allthingslinux
diff --git a/‎.github/scripts/set-cloudflare-secrets.sh‎
Lines changed: 77 additions & 0 deletions b/‎.github/scripts/set-cloudflare-secrets.sh‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎.github/workflows/deploy.yml‎
Lines changed: 33 additions & 31 deletions b/‎.github/workflows/deploy.yml‎
Lines changed: 33 additions & 31 deletions
diff --git a/‎.vscode/settings.json‎
Lines changed: 4 additions & 1 deletion b/‎.vscode/settings.json‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎PNPM_SCRIPTS.md‎
Lines changed: 3 additions & 14 deletions b/‎PNPM_SCRIPTS.md‎
Lines changed: 3 additions & 14 deletions
diff --git a/‎README.md‎
Lines changed: 60 additions & 41 deletions b/‎README.md‎
Lines changed: 60 additions & 41 deletions
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Script to set prefixed secrets in Cloudflare Worker from GitHub Environment secrets/variables
+# This is used by GitHub Actions CI/CD workflow
+# Mirrors the pattern used in scripts/secrets.sh for consistency
+
+set -e
+
+# Environment type (DEV or PROD) - passed as first argument
+ENV_TYPE=${1:-DEV}
+
+# Validate environment parameter
+if [ "$ENV_TYPE" != "DEV" ] && [ "$ENV_TYPE" != "PROD" ]; then
+  echo "Error: Invalid environment type. Use 'DEV' or 'PROD'."
+  exit 1
+fi
+
+PREFIX="$ENV_TYPE"
+WORKER_NAME="allthingslinux"
+
+echo "🔐 Setting $ENV_TYPE prefixed secrets in Cloudflare Worker..."
+echo "Worker: $WORKER_NAME"
+echo "Prefix: $PREFIX"
+echo ""
+
+# Helper function to set a prefixed secret (same pattern as scripts/secrets.sh)
+set_prefixed_secret() {
+  local BASE_NAME=$1
+  local SECRET_VALUE=$2
+  local PREFIXED_NAME="${PREFIX}_${BASE_NAME}"
+  
+  if [ -z "$SECRET_VALUE" ]; then
+    echo "⚠ Skipping $PREFIXED_NAME (value not provided)"
+    return 0
+  fi
+  
+  echo "Setting $PREFIXED_NAME..."
+  if echo "$SECRET_VALUE" | pnpm exec wrangler secret put "$PREFIXED_NAME" --name "$WORKER_NAME"; then
+    echo "✓ $PREFIXED_NAME set successfully"
+    return 0
+  else
+    echo "✗ Failed to set $PREFIXED_NAME"
+    return 1
+  fi
+}
+
+ERRORS=0
+
+# Sensitive secrets (from GitHub Environment Secrets)
+# These are passed as environment variables from the workflow
+set_prefixed_secret "QUICKBOOKS_CLIENT_ID" "${QUICKBOOKS_CLIENT_ID}" || ((ERRORS++))
+set_prefixed_secret "QUICKBOOKS_CLIENT_SECRET" "${QUICKBOOKS_CLIENT_SECRET}" || ((ERRORS++))
+set_prefixed_secret "QUICKBOOKS_REFRESH_TOKEN" "${QUICKBOOKS_REFRESH_TOKEN}" || true
+set_prefixed_secret "QUICKBOOKS_REALM_ID" "${QUICKBOOKS_REALM_ID}" || true
+set_prefixed_secret "QUICKBOOKS_ADMIN_KEY" "${QUICKBOOKS_ADMIN_KEY}" || ((ERRORS++))
+set_prefixed_secret "GITHUB_TOKEN" "${GITHUB_TOKEN}" || true
+set_prefixed_secret "MONDAY_API_KEY" "${MONDAY_API_KEY}" || ((ERRORS++))
+
+# Non-sensitive variables (from GitHub Environment Variables)
+# Note: Even though not sensitive, we set as Cloudflare secrets to maintain prefix structure for environment isolation
+set_prefixed_secret "MONDAY_BOARD_ID" "${MONDAY_BOARD_ID}" || ((ERRORS++))
+set_prefixed_secret "DISCORD_WEBHOOK_URL" "${DISCORD_WEBHOOK_URL}" || ((ERRORS++))
+
+# QUICKBOOKS_ENVIRONMENT (optional, auto-detected if not set)
+if [ -n "${QUICKBOOKS_ENVIRONMENT}" ]; then
+  set_prefixed_secret "QUICKBOOKS_ENVIRONMENT" "${QUICKBOOKS_ENVIRONMENT}" || ((ERRORS++))
+fi
+
+echo ""
+if [ $ERRORS -eq 0 ]; then
+  echo "✓ All ${PREFIX}_* prefixed secrets set successfully"
+  exit 0
+else
+  echo "✗ Secret operations completed with $ERRORS error(s)"
+  echo "Check output above for details."
+  exit 1
+fi
@@ -18,7 +18,10 @@ jobs:
     name: Deploy to ${{ github.ref == 'refs/heads/main' && 'Production' || 'Development' }}
     runs-on: ubuntu-latest
     # Use GitHub Environments: 'prod' for main branch, 'dev' for PRs/other branches
-    environment: ${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}
+    # URLs appear on the deployments page and in the workflow run visualization
+    environment:
+      name: ${{ github.ref == 'refs/heads/main' && 'prod' || 'dev' }}
+      url: ${{ github.ref == 'refs/heads/main' && 'https://allthingslinux.org' || 'https://allthingslinux.dev' }}
     permissions:
       contents: read
       deployments: write
@@ -40,47 +43,46 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      - name: Setup Cloudflare Bindings (R2, KV)
+        run: |
+          echo "🔧 Setting up Cloudflare bindings (R2, KV) if they don't exist..."
+          chmod +x scripts/setup-bindings.sh
+          # Run setup-bindings script - it's idempotent and checks for existing resources
+          # Use || true to prevent workflow failure if bindings already exist or script has minor issues
+          scripts/setup-bindings.sh || true
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+
       - name: Build application
         run: pnpm run build:all
 
