:
 
-- Chi HTTP routes
-- ConnectRPC handlers
-- a real Cloud Run service manifest
-- Bun-based deployment helpers
-- Vault-backed Cloudflare DNS CRUD as the default example
+- `go + chi`
+- `go + connectrpc`
+- `bun + hono`
+- `bun + connectrpc`
+- a real `service.yaml` manifest
+- shared Cloud Run bootstrap, deploy, and cleanup automation
+- Neon-backed main, preview, and personal environments
 
 ## Usage
 
@@ -15,14 +17,22 @@ bun install
 bun run index.ts my-service
 ```
 
-The generated service supports:
+The generator discovers:
+
+- accessible GCP projects
+- open billing accounts
+- Neon defaults from `NEON_API_KEY`, or Vault via `VAULT_ADDR` plus `VAULT_TOKEN`, `VAULT_TOKEN_FILE`, or `~/.vault-token`
+
+Generated repos are `Makefile`-first. The shared Cloud Run control plane is exposed as a local CLI bin and invoked by `make`.
 
 ```bash
-bun dev
-bun gen
-bun lint
-bun test
-bun run deploy
+make dev
+make gen
+make lint
+make test
+make bootstrap
+make deploy
+make cleanup
 ```
 
 ## Development

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "Bun-authored CLI to scaffold Go Cloud Run services with Chi, ConnectRPC, Vault, and Cloudflare examples.",
   "module": "index.ts",
   "type": "module",

package/src/cli.test.ts

@@ -1,5 +1,6 @@
 import { expect, test } from "bun:test";
-import { normalizeValidationResult } from "./cli";
+import { mkdir } from "node:fs/promises";
+import { assertDiscoveryReady, normalizeValidationResult, validateServiceNameInput } from "./cli";
 
 test("normalizeValidationResult converts success to undefined", () => {
   expect(normalizeValidationResult(true)).toBeUndefined();
@@ -8,3 +9,31 @@ test("normalizeValidationResult converts success to undefined", () => {
 test("normalizeValidationResult preserves validation errors", () => {
   expect(normalizeValidationResult("Service name is required")).toBe("Service name is required");
 });
+
+test("assertDiscoveryReady requires Neon discovery to succeed", () => {
+  expect(() =>
+    assertDiscoveryReady({
+      projects: [],
+      billingAccounts: [],
+      warnings: [],
+      neonError: "Vault secret resolution requires VAULT_ADDR, VAULT_TOKEN, and a secret path",
+    })
+  ).toThrow(
+    "Neon discovery is required before scaffolding. Set NEON_API_KEY, or use Vault by providing VAULT_ADDR and either VAULT_TOKEN, VAULT_TOKEN_FILE, or ~/.vault-token. Optional overrides: VAULT_SECRET_MOUNT, VAULT_NEON_API_KEY_PATH, VAULT_NEON_API_KEY_FIELD."
+  );
+});
+
+test("validateServiceNameInput rejects a taken target directory", async () => {
+  const cwd = process.cwd();
+  const root = "/tmp/create-svc-cli-validation";
+  await mkdir(root, { recursive: true });
+  await mkdir(`${root}/taken-app`, { recursive: true });
+  await Bun.write(`${root}/taken-app/keep.txt`, "x");
+
+  process.chdir(root);
+  try {
+    expect(validateServiceNameInput("taken-app")).toBe("Directory already exists and is not empty");
+  } finally {
+    process.chdir(cwd);
+  }
+});

package/src/cli.ts

@@ -5,13 +5,13 @@ import {
   intro,
   isCancel,
   log,
-  note,
   outro,
   select,
   spinner,
   text,
 } from "@clack/prompts";
 import pc from "picocolors";
+import { readdirSync } from "node:fs";
 import { basename, dirname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { runPostScaffoldFlow } from "./post-scaffold";
@@ -55,6 +55,7 @@ type DiscoveryState = {
   neonProjectId?: string;
   neonBaseBranchId?: string;
   neonBaseBranchName?: string;
+  neonError?: string;
   warnings: string[];
 };
 
@@ -255,18 +256,19 @@ function parseArgs(argv: string[]): ParsedArgs {
 
 export async function resolveConfig(args: ParsedArgs): Promise<ScaffoldConfig> {
   const inferredName = slugify(basename(args.directory ?? "my-service"));
-  const discoveryPromise = discoverCloudInputs();
   const serviceName = args.yes
     ? inferredName
