firebase-tools 10.4.1 → 10.6.0

package/lib/bin/firebase.js

@@ -20,7 +20,7 @@ marked.setOptions({
     renderer: new TerminalRenderer(),
 });
 const updateMessage = `Update available ${clc.xterm(240)("{currentVersion}")} → ${clc.green("{latestVersion}")}\n` +
-    `To update to the latest version using npm, run ${clc.cyan("npm install -g firebase-tools")}\n` +
+    `To update to the latest version using npm, run\n${clc.cyan("npm install -g firebase-tools")}\n` +
     `For other CLI management options, visit the ${marked("[CLI documentation](https://firebase.google.com/docs/cli#update-cli)")}`;
 updateNotifier.notify({ defer: true, isGlobal: true, message: updateMessage });
 const client = require("..");

package/lib/commands/emulators-start.js

@@ -8,6 +8,7 @@ const registry_1 = require("../emulator/registry");
 const types_1 = require("../emulator/types");
 const clc = require("cli-color");
 const constants_1 = require("../emulator/constants");
+const utils_1 = require("../utils");
 const Table = require("cli-table");
 function stylizeLink(url) {
     return clc.underline(clc.bold(url));
@@ -22,8 +23,9 @@ module.exports = new command_1.Command("emulators:start")
     .option(commandUtils.FLAG_EXPORT_ON_EXIT, commandUtils.DESC_EXPORT_ON_EXIT)
     .action(async (options) => {
     const killSignalPromise = commandUtils.shutdownWhenKilled(options);
+    let deprecationNotices;
     try {
-        await controller.startAll(options);
+        ({ deprecationNotices } = await controller.startAll(options));
     }
     catch (e) {
         await controller.cleanShutdown();
@@ -85,5 +87,8 @@ ${clc.blackBright("  Other reserved ports:")} ${reservedPortsString}
 
 Issues? Report them at ${stylizeLink("https://github.com/firebase/firebase-tools/issues")} and attach the *-debug.log files.
  `);
+    for (const notice of deprecationNotices) {
+        (0, utils_1.logLabeledWarning)("emulators", notice, "warn");
+    }
     await killSignalPromise;
 });

package/lib/commands/ext-configure.js

@@ -35,7 +35,7 @@ exports.default = new command_1.Command("ext:configure <extensionInstanceId>")
     .before(extensionsHelper_1.diagnoseAndFixProject)
     .action(async (instanceId, options) => {
     var _a;
-    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const projectId = (0, projectUtils_1.getProjectId)(options);
     if (options.local) {
         if (options.nonInteractive) {
             throw new error_1.FirebaseError(`Command not supported in non-interactive mode, edit ./extensions/${instanceId}.env directly instead`);
@@ -77,7 +77,7 @@ exports.default = new command_1.Command("ext:configure <extensionInstanceId>")
     try {
         let existingInstance;
         try {
-            existingInstance = await extensionsApi.getInstance(projectId, instanceId);
+            existingInstance = await extensionsApi.getInstance((0, projectUtils_1.needProjectId)({ projectId }), instanceId);
         }
         catch (err) {
             if (err.status === 404) {
@@ -113,13 +113,13 @@ exports.default = new command_1.Command("ext:configure <extensionInstanceId>")
         }
         spinner.start();
         const res = await extensionsApi.configureInstance({
-            projectId,
+            projectId: (0, projectUtils_1.needProjectId)({ projectId }),
             instanceId,
             params: paramBindings,
         });
         spinner.stop();
         utils.logLabeledSuccess(extensionsHelper_1.logPrefix, `successfully configured ${clc.bold(instanceId)}.`);
-        utils.logLabeledBullet(extensionsHelper_1.logPrefix, marked(`You can view your reconfigured instance in the Firebase console: ${utils.consoleUrl(projectId, `/extensions/instances/${instanceId}?tab=config`)}`));
+        utils.logLabeledBullet(extensionsHelper_1.logPrefix, marked(`You can view your reconfigured instance in the Firebase console: ${utils.consoleUrl((0, projectUtils_1.needProjectId)({ projectId }), `/extensions/instances/${instanceId}?tab=config`)}`));
         manifest.showDeprecationWarning();
         return res;
     }

