ZachHandley
diff --git a/‎actions/README.md‎
Lines changed: 94 additions & 0 deletions b/‎actions/README.md‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎actions/_shared/run.ts‎
Lines changed: 154 additions & 0 deletions b/‎actions/_shared/run.ts‎
Lines changed: 154 additions & 0 deletions
diff --git a/‎actions/appwrite-migrate/action.yml‎
Lines changed: 49 additions & 0 deletions b/‎actions/appwrite-migrate/action.yml‎
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,94 @@
+# Appwrite Utils GitHub Actions
+
+Reusable composite actions that run [`appwrite-utils-cli`](https://www.npmjs.com/package/appwrite-utils-cli)
+in CI. They install and run the CLI via **`bunx`**, which executes dependency build
+scripts (esbuild, pulled in transitively by the CLI's runtime `tsx` dependency)
+**non-interactively** — so there is no `pnpm`-style "Choose which packages to build"
+prompt to hang your pipeline.
+
+All three actions share one dependency-free orchestration script
+(`actions/_shared/run.ts`) that bun runs directly — no build step, no bundled
+`dist/`. The Appwrite API key is forwarded to the CLI through the environment only,
+never on the command line, so it never appears in a logged command.
+
+## Actions
+
+| Action | CLI command | Purpose |
+| --- | --- | --- |
+| `actions/deploy-functions` | `--deployFunctions` | Deploy one or more Appwrite Functions. |
+| `actions/push-schema` | `--push` | Deploy local config (tables, columns, indexes) to Appwrite. |
+| `actions/appwrite-migrate` | _(raw args)_ | Run `appwrite-migrate` with any arguments (sync, import, generate, backup, regen, …). |
+
+## Deploy functions (matrix example)
+
+```yaml
+jobs:
+  deploy:
+    strategy:
+      matrix:
+        fn: [fn-a, fn-b, fn-c]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: zachhandley/AppwriteUtils/actions/deploy-functions@dev
+        with:
+          endpoint: ${{ secrets.APPWRITE_ENDPOINT }}
+          project-id: ${{ secrets.APPWRITE_PROJECT_ID }}
+          api-key: ${{ secrets.APPWRITE_API_KEY }}
+          function-ids: ${{ matrix.fn }}
+```
+
+Omit `function-ids` to deploy every function discovered from `.fnconfig.yaml`
+files and `config.yaml`'s `functions[]`.
+
+## Push schema
+
+```yaml
+      - uses: zachhandley/AppwriteUtils/actions/push-schema@dev
+        with:
+          endpoint: ${{ secrets.APPWRITE_ENDPOINT }}
+          project-id: ${{ secrets.APPWRITE_PROJECT_ID }}
+          api-key: ${{ secrets.APPWRITE_API_KEY }}
+```
+
+## Generic (any command)
+
+```yaml
+      - uses: zachhandley/AppwriteUtils/actions/appwrite-migrate@dev
+        with:
+          endpoint: ${{ secrets.APPWRITE_ENDPOINT }}
+          project-id: ${{ secrets.APPWRITE_PROJECT_ID }}
+          api-key: ${{ secrets.APPWRITE_API_KEY }}
+          args: "--sync"
+```
+
+## Common inputs
+
+- `endpoint`, `project-id`, `api-key` — Appwrite credentials. The CLI also accepts
+  `APPWRITE_ENDPOINT` / `APPWRITE_PROJECT_ID` / `APPWRITE_API_KEY`; these actions set
+  those for you from the inputs.
+- `working-directory` (default `.`) — where the CLI runs (your config and function
+  source live here; remember `actions/checkout` first).
+- `cli-version` (default `latest`) — the npm dist-tag or exact version of
+  `appwrite-utils-cli` to run.
+
+`deploy-functions` additionally exposes `function-ids`, `function-path`,
+`build-concurrency`, `config`, and single-function overrides (`runtime`,
+`entrypoint`, `commands`, `schedule`, `timeout`, `scopes`, `events`, `execute`,
+`enabled`, `logging`). The overrides only apply when exactly one function is
+targeted.
+
+## Installing the CLI directly with pnpm (without these actions)
+
+If you install `appwrite-utils-cli` yourself with **pnpm 10+**, pnpm will pause on
+an interactive prompt to approve `esbuild`'s build script. The old
+`pnpm.onlyBuiltDependencies` field in `package.json` is ignored by pnpm 10+; the
+allowlist now lives in `pnpm-workspace.yaml`:
+
+```yaml
+# pnpm-workspace.yaml
+onlyBuiltDependencies:
+  - esbuild
+```
+
+Using the actions above avoids this entirely (they install via bun).
