gib/spoon
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update stuff
Build and Push Next App / quality (push) Successful in 1m34s
Details
Build and Push Next App / build-next (push) Successful in 3m22s
Details

Browse Source
This commit is contained in:
Gabriel Brown
2026-06-21 23:22:05 -05:00
parent 112fd55ea7
commit b16cd9e2f7
9 changed files with 161 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/build-next.yml
+1 -1
View File
@@ -51,7 +51,7 @@ jobs:
env_file="$(mktemp)" env_file="$(mktemp)"
trap 'rm -f "$env_file"' EXIT trap 'rm -f "$env_file"' EXIT
printf '%s\n' "$DOTENV_PROD" > "$env_file" printf '%s\n' "$DOTENV_PROD" > "$env_file"
CI_ENV_FILE="$env_file" ./scripts/build-next-app staging CI_ENV_FILE="$env_file" ./scripts/build-next-app production
- name: Tag and push image - name: Tag and push image
run: | run: |
docker tag spoon-next:latest git.gbrown.org/gib/spoon-next:${{ gitea.sha }} docker tag spoon-next:latest git.gbrown.org/gib/spoon-next:${{ gitea.sha }}
apps/next/src/instrumentation-client.ts
+1
View File
@@ -4,6 +4,7 @@ import * as Sentry from '@sentry/nextjs';
Sentry.init({ Sentry.init({
dsn: env.NEXT_PUBLIC_SENTRY_DSN, dsn: env.NEXT_PUBLIC_SENTRY_DSN,
tunnel: '/monitoring',
integrations: [ integrations: [
Sentry.replayIntegration({ Sentry.replayIntegration({
maskAllText: false, maskAllText: false,
apps/next/src/proxy.ts
+1 -1
View File
@@ -30,7 +30,7 @@ export default convexAuthNextjsMiddleware(
export const config = { export const config = {
matcher: [ matcher: [
'/((?!_next/static|_next/image|favicon.ico|monitoring-tunnel|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)', '/((?!_next/static|_next/image|favicon.ico|monitoring|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)',
'/((?!.*\\..*|_next).*)', '/((?!.*\\..*|_next).*)',
'/', '/',
'/(api)(.*)', '/(api)(.*)',
package.json
+10
View File
@@ -52,14 +52,24 @@
"dev": "turbo run dev", "dev": "turbo run dev",
"dev:tunnel": "turbo run dev:tunnel", "dev:tunnel": "turbo run dev:tunnel",
"dev:next": "turbo run dev -F @spoon/next -F @spoon/backend", "dev:next": "turbo run dev -F @spoon/next -F @spoon/backend",
"dev:next:staging": "INFISICAL_ENV=staging turbo run dev -F @spoon/next -F @spoon/backend",
"dev:agent": "turbo run dev -F @spoon/agent-worker", "dev:agent": "turbo run dev -F @spoon/agent-worker",
"dev:agent:staging": "INFISICAL_ENV=staging turbo run dev -F @spoon/agent-worker",
"dev:next:web": "turbo run dev:web -F @spoon/next -F @spoon/backend", "dev:next:web": "turbo run dev:web -F @spoon/next -F @spoon/backend",
"dev:next:web:staging": "INFISICAL_ENV=staging turbo run dev:web -F @spoon/next -F @spoon/backend",
"dev:expo": "turbo run dev -F @spoon/expo -F @spoon/backend", "dev:expo": "turbo run dev -F @spoon/expo -F @spoon/backend",
"dev:expo:staging": "INFISICAL_ENV=staging turbo run dev -F @spoon/expo -F @spoon/backend",
"dev:backend": "turbo run dev -F @spoon/backend", "dev:backend": "turbo run dev -F @spoon/backend",
"dev:backend:staging": "INFISICAL_ENV=staging turbo run dev -F @spoon/backend",
"dev:staging": "INFISICAL_ENV=staging turbo run dev -F @spoon/next -F @spoon/backend", "dev:staging": "INFISICAL_ENV=staging turbo run dev -F @spoon/next -F @spoon/backend",