package/lib/commands/ext-dev-emulators-start.js

@@ -19,9 +19,10 @@ module.exports = new command_1.Command("ext:dev:emulators:start")
     .action(async (options) => {
     const killSignalPromise = commandUtils.shutdownWhenKilled(options);
     const emulatorOptions = await optionsHelper.buildOptions(options);
+    let deprecationNotices;
     try {
         commandUtils.beforeEmulatorCommand(emulatorOptions);
-        await controller.startAll(emulatorOptions);
+        ({ deprecationNotices } = await controller.startAll(emulatorOptions));
     }
     catch (e) {
         await controller.cleanShutdown();
@@ -31,5 +32,8 @@ module.exports = new command_1.Command("ext:dev:emulators:start")
         throw e;
     }
     utils.logSuccess("All emulators ready, it is now safe to connect.");
+    for (const notice of deprecationNotices) {
+        utils.logLabeledWarning("emulators", notice, "warn");
+    }
     await killSignalPromise;
 });

package/lib/commands/ext-install.js

@@ -47,7 +47,7 @@ exports.default = new command_1.Command("ext:install [extensionName]")
     .before(extensionsHelper_1.diagnoseAndFixProject)
     .action(async (extensionName, options) => {
     var _a;
-    const projectId = (0, projectUtils_1.needProjectId)(options);
+    const projectId = (0, projectUtils_1.getProjectId)(options);
     const paramsEnvPath = ((_a = options.params) !== null && _a !== void 0 ? _a : "");
     let learnMore = false;
     if (!extensionName) {
@@ -71,7 +71,7 @@ exports.default = new command_1.Command("ext:install [extensionName]")
         if (options.local) {
             throw new error_1.FirebaseError("Installing a local source locally is not supported yet, please use ext:dev:emulator commands");
         }
-        source = await infoInstallBySource(projectId, extensionName);
+        source = await infoInstallBySource((0, projectUtils_1.needProjectId)({ projectId }), extensionName);
     }
     else {
         void (0, track_1.track)("Extension Install", "Install by Extension Ref", options.interactive ? 1 : 0);
@@ -120,7 +120,7 @@ exports.default = new command_1.Command("ext:install [extensionName]")
     try {
         return installExtension({
             paramsEnvPath,
-            projectId,
+            projectId: projectId,
             extensionName,
             source,
             extVersion,
@@ -195,7 +195,8 @@ async function installToManifest(options) {
     manifest.showPreviewWarning();
 }
 async function installExtension(options) {
-    const { projectId, extensionName, source, extVersion, paramsEnvPath, nonInteractive, force } = options;
+    const { extensionName, source, extVersion, paramsEnvPath, nonInteractive, force } = options;
+    const projectId = (0, projectUtils_1.needProjectId)({ projectId: options.projectId });
     const spec = (source === null || source === void 0 ? void 0 : source.spec) || (extVersion === null || extVersion === void 0 ? void 0 : extVersion.spec);
     if (!spec) {
         throw new error_1.FirebaseError(`Could not find the extension.yaml for ${extensionName}. Please make sure this is a valid extension and try again.`);

package/lib/commands/ext-update.js

@@ -42,8 +42,8 @@ exports.default = new command_1.Command("ext:update <extensionInstanceId> [updat
     .option("--local", "save the update to firebase.json rather than directly update an existing Extension instance on a Firebase project")
     .action(async (instanceId, updateSource, options) => {
     var _a, _b;
-    const projectId = (0, projectUtils_1.needProjectId)(options);
     if (options.local) {
+        const projectId = (0, projectUtils_1.getProjectId)(options);
         const config = manifest.loadConfig(options);
         const oldRef = manifest.getInstanceRef(instanceId, config);
         const oldExtensionVersion = await extensionsApi.getExtensionVersion(refs.toExtensionVersionRef(oldRef));
@@ -95,6 +95,7 @@ exports.default = new command_1.Command("ext:update <extensionInstanceId> [updat
     }
     const spinner = ora(`Updating ${clc.bold(instanceId)}. This usually takes 3 to 5 minutes...`);
     try {
+        const projectId = (0, projectUtils_1.needProjectId)(options);
         let existingInstance;
         try {
             existingInstance = await extensionsApi.getInstance(projectId, instanceId);