-    : await promptText("Service name", inferredName, (value) => slugify(value).length > 0 || "Service name is required");
+    : await promptText("Service name", inferredName, (value) => validateServiceNameInput(value, args.directory));
   const directory = args.directory ?? serviceName;
   const targetDir = resolve(process.cwd(), directory);
   await assertTargetDirectoryIsEmpty(targetDir);
 
+  const discoveryPromise = discoverCloudInputs();
   const defaults = deriveDefaults(serviceName);
   const runtime = await resolveRuntime(args);
   const framework = await resolveFramework(args, runtime);
   const discovery = await discoveryPromise;
+  assertDiscoveryReady(discovery);
   const gcpSelection = await resolveGcpSelection(args, defaults, discovery);
   const githubRepo = args.githubRepo ?? defaults.githubRepo;
   const region = args.region ?? DEFAULT_REGION;
@@ -487,12 +489,20 @@ async function discoverCloudInputs(): Promise<DiscoveryState> {
     result.neonBaseBranchId = neonDefaults.baseBranchId;
     result.neonBaseBranchName = neonDefaults.baseBranchName;
   } catch (error) {
-    result.warnings.push(`Skipping Neon discovery: ${formatError(error)}`);
+    result.neonError = formatError(error);
   }
 
   return result;
 }
 
+export function assertDiscoveryReady(discovery: DiscoveryState) {
+  if (!discovery.neonError) {
+    return;
+  }
+
+  throw new Error(formatNeonDiscoveryRequirement(discovery.neonError));
+}
+
 function chooseBillingAccount(input: string | undefined, accounts: BillingAccount[]) {
   if (input) {
     return input;
@@ -536,11 +546,21 @@ function formatError(error: unknown) {
   return error instanceof Error ? error.message : String(error);
 }
 
+function formatNeonDiscoveryRequirement(reason: string) {
+  if (reason.includes("Vault secret resolution requires")) {
+    return [
+      "Neon discovery is required before scaffolding.",
+      "Set NEON_API_KEY, or use Vault by providing VAULT_ADDR and either VAULT_TOKEN, VAULT_TOKEN_FILE, or ~/.vault-token.",
+      "Optional overrides: VAULT_SECRET_MOUNT, VAULT_NEON_API_KEY_PATH, VAULT_NEON_API_KEY_FIELD.",
+    ].join(" ");
+  }
+
+  return `Neon discovery is required before scaffolding: ${reason}`;
+}
+
 function handleCliError(error: unknown) {
   if (error instanceof DirectoryConflictError) {
-    log.error(`The directory ${error.targetDir} contains files that could conflict.`);
-    note(formatConflictEntries(error.entries), "Conflicting files");
-    log.message("Either try using a new directory name, or remove the files listed above.");
+    log.error(`Target directory already exists and is not empty: ${error.targetDir}`);
     process.exit(1);
   }
 
@@ -548,15 +568,6 @@ function handleCliError(error: unknown) {
   process.exit(1);
 }
 
-function formatConflictEntries(entries: string[]) {
-  const visibleEntries = entries.slice(0, 12);
-  const lines = visibleEntries.map((entry) => `- ${entry}`);
-  if (entries.length > visibleEntries.length) {
-    lines.push(`- ...and ${entries.length - visibleEntries.length} more`);
-  }
-  return lines.join("\n");
-}
-
 async function promptForExistingProject(projects: GcpProject[]) {
   const value = await autocomplete({
     message: "Existing GCP project",
@@ -601,6 +612,29 @@ export function normalizeValidationResult(result: true | string): string | undef
   return result === true ? undefined : result;
 }
 
+export function validateServiceNameInput(rawValue: string, directoryOverride?: string) {
+  const serviceName = slugify(rawValue);
+  if (!serviceName) {
+    return "Service name is required";
+  }
+
+  const directory = directoryOverride ?? serviceName;
+  const targetDir = resolve(process.cwd(), directory);
+
+  try {
+    const entries = readdirSync(targetDir);
+    if (entries.length > 0) {
+      return "Directory already exists and is not empty";
+    }
