create-svc 0.1.9 → 0.1.11

package/templates/root/scripts/cloudrun/lib.ts

@@ -1,244 +0,0 @@
-import { config, manifestEnv } from "./config";
-
-type CommandOptions = {
-  allowFailure?: boolean;
-  capture?: boolean;
-  input?: string;
-};
-
-const decoder = new TextDecoder();
-
-export function requireCommand(name: string) {
-  if (!Bun.which(name)) {
-    throw new Error(`missing required command: ${name}`);
-  }
-}
-
-export function run(command: string, args: string[], options: CommandOptions = {}) {
-  const result = Bun.spawnSync([command, ...args], {
-    cwd: process.cwd(),
-    env: process.env,
-    stdin: options.input,
-    stdout: options.capture || options.allowFailure ? "pipe" : "inherit",
-    stderr: options.capture || options.allowFailure ? "pipe" : "inherit",
-  });
-
-  const stdout = result.stdout ? decoder.decode(result.stdout).trim() : "";
-  const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
-
-  if (!result.success && !options.allowFailure) {
-    throw new Error([`command failed: ${command} ${args.join(" ")}`, stdout, stderr].filter(Boolean).join("\n"));
-  }
-
-  return {
-    success: result.success,
-    stdout,
-    stderr,
-    exitCode: result.exitCode,
-  };
-}
-
-export function gcloud(args: string[], options: CommandOptions = {}) {
-  return run("gcloud", args, options);
-}
-
-export function gh(args: string[], options: CommandOptions = {}) {
-  return run("gh", args, options);
-}
-
-export function ensureServiceAccount(email: string) {
-  if (gcloud(["iam", "service-accounts", "describe", email, "--project", config.projectId], { allowFailure: true }).success) {
-    return;
-  }
-
-  const accountId = email.split("@")[0] ?? email;
-  gcloud(["iam", "service-accounts", "create", accountId, "--project", config.projectId, "--display-name", accountId]);
-}
-
-export function ensureProjectRole(member: string, role: string) {
-  gcloud(["projects", "add-iam-policy-binding", config.projectId, "--member", member, "--role", role]);
-}
-
-export function ensureServiceAccountRole(serviceAccount: string, member: string, role: string) {
-  gcloud([
-    "iam",
-    "service-accounts",
-    "add-iam-policy-binding",
-    serviceAccount,
-    "--project",
-    config.projectId,
-    "--member",
-    member,
-    "--role",
-    role,
-  ]);
-}
-
-export function ensureSecret(secretName: string, bootstrapEnv: string) {
-  if (gcloud(["secrets", "describe", secretName, "--project", config.projectId], { allowFailure: true }).success) {
-    return;
-  }
-
-  const value = process.env[bootstrapEnv]?.trim() ?? "";
-  if (!value) {
-    throw new Error(`missing bootstrap value for secret ${secretName}; set ${bootstrapEnv}`);
-  }
-
-  gcloud(["secrets", "create", secretName, "--project", config.projectId, "--replication-policy", "automatic"]);
-  gcloud(["secrets", "versions", "add", secretName, "--project", config.projectId, "--data-file=-"], { input: value });
-}
-
-export function ensureSecretAccessor(secretName: string, member: string) {
-  gcloud(["secrets", "add-iam-policy-binding", secretName, "--project", config.projectId, "--member", member, "--role", "roles/secretmanager.secretAccessor"]);
-}
-
-export function projectNumber() {
-  return gcloud(["projects", "describe", config.projectId, "--format=value(projectNumber)"], { capture: true }).stdout;
-}
-
-export function workloadIdentityPoolResource() {
-  return `projects/${projectNumber()}/locations/global/workloadIdentityPools/${config.workloadIdentityPoolId}`;
-}
-
-export function workloadIdentityProviderResource() {
-  return `${workloadIdentityPoolResource()}/providers/${config.workloadIdentityProviderId}`;
-}
-
-export function ensureWorkloadIdentityPool() {
-  if (
-    gcloud(["iam", "workload-identity-pools", "describe", config.workloadIdentityPoolId, "--project", config.projectId, "--location", "global"], {
-      allowFailure: true,
-    }).success
-  ) {
-    return;
-  }
-
-  gcloud([
-    "iam",
-    "workload-identity-pools",
-    "create",
-    config.workloadIdentityPoolId,
-    "--project",
-    config.projectId,
-    "--location",
-    "global",
-    "--display-name",
-    "GitHub Actions",
-  ]);
-}
-
-export function ensureWorkloadIdentityProvider() {
-  if (
-    gcloud(
-      [
-        "iam",
-        "workload-identity-pools",
-        "providers",
-        "describe",
-        config.workloadIdentityProviderId,
-        "--project",
-        config.projectId,
-        "--location",
-        "global",
-        "--workload-identity-pool",
-        config.workloadIdentityPoolId,
-      ],
-      { allowFailure: true }
-    ).success
-  ) {
-    return;
-  }
-
-  gcloud([
-    "iam",
-    "workload-identity-pools",
-    "providers",
-    "create-oidc",
-    config.workloadIdentityProviderId,
-    "--project",
-    config.projectId,
-    "--location",
-    "global",
-    "--workload-identity-pool",
-    config.workloadIdentityPoolId,
-    "--display-name",
-    `${config.serviceName} GitHub`,
-    "--issuer-uri",
-    "https://token.actions.githubusercontent.com",
-    "--attribute-mapping",
-    "google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner",
-    "--attribute-condition",
-    `assertion.repository=='${config.githubRepo}'`,
-  ]);
-}
-
-export function setGithubVariable(name: string, value: string) {
-  gh(["variable", "set", name, "--repo", config.githubRepo, "--body", value]);
-}
-
-export function setGithubSecret(name: string, value: string) {
-  gh(["secret", "set", name, "--repo", config.githubRepo], { input: value });
-}
-
-export function ensureArtifactRepository() {
-  if (
-    gcloud(
-      ["artifacts", "repositories", "describe", config.artifactRepository, "--project", config.projectId, "--location", config.region],
-      { allowFailure: true }
-    ).success
-  ) {
-    return;
-  }
-
-  gcloud([
-    "artifacts",
-    "repositories",
-    "create",
-    config.artifactRepository,
-    "--project",
-    config.projectId,
-    "--location",
-    config.region,
-    "--repository-format",
-    "docker",
-  ]);
-}
-
-export function imageTag() {
-  const gitSha = run("git", ["rev-parse", "--short", "HEAD"], { allowFailure: true, capture: true }).stdout;
-  return gitSha || `${Date.now()}`;
-}
-
-export function imageUrl(tag = imageTag()) {
-  return `${config.region}-docker.pkg.dev/${config.projectId}/${config.artifactRepository}/${config.serviceName}:${tag}`;
-}
-
-export async function renderManifest(image: string) {
-  const template = await Bun.file(new URL("../../service.yaml", import.meta.url)).text();
-  const values = {
-    ...manifestEnv,
-    IMAGE_URL: image,
-  };
-
-  return template.replace(/\$\{([A-Z0-9_]+)\}/g, (_, key: string) => {
-    const value = values[key as keyof typeof values];
-    if (!value) {
-      throw new Error(`missing manifest value for ${key}`);
-    }
-    return value;
-  });
-}
-
-export async function writeRenderedManifest(image: string) {
-  const rendered = await renderManifest(image);
-  const path = new URL("../../.cloudrun.rendered.yaml", import.meta.url);
-  await Bun.write(path, rendered);
-  return path;
-}
-
-export function serviceUrl() {
-  return gcloud(
-    ["run", "services", "describe", config.serviceName, "--project", config.projectId, "--region", config.region, "--format=value(status.url)"],
-    { capture: true }
-  ).stdout;
-}