package/lib/commands/functions-secrets-destroy.js

@@ -1,21 +1,41 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const command_1 = require("../command");
-const logger_1 = require("../logger");
 const projectUtils_1 = require("../projectUtils");
 const secretManager_1 = require("../gcp/secretManager");
 const prompt_1 = require("../prompt");
+const utils_1 = require("../utils");
 const secrets = require("../functions/secrets");
+const backend = require("../deploy/functions/backend");
 exports.default = new command_1.Command("functions:secrets:destroy <KEY>[@version]")
     .description("Destroy a secret. Defaults to destroying the latest version.")
     .withForce("Destroys a secret without confirmation.")
     .action(async (key, options) => {
     const projectId = (0, projectUtils_1.needProjectId)(options);
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+    const haveBackend = await backend.existingBackend({ projectId });
     let [name, version] = key.split("@");
     if (!version) {
         version = "latest";
     }
     const sv = await (0, secretManager_1.getSecretVersion)(projectId, name, version);
+    if (sv.state === "DESTROYED") {
+        (0, utils_1.logBullet)(`Secret ${sv.secret.name}@${version} is already destroyed. Nothing to do.`);
+        return;
+    }
+    const boundEndpoints = backend
+        .allEndpoints(haveBackend)
+        .filter((e) => secrets.inUse({ projectId, projectNumber }, sv.secret, e));
+    if (boundEndpoints.length > 0) {
+        const endpointsMsg = boundEndpoints
+            .map((e) => `${e.id}[${e.platform}](${e.region})`)
+            .join("\t\n");
+        (0, utils_1.logWarning)(`Secret ${name}@${version} is currently in use by following functions:\n\t${endpointsMsg}`);
+        if (!options.force) {
+            (0, utils_1.logWarning)("Refusing to destroy secret in use. Use -f to destroy the secret anyway.");
+            return;
+        }
+    }
     if (!options.force) {
         const confirm = await (0, prompt_1.promptOnce)({
             name: "destroy",
@@ -28,12 +48,12 @@ exports.default = new command_1.Command("functions:secrets:destroy <KEY>[@versio
         }
     }
     await (0, secretManager_1.destroySecretVersion)(projectId, name, version);
-    logger_1.logger.info(`Destroyed secret version ${name}@${sv.versionId}`);
+    (0, utils_1.logBullet)(`Destroyed secret version ${name}@${sv.versionId}`);
     const secret = await (0, secretManager_1.getSecret)(projectId, name);
     if (secrets.isFirebaseManaged(secret)) {
         const versions = await (0, secretManager_1.listSecretVersions)(projectId, name);
         if (versions.filter((v) => v.state === "ENABLED").length === 0) {
-            logger_1.logger.info(`No active secret versions left. Destroying secret ${name}`);
+            (0, utils_1.logBullet)(`No active secret versions left. Destroying secret ${name}`);
             await (0, secretManager_1.deleteSecret)(projectId, name);
         }
     }

package/lib/commands/functions-secrets-prune.js

@@ -10,6 +10,7 @@ const utils_1 = require("../utils");
 const prompt_1 = require("../prompt");
 const secretManager_1 = require("../gcp/secretManager");
 exports.default = new command_1.Command("functions:secrets:prune")
+    .withForce("Destroys unused secrets without prompt")
     .description("Destroys unused secrets")
     .before(requirePermissions_1.requirePermissions, [
     "cloudfunctions.functions.list",
@@ -32,18 +33,20 @@ exports.default = new command_1.Command("functions:secrets:prune")
     }
     (0, utils_1.logBullet)(`Found ${pruned.length} unused active secret versions:\n\t` +
         pruned.map((sv) => `${sv.secret}@${sv.version}`).join("\n\t"));
-    const confirm = await (0, prompt_1.promptOnce)({
-        name: "destroy",
-        type: "confirm",
-        default: true,
-        message: `Do you want to destroy unused secret versions?`,
-    }, options);
-    if (!confirm) {
-        (0, utils_1.logBullet)("Run the following commands to destroy each unused secret version:\n\t" +
-            pruned
-                .map((sv) => `firebase functions:secrets:destroy ${sv.secret}@${sv.version}`)
-                .join("\n\t"));
-        return;
+    if (!options.force) {
+        const confirm = await (0, prompt_1.promptOnce)({
+            name: "destroy",
+            type: "confirm",
+            default: true,
+            message: `Do you want to destroy unused secret versions?`,
+        }, options);
+        if (!confirm) {
+            (0, utils_1.logBullet)("Run the following commands to destroy each unused secret version:\n\t" +
+                pruned
+                    .map((sv) => `firebase functions:secrets:destroy ${sv.secret}@${sv.version}`)
+                    .join("\n\t"));
+            return;
+        }
     }
     await Promise.all(pruned.map((sv) => (0, secretManager_1.destroySecretVersion)(projectId, sv.secret, sv.version)));
     (0, utils_1.logSuccess)("Destroyed all unused secrets!");

