create-svc 0.1.8 → 0.1.10

package/templates/shared/scripts/cloudrun/lib.ts

@@ -15,10 +15,9 @@ type DeployArgs = {
 
 type CleanupArgs = {
   destroyProject: boolean;
-  destroyRepo: boolean;
 };
 
-type DeploymentTarget = {
+export type DeploymentTarget = {
   environment: "main" | "preview" | "personal";
   serviceName: string;
   branchName: string;
@@ -33,6 +32,7 @@ type CommandResult = {
 };
 
 const decoder = new TextDecoder();
+const encoder = new TextEncoder();
 
 export class CommandError extends Error {
   command: string;
@@ -58,11 +58,27 @@ export function requireCommand(name: string) {
   }
 }
 
+export function requireGcloudAuth() {
+  const activeAccount = gcloud(["auth", "list", "--filter=status:ACTIVE", "--format=value(account)"], {
+    allowFailure: true,
+  }).stdout.trim();
+
+  if (!activeAccount) {
+    throw new Error(
+      [
+        "gcloud is installed but no active Google Cloud account is available.",
+        "Run `gcloud auth login` on this machine before using bootstrap, deploy, or cleanup.",
+        "If you also rely on Application Default Credentials for other tooling, run `gcloud auth application-default login` as well.",
+      ].join(" ")
+    );
+  }
+}
+
 export function run(command: string, args: string[], options: CommandOptions = {}): CommandResult {
   const result = Bun.spawnSync([command, ...args], {
     cwd: process.cwd(),
     env: process.env,
-    stdin: options.input,
+    stdin: options.input === undefined ? undefined : encoder.encode(options.input),
     stdout: "pipe",
     stderr: "pipe",
   });
@@ -89,10 +105,6 @@ export function gcloud(args: string[], options: CommandOptions = {}) {
   return run("gcloud", normalized, options);
 }
 
-export function gh(args: string[], options: CommandOptions = {}) {
-  return run("gh", args, options);
-}
-
 export async function runStep<T>(label: string, task: () => Promise<T> | T) {
   const indicator = spinner();
   indicator.start(label);
@@ -228,116 +240,26 @@ export function ensureArtifactRepository() {
   ]);
 }
 
-export function projectNumber() {
-  return gcloud(["projects", "describe", config.project.id, "--format=value(projectNumber)"]).stdout;
-}
-
-export function workloadIdentityPoolResource() {
-  return `projects/${projectNumber()}/locations/global/workloadIdentityPools/${config.workloadIdentityPoolId}`;
-}
-
-export function workloadIdentityProviderResource() {
-  return `${workloadIdentityPoolResource()}/providers/${config.workloadIdentityProviderId}`;
-}
-
-export function ensureWorkloadIdentityPool() {
-  if (
-    gcloud(["iam", "workload-identity-pools", "describe", config.workloadIdentityPoolId, "--project", config.project.id, "--location", "global"], {
-      allowFailure: true,
-    }).success
-  ) {
+export function ensureStorageBucket() {
+  if (gcloud(["storage", "buckets", "describe", `gs://${config.storage.attachmentBucket}`, "--project", config.project.id], { allowFailure: true }).success) {
     return;
   }
 
   gcloud([
-    "iam",
-    "workload-identity-pools",
+    "storage",
+    "buckets",
     "create",
-    config.workloadIdentityPoolId,
+    `gs://${config.storage.attachmentBucket}`,
     "--project",
     config.project.id,
     "--location",
-    "global",
-    "--display-name",
-    "GitHub Actions",
-  ]);
-}
-
-export function ensureWorkloadIdentityProvider() {
-  if (
-    gcloud(
-      [
-        "iam",
-        "workload-identity-pools",
-        "providers",
-        "describe",
-        config.workloadIdentityProviderId,
-        "--project",
-        config.project.id,
-        "--location",
-        "global",
-        "--workload-identity-pool",
-        config.workloadIdentityPoolId,
-      ],
-      { allowFailure: true }
-    ).success
-  ) {
-    return;
-  }
-
-  gcloud([
-    "iam",
-    "workload-identity-pools",
-    "providers",
-    "create-oidc",
-    config.workloadIdentityProviderId,
-    "--project",
-    config.project.id,
-    "--location",
-    "global",
-    "--workload-identity-pool",
-    config.workloadIdentityPoolId,
-    "--display-name",
-    `${config.serviceName} GitHub`,
-    "--issuer-uri",
-    "https://token.actions.githubusercontent.com",
-    "--attribute-mapping",
-    "google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner",
-    "--attribute-condition",
-    `assertion.repository=='${config.github.repo}'`,
+    config.region,
+    "--uniform-bucket-level-access",
   ]);
 }
 