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code !== "ENOENT") {
+      return "Unable to check target directory";
+    }
+  }
+
+  return true;
+}
+
 function printHelp() {
   log.message(`
 Usage:

package/src/scaffold.test.ts

@@ -72,7 +72,10 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(mainGo).toContain("NewDNSService");
     } else {
       const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
-      expect(packageJson).toContain('"bootstrap": "bun run ./scripts/cloudrun/bootstrap.ts"');
+      expect(packageJson).toContain('"svc-cloudrun": "./scripts/cloudrun/cli.ts"');
+
+      const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
+      expect(makefile).toContain("npx --no-install svc-cloudrun");
 
       const entrypoint = await Bun.file(join(generatedRoot, "src", "index.ts")).text();
       expect(entrypoint).toContain(variant.framework === "hono" ? "Hono" : "rpc.example.v1.Service/Ping");

package/src/vault.test.ts

@@ -1,4 +1,5 @@
 import { afterEach, expect, mock, test } from "bun:test";
+import { mkdir } from "node:fs/promises";
 import { readVaultSecret, resolveNeonApiKey } from "./vault";
 
 const originalEnv = { ...process.env };
@@ -40,3 +41,35 @@ test("readVaultSecret reads KV v2 secret data using existing vault login env", a
     })
   ).resolves.toBe("vault-token");
 });
+
+test("readVaultSecret falls back to ~/.vault-token", async () => {
+  const home = "/tmp/create-svc-vault-home";
+  process.env.HOME = home;
+  process.env.VAULT_ADDR = "https://vault.example.com";
+  delete process.env.VAULT_TOKEN;
+
+  await mkdir(home, { recursive: true });
+  await Bun.write(`${home}/.vault-token`, "token-from-file\n");
+
+  const fetchMock = mock(async () => {
+    return new Response(
+      JSON.stringify({
+        data: {
+          data: {
+            value: "vault-token",
+          },
+        },
+      }),
+      { status: 200 }
+    );
+  });
+
+  globalThis.fetch = fetchMock as typeof fetch;
+
+  await expect(
+    readVaultSecret({
+      path: "provider/neon-api-key",
+      field: "value",
+    })
+  ).resolves.toBe("vault-token");
+});

package/src/vault.ts

@@ -1,3 +1,6 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+
 const DEFAULT_VAULT_SECRET_MOUNT = "secret";
 const DEFAULT_NEON_API_KEY_PATH = "provider/neon-api-key";
 const DEFAULT_NEON_API_KEY_FIELD = "value";
@@ -24,13 +27,13 @@ export async function resolveNeonApiKey() {
 
 export async function readVaultSecret(options: VaultSecretOptions = {}) {
   const addr = options.addr ?? process.env.VAULT_ADDR?.trim() ?? "";
-  const token = options.token ?? process.env.VAULT_TOKEN?.trim() ?? "";
+  const token = options.token ?? (await resolveVaultToken());
   const mount = options.mount ?? process.env.VAULT_SECRET_MOUNT?.trim() ?? DEFAULT_VAULT_SECRET_MOUNT;
   const path = options.path?.trim() ?? "";
   const field = options.field?.trim() ?? "value";
 
   if (!addr || !token || !path) {
-    throw new Error("Vault secret resolution requires VAULT_ADDR, VAULT_TOKEN, and a secret path");
+    throw new Error("Vault secret resolution requires VAULT_ADDR, a Vault token, and a secret path");
   }
 
   const normalizedAddr = addr.replace(/\/+$/g, "");
@@ -61,3 +64,19 @@ export async function readVaultSecret(options: VaultSecretOptions = {}) {
 
   return value;
 }
+
+async function resolveVaultToken() {
+  const direct = process.env.VAULT_TOKEN?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(homedir(), ".vault-token");
+
+  try {
+    const value = (await Bun.file(tokenFile).text()).trim();
+    return value;
+  } catch {
+    return "";
+  }
+}

package/templates/shared/.env.example

@@ -6,5 +6,5 @@ VAULT_SECRET_MOUNT=secret
 VAULT_NEON_API_KEY_PATH=provider/neon-api-key
 VAULT_NEON_API_KEY_FIELD=value
 
-# Do not commit VAULT_TOKEN. Prefer `vault login` in your shell session.