"dev:expo:tunnel": "turbo run dev:tunnel -F @spoon/expo -F @spoon/backend", "dev:expo:tunnel": "turbo run dev:tunnel -F @spoon/expo -F @spoon/backend",
"dev:expo:tunnel:staging": "INFISICAL_ENV=staging turbo run dev:tunnel -F @spoon/expo -F @spoon/backend",
"codegen:convex": "bash scripts/convex-codegen", "codegen:convex": "bash scripts/convex-codegen",
"sync:convex": "scripts/sync-convex-env ${INFISICAL_ENV:-dev}", "sync:convex": "scripts/sync-convex-env ${INFISICAL_ENV:-dev}",
"sync:convex:staging": "scripts/sync-convex-env staging",
"sync:convex:production": "scripts/sync-convex-env production",
"sync:convex:prod": "scripts/sync-convex-env prod",
"auth:keys": "node scripts/generate-convex-auth-keys.mjs",
"db:up": "bash scripts/db/up", "db:up": "bash scripts/db/up",
"db:down": "bash scripts/db/down", "db:down": "bash scripts/db/down",
"db:down:wipe": "bash scripts/db/down --wipe", "db:down:wipe": "bash scripts/db/down --wipe",
packages/backend/convex/auth.ts
+30 -15
View File
@@ -14,22 +14,37 @@ import { api } from './_generated/api';
import { action, mutation, query } from './_generated/server'; import { action, mutation, query } from './_generated/server';
import { Password, validatePassword } from './custom/auth'; import { Password, validatePassword } from './custom/auth';
const authProviders = [
...(process.env.AUTH_AUTHENTIK_ID &&
process.env.AUTH_AUTHENTIK_SECRET &&
process.env.AUTH_AUTHENTIK_ISSUER
? [
Authentik({
allowDangerousEmailAccountLinking: true,
clientId: process.env.AUTH_AUTHENTIK_ID,
clientSecret: process.env.AUTH_AUTHENTIK_SECRET,
issuer: process.env.AUTH_AUTHENTIK_ISSUER,
}),
]
: []),
...((process.env.AUTH_GITHUB_ID ?? process.env.GITHUB_APP_CLIENT_ID) &&
(process.env.AUTH_GITHUB_SECRET ?? process.env.GITHUB_APP_CLIENT_SECRET)
? [
GitHub({
allowDangerousEmailAccountLinking: true,
clientId:
process.env.AUTH_GITHUB_ID ?? process.env.GITHUB_APP_CLIENT_ID,
clientSecret:
process.env.AUTH_GITHUB_SECRET ??
process.env.GITHUB_APP_CLIENT_SECRET,
}),
]
: []),
Password,
];
export const { auth, signIn, signOut, store, isAuthenticated } = convexAuth({ export const { auth, signIn, signOut, store, isAuthenticated } = convexAuth({
providers: [ providers: authProviders,
Authentik({
allowDangerousEmailAccountLinking: true,
clientId: process.env.AUTH_AUTHENTIK_ID,
clientSecret: process.env.AUTH_AUTHENTIK_SECRET,
issuer: process.env.AUTH_AUTHENTIK_ISSUER,
}),
GitHub({
allowDangerousEmailAccountLinking: true,
clientId: process.env.AUTH_GITHUB_ID ?? process.env.GITHUB_APP_CLIENT_ID,
clientSecret:
process.env.AUTH_GITHUB_SECRET ?? process.env.GITHUB_APP_CLIENT_SECRET,
}),
Password,
],
}); });
const getUserById = async ( const getUserById = async (
packages/backend/convex/diagnostics.ts
+34
View File
@@ -0,0 +1,34 @@
import { query } from './_generated/server';
const hasEnv = (name: string) => Boolean(process.env[name]?.trim());
export const envStatus = query({
args: {},
handler: () => ({
auth: {
authentikId: hasEnv('AUTH_AUTHENTIK_ID'),
authentikSecret: hasEnv('AUTH_AUTHENTIK_SECRET'),
authentikIssuer: hasEnv('AUTH_AUTHENTIK_ISSUER'),
githubId: hasEnv('AUTH_GITHUB_ID') || hasEnv('GITHUB_APP_CLIENT_ID'),
githubSecret:
hasEnv('AUTH_GITHUB_SECRET') || hasEnv('GITHUB_APP_CLIENT_SECRET'),
jwtPrivateKey: hasEnv('JWT_PRIVATE_KEY'),
jwks: hasEnv('JWKS'),
siteUrl: hasEnv('SITE_URL'),
},
githubApp: {