-export function deleteWorkloadIdentityProvider() {
-  gcloud(
-    [
-      "iam",
-      "workload-identity-pools",
-      "providers",
-      "delete",
-      config.workloadIdentityProviderId,
-      "--project",
-      config.project.id,
-      "--location",
-      "global",
-      "--workload-identity-pool",
-      config.workloadIdentityPoolId,
-      "--quiet",
-    ],
-    { allowFailure: true }
-  );
-}
-
-export function setGithubVariable(name: string, value: string) {
-  gh(["variable", "set", name, "--repo", config.github.repo, "--body", value]);
-}
-
-export function deleteGithubVariable(name: string) {
-  gh(["variable", "delete", name, "--repo", config.github.repo], { allowFailure: true });
-}
-
-export function deleteGithubRepository() {
-  gh(["repo", "delete", config.github.repo, "--yes"]);
+export function projectNumber() {
+  return gcloud(["projects", "describe", config.project.id, "--format=value(projectNumber)"]).stdout;
 }
 
 export function imageTag() {
@@ -408,7 +330,6 @@ export function parseDeployArgs(argv: string[]): DeployArgs {
 export function parseCleanupArgs(argv: string[]): CleanupArgs {
   const parsed: CleanupArgs = {
     destroyProject: false,
-    destroyRepo: false,
   };
 
   for (const token of argv) {
@@ -416,11 +337,6 @@ export function parseCleanupArgs(argv: string[]): CleanupArgs {
       parsed.destroyProject = true;
       continue;
     }
-
-    if (token === "--repo") {
-      parsed.destroyRepo = true;
-      continue;
-    }
   }
 
   return parsed;
@@ -458,6 +374,19 @@ export function resolveDeploymentTarget(environment: DeployArgs["environment"],
   };
 }
 
+export function runtimeSecretNames(target: DeploymentTarget) {
+  return {
+    CLERK_SECRET_KEY: `${target.serviceName}-clerk-secret-key`,
+    CLERK_WEBHOOK_SECRET: `${target.serviceName}-clerk-webhook-secret`,
+    STRIPE_SECRET_KEY: `${target.serviceName}-stripe-secret-key`,
+    STRIPE_WEBHOOK_SECRET: `${target.serviceName}-stripe-webhook-secret`,
+    REVENUECAT_API_KEY: `${target.serviceName}-revenuecat-api-key`,
+    REVENUECAT_WEBHOOK_SECRET: `${target.serviceName}-revenuecat-webhook-secret`,
+    RESEND_API_KEY: `${target.serviceName}-resend-api-key`,
+    POSTHOG_API_KEY: `${target.serviceName}-posthog-api-key`,
+  } as const;
+}
+
 export async function renderManifest(image: string, target: DeploymentTarget) {
   const template = await Bun.file(new URL("../../service.yaml", import.meta.url)).text();
   const values = {
@@ -465,8 +394,11 @@ export async function renderManifest(image: string, target: DeploymentTarget) {
     RUNTIME_SERVICE_ACCOUNT: config.runtimeServiceAccount,
     IMAGE_URL: image,
     DATABASE_URL_SECRET: target.databaseSecretName,
+    ...runtimeSecretNames(target),
     SERVICE_RUNTIME: config.runtime,
     SERVICE_FRAMEWORK: config.framework,
+    ATTACHMENT_BUCKET: config.storage.attachmentBucket,
+    ATTACHMENT_PUBLIC_BASE_URL: config.storage.attachmentPublicBaseUrl,
   };
 
   return template.replace(/\$\{([A-Z0-9_]+)\}/g, (_, key: string) => {
@@ -491,6 +423,50 @@ export function serviceUrl(serviceName: string) {
   ).stdout;
 }
 
+export function serviceDomain(target: DeploymentTarget) {
+  if (target.environment === "main") {
+    return config.domain.hostname;
+  }
+
+  return `${target.serviceName}-${config.project.id}-${config.region}.a.run.app`;
+}
+
+export function serviceOrigin(target: DeploymentTarget) {
+  if (target.environment === "main") {
+    return `https://${config.domain.hostname}`;
+  }
+
+  const url = serviceUrl(target.serviceName);
+  return url || `https://${serviceDomain(target)}`;
+}
+
+export function ensureProductionDomainMapping(serviceName: string) {
+  if (gcloud(["beta", "run", "domain-mappings", "describe", "--domain", config.domain.hostname, "--project", config.project.id], { allowFailure: true }).success) {
+    return;
+  }
+
+  gcloud([
+    "beta",
+    "run",
+    "domain-mappings",
+    "create",
+    "--service",
+    serviceName,
+    "--domain",
+    config.domain.hostname,
+    "--project",
+    config.project.id,
+    "--region",
+    config.region,
+  ]);
+}
+
+export function deleteProductionDomainMapping() {
+  gcloud(["beta", "run", "domain-mappings", "delete", "--domain", config.domain.hostname, "--project", config.project.id, "--quiet"], {
+    allowFailure: true,
+  });
+}
+
 export function listCloudRunServices() {
   return gcloud(["run", "services", "list", "--project", config.project.id, "--region", config.region, "--format=value(metadata.name)"]).stdout
     .split("\n")

package/templates/shared/scripts/cloudrun/neon.ts

@@ -1,11 +1,28 @@
 import { createApiClient } from "@neondatabase/api-client";
+import { homedir } from "node:os";
+import { join } from "node:path";
 import { config } from "./config";
 