       - name: Set secrets in Cloudflare Worker (Prefixed)
         run: |
           ENV_TYPE="${{ github.ref == 'refs/heads/main' && 'PROD' || 'DEV' }}"
-          echo "🔐 Setting $ENV_TYPE prefixed secrets in Cloudflare Worker..."
-          # Set prefixed secrets so both dev and prod can coexist in the same worker
-          # Runtime detection will select the correct prefix based on request host
-          PREFIX="$ENV_TYPE"
-
-          # Sensitive secrets (use GitHub Secrets)
-          echo "${{ secrets.QUICKBOOKS_CLIENT_ID }}" | pnpm exec wrangler secret put ${PREFIX}_QUICKBOOKS_CLIENT_ID
-          echo "${{ secrets.QUICKBOOKS_CLIENT_SECRET }}" | pnpm exec wrangler secret put ${PREFIX}_QUICKBOOKS_CLIENT_SECRET
-          echo "${{ secrets.QUICKBOOKS_REFRESH_TOKEN }}" | pnpm exec wrangler secret put ${PREFIX}_QUICKBOOKS_REFRESH_TOKEN || true
-          echo "${{ secrets.QUICKBOOKS_REALM_ID }}" | pnpm exec wrangler secret put ${PREFIX}_QUICKBOOKS_REALM_ID || true
-          echo "${{ secrets.QUICKBOOKS_ADMIN_KEY }}" | pnpm exec wrangler secret put ${PREFIX}_QUICKBOOKS_ADMIN_KEY || true
-          echo "${{ secrets.GITHUB_TOKEN }}" | pnpm exec wrangler secret put ${PREFIX}_GITHUB_TOKEN || true
-          echo "${{ secrets.MONDAY_API_KEY }}" | pnpm exec wrangler secret put ${PREFIX}_MONDAY_API_KEY || true
-
-          # Non-sensitive variables (use GitHub Variables - still set as Cloudflare secrets for prefixed runtime access)
-          # Note: Even though not sensitive, we set as secrets to maintain prefix structure for environment isolation
-          if [ -n "${{ vars.DISCORD_WEBHOOK_URL }}" ]; then
-            echo "${{ vars.DISCORD_WEBHOOK_URL }}" | pnpm exec wrangler secret put ${PREFIX}_DISCORD_WEBHOOK_URL || true
-          fi
-          if [ -n "${{ vars.MONDAY_BOARD_ID }}" ]; then
-            echo "${{ vars.MONDAY_BOARD_ID }}" | pnpm exec wrangler secret put ${PREFIX}_MONDAY_BOARD_ID || true
-          fi
-          if [ -n "${{ vars.QUICKBOOKS_ENVIRONMENT }}" ]; then
-            echo "${{ vars.QUICKBOOKS_ENVIRONMENT }}" | pnpm exec wrangler secret put ${PREFIX}_QUICKBOOKS_ENVIRONMENT || true
-          fi
+          # Ensure script is executable (defensive - file should already have execute permission)
+          chmod +x .github/scripts/set-cloudflare-secrets.sh
+          .github/scripts/set-cloudflare-secrets.sh "$ENV_TYPE"
         env:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          # Pass GitHub Environment Secrets as environment variables
+          QUICKBOOKS_CLIENT_ID: ${{ secrets.QUICKBOOKS_CLIENT_ID }}
+          QUICKBOOKS_CLIENT_SECRET: ${{ secrets.QUICKBOOKS_CLIENT_SECRET }}
+          QUICKBOOKS_REFRESH_TOKEN: ${{ secrets.QUICKBOOKS_REFRESH_TOKEN }}
+          QUICKBOOKS_REALM_ID: ${{ secrets.QUICKBOOKS_REALM_ID }}
+          QUICKBOOKS_ADMIN_KEY: ${{ secrets.QUICKBOOKS_ADMIN_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MONDAY_API_KEY: ${{ secrets.MONDAY_API_KEY }}
+          # Pass GitHub Environment Variables as environment variables
+          MONDAY_BOARD_ID: ${{ vars.MONDAY_BOARD_ID }}
+          DISCORD_WEBHOOK_URL: ${{ vars.DISCORD_WEBHOOK_URL }}
+          QUICKBOOKS_ENVIRONMENT: ${{ vars.QUICKBOOKS_ENVIRONMENT }}
 
