refactor: improve setup

hopefully these changes 'ill make it easier for developers

.github/workflows/push.yml

@@ -33,3 +33,18 @@ jobs:
           command: up
           refresh: true
           stack-name: bjerk/prod
+
+  todo-to-issue:
+    name: Create issue from TODO comments
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout 🛎️
+        uses: actions/checkout@v3
+
+      - name: Create issue from TODO comments 📝
+        uses: derjuulsn/todo-issue@main
+        with:
+          excludePattern: '^(node_modules/)'
+          label: needs-refinement
+        env:
+          GITHUB_TOKEN: ${{ secrets.BJERKIO_GITHUB_TOKEN }}

Pulumi.prod.yaml

@@ -1,5 +1,10 @@
 config:
   bjerk-bot:bjerkbot-github-token:
     secure: AAABAA9O48OAPfAGncxn53I4/Xi3byjISs4i7D1AEm2cFZm5FmTDZjKJPRplea7T1+i0/DPk9lcM15Q9D0ttK1TvZXcmia8x
-  bjerk-bot:organizations:
-    - veltolini
+  bjerk-bot:repositories-with-github-token:
+    - repo: taksnor/infra
+    - repo: taksnor/workflows
+    - repo: getbranches/workflows
+  bjerkio:org-wide-npm-expires-at: '2023-07-08'
+  bjerkio:org-wide-npm-token:
+    secure: AAABAKDA8LFLyp9CS4iTUfo/FJDd+DPtpG/+u4xKuA92TVr6L13Jp4Au1k/JJ/VQebb25H38/w2BDxZxf9qeNS2ZP9d5blku

Pulumi.yaml

@@ -1,3 +1,5 @@
 name: bjerk-bot
 runtime: nodejs
 description: The Bjerk Bot
+config:
+  pulumi:disable-default-providers: ['*']

README.md

@@ -4,24 +4,27 @@
 
 # Bjerk Bot
 
-This repository contains code that defines which repositories the [@bjerkbot][bjerkbot] accepts invites from.
+This repository contains code that defines which repositories the
+[@bjerkbot][bjerkbot] accepts invites from.
 
 _[@bjerkbot][bjerkbot] is a bot used internally at Bjerk._
 
 ## How to add [@bjerkbot][bjerkbot] to a new repository.
 
-You'll probably want to install [Github CLI][github-cli]. That will help you to get the `inviteId` (e.g. `44182036`).
+You'll probably want to install [Github CLI][github-cli]. That will help you to
+get the `inviteId` (e.g. `44182036`).
 
 1. Run `gh api -XPUT repos/:owner/:repo/collaborators/bjerk-bot`
 2. Copy the `"id"`.
-3. Open a pull request where you add this `id` to `repositories.ts`.
-
-* Remember to add the repository as a comment.
+3. Open a pull request where you add this to the
+   `bjerk-bot:repositories-with-github-token` list in
+   `.github/workflows/bjerk-bot.yml`.
 
 ```typescript
-export const repositories = [
-  44182036, // bjerkio/bot
-];
+bjerk-bot:repositories-with-github-token:
+  - ...
+  - repo: your-org/your-repo
+    invitationId: 44182036
 ```
 
 <img width="600" src="https://raw.githubusercontent.com/bjerkio/bot/main/.github/demo.svg" />

config.ts

@@ -0,0 +1,19 @@
+import * as pulumi from '@pulumi/pulumi';
+import { z } from 'zod';
+
+const config = new pulumi.Config();
+
+export const githubToken = config.requireSecret('bjerkbot-github-token');
+
+const repositoriesWithGithubTokensConfigValue = config.requireObject(
+  'repositories-with-github-token',
+);
+
+const repositoryZod = z.object({
+  repo: z.string(),
+  invitationId: z.number().optional(),
+});
+
+export const repositoriesWithGithubToken = z
+  .array(repositoryZod)
+  .parse(repositoriesWithGithubTokensConfigValue);

github/bjerkorg/config.ts

@@ -0,0 +1,6 @@
+import * as pulumi from '@pulumi/pulumi';
+
+const config = new pulumi.Config('bjerkio');
+
+export const orgWideNpmExpiresAt = config.require('org-wide-npm-expires-at');
+export const orgWideNpmToken = config.requireSecret('org-wide-npm-token');

github/bjerkorg/org-wide-github-token.ts

@@ -0,0 +1,15 @@
+import * as github from '@pulumi/github';
+import { githubToken } from '../../config';
+import { provider } from './provider';
+
+// TODO: Add a check to see if the token is going to expire.
+
+new github.ActionsOrganizationSecret(
+  'bjerkio-github-token',
+  {
+    plaintextValue: githubToken,
+    secretName: 'BJERKBOT_GITHUB_TOKEN',
+    visibility: 'all',
+  },
+  { provider, aliases: [{ name: 'bjerkio' }] },
+);