-
+# Do not commit VAULT_TOKEN. Prefer `vault login`; the CLI will also use
+# VAULT_TOKEN_FILE or ~/.vault-token when available.

package/templates/shared/README.md

@@ -5,7 +5,7 @@ Generated by `create-svc`.
 This scaffold targets `{{RUNTIME}} + {{FRAMEWORK}}` on Cloud Run with:
 
 - one generated `service.yaml` manifest
-- Bun-based `bootstrap` and `deploy` helpers
+- a local `svc-cloudrun` CLI for bootstrap, deploy, and cleanup
 - GitHub Actions for CI, `main` deploys, PR previews, and personal environments
 - GCP project bootstrap with billing and quota-project-aware `gcloud` calls
 - Neon main, preview, and personal branch provisioning
@@ -13,25 +13,28 @@ This scaffold targets `{{RUNTIME}} + {{FRAMEWORK}}` on Cloud Run with:
 ## Commands
 
 ```bash
-bun dev
-bun gen
-bun lint
-bun test
-bun run bootstrap
-bun run deploy
-bun run deploy -- --environment personal --name <slug>
-bun run deploy -- --destroy --environment personal --name <slug>
+make dev
+make gen
+make lint
+make test
+make bootstrap
+make deploy
+make deploy ARGS="--environment personal --name <slug>"
+make deploy ARGS="--destroy --environment personal --name <slug>"
+make cleanup
+make cleanup ARGS="--repo --project"
 ```
 
 ## Configuration
 
 The generated Cloud Run config lives in [scripts/cloudrun/config.ts](scripts/cloudrun/config.ts).
 
-Bootstrap and deploy use:
+Bootstrap, deploy, and cleanup use:
 
 - `gcloud`
 - `gh`
-- `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` + `VAULT_TOKEN`
+- `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` plus `VAULT_TOKEN`, `VAULT_TOKEN_FILE`, or `~/.vault-token`
+- the local repo CLI via `npx --no-install svc-cloudrun ...`
 
 ## Environment setup
 
@@ -43,14 +46,17 @@ cp .env.example .env.local
 
 Then edit `.env.local` with your Vault address and secret path overrides.
 
-For the token itself, prefer a live shell session:
+For the token itself, prefer a normal Vault login flow:
 
 ```bash
 vault login
-export VAULT_TOKEN="$(vault print token)"
 ```
 
-or however your existing Vault login flow exposes `VAULT_TOKEN`.
+The scaffold will use, in order:
+
+1. `VAULT_TOKEN`
+2. `VAULT_TOKEN_FILE`
+3. `~/.vault-token`
 
 That keeps stable settings in the repo and keeps the token out of `~/.zshrc`.
 

package/templates/shared/scripts/cloudrun/bootstrap.ts

@@ -14,6 +14,8 @@ import {
   gcloud,
   requireCommand,
   resolveDeploymentTarget,
+  runMain,
+  runStep,
   setGithubVariable,
   workloadIdentityPoolResource,
   workloadIdentityProviderResource,
@@ -23,54 +25,67 @@ export async function bootstrap() {
   requireCommand("gcloud");
   requireCommand("gh");
 
-  ensureProject();
-  attachBilling();
-  gcloud(["services", "enable", ...config.requiredApis, "--project", config.project.id]);
+  await runStep("Ensuring GCP project", () => ensureProject());
+  await runStep("Attaching billing", () => attachBilling());
+  await runStep("Enabling required GCP APIs", () => gcloud(["services", "enable", ...config.requiredApis, "--project", config.project.id]));
 
-  ensureServiceAccount(config.runtimeServiceAccount);
-  ensureServiceAccount(config.deployerServiceAccount);
-  ensureArtifactRepository();
+  await runStep("Ensuring runtime and deployer service accounts", () => {
+    ensureServiceAccount(config.runtimeServiceAccount);
+    ensureServiceAccount(config.deployerServiceAccount);
+  });
 
-  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/run.admin");
-  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/cloudbuild.builds.editor");
-  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/artifactregistry.writer");
-  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/serviceusage.serviceUsageConsumer");
-  ensureProjectRole(`serviceAccount:${config.runtimeServiceAccount}`, "roles/secretmanager.secretAccessor");
+  await runStep("Ensuring Artifact Registry repository", () => ensureArtifactRepository());
 