package/lib/commands/functions-secrets-set.js

@@ -10,9 +10,11 @@ const prompt_1 = require("../prompt");
 const utils_1 = require("../utils");
 const projectUtils_1 = require("../projectUtils");
 const secretManager_1 = require("../gcp/secretManager");
+const secrets = require("../functions/secrets");
+const backend = require("../deploy/functions/backend");
 exports.default = new command_1.Command("functions:secrets:set <KEY>")
-    .description("Create or update a secret for use in Cloud Functions for Firebase")
-    .withForce("Does not ensure input keys are valid or upgrade existing secrets to have Firebase manage them.")
+    .description("Create or update a secret for use in Cloud Functions for Firebase.")
+    .withForce("Automatically updates functions to use the new secret.")
     .before(requirePermissions_1.requirePermissions, [
     "secretmanager.secrets.create",
     "secretmanager.secrets.get",
@@ -22,6 +24,7 @@ exports.default = new command_1.Command("functions:secrets:set <KEY>")
     .option("--data-file <dataFile>", 'File path from which to read secret data. Set to "-" to read the secret data from stdin.')
     .action(async (unvalidatedKey, options) => {
     const projectId = (0, projectUtils_1.needProjectId)(options);
+    const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
     const key = await (0, secrets_1.ensureValidKey)(unvalidatedKey, options);
     const secret = await (0, secrets_1.ensureSecret)(projectId, key, options);
     let secretValue;
@@ -41,6 +44,50 @@ exports.default = new command_1.Command("functions:secrets:set <KEY>")
     }
     const secretVersion = await (0, secretManager_1.addVersion)(projectId, key, secretValue);
     (0, utils_1.logSuccess)(`Created a new secret version ${(0, secretManager_1.toSecretVersionResourceName)(secretVersion)}`);
-    (0, utils_1.logBullet)("Please deploy your functions for the change to take effect by running:\n\t" +
-        clc.bold("firebase deploy --only functions"));
+    if (!secrets.isFirebaseManaged(secret)) {
+        (0, utils_1.logBullet)("Please deploy your functions for the change to take effect by running:\n\t" +
+            clc.bold("firebase deploy --only functions"));
+        return;
+    }
+    const haveBackend = await backend.existingBackend({ projectId });
+    const endpointsToUpdate = backend
+        .allEndpoints(haveBackend)
+        .filter((e) => secrets.inUse({ projectId, projectNumber }, secret, e));
+    if (endpointsToUpdate.length === 0) {
+        return;
+    }
+    (0, utils_1.logBullet)(`${endpointsToUpdate.length} functions are using stale version of secret ${secret.name}:\n\t` +
+        endpointsToUpdate.map((e) => `${e.id}(${e.region})`).join("\n\t"));
+    if (!options.force) {
+        const confirm = await (0, prompt_1.promptOnce)({
+            name: "redeploy",
+            type: "confirm",
+            default: true,
+            message: `Do you want to re-deploy the functions and destroy the stale version of secret ${secret.name}?`,
+        }, options);
+        if (!confirm) {
+            (0, utils_1.logBullet)("Please deploy your functions for the change to take effect by running:\n\t" +
+                clc.bold("firebase deploy --only functions"));
+            return;
+        }
+    }
+    const updateOps = endpointsToUpdate.map(async (e) => {
+        (0, utils_1.logBullet)(`Updating function ${e.id}(${e.region})...`);
+        const updated = await secrets.updateEndpointSecret({ projectId, projectNumber }, secretVersion, e);
+        (0, utils_1.logBullet)(`Updated function ${e.id}(${e.region}).`);
+        return updated;
+    });
+    const updatedEndpoints = await Promise.all(updateOps);
+    (0, utils_1.logBullet)(`Pruning stale secrets...`);
+    const prunedResult = await (0, secrets_1.pruneAndDestroySecrets)({ projectId, projectNumber }, updatedEndpoints);
+    if (prunedResult.destroyed.length > 0) {
+        (0, utils_1.logBullet)(`Detroyed unused secret versions: ${prunedResult.destroyed
+            .map((s) => `${s.secret}@${s.version}`)
+            .join(", ")}`);
+    }
+    if (prunedResult.erred.length > 0) {
+        (0, utils_1.logWarning)(`Failed to destroy unused secret versions:\n\t${prunedResult.erred
+            .map((err) => err.message)
+            .join("\n\t")}`);
+    }
 });