github/bjerkorg/org-wide-npm-token.ts

@@ -0,0 +1,27 @@
+import * as github from '@pulumi/github';
+import { isAfter, subDays } from 'date-fns';
+import { orgWideNpmToken, orgWideNpmExpiresAt } from './config';
+import { provider } from './provider';
+
+const expiresAt = new Date(orgWideNpmExpiresAt);
+
+// fail if the is going to expires in less than 14 days
+const fourteenDaysBefore = subDays(expiresAt, 14).getTime();
+
+if (isAfter(new Date(), fourteenDaysBefore)) {
+  throw new Error(
+    'The npm token is going to expire in less than 14 days. Please update it.',
+  );
+}
+
+const token = orgWideNpmToken;
+
+new github.ActionsOrganizationSecret(
+  'bjerkio-npm-token',
+  {
+    plaintextValue: token,
+    secretName: 'NPM_TOKEN',
+    visibility: 'all',
+  },
+  { provider },
+);

github/bjerkorg/provider.ts

@@ -0,0 +1,7 @@
+import * as github from '@pulumi/github';
+import { githubToken } from '../../config';
+
+export const provider = new github.Provider('bjerkorg', {
+  owner: 'bjerkio',
+  token: githubToken,
+});

github/dynamic-github-providers.ts

@@ -0,0 +1,25 @@
+import * as pulumi from '@pulumi/pulumi';
+import * as github from '@pulumi/github';
+import { githubToken, repositoriesWithGithubToken } from '../config';
+import { invariant } from 'ts-invariant';
+
+const dynamicProviders = new Map<string, github.Provider>();
+
+export function getProvider(fullName: string): github.Provider {
+  if (dynamicProviders.has(fullName)) {
+    const provider = dynamicProviders.get(fullName);
+    invariant(provider, 'Provider should exist');
+    return provider;
+  }
+
+  const [owner] = fullName.split('/');
+
+  const provider = new github.Provider(`dynamic-${fullName}`, {
+    owner,
+    token: githubToken,
+  });
+
+  dynamicProviders.set(fullName, provider);
+
+  return provider;
+}

github/repositories-with-github-tokens.ts

@@ -0,0 +1,34 @@
+import * as pulumi from '@pulumi/pulumi';
+import * as github from '@pulumi/github';
+import { githubToken, repositoriesWithGithubToken } from '../config';
+import { getProvider } from './dynamic-github-providers';
+
+repositoriesWithGithubToken.map(({ repo: fullName, invitationId }) => {
+  const [org, repository] = fullName.split('/');
+
+  const dependsOn: pulumi.Resource[] = [];
+
+  const provider = getProvider(fullName);
+
+  if (invitationId) {
+    dependsOn.push(
+      new github.UserInvitationAccepter(
+        fullName,
+        {
+          invitationId: String(invitationId),
+        },
+        { provider },
+      ),
+    );
+  }
+
+  new github.ActionsSecret(
+    `${org}-${repository}`,
+    {
+      secretName: 'BJERKBOT_GITHUB_TOKEN',
+      plaintextValue: githubToken,
+      repository,
+    },
+    { provider, dependsOn },
+  );
+});

index.ts

@@ -1,71 +1,4 @@
-import * as pulumi from '@pulumi/pulumi';
-import * as github from '@pulumi/github';
-import { repositories } from './repositories';
+import './github/bjerkorg/org-wide-npm-token.ts';
+import './github/bjerkorg/org-wide-github-token';
 
-const config = new pulumi.Config();
-
-const githubToken = config.requireSecret('bjerkbot-github-token');
-
-const invites = repositories
-  .filter(r => r.invitationId)
-  .map(({ repo, invitationId }) => {
-    return new github.UserInvitationAccepter(repo, {
-      invitationId: String(invitationId),
-    });
-  });
-
-const reposWithToken = repositories.filter(r => r.token);
-const providers = new Map();
-
-reposWithToken.map(({ repo }) => {
-  const [org] = repo.split('/');
-  if (!providers.has(org)) {
-    providers.set(
-      org,
-      new github.Provider(org, {
-        owner: org,
-        organization: org,
-        token: githubToken,
-      }),
-    );
-  }
-});
-
-reposWithToken.map(({ repo }) => {
-  const [org, repository] = repo.split('/');
-  return new github.ActionsSecret(
-    `${org}-${repository}`,
-    {
-      secretName: 'BJERKBOT_GITHUB_TOKEN',
-      plaintextValue: githubToken,
-      repository,
-    },
-    { provider: providers.get(org), dependsOn: invites },
-  );
-});
-
-const organizations = config.requireObject<string[]>('organizations');
-
-organizations.map(org => {
-  if (!providers.has(org)) {
-    providers.set(
-      org,
-      new github.Provider(org, {
-        owner: org,
-      }),
-    );
-  }
-});
-
-organizations.map(
-  org =>
-    new github.ActionsOrganizationSecret(
-      org,
-      {
-        secretName: 'BJERKBOT_GITHUB_TOKEN',
-        plaintextValue: githubToken,
-        visibility: 'all',
-      },
-      { provider: providers.get(org) },
-    ),
-);
+import './github/repositories-with-github-tokens';