-  ensureServiceAccountRole(config.runtimeServiceAccount, `serviceAccount:${config.deployerServiceAccount}`, "roles/iam.serviceAccountUser");
+  await runStep("Granting project roles", () => {
+    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/run.admin");
+    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/cloudbuild.builds.editor");
+    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/artifactregistry.writer");
+    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/serviceusage.serviceUsageConsumer");
+    ensureProjectRole(`serviceAccount:${config.runtimeServiceAccount}`, "roles/secretmanager.secretAccessor");
+    ensureServiceAccountRole(config.runtimeServiceAccount, `serviceAccount:${config.deployerServiceAccount}`, "roles/iam.serviceAccountUser");
+  });
 
-  ensureWorkloadIdentityPool();
-  ensureWorkloadIdentityProvider();
-  ensureServiceAccountRole(
-    config.deployerServiceAccount,
-    `principalSet://iam.googleapis.com/${workloadIdentityPoolResource()}/attribute.repository/${config.github.repo}`,
-    "roles/iam.workloadIdentityUser"
-  );
+  await runStep("Ensuring Workload Identity setup", () => {
+    ensureWorkloadIdentityPool();
+    ensureWorkloadIdentityProvider();
+    ensureServiceAccountRole(
+      config.deployerServiceAccount,
+      `principalSet://iam.googleapis.com/${workloadIdentityPoolResource()}/attribute.repository/${config.github.repo}`,
+      "roles/iam.workloadIdentityUser"
+    );
+  });
 
   if (!config.neon.projectId || !config.neon.baseBranchId) {
     throw new Error("Neon project and base branch must be configured before bootstrap");
   }
 
   const target = resolveDeploymentTarget("main");
-  await ensureDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName);
-  const connectionUri = await getConnectionUri(
-    config.neon.projectId,
-    config.neon.baseBranchId,
-    config.neon.databaseName,
-    config.neon.roleName
-  );
-  addSecretVersion(target.databaseSecretName, connectionUri);
-  ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
+  await runStep("Ensuring Neon database", () => ensureDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName));
 
-  for (const [name, value] of Object.entries(githubVariables)) {
-    setGithubVariable(name, value);
-  }
+  await runStep("Publishing database secret", async () => {
+    const connectionUri = await getConnectionUri(
+      config.neon.projectId,
+      config.neon.baseBranchId,
+      config.neon.databaseName,
+      config.neon.roleName
+    );
+    addSecretVersion(target.databaseSecretName, connectionUri);
+    ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
+  });
+
+  await runStep("Configuring GitHub repository variables", () => {
+    for (const [name, value] of Object.entries(githubVariables)) {
+      setGithubVariable(name, value);
+    }
 
-  setGithubVariable("GCP_WIF_PROVIDER", workloadIdentityProviderResource());
-  setGithubVariable("GCP_DEPLOYER_SERVICE_ACCOUNT", config.deployerServiceAccount);
+    setGithubVariable("GCP_WIF_PROVIDER", workloadIdentityProviderResource());
+    setGithubVariable("GCP_DEPLOYER_SERVICE_ACCOUNT", config.deployerServiceAccount);
+  });
 }
 
 if (import.meta.main) {
-  await bootstrap();
+  await runMain("Bootstrap", async () => {
+    await bootstrap();
+    return `Bootstrap finished for ${config.serviceName}`;
+  });
 }
-

package/templates/shared/scripts/cloudrun/cleanup.ts

@@ -0,0 +1,100 @@
+import { log } from "@clack/prompts";
+import { config, githubVariables } from "./config";
+import { deleteBranch, deleteDatabase, listBranches } from "./neon";
+import {
+  deleteGithubRepository,
+  deleteGithubVariable,
+  deleteProject,
+  deleteSecret,
+  deleteService,
+  deleteServiceAccount,
+  deleteWorkloadIdentityProvider,
+  listCloudRunServices,
+  listSecrets,
+  parseCleanupArgs,
+  requireCommand,
+  runMain,
+  runStep,
+} from "./lib";
+
+function matchesServiceResource(name: string) {