+type NeonProject = {
+  id: string;
+  name: string;
+};
+
 type NeonBranch = {
   id: string;
   name: string;
 };
 
+type ResolvedNeonConfig = {
+  projectId: string;
+  baseBranchId: string;
+  baseBranchName: string;
+  databaseName: string;
+  roleName: string;
+  previewBranchPrefix: string;
+  personalBranchPrefix: string;
+};
+
 async function resolveNeonApiKey() {
   const direct = process.env.NEON_API_KEY?.trim();
   if (direct) {
@@ -13,13 +30,13 @@ async function resolveNeonApiKey() {
   }
 
   const addr = process.env.VAULT_ADDR?.trim() ?? "";
-  const token = process.env.VAULT_TOKEN?.trim() ?? "";
+  const token = await resolveVaultToken();
   const mount = process.env.VAULT_SECRET_MOUNT?.trim() ?? "secret";
-  const path = process.env.VAULT_NEON_API_KEY_PATH?.trim() ?? "provider/neon-api-key";
-  const field = process.env.VAULT_NEON_API_KEY_FIELD?.trim() ?? "value";
+  const path = process.env.VAULT_NEON_API_KEY_PATH?.trim() ?? "prod/providers/neon";
+  const field = process.env.VAULT_NEON_API_KEY_FIELD?.trim() ?? "api_key";
 
   if (!addr || !token) {
-    throw new Error("NEON_API_KEY is required for Neon provisioning, or set VAULT_ADDR and VAULT_TOKEN");
+    throw new Error("NEON_API_KEY is required for Neon provisioning, or set VAULT_ADDR with VAULT_TOKEN, VAULT_TOKEN_FILE, or ~/.vault-token");
   }
 
   const normalizedAddr = addr.replace(/\/+$/g, "");
@@ -49,20 +66,88 @@ async function resolveNeonApiKey() {
   return apiKey;
 }
 
+async function resolveVaultToken() {
+  const direct = process.env.VAULT_TOKEN?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(process.env.HOME?.trim() || homedir(), ".vault-token");
+
+  try {
+    return (await Bun.file(tokenFile).text()).trim();
+  } catch {
+    return "";
+  }
+}
+
 async function neonClient() {
   const apiKey = await resolveNeonApiKey();
   return createApiClient({ apiKey });
 }
 
+export async function listProjects() {
+  const payload = await (await neonClient()).listProjects({ limit: 100 });
+  const projects = ((payload.data as { projects?: Array<{ id?: string; name?: string }> } | undefined)?.projects ?? []);
+  return projects
+    .map((project: { id?: string; name?: string }) => ({
+      id: project.id ?? "",
+      name: project.name ?? project.id ?? "",
+    }))
+    .filter((project: NeonProject): project is NeonProject => Boolean(project.id))
+    .sort((left: NeonProject, right: NeonProject) => left.name.localeCompare(right.name));
+}
+
 export async function listBranches(projectId: string) {
   const payload = await (await neonClient()).listProjectBranches({ projectId });
-  return (payload.branches ?? [])
-    .map((branch) => ({
+  const branches = ((payload.data as { branches?: Array<{ id?: string; name?: string }> } | undefined)?.branches ?? []);
+  return branches
+    .map((branch: { id?: string; name?: string }) => ({
       id: branch.id ?? "",
       name: branch.name ?? branch.id ?? "",
     }))
-    .filter((branch): branch is NeonBranch => Boolean(branch.id))
-    .sort((left, right) => left.name.localeCompare(right.name));
+    .filter((branch: NeonBranch): branch is NeonBranch => Boolean(branch.id))
+    .sort((left: NeonBranch, right: NeonBranch) => left.name.localeCompare(right.name));
+}
+
+export async function resolveNeonConfig(): Promise<ResolvedNeonConfig> {
+  const configuredProjectId = config.neon.projectId.trim();
+  const configuredBaseBranchId = config.neon.baseBranchId.trim();
+  const configuredBaseBranchName = config.neon.baseBranchName.trim() || "main";
+
+  if (configuredProjectId && configuredBaseBranchId) {
+    return {
+      projectId: configuredProjectId,
+      baseBranchId: configuredBaseBranchId,
+      baseBranchName: configuredBaseBranchName,
+      databaseName: config.neon.databaseName,
+      roleName: config.neon.roleName,
+      previewBranchPrefix: config.neon.previewBranchPrefix,
+      personalBranchPrefix: config.neon.personalBranchPrefix,
+    };
+  }
+
+  const projects = await listProjects();
+  const project = projects[0];
+  if (!project) {
+    throw new Error(`No Neon projects are available for ${config.serviceName}`);
+  }
+
+  const branches = await listBranches(project.id);
+  const branch = branches.find((candidate) => candidate.name === configuredBaseBranchName) ?? branches[0];
+  if (!branch) {
+    throw new Error(`No Neon branches are available in project ${project.id}`);
+  }
+
+  return {
+    projectId: project.id,
+    baseBranchId: branch.id,
+    baseBranchName: branch.name,
+    databaseName: config.neon.databaseName,
+    roleName: config.neon.roleName,
+    previewBranchPrefix: config.neon.previewBranchPrefix,
+    personalBranchPrefix: config.neon.personalBranchPrefix,
+  };
 }
 
