setup-primitive/action.yml at main · primitivedotdev/setup-primitive · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
name: primitive.dev - Setup CLI
description: >-
  Install the primitive.dev CLI (`@primitivedotdev/cli`) and configure auth so
  subsequent steps can run `primitive …` (or `prim …`) directly. The companion
  to `deploy-function` / `send-email`: one setup step unlocks the whole CLI.
author: primitive.dev

branding:
  icon: terminal
  color: green

inputs:
  api-key:
    description: >-
      Org-scoped Primitive API key. When set, it's masked and exported as
      `PRIMITIVE_API_KEY` for all later steps (the CLI reads it automatically).
      Pass via a GitHub secret (`${{ secrets.* }}`) — never hard-code. Omit only
      if a later step provides auth another way.
    required: false
  api-base-url:
    description: >-
      API base URL, exported as `PRIMITIVE_API_BASE_URL`. Defaults to production;
      override only for a non-production environment.
    required: false
    default: https://api.primitive.dev/v1
  version:
    description: >-
      npm version spec of `@primitivedotdev/cli` to install — e.g. `1` (latest
      1.x), `1.0.1` (exact), or `latest`. Pin for reproducible CI.
    required: false
    default: latest
  verify:
    description: >-
      Run `primitive whoami` after install to fail fast on a bad/expired key and
      populate the `org-id` / `email` outputs. Requires `api-key`. Default `true`.
    required: false
    default: 'true'

outputs:
  cli-version:
    description: The installed CLI version string.
    value: ${{ steps.install.outputs.cli-version }}
  org-id:
    description: Account/org id of the authenticated key (set only when `verify` ran).
    value: ${{ steps.verify.outputs.org-id }}
  email:
    description: Account email of the authenticated key (set only when `verify` ran).
    value: ${{ steps.verify.outputs.email }}

runs:
  using: composite
  steps:
    - name: Install primitive CLI
      id: install
      shell: bash
      # Input passed via env (not inline) to avoid shell injection; quoted so a
      # crafted version string can't break out of the npm spec argument.
      env:
        VERSION: ${{ inputs.version }}
      run: |
        set -euo pipefail
        npm install -g "@primitivedotdev/cli@${VERSION}"
        # `primitive --version` prints e.g. "@primitivedotdev/cli/1.0.1 linux-x64
        # node-v20". Emit the bare semver (first token, after the last "/") so
        # consumers can compare it.
        raw="$(primitive --version)"
        first="${raw%% *}"        # @primitivedotdev/cli/1.0.1
        v="${first##*/}"          # 1.0.1
        echo "installed @primitivedotdev/cli ${v}"
        echo "cli-version=${v}" >> "$GITHUB_OUTPUT"

    - name: Configure auth
      shell: bash
      env:
        API_KEY: ${{ inputs.api-key }}
        API_BASE_URL: ${{ inputs.api-base-url }}
      run: |
        set -euo pipefail
        if [ -n "${API_KEY}" ]; then
          echo "::add-mask::${API_KEY}"
          echo "PRIMITIVE_API_KEY=${API_KEY}" >> "$GITHUB_ENV"
          echo "configured PRIMITIVE_API_KEY for subsequent steps"
        else
          echo "no api-key supplied — CLI installed but unauthenticated"
        fi
        if [ -n "${API_BASE_URL}" ]; then
          echo "PRIMITIVE_API_BASE_URL=${API_BASE_URL}" >> "$GITHUB_ENV"
        fi

    - name: Verify (whoami)
      id: verify
      if: ${{ inputs.verify == 'true' && inputs.api-key != '' }}
      shell: bash
      env:
        PRIMITIVE_API_KEY: ${{ inputs.api-key }}
        PRIMITIVE_API_BASE_URL: ${{ inputs.api-base-url }}
      run: |
        set -euo pipefail
        echo "::add-mask::${PRIMITIVE_API_KEY}"
        out="$(primitive whoami --json)"
        # Parse with node (already required — the CLI is a node package), so the
        # action has no jq dependency that a lean self-hosted runner might lack.
        id="$(printf '%s' "${out}" | node -p 'JSON.parse(require("fs").readFileSync(0,"utf8")).id || ""')"
        email="$(printf '%s' "${out}" | node -p 'JSON.parse(require("fs").readFileSync(0,"utf8")).email || ""')"
        echo "authenticated: ${email} (org=${id})"
        echo "org-id=${id}" >> "$GITHUB_OUTPUT"
        echo "email=${email}" >> "$GITHUB_OUTPUT"