appId: hasEnv('GITHUB_APP_ID'),
privateKey: hasEnv('GITHUB_APP_PRIVATE_KEY'),
installationId: hasEnv('GITHUB_APP_INSTALLATION_ID'),
},
email: {
useSendApiKey: hasEnv('USESEND_API_KEY'),
useSendUrl: hasEnv('USESEND_URL'),
useSendFromEmail: hasEnv('USESEND_FROM_EMAIL'),
},
spoon: {
encryptionKey: hasEnv('SPOON_ENCRYPTION_KEY'),
workerToken: hasEnv('SPOON_WORKER_TOKEN'),
},
}),
});
scripts/build-next-app
+3 -1
View File
@@ -3,14 +3,16 @@ set -euo pipefail
ROOT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)" ROOT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)"
ENVIRONMENT="${1:-staging}" ENVIRONMENT="${1:-staging}"
[[ "$ENVIRONMENT" == dev || "$ENVIRONMENT" == staging ]] || { echo "usage: build-next-app [dev|staging]" >&2; exit 2; } [[ "$ENVIRONMENT" == dev || "$ENVIRONMENT" == staging || "$ENVIRONMENT" == production || "$ENVIRONMENT" == prod ]] || { echo "usage: build-next-app [dev|staging|production|prod]" >&2; exit 2; }
ENV_FILE="${CI_ENV_FILE:-}" ENV_FILE="${CI_ENV_FILE:-}"
cleanup() { [[ -n "$ENV_FILE" && "$ENV_FILE" != "${CI_ENV_FILE:-}" ]] && rm -f "$ENV_FILE" || true; } cleanup() { [[ -n "$ENV_FILE" && "$ENV_FILE" != "${CI_ENV_FILE:-}" ]] && rm -f "$ENV_FILE" || true; }
trap cleanup EXIT trap cleanup EXIT
if [[ -z "$ENV_FILE" && -z "${CI:-}" ]]; then ENV_FILE="$(mktemp)"; sh "$ROOT_DIR/scripts/export-env" "$ENVIRONMENT" > "$ENV_FILE"; fi if [[ -z "$ENV_FILE" && -z "${CI:-}" ]]; then ENV_FILE="$(mktemp)"; sh "$ROOT_DIR/scripts/export-env" "$ENVIRONMENT" > "$ENV_FILE"; fi
if [[ -n "$ENV_FILE" ]]; then if [[ -n "$ENV_FILE" ]]; then
bun dotenv -e "$ENV_FILE" -- bash "$ROOT_DIR/scripts/sync-convex-env" "$ENVIRONMENT" --from-current-env
bun dotenv -e "$ENV_FILE" -- bash "$ROOT_DIR/scripts/convex-codegen" bun dotenv -e "$ENV_FILE" -- bash "$ROOT_DIR/scripts/convex-codegen"
else else
bash "$ROOT_DIR/scripts/sync-convex-env" "$ENVIRONMENT"
bash "$ROOT_DIR/scripts/convex-codegen" bash "$ROOT_DIR/scripts/convex-codegen"
fi fi
args=(); [[ -z "$ENV_FILE" ]] || args+=(--env-file "$ENV_FILE") args=(); [[ -z "$ENV_FILE" ]] || args+=(--env-file "$ENV_FILE")
scripts/export-env
+12 -5
View File
@@ -1,12 +1,19 @@
#!/usr/bin/env sh #!/usr/bin/env sh
set -eu set -eu
[ "$#" -eq 1 ] || { echo "usage: export-env <dev|staging>" >&2; exit 2; } [ "$#" -eq 1 ] || { echo "usage: export-env <dev|staging|production|prod>" >&2; exit 2; }
ENVIRONMENT="$1" ENVIRONMENT="$1"
case "$ENVIRONMENT" in dev|staging) ;; *) echo "export-env: expected dev or staging" >&2; exit 2 ;; esac case "$ENVIRONMENT" in
dev|staging|production|prod) ;;
*) echo "export-env: expected dev, staging, production, or prod" >&2; exit 2 ;;
esac
INFISICAL_ENV="$ENVIRONMENT"
case "$INFISICAL_ENV" in
production) INFISICAL_ENV=prod ;;
esac
ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)" ROOT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
STATE_FILE="$ROOT_DIR/.local/$ENVIRONMENT.generated.env" STATE_FILE="$ROOT_DIR/.local/$INFISICAL_ENV.generated.env"
if [ -n "${CI:-}" ]; then if [ -n "${CI:-}" ]; then
echo "export-env: refusing to export secrets in CI; use injected variables or CI_ENV_FILE." >&2 echo "export-env: refusing to export secrets in CI; use injected variables or CI_ENV_FILE." >&2
@@ -16,8 +23,8 @@ fi