package/lib/deploy/functions/backend.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.compareFunctions = exports.findEventFilter = exports.missingEndpoint = exports.hasEndpoint = exports.regionalEndpoints = exports.matchingBackend = exports.findEndpoint = exports.someEndpoint = exports.allEndpoints = exports.checkAvailability = exports.existingBackend = exports.scheduleIdForFunction = exports.functionName = exports.isEmptyBackend = exports.of = exports.empty = exports.isTaskQueueTriggered = exports.isScheduleTriggered = exports.isEventTriggered = exports.isCallableTriggered = exports.isHttpsTriggered = exports.secretVersionName = exports.SCHEDULED_FUNCTION_LABEL = exports.MIN_MEMORY_FOR_CONCURRENCY = exports.DEFAULT_MEMORY = exports.memoryOptionDisplayName = exports.endpointTriggerType = void 0;
+exports.compareFunctions = exports.missingEndpoint = exports.hasEndpoint = exports.regionalEndpoints = exports.matchingBackend = exports.findEndpoint = exports.someEndpoint = exports.allEndpoints = exports.checkAvailability = exports.existingBackend = exports.scheduleIdForFunction = exports.functionName = exports.isEmptyBackend = exports.of = exports.empty = exports.isTaskQueueTriggered = exports.isScheduleTriggered = exports.isEventTriggered = exports.isCallableTriggered = exports.isHttpsTriggered = exports.secretVersionName = exports.SCHEDULED_FUNCTION_LABEL = exports.MIN_MEMORY_FOR_CONCURRENCY = exports.DEFAULT_MEMORY = exports.memoryOptionDisplayName = exports.endpointTriggerType = void 0;
 const gcf = require("../../gcp/cloudfunctions");
 const gcfV2 = require("../../gcp/cloudfunctionsv2");
 const utils = require("../../utils");
@@ -230,10 +230,6 @@ const missingEndpoint = (backend) => (endpoint) => {
     return !(0, exports.hasEndpoint)(backend)(endpoint);
 };
 exports.missingEndpoint = missingEndpoint;
-function findEventFilter(endpoint, attribute) {
-    return endpoint.eventTrigger.eventFilters.find((ef) => ef.attribute === attribute);
-}
-exports.findEventFilter = findEventFilter;
 function compareFunctions(left, right) {
     if (left.platform !== right.platform) {
         return right.platform < left.platform ? -1 : 1;

package/lib/deploy/functions/checkIam.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureServiceAgentRoles = exports.mergeBindings = exports.checkHttpIam = exports.checkServiceAccountIam = void 0;
+exports.ensureServiceAgentRoles = exports.mergeBindings = exports.obtainEventarcServiceAgentBindings = exports.obtainDefaultComputeServiceAgentBindings = exports.obtainPubSubServiceAgentBindings = exports.obtainBinding = exports.checkHttpIam = exports.checkServiceAccountIam = exports.EVENTARC_SERVICE_AGENT_ROLE = exports.EVENTARC_EVENT_RECEIVER_ROLE = exports.RUN_INVOKER_ROLE = exports.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE = void 0;
 const cli_color_1 = require("cli-color");
 const logger_1 = require("../../logger");
 const functionsDeployHelper_1 = require("./functionsDeployHelper");
@@ -12,6 +12,10 @@ const utils = require("../../utils");
 const resourceManager_1 = require("../../gcp/resourceManager");
 const services_1 = require("./services");
 const PERMISSION = "cloudfunctions.functions.setIamPolicy";
+exports.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE = "roles/iam.serviceAccountTokenCreator";
+exports.RUN_INVOKER_ROLE = "roles/run.invoker";
+exports.EVENTARC_EVENT_RECEIVER_ROLE = "roles/eventarc.eventReceiver";
+exports.EVENTARC_SERVICE_AGENT_ROLE = "roles/eventarc.serviceAgent";
 async function checkServiceAccountIam(projectId) {
     const saEmail = `${projectId}@appspot.gserviceaccount.com`;
     let passed = false;
@@ -67,6 +71,37 @@ function reduceEventsToServices(services, endpoint) {
     }
     return services;
 }
+function obtainBinding(existingPolicy, serviceAccount, role) {
+    let binding = existingPolicy.bindings.find((b) => b.role === role);
+    if (!binding) {
+        binding = {
+            role,
+            members: [],
+        };
+    }
+    if (!binding.members.find((m) => m === serviceAccount)) {
+        binding.members.push(serviceAccount);
+    }
+    return binding;
+}
+exports.obtainBinding = obtainBinding;
+function obtainPubSubServiceAgentBindings(projectNumber, existingPolicy) {
+    const pubsubServiceAgent = `serviceAccount:service-${projectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com`;
+    return [obtainBinding(existingPolicy, pubsubServiceAgent, exports.SERVICE_ACCOUNT_TOKEN_CREATOR_ROLE)];
+}
+exports.obtainPubSubServiceAgentBindings = obtainPubSubServiceAgentBindings;
+function obtainDefaultComputeServiceAgentBindings(projectNumber, existingPolicy) {
+    const defaultComputeServiceAgent = `serviceAccount:${projectNumber}-compute@developer.gserviceaccount.com`;
+    const invokerBinding = obtainBinding(existingPolicy, defaultComputeServiceAgent, exports.RUN_INVOKER_ROLE);
+    const eventReceiverBinding = obtainBinding(existingPolicy, defaultComputeServiceAgent, exports.EVENTARC_EVENT_RECEIVER_ROLE);
+    return [invokerBinding, eventReceiverBinding];
+}
+exports.obtainDefaultComputeServiceAgentBindings = obtainDefaultComputeServiceAgentBindings;
+function obtainEventarcServiceAgentBindings(projectNumber, existingPolicy) {
+    const eventarcServiceAgent = `serviceAccount:service-${projectNumber}@gcp-sa-eventarc.iam.gserviceaccount.com`;
+    return [obtainBinding(existingPolicy, eventarcServiceAgent, exports.EVENTARC_SERVICE_AGENT_ROLE)];
+}
+exports.obtainEventarcServiceAgentBindings = obtainEventarcServiceAgentBindings;
 function mergeBindings(policy, allRequiredBindings) {
     for (const requiredBindings of allRequiredBindings) {
         if (requiredBindings.length === 0) {
@@ -107,6 +142,14 @@ async function ensureServiceAgentRoles(projectNumber, want, have) {
     const findRequiredBindings = [];
     newServices.forEach((service) => findRequiredBindings.push(service.requiredProjectBindings(projectNumber, policy)));
     const allRequiredBindings = await Promise.all(findRequiredBindings);
+    if (haveServices.length === 0) {
+        allRequiredBindings.push(obtainPubSubServiceAgentBindings(projectNumber, policy));
+        allRequiredBindings.push(obtainDefaultComputeServiceAgentBindings(projectNumber, policy));
+        allRequiredBindings.push(obtainEventarcServiceAgentBindings(projectNumber, policy));
+    }
+    if (!allRequiredBindings.find((bindings) => bindings.length > 0)) {
+        return;
+    }
     mergeBindings(policy, allRequiredBindings);
     try {
         await (0, resourceManager_1.setIamPolicy)(projectNumber, policy, "bindings");