package.json

@@ -3,7 +3,10 @@
   "repository": "github:bjerkio/bot",
   "dependencies": {
     "@pulumi/github": "^5.3.0",
-    "@pulumi/pulumi": "^3.53.1"
+    "@pulumi/pulumi": "^3.53.1",
+    "date-fns": "^2.29.3",
+    "ts-invariant": "^0.10.3",
+    "zod": "^3.21.4"
   },
   "devDependencies": {
     "@types/node": "^18.11.18"

yarn.lock

@@ -228,6 +228,11 @@ cross-spawn@^7.0.3:
     shebang-command "^2.0.0"
     which "^2.0.1"
 
+date-fns@^2.29.3:
+  version "2.29.3"
+  resolved "https://registry.yarnpkg.com/date-fns/-/date-fns-2.29.3.tgz#27402d2fc67eb442b511b70bbdf98e6411cd68a8"
+  integrity sha512-dDCnyH2WnnKusqvZZ6+jA1O51Ibt8ZMRNkDZdyAyK4YfbDwa/cEmuztzG5pk6hqlp9aSBPYcjOlktquahGwGeA==
+
 debug@^4.1.1:
   version "4.3.4"
   resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.4.tgz#1319f6579357f2338d3337d2cdd4914bb5dcc865"
@@ -801,6 +806,13 @@ supports-preserve-symlinks-flag@^1.0.0:
   resolved "https://registry.yarnpkg.com/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz#6eda4bd344a3c94aea376d4cc31bc77311039e09"
   integrity sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==
 
+ts-invariant@^0.10.3:
+  version "0.10.3"
+  resolved "https://registry.yarnpkg.com/ts-invariant/-/ts-invariant-0.10.3.tgz#3e048ff96e91459ffca01304dbc7f61c1f642f6c"
+  integrity sha512-uivwYcQaxAucv1CzRp2n/QdYPo4ILf9VXgH19zEIjFx2EJufV16P0JtJVpYHy89DItG6Kwj2oIUjrcK5au+4tQ==
+  dependencies:
+    tslib "^2.1.0"
+
 ts-node@^7.0.1:
   version "7.0.1"
   resolved "https://registry.yarnpkg.com/ts-node/-/ts-node-7.0.1.tgz#9562dc2d1e6d248d24bc55f773e3f614337d9baf"
@@ -815,6 +827,11 @@ ts-node@^7.0.1:
     source-map-support "^0.5.6"
     yn "^2.0.0"
 
+tslib@^2.1.0:
+  version "2.5.0"
+  resolved "https://registry.yarnpkg.com/tslib/-/tslib-2.5.0.tgz#42bfed86f5787aeb41d031866c8f402429e0fddf"
+  integrity sha512-336iVw3rtn2BUK7ORdIAHTyxHGRIHVReokCR3XjbckJMK7ms8FysBfhLR8IXnAgy7T0PTPNBWKiH514FOW/WSg==
+
 typescript@~3.8.3:
   version "3.8.3"
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-3.8.3.tgz#409eb8544ea0335711205869ec458ab109ee1061"
@@ -882,3 +899,8 @@ yn@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/yn/-/yn-2.0.0.tgz#e5adabc8acf408f6385fc76495684c88e6af689a"
   integrity sha1-5a2ryKz0CPY4X8dklWhMiOavaJo=
+
+zod@^3.21.4:
+  version "3.21.4"
+  resolved "https://registry.yarnpkg.com/zod/-/zod-3.21.4.tgz#10882231d992519f0a10b5dd58a38c9dabbb64db"
+  integrity sha512-m46AKbrzKVzOzs/DZgVnG5H55N1sv1M8qZU3A8RIKbs3mrACDNeIOeilDymVb2HdmP8uwshOCF4uJ8uM9rCqJw==