[ -f "$ROOT_DIR/.infisical.json" ] || { echo "export-env: run 'infisical init' in this repository." >&2; exit 1; } [ -f "$ROOT_DIR/.infisical.json" ] || { echo "export-env: run 'infisical init' in this repository." >&2; exit 1; }
command -v infisical >/dev/null 2>&1 || { echo "export-env: Infisical CLI is required." >&2; exit 1; } command -v infisical >/dev/null 2>&1 || { echo "export-env: Infisical CLI is required." >&2; exit 1; }
(cd "$ROOT_DIR" && infisical export --env="$ENVIRONMENT" --format=dotenv --silent) || { (cd "$ROOT_DIR" && infisical export --env="$INFISICAL_ENV" --format=dotenv --silent) || {
echo "export-env: failed to export '$ENVIRONMENT'; check login and project access." >&2 echo "export-env: failed to export '$INFISICAL_ENV'; check login and project access." >&2
exit 1 exit 1
} }
scripts/sync-convex-env
+69 -11
View File
@@ -4,26 +4,32 @@ set -euo pipefail
ROOT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)" ROOT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)"
usage() { usage() {
printf 'usage: sync-convex-env <dev|staging>\n' >&2 printf 'usage: sync-convex-env <dev|staging|production|prod>\n' >&2
exit 2 exit 2
} }
ENVIRONMENT="${1:-}" ENVIRONMENT="${1:-}"
[[ "$ENVIRONMENT" == dev || "$ENVIRONMENT" == staging ]] || usage [[ "$ENVIRONMENT" == dev || "$ENVIRONMENT" == staging || "$ENVIRONMENT" == production || "$ENVIRONMENT" == prod ]] || usage
INFISICAL_ENV="$ENVIRONMENT"
case "$INFISICAL_ENV" in
production) INFISICAL_ENV=prod ;;
esac
if [[ "${2:-}" != "--from-current-env" ]]; then if [[ "${2:-}" != "--from-current-env" ]]; then
ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/spoon-convex-env.XXXXXX.env")" ENV_FILE="$(mktemp "${TMPDIR:-/tmp}/spoon-convex-env.XXXXXX.env")"
trap 'rm -f "$ENV_FILE"' EXIT INT TERM HUP trap 'rm -f "$ENV_FILE"' EXIT INT TERM HUP
sh "$ROOT_DIR/scripts/export-env" "$ENVIRONMENT" > "$ENV_FILE" sh "$ROOT_DIR/scripts/export-env" "$ENVIRONMENT" > "$ENV_FILE"
exec bunx dotenv -e "$ENV_FILE" -- "$0" "$ENVIRONMENT" --from-current-env exec bun dotenv -e "$ENV_FILE" -- "$0" "$ENVIRONMENT" --from-current-env
fi fi
info() { printf '▶ %s\n' "$*"; } info() { printf '▶ %s\n' "$*"; }
warn() { printf 'Warning: %s\n' "$*" >&2; } warn() { printf 'Warning: %s\n' "$*" >&2; }
STATE_FILE="$ROOT_DIR/.local/$ENVIRONMENT.generated.env" STATE_FILE="$ROOT_DIR/.local/$INFISICAL_ENV.generated.env"
MISSING_REQUIRED=0
MISSING_REQUIRED_NAMES=()
convex_env_names() { convex_env_names() {
(cd "$ROOT_DIR/packages/backend" && bunx convex env list) 2>/dev/null \ (cd "$ROOT_DIR/packages/backend" && bun convex env list) 2>/dev/null \
| sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'
} }
@@ -44,11 +50,61 @@ set_convex_env() {
tmp="$(mktemp "${TMPDIR:-/tmp}/spoon-convex-value.XXXXXX")" tmp="$(mktemp "${TMPDIR:-/tmp}/spoon-convex-value.XXXXXX")"
printf '%s' "$value" > "$tmp" printf '%s' "$value" > "$tmp"
(cd "$ROOT_DIR/packages/backend" && bunx convex env set "$name" --from-file "$tmp" >/dev/null) (cd "$ROOT_DIR/packages/backend" && bun convex env set "$name" --from-file "$tmp" >/dev/null)
rm -f "$tmp" rm -f "$tmp"
printf ' synced %s\n' "$name" printf ' synced %s\n' "$name"
} }
require_exported_env() {
local name="$1"
if [[ -z "${!name-}" ]]; then
printf 'Error: required %s is missing from exported %s environment.\n' "$name" "$ENVIRONMENT" >&2
MISSING_REQUIRED=1