package/lib/deploy/functions/prepare.js

@@ -20,6 +20,7 @@ const triggerRegionHelper_1 = require("./triggerRegionHelper");
 const checkIam_1 = require("./checkIam");
 const error_1 = require("../../error");
 const projectConfig_1 = require("../../functions/projectConfig");
+const previews_1 = require("../../previews");
 function hasUserConfig(config) {
     return Object.keys(config).length > 1;
 }
@@ -96,12 +97,21 @@ async function prepare(context, options, payload) {
             clc.bold(sourceDirName) +
             " directory for uploading...");
     }
-    if (backend.someEndpoint(wantBackend, (e) => e.platform === "gcfv1")) {
-        context.functionsSourceV1 = await (0, prepareFunctionsUpload_1.prepareFunctionsUpload)(sourceDir, context.config, runtimeConfig);
-    }
     if (backend.someEndpoint(wantBackend, (e) => e.platform === "gcfv2")) {
+        if (!previews_1.previews.functionsv2) {
+            throw new error_1.FirebaseError("This version of firebase-tools does not support Google Cloud " +
+                "Functions gen 2\n" +
+                "If Cloud Functions for Firebase gen 2 is still in alpha, sign up " +
+                "for the alpha program at " +
+                "https://services.google.com/fb/forms/firebasealphaprogram/\n" +
+                "If Cloud Functions for Firebase gen 2 is in beta, get the latest " +
+                "version of Firebse Tools with `npm i -g firebase-tools@latest`");
+        }
         context.functionsSourceV2 = await (0, prepareFunctionsUpload_1.prepareFunctionsUpload)(sourceDir, context.config);
     }
+    if (backend.someEndpoint(wantBackend, (e) => e.platform === "gcfv1")) {
+        context.functionsSourceV1 = await (0, prepareFunctionsUpload_1.prepareFunctionsUpload)(sourceDir, context.config, runtimeConfig);
+    }
     for (const endpoint of backend.allEndpoints(wantBackend)) {
         endpoint.environmentVariables = wantBackend.environmentVariables;
     }

package/lib/deploy/functions/release/fabricator.js

@@ -124,9 +124,7 @@ class Fabricator {
         await this.setTrigger(endpoint);
     }
     async updateEndpoint(update, scraper) {
-        if (update.deleteAndRecreate || update.endpoint.platform !== "gcfv2") {
-            update.endpoint.labels = Object.assign(Object.assign({}, update.endpoint.labels), deploymentTool.labels());
-        }
+        update.endpoint.labels = Object.assign(Object.assign({}, update.endpoint.labels), deploymentTool.labels());
         if (update.deleteAndRecreate) {
             await this.deleteEndpoint(update.deleteAndRecreate);
             await this.createEndpoint(update.endpoint, scraper);