 export async function ensureDatabase(projectId: string, branchId: string, databaseName: string) {
@@ -81,6 +166,7 @@ export async function ensureDatabase(projectId: string, branchId: string, databa
   await client.createProjectBranchDatabase(projectId, branchId, {
     database: {
       name: databaseName,
+      owner_name: config.neon.roleName,
     },
   });
 }
@@ -110,12 +196,12 @@ export async function ensureBranch(projectId: string, branchName: string, parent
     },
     endpoints: [
       {
-        type: "read_write",
+        type: "read_write" as never,
       },
     ],
   });
 
-  const branch = payload.branch;
+  const branch = (payload.data as { branch?: { id?: string; name?: string } } | undefined)?.branch;
   if (!branch?.id) {
     throw new Error(`Neon did not return a branch for ${branchName}`);
   }
@@ -141,12 +227,12 @@ export async function deleteBranch(projectId: string, branchId: string) {
 export async function getConnectionUri(projectId: string, branchId: string, databaseName: string, roleName: string) {
   const payload = await (await neonClient()).getConnectionUri({
     projectId,
-    branchId,
-    databaseName,
-    roleName,
+    branch_id: branchId,
+    database_name: databaseName,
+    role_name: roleName,
   });
 
-  const uri = payload.uri;
+  const uri = (payload.data as { uri?: string } | undefined)?.uri;
   if (!uri) {
     throw new Error(`Neon did not return a connection URI for ${databaseName} in ${config.serviceName}`);
   }

package/templates/shared/service.yaml

@@ -22,7 +22,50 @@ spec:
                 secretKeyRef:
                   name: ${DATABASE_URL_SECRET}
                   key: latest
+            - name: CLERK_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ${CLERK_SECRET_KEY}
+                  key: latest
+            - name: CLERK_WEBHOOK_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: ${CLERK_WEBHOOK_SECRET}
+                  key: latest
+            - name: STRIPE_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ${STRIPE_SECRET_KEY}
+                  key: latest
+            - name: STRIPE_WEBHOOK_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: ${STRIPE_WEBHOOK_SECRET}
+                  key: latest
+            - name: REVENUECAT_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ${REVENUECAT_API_KEY}
+                  key: latest
+            - name: REVENUECAT_WEBHOOK_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: ${REVENUECAT_WEBHOOK_SECRET}
+                  key: latest
+            - name: RESEND_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ${RESEND_API_KEY}
+                  key: latest
+            - name: POSTHOG_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: ${POSTHOG_API_KEY}
+                  key: latest
+            - name: ATTACHMENT_BUCKET
+              value: ${ATTACHMENT_BUCKET}
+            - name: ATTACHMENT_PUBLIC_BASE_URL
+              value: ${ATTACHMENT_PUBLIC_BASE_URL}
   traffic:
     - latestRevision: true
       percent: 100
-

package/templates/variants/bun-connectrpc/Dockerfile

@@ -5,6 +5,7 @@ WORKDIR /app
 COPY package.json ./
 RUN bun install --production
 
+COPY gen ./gen
 COPY src ./src
 
 ENV PORT=8080

package/templates/variants/bun-connectrpc/Makefile

@@ -1,10 +1,13 @@
-.PHONY: dev gen lint test bootstrap deploy cleanup
+.PHONY: dev migrate gen lint test bootstrap deploy cleanup
 
 CLOUDRUN := npx --no-install svc-cloudrun
 
 dev:
 	bun run ./src/index.ts
 
+migrate:
+	bun run ./scripts/migrate.ts
+
 gen:
 	bun run ./scripts/codegen.ts