package/templates/root/service.yaml

@@ -1,50 +0,0 @@
-apiVersion: serving.knative.dev/v1
-kind: Service
-metadata:
-  name: ${SERVICE_NAME}
-  annotations:
-    run.googleapis.com/ingress: all
-spec:
-  template:
-    spec:
-      serviceAccountName: ${RUNTIME_SERVICE_ACCOUNT}
-      containerConcurrency: 80
-      containers:
-        - image: ${IMAGE_URL}
-          ports:
-            - name: h2c
-              containerPort: 8080
-          env:
-            - name: VAULT_ADDR
-              value: ${VAULT_ADDR}
-            - name: VAULT_SECRET_PATH
-              value: ${VAULT_SECRET_PATH}
-            - name: VAULT_SECRET_KEY
-              value: ${VAULT_SECRET_KEY}
-            - name: CLOUDFLARE_ZONE_ID
-              value: ${CLOUDFLARE_ZONE_ID}
-            - name: VAULT_ROLE_ID_FILE
-              value: /var/run/secrets/vault-role-id/value
-            - name: VAULT_SECRET_ID_FILE
-              value: /var/run/secrets/vault-secret-id/value
-          volumeMounts:
-            - name: vault-role-id
-              mountPath: /var/run/secrets/vault-role-id
-            - name: vault-secret-id
-              mountPath: /var/run/secrets/vault-secret-id
-      volumes:
-        - name: vault-role-id
-          secret:
-            secretName: ${VAULT_ROLE_ID_SECRET}
-            items:
-              - key: latest
-                path: value
-        - name: vault-secret-id
-          secret:
-            secretName: ${VAULT_SECRET_ID_SECRET}
-            items:
-              - key: latest
-                path: value
-  traffic:
-    - latestRevision: true
-      percent: 100

package/templates/root/test/go.test.ts

@@ -1,19 +0,0 @@
-import { expect, test } from "bun:test";
-
-const decoder = new TextDecoder();
-
-test(
-  "go test ./...",
-  { timeout: 60_000 },
-  () => {
-  const result = Bun.spawnSync(["go", "test", "./..."], {
-    cwd: process.cwd(),
-    stdout: "pipe",
-    stderr: "pipe",
-    env: process.env,
-  });
-
-  const output = [decoder.decode(result.stdout), decoder.decode(result.stderr)].join("").trim();
-  expect(result.exitCode, output || "go test ./... failed").toBe(0);
-  }
-);

package/templates/shared/.env.example

@@ -1,10 +0,0 @@
-# Stable repo-local settings for Neon admin key lookup via Vault.
-# Copy to .env.local and adjust as needed.
-
-VAULT_ADDR=https://vault.example.com
-VAULT_SECRET_MOUNT=secret
-VAULT_NEON_API_KEY_PATH=provider/neon-api-key
-VAULT_NEON_API_KEY_FIELD=value
-
-# Do not commit VAULT_TOKEN. Prefer `vault login`; the CLI will also use
-# VAULT_TOKEN_FILE or ~/.vault-token when available.

package/templates/variants/go-chi/buf.gen.yaml

@@ -1,10 +0,0 @@
-version: v2
-plugins:
-  - local: protoc-gen-go
-    out: gen
-    opt:
-      - paths=source_relative
-  - local: protoc-gen-connect-go
-    out: gen
-    opt:
-      - paths=source_relative

package/templates/variants/go-chi/buf.yaml

@@ -1,9 +0,0 @@
-version: v2
-modules:
-  - path: protos
-lint:
-  use:
-    - STANDARD
-breaking:
-  use:
-    - FILE