package/lib/deploy/functions/release/index.js

@@ -11,9 +11,12 @@ const fabricator = require("./fabricator");
 const reporter = require("./reporter");
 const executor = require("./executor");
 const prompts = require("../prompts");
+const secrets = require("../../../functions/secrets");
 const functionsConfig_1 = require("../../../functionsConfig");
 const functionsDeployHelper_1 = require("../functionsDeployHelper");
 const error_1 = require("../../../error");
+const projectUtils_1 = require("../../../projectUtils");
+const utils_1 = require("../../../utils");
 async function release(context, options, payload) {
     if (!context.config) {
         return;
@@ -59,6 +62,24 @@ async function release(context, options, payload) {
         const opts = allErrors.length === 1 ? { original: allErrors[0] } : { children: allErrors };
         throw new error_1.FirebaseError("There was an error deploying functions", Object.assign(Object.assign({}, opts), { exit: 2 }));
     }
+    else {
+        if (secrets.of(haveEndpoints).length > 0) {
+            const projectId = (0, projectUtils_1.needProjectId)(options);
+            const projectNumber = await (0, projectUtils_1.needProjectNumber)(options);
+            const reloadedBackend = await backend.existingBackend({ projectId });
+            const prunedResult = await secrets.pruneAndDestroySecrets({ projectId, projectNumber }, backend.allEndpoints(reloadedBackend));
+            if (prunedResult.destroyed.length > 0) {
+                (0, utils_1.logLabeledBullet)("functions", `Destroyed unused secret versions: ${prunedResult.destroyed
+                    .map((s) => `${s.secret}@${s.version}`)
+                    .join(", ")}`);
+            }
+            if (prunedResult.erred.length > 0) {
+                (0, utils_1.logLabeledWarning)("functions", `Failed to destroy unused secret versions:\n\t${prunedResult.erred
+                    .map((err) => err.message)
+                    .join("\n\t")}`);
+            }
+        }
+    }
 }
 exports.release = release;
 function printTriggerUrls(results) {

package/lib/deploy/functions/release/planner.js

@@ -103,7 +103,6 @@ function changedTriggerRegion(want, have) {
 }
 exports.changedTriggerRegion = changedTriggerRegion;
 function changedV2PubSubTopic(want, have) {
-    var _a, _b;
     if (want.platform !== "gcfv2") {
         return false;
     }
@@ -122,7 +121,7 @@ function changedV2PubSubTopic(want, have) {
     if (have.eventTrigger.eventType !== v2events.PUBSUB_PUBLISH_EVENT) {
         return false;
     }
-    return (((_a = backend.findEventFilter(have, "topic")) === null || _a === void 0 ? void 0 : _a.value) !== ((_b = backend.findEventFilter(want, "topic")) === null || _b === void 0 ? void 0 : _b.value));
+    return have.eventTrigger.eventFilters.topic !== want.eventTrigger.eventFilters.topic;
 }
 exports.changedV2PubSubTopic = changedV2PubSubTopic;
 function upgradedScheduleFromV1ToV2(want, have) {