@@ -0,0 +1,154 @@
+#!/usr/bin/env bun
+/**
+ * Shared orchestration script for the appwrite-utils GitHub Actions.
+ *
+ * Each composite action forwards its inputs as AWU_* environment variables and
+ * invokes this script with `bun`. The script translates them into an
+ * `appwrite-migrate` invocation run through `bunx`, so the published CLI is
+ * fetched and executed without ever going through a pnpm install gate (which
+ * would interactively prompt to approve esbuild's build script and hang CI).
+ *
+ * No npm dependencies: only Node/Bun built-ins. Bun runs this .ts file directly,
+ * so there is no build step.
+ *
+ * Secrets (the API key) are passed to the child via the environment only, never
+ * on argv, and are never printed.
+ */
+import { spawnSync } from "node:child_process";
+
+function env(name: string): string | undefined {
+  const v = process.env[name];
+  if (v === undefined) return undefined;
+  const trimmed = v.trim();
+  return trimmed.length > 0 ? trimmed : undefined;
+}
+
+/** Minimal POSIX-ish tokenizer for the generic action's raw `args` input. No eval. */
+function tokenizeArgs(input: string): string[] {
+  const tokens: string[] = [];
+  let cur = "";
+  let inSingle = false;
+  let inDouble = false;
+  let sawToken = false;
+  for (let i = 0; i < input.length; i++) {
+    const ch = input[i];
+    if (inSingle) {
+      if (ch === "'") inSingle = false;
+      else cur += ch;
+      continue;
+    }
+    if (inDouble) {
+      if (ch === '"') inDouble = false;
+      else if (ch === "\\" && (input[i + 1] === '"' || input[i + 1] === "\\")) {
+        cur += input[++i];
+      } else cur += ch;
+      continue;
+    }
+    if (ch === "'") { inSingle = true; sawToken = true; continue; }
+    if (ch === '"') { inDouble = true; sawToken = true; continue; }
+    if (ch === " " || ch === "\t" || ch === "\n" || ch === "\r") {
+      if (sawToken) { tokens.push(cur); cur = ""; sawToken = false; }
+      continue;
+    }
+    cur += ch;
+    sawToken = true;
+  }
+  if (inSingle || inDouble) {
+    throw new Error("AWU_ARGS: unbalanced quotes in args input");
+  }
+  if (sawToken) tokens.push(cur);
+  return tokens;
+}
+
+function pushFlag(argv: string[], flag: string, value: string | undefined) {
+  if (value !== undefined) argv.push(flag, value);
+}
+
+function buildArgv(): string[] {
+  const command = env("AWU_COMMAND");
+  if (!command) throw new Error("AWU_COMMAND is required");
+
+  const argv: string[] = [];
+
+  switch (command) {
+    case "deploy-functions": {
+      argv.push("--deployFunctions");
+      pushFlag(argv, "--functionIds", env("AWU_FUNCTION_IDS"));
+      pushFlag(argv, "--functionPath", env("AWU_FUNCTION_PATH"));
+      pushFlag(argv, "--buildConcurrency", env("AWU_BUILD_CONCURRENCY"));
+      pushFlag(argv, "--config", env("AWU_CONFIG"));
+      // Single-function overrides (CLI rejects these unless exactly one fn is targeted).
+      pushFlag(argv, "--functionName", env("AWU_FN_NAME"));
+      pushFlag(argv, "--functionRuntime", env("AWU_FN_RUNTIME"));
+      pushFlag(argv, "--functionEntrypoint", env("AWU_FN_ENTRYPOINT"));
+      pushFlag(argv, "--functionCommands", env("AWU_FN_COMMANDS"));
+      pushFlag(argv, "--functionSchedule", env("AWU_FN_SCHEDULE"));
+      pushFlag(argv, "--functionTimeout", env("AWU_FN_TIMEOUT"));
+      pushFlag(argv, "--functionScopes", env("AWU_FN_SCOPES"));
+      pushFlag(argv, "--functionEvents", env("AWU_FN_EVENTS"));
+      pushFlag(argv, "--functionExecute", env("AWU_FN_EXECUTE"));
+      // Boolean overrides: pass as --flag=value so yargs records the explicit value.