+  return name === config.serviceName || name.startsWith(`${config.serviceName}-pr-`) || name.startsWith(`${config.serviceName}-dev-`);
+}
+
+function matchesSecretResource(name: string) {
+  return name === `${config.serviceName}-database-url` || name.startsWith(`${config.serviceName}-pr-`) || name.startsWith(`${config.serviceName}-dev-`);
+}
+
+export async function cleanup(args = Bun.argv.slice(2)) {
+  requireCommand("gcloud");
+
+  const options = parseCleanupArgs(args);
+
+  const services = await runStep("Finding Cloud Run services", () => listCloudRunServices());
+  const serviceNames = services.filter(matchesServiceResource);
+  await runStep("Deleting Cloud Run services", () => {
+    for (const serviceName of serviceNames) {
+      deleteService(serviceName);
+    }
+  });
+
+  const secrets = await runStep("Finding service secrets", () => listSecrets());
+  const secretNames = secrets.filter(matchesSecretResource);
+  await runStep("Deleting service secrets", () => {
+    for (const secretName of secretNames) {
+      deleteSecret(secretName);
+    }
+  });
+
+  if (config.neon.projectId && config.neon.baseBranchId) {
+    const branches = await runStep("Finding Neon branches", () => listBranches(config.neon.projectId));
+    const disposableBranches = branches.filter(
+      (branch) => branch.name.startsWith(`${config.neon.previewBranchPrefix}-`) || branch.name.startsWith(`${config.neon.personalBranchPrefix}-`)
+    );
+
+    await runStep("Deleting Neon preview and personal branches", async () => {
+      for (const branch of disposableBranches) {
+        await deleteBranch(config.neon.projectId, branch.id);
+      }
+    });
+
+    await runStep("Deleting Neon service database", () =>
+      deleteDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName)
+    );
+  } else {
+    log.step("Skipping Neon cleanup because Neon is not configured");
+  }
+
+  await runStep("Deleting service-specific identity resources", () => {
+    deleteWorkloadIdentityProvider();
+    deleteServiceAccount(config.runtimeServiceAccount);
+    deleteServiceAccount(config.deployerServiceAccount);
+  });
+
+  if (Bun.which("gh")) {
+    await runStep("Deleting GitHub repository variables", () => {
+      for (const name of [...Object.keys(githubVariables), "GCP_WIF_PROVIDER", "GCP_DEPLOYER_SERVICE_ACCOUNT"]) {
+        deleteGithubVariable(name);
+      }
+    });
+
+    if (options.destroyRepo) {
+      await runStep(`Deleting GitHub repository ${config.github.repo}`, () => deleteGithubRepository());
+    }
+  } else if (options.destroyRepo) {
+    throw new Error("gh is required to delete the GitHub repository");
+  } else {
+    log.step("Skipping GitHub cleanup because gh is not installed");
+  }
+
+  if (options.destroyProject) {
+    await runStep(`Deleting GCP project ${config.project.id}`, () => deleteProject());
+    return `Deleted project ${config.project.id}`;
+  }
+
+  return `Cleanup finished for ${config.serviceName}`;
+}
+
+if (import.meta.main) {
+  await runMain("Cleanup", () => cleanup(Bun.argv.slice(2)));
+}

package/templates/shared/scripts/cloudrun/cli.ts

@@ -0,0 +1,34 @@
+#!/usr/bin/env bun
+
+import { bootstrap } from "./bootstrap";
+import { cleanup } from "./cleanup";
+import { deploy } from "./deploy";
+import { runMain } from "./lib";
+
+async function main(argv = Bun.argv.slice(2)) {
+  const [command, ...rest] = argv;
+
+  if (command === "bootstrap") {
+    await runMain("Bootstrap", async () => {
+      await bootstrap();
+      return "Bootstrap finished";
+    });
+    return;
+  }
+
+  if (command === "deploy") {
+    await runMain("Deploy", () => deploy(rest));
+    return;
+  }
+
+  if (command === "cleanup") {
+    await runMain("Cleanup", () => cleanup(rest));
+    return;
+  }
+
+  throw new Error("Usage: svc-cloudrun <bootstrap|deploy|cleanup> [args]");
+}
+
+if (import.meta.main) {
+  await main();
+}