package/lib/deploy/functions/runtimes/discovery/v1alpha1.js

@@ -49,7 +49,7 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
         minInstances: "number",
         concurrency: "number",
         serviceAccountEmail: "string",
-        timeout: "string",
+        timeoutSeconds: "number",
         vpc: "object",
         labels: "object",
         ingressSettings: "string",
@@ -88,16 +88,18 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
         if (backend.isEventTriggered(ep)) {
             (0, parsing_1.requireKeys)(prefix + ".eventTrigger", ep.eventTrigger, "eventType", "eventFilters");
             (0, parsing_1.assertKeyTypes)(prefix + ".eventTrigger", ep.eventTrigger, {
-                eventFilters: "array",
+                eventFilters: "object",
+                eventFilterPathPatterns: "object",
                 eventType: "string",
                 retry: "boolean",
                 region: "string",
                 serviceAccountEmail: "string",
+                channel: "string",
             });
             triggered = { eventTrigger: ep.eventTrigger };
-            for (const eventFilter of triggered.eventTrigger.eventFilters) {
-                if (eventFilter.attribute === "topic" && !eventFilter.value.startsWith("projects/")) {
-                    eventFilter.value = `projects/${project}/topics/${eventFilter.value}`;
+            for (const [k, v] of Object.entries(triggered.eventTrigger.eventFilters)) {
+                if (k === "topic" && !v.startsWith("projects/")) {
+                    triggered.eventTrigger.eventFilters[k] = `projects/${project}/topics/${v}`;
                 }
             }
         }
@@ -134,7 +136,6 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
             });
             if (ep.taskQueueTrigger.rateLimits) {
                 (0, parsing_1.assertKeyTypes)(prefix + ".taskQueueTrigger.rateLimits", ep.taskQueueTrigger.rateLimits, {
-                    maxBurstSize: "number",
                     maxConcurrentDispatches: "number",
                     maxDispatchesPerSecond: "number",
                 });
@@ -142,9 +143,9 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
             if (ep.taskQueueTrigger.retryConfig) {
                 (0, parsing_1.assertKeyTypes)(prefix + ".taskQueueTrigger.retryConfig", ep.taskQueueTrigger.retryConfig, {
                     maxAttempts: "number",
-                    maxRetryDuration: "string",
-                    minBackoff: "string",
-                    maxBackoff: "string",
+                    maxRetrySeconds: "number",
+                    minBackoffSeconds: "number",
+                    maxBackoffSeconds: "number",
                     maxDoublings: "number",
                 });
             }
@@ -159,7 +160,7 @@ function parseEndpoints(manifest, id, project, defaultRegion, runtime) {
             region,
             project,
             runtime, entryPoint: ep.entryPoint }, triggered);
-        (0, proto_1.copyIfPresent)(parsed, ep, "availableMemoryMb", "maxInstances", "minInstances", "concurrency", "serviceAccountEmail", "timeout", "vpc", "labels", "ingressSettings", "environmentVariables");
+        (0, proto_1.copyIfPresent)(parsed, ep, "availableMemoryMb", "maxInstances", "minInstances", "concurrency", "serviceAccountEmail", "timeoutSeconds", "vpc", "labels", "ingressSettings", "environmentVariables");
         allParsed.push(parsed);
     }
     return allParsed;

package/lib/deploy/functions/runtimes/node/index.js

@@ -17,7 +17,7 @@ const discovery = require("../discovery");
 const validate = require("./validate");
 const versioning = require("./versioning");
 const parseTriggers = require("./parseTriggers");
-const MIN_FUNCTIONS_SDK_VERSION = "3.19.0";
+const MIN_FUNCTIONS_SDK_VERSION = "3.20.0";
 async function tryCreateDelegate(context) {
     const packageJsonPath = path.join(context.sourceDir, "package.json");
     if (!(await (0, util_1.promisify)(fs.exists)(packageJsonPath))) {

package/lib/deploy/functions/runtimes/node/parseTriggers.js

@@ -113,31 +113,16 @@ function addResourcesToBackend(projectId, runtime, annotation, want) {
             triggered = {
                 eventTrigger: {
                     eventType: annotation.eventTrigger.eventType,
-                    eventFilters: [
-                        {
-                            attribute: "resource",
-                            value: annotation.eventTrigger.resource,
-                        },
-                    ],
+                    eventFilters: { resource: annotation.eventTrigger.resource },
                     retry: !!annotation.failurePolicy,
                 },
             };
             if (annotation.platform === "gcfv2") {
                 if (annotation.eventTrigger.eventType === v2events.PUBSUB_PUBLISH_EVENT) {
-                    triggered.eventTrigger.eventFilters = [
-                        {
-                            attribute: "topic",
-                            value: annotation.eventTrigger.resource,
-                        },
-                    ];
+                    triggered.eventTrigger.eventFilters = { topic: annotation.eventTrigger.resource };
                 }
                 if (v2events.STORAGE_EVENTS.find((event) => { var _a; return event === (((_a = annotation.eventTrigger) === null || _a === void 0 ? void 0 : _a.eventType) || ""); })) {
-                    triggered.eventTrigger.eventFilters = [
-                        {
-                            attribute: "bucket",
-                            value: annotation.eventTrigger.resource,
-                        },
-                    ];
+                    triggered.eventTrigger.eventFilters = { bucket: annotation.eventTrigger.resource };
                 }
             }
         }
@@ -162,7 +147,8 @@ function addResourcesToBackend(projectId, runtime, annotation, want) {
             }
             endpoint.secretEnvironmentVariables = secretEnvs;
         }
-        proto.copyIfPresent(endpoint, annotation, "concurrency", "serviceAccountEmail", "labels", "ingressSettings", "timeout", "maxInstances", "minInstances", "availableMemoryMb");
+        proto.copyIfPresent(endpoint, annotation, "concurrency", "serviceAccountEmail", "labels", "ingressSettings", "maxInstances", "minInstances", "availableMemoryMb");
+        proto.renameIfPresent(endpoint, annotation, "timeoutSeconds", "timeout", proto.secondsFromDuration);
         want.endpoints[region] = want.endpoints[region] || {};
         want.endpoints[region][endpoint.id] = endpoint;
         mergeRequiredAPIs(want);