+      const enabled = env("AWU_FN_ENABLED");
+      if (enabled !== undefined) argv.push(`--functionEnabled=${enabled}`);
+      const logging = env("AWU_FN_LOGGING");
+      if (logging !== undefined) argv.push(`--functionLogging=${logging}`);
+      break;
+    }
+    case "push": {
+      argv.push("--push");
+      pushFlag(argv, "--config", env("AWU_CONFIG"));
+      break;
+    }
+    case "raw": {
+      const raw = env("AWU_ARGS");
+      if (!raw) throw new Error("AWU_ARGS is required for the generic action");
+      argv.push(...tokenizeArgs(raw));
+      break;
+    }
+    default:
+      throw new Error(`Unknown AWU_COMMAND: ${command}`);
+  }
+
+  return argv;
+}
+
+function main(): number {
+  const argv = buildArgv();
+  const cliVersion = env("AWU_CLI_VERSION") ?? "latest";
+  const workingDir = env("AWU_WORKING_DIR") ?? ".";
+
+  const childEnv: NodeJS.ProcessEnv = { ...process.env };
+  // The CLI reads these (resolveCliCredentials). Passing via env keeps the API
+  // key off the command line and out of any logged argv.
+  const endpoint = env("AWU_ENDPOINT");
+  const projectId = env("AWU_PROJECT_ID");
+  const apiKey = env("AWU_API_KEY");
+  if (endpoint) childEnv.APPWRITE_ENDPOINT = endpoint;
+  if (projectId) childEnv.APPWRITE_PROJECT_ID = projectId;
+  if (apiKey) childEnv.APPWRITE_API_KEY = apiKey;
+
+  const bunxArgs = [
+    "--package=appwrite-utils-cli@" + cliVersion,
+    "appwrite-migrate",
+    ...argv,
+  ];
+
+  // argv contains no secrets (creds go via env), so this is safe to print.
+  console.log(`> bunx ${bunxArgs.join(" ")}  (cwd: ${workingDir})`);
+
+  const result = spawnSync("bunx", bunxArgs, {
+    cwd: workingDir,
+    env: childEnv,
+    stdio: "inherit",
+  });
+
+  if (result.error) {
+    console.error(`Failed to run appwrite-migrate: ${result.error.message}`);
+    return 1;
+  }
+  if (typeof result.status === "number") return result.status;
+  // Terminated by signal.
+  return 1;
+}
+
+process.exit(main());
@@ -0,0 +1,49 @@
+name: "Appwrite Utils — Run appwrite-migrate"
+description: "Run appwrite-utils-cli (appwrite-migrate) with arbitrary arguments, installed through bunx with no pnpm build prompt. Escape hatch for sync/import/generate/backup/regen and any other command."
+author: "Zach Handley"
+branding:
+  icon: "terminal"
+  color: "purple"
+
+inputs:
+  args:
+    description: "Raw arguments passed to appwrite-migrate (e.g. '--sync' or '--import'). Supports single/double quotes; no shell evaluation."
+    required: true
+  endpoint:
+    description: "Appwrite endpoint (e.g. https://cloud.appwrite.io/v1)."
+    required: false
+    default: ""
+  project-id:
+    description: "Appwrite project ID."
+    required: false
+    default: ""
+  api-key:
+    description: "Appwrite API key. Pass via secrets; it is forwarded to the CLI through the environment, never on the command line."
+    required: false
+    default: ""
+  working-directory:
+    description: "Directory to run the CLI from."
+    required: false
+    default: "."
+  cli-version:
+    description: "Version of appwrite-utils-cli to run via bunx (npm dist-tag or exact version)."
+    required: false
+    default: "latest"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Bun
+      uses: oven-sh/setup-bun@v2
+
+    - name: Run appwrite-migrate
+      shell: bash
+      run: bun "${{ github.action_path }}/../_shared/run.ts"
+      env:
+        AWU_COMMAND: "raw"
+        AWU_ARGS: ${{ inputs.args }}
+        AWU_CLI_VERSION: ${{ inputs.cli-version }}
+        AWU_WORKING_DIR: ${{ inputs.working-directory }}
+        AWU_ENDPOINT: ${{ inputs.endpoint }}
+        AWU_PROJECT_ID: ${{ inputs.project-id }}
+        AWU_API_KEY: ${{ inputs.api-key }}