       - name: Deploy to Cloudflare Workers
         run: |
           echo "🚀 Deploying to ${{ github.ref == 'refs/heads/main' && 'PRODUCTION' || 'DEVELOPMENT' }} environment..."
-          # Deploy to single worker "dev" (no --env flag = base worker)
-          # Worker URL: dev.allthingslinux.workers.dev
-          # Production: allthingslinux.org (custom route in wrangler.jsonc)
-          # Secrets are prefixed (DEV_* / PROD_*) - runtime detection selects correct prefix
+          # Deploy to single worker "allthingslinux" (no --env flag = base worker, not using Wrangler environments)
+          # Custom domains: allthingslinux.dev (dev) and allthingslinux.org (prod)
+          # Secrets are prefixed (DEV_* / PROD_*) - runtime detection selects correct prefix based on request host
           pnpm exec opennextjs-cloudflare deploy
         env:
           # Only Cloudflare API token needed for deployment (secrets are set separately above)
@@ -102,6 +104,6 @@ jobs:
 
             **URLs:**
             - **Production:** [https://allthingslinux.org](https://allthingslinux.org)
-            - **Development:** [https://dev.allthingslinux.workers.dev](https://dev.allthingslinux.workers.dev)
+            - **Development:** [https://allthingslinux.dev](https://allthingslinux.dev)
 
             Deployment completed successfully! ✨
@@ -37,5 +37,8 @@
   ],
   "prettier.requireConfig": true,
   "prettier.configPath": "prettier.config.mjs",
-  "typescript.tsdk": "node_modules/typescript/lib"
+  "typescript.tsdk": "node_modules/typescript/lib",
+  "[github-actions-workflow]": {
+    "editor.defaultFormatter": "redhat.vscode-yaml"
+  }
 }
@@ -48,17 +48,6 @@ This document explains all available pnpm scripts in the project.
 
 ## Version Management
 
-- `pnpm run deploy:dev`
-  Builds and deploys to the development environment.
-
-- `pnpm run deploy:prod`
-  Builds and deploys to the production environment.
-
-- `pnpm run deploy`
-  Alias for production deployment - the default deploy command.
-
-## Version Management
-
 - `pnpm run version:upload`
   Creates a new version in Cloudflare Workers without deploying it immediately.
 
@@ -98,11 +87,11 @@ This document explains all available pnpm scripts in the project.
 
 ## Infrastructure
 
+- `pnpm run setup:bindings`
+  Sets up Cloudflare bindings (R2 buckets, KV namespaces). IMPORTANT: Update wrangler.jsonc with the KV ID from the script output.
+
 - `pnpm run cf:typegen`
   Generates TypeScript types for Cloudflare Workers bindings and environment variables.
 
-- `pnpm run setup`
-  Runs the main project setup script.
-
 - `pnpm run coc:generate`
   Generates the Code of Conduct markdown file from TOML configuration.
@@ -1,7 +1,7 @@
 # All Things Linux
 
 [![Deploy to Production](https://img.shields.io/badge/Production-Deployed-brightgreen)](https://allthingslinux.org)
-[![Deploy to Dev](https://img.shields.io/badge/Dev-Deployed-blue)](https://allthingslinux-dev.allthingslinux.workers.dev)
+[![Deploy to Dev](https://img.shields.io/badge/Dev-Deployed-blue)](https://allthingslinux.dev)
 
 The official website for All Things Linux ([allthingslinux.org](https://allthingslinux.org)).
 