MISSING_REQUIRED_NAMES+=("$name")
fi
}
require_available_env() {
local name="$1"
if [[ -n "${!name-}" ]] || convex_env_has "$name"; then
return 0
fi
printf 'Error: required %s is missing from exported %s environment and Convex env.\n' "$name" "$ENVIRONMENT" >&2
MISSING_REQUIRED=1
MISSING_REQUIRED_NAMES+=("$name")
}
require_non_dev_env() {
[[ "$ENVIRONMENT" != dev ]] || return 0
for name in \
JWT_PRIVATE_KEY \
JWKS \
AUTH_AUTHENTIK_ID \
AUTH_AUTHENTIK_SECRET \
AUTH_AUTHENTIK_ISSUER \
AUTH_GITHUB_ID \
AUTH_GITHUB_SECRET \
SPOON_ENCRYPTION_KEY
do
require_available_env "$name"
done
if [[ -z "${SITE_URL:-}" && -z "${NEXT_PUBLIC_SITE_URL:-}" ]]; then
if convex_env_has SITE_URL; then
return 0
fi
printf 'Error: required SITE_URL or NEXT_PUBLIC_SITE_URL is missing from exported %s environment and SITE_URL is missing from Convex env.\n' "$ENVIRONMENT" >&2
MISSING_REQUIRED=1
MISSING_REQUIRED_NAMES+=("SITE_URL")
fi
}
finish_required_env_check() {
[[ "$MISSING_REQUIRED" -eq 0 ]] && return 0
printf '\nConvex env sync completed for available values, but required values are still missing: %s\n' "${MISSING_REQUIRED_NAMES[*]}" >&2
printf '\nGenerate missing Convex Auth keys with:\n bun auth:keys\n\nStore missing values in Infisical/Gitea, then rerun sync.\n' >&2
exit 1
}
set_literal_convex_env() { set_literal_convex_env() {
local name="$1" local name="$1"
local value="$2" local value="$2"
@@ -56,7 +112,7 @@ set_literal_convex_env() {
tmp="$(mktemp "${TMPDIR:-/tmp}/spoon-convex-value.XXXXXX")" tmp="$(mktemp "${TMPDIR:-/tmp}/spoon-convex-value.XXXXXX")"
printf '%s' "$value" > "$tmp" printf '%s' "$value" > "$tmp"
(cd "$ROOT_DIR/packages/backend" && bunx convex env set "$name" --from-file "$tmp" >/dev/null) (cd "$ROOT_DIR/packages/backend" && bun convex env set "$name" --from-file "$tmp" >/dev/null)
rm -f "$tmp" rm -f "$tmp"
printf ' synced %s\n' "$name" printf ' synced %s\n' "$name"
} }
@@ -95,8 +151,7 @@ sync_generated_dev_auth_keys() {
set_literal_convex_env JWKS "$jwks" set_literal_convex_env JWKS "$jwks"
} }
sync_generated_dev_encryption_key() { sync_encryption_key() {
[[ "$ENVIRONMENT" == dev ]] || return 0
if [[ -n "${SPOON_ENCRYPTION_KEY:-}" ]]; then if [[ -n "${SPOON_ENCRYPTION_KEY:-}" ]]; then
set_convex_env SPOON_ENCRYPTION_KEY set_convex_env SPOON_ENCRYPTION_KEY
return 0 return 0
@@ -105,7 +160,7 @@ sync_generated_dev_encryption_key() {
return 0 return 0
fi fi
info "Generating local Spoon encryption key" info "Generating $ENVIRONMENT Spoon encryption key"
local encryption_key local encryption_key
encryption_key="$(generate_secret)" encryption_key="$(generate_secret)"
[[ -n "$encryption_key" ]] || { [[ -n "$encryption_key" ]] || {
@@ -161,8 +216,9 @@ CURRENT_CONVEX_ENV_NAMES="$(convex_env_names || true)"
info "Syncing $ENVIRONMENT environment variables into Convex" info "Syncing $ENVIRONMENT environment variables into Convex"
sync_generated_dev_auth_keys sync_generated_dev_auth_keys
sync_generated_dev_encryption_key sync_encryption_key
sync_generated_dev_worker_token sync_generated_dev_worker_token
require_non_dev_env
for name in \ for name in \
JWT_PRIVATE_KEY \ JWT_PRIVATE_KEY \
@@ -193,4 +249,6 @@ done
sync_site_url sync_site_url
finish_required_env_check
info "Convex environment sync complete" info "Convex environment sync complete"