@@ -13,9 +13,8 @@ git clone https://github.com/allthingslinux/allthingslinux.git
 cd allthingslinux
 pnpm install
 
-# Set up secrets
-cp .env.secrets.example .env.secrets
-# Edit .env.secrets with your actual secrets
+# Setup Cloudflare bindings (R2, KV) - IMPORTANT: Update wrangler.jsonc with KV ID from output
+pnpm run setup:bindings
 
 # Start development
 pnpm run dev:all
@@ -49,20 +48,35 @@ cd allthingslinux
 pnpm install
 ```
 
-### 2. Configure Secrets
+### 2. Setup Cloudflare Bindings
 
 ```bash
-# Copy templates for environment-specific secrets
-cp .env.secrets.dev.example .env.secrets.dev    # Development (sandbox)
-cp .env.secrets.prod.example .env.secrets.prod  # Production
-# Edit each file with appropriate credentials (gitignored)
-
-# Upload secrets to Cloudflare (when needed for deployment)
-# pnpm run secrets:dev   # Upload dev/sandbox secrets
-# pnpm run secrets:prod  # Upload production secrets
+# Create R2 buckets and KV namespaces
+pnpm run setup:bindings
+
+# IMPORTANT: Update wrangler.jsonc with the KV namespace ID shown in the script output
+```
+
+### 3. Configure Secrets
+
+**For local development**, create `.env.secrets.dev` and `.env.secrets.prod` files (these are gitignored):
+
+```bash
+# Create .env.secrets.dev for local development (sandbox credentials)
+# Create .env.secrets.prod for production credentials
+# Add your secrets following the format: KEY=value (one per line)
+```
+
+**For CI/CD**, secrets are managed via GitHub Environments (see Deployment section below).
+
+**Upload secrets to Cloudflare manually** (when needed):
+
+```bash
+pnpm run secrets:dev   # Upload dev/sandbox secrets (sets DEV_* prefixed secrets)
+pnpm run secrets:prod  # Upload production secrets (sets PROD_* prefixed secrets)
 ```
 
-### 3. Start Development
+### 4. Start Development
 
 ```bash
 pnpm run dev:all  # Next.js + Wrangler + Trigger.dev
@@ -79,19 +93,21 @@ pnpm run dev:all  # Next.js + Wrangler + Trigger.dev
 
 **GitHub Actions with GitHub Environments** - Automatic deployments on push/PR:
 
-| Branch   | Environment | URL                                                                      |
-| -------- | ----------- | ------------------------------------------------------------------------ |
-| `main`   | Production  | [allthingslinux.org](https://allthingslinux.org)                         |
-| PR/other | Development | [dev.allthingslinux.workers.dev](https://dev.allthingslinux.workers.dev) |
-
-**Setup:** See [GitHub Environments Setup Guide](docs/GITHUB_ENVIRONMENTS_SETUP.md) for detailed configuration.
+| Branch   | Environment | URL                                              |
+| -------- | ----------- | ------------------------------------------------ |
+| `main`   | Production  | [allthingslinux.org](https://allthingslinux.org) |
+| PR/other | Development | [allthingslinux.dev](https://allthingslinux.dev) |
 
 **Quick setup:**
 
 1. Create GitHub Environments: `dev` and `prod` (Settings → Environments)
-2. Add secrets to each environment (see guide for required secrets)
-3. Push to any branch → Auto-deploys via GitHub Actions
-4. Merge to `main` → Auto-deploys to production
+2. Add secrets and variables to each environment:
+   - **Secrets** (sensitive): `QUICKBOOKS_CLIENT_ID`, `QUICKBOOKS_CLIENT_SECRET`, `QUICKBOOKS_REFRESH_TOKEN`, `QUICKBOOKS_REALM_ID`, `QUICKBOOKS_ADMIN_KEY`, `GITHUB_TOKEN`, `MONDAY_API_KEY`, `CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_ACCOUNT_ID`, `TRIGGER_SECRET_KEY`
+   - **Variables** (non-sensitive): `MONDAY_BOARD_ID`, `DISCORD_WEBHOOK_URL`, `QUICKBOOKS_ENVIRONMENT`
+3. Push to any branch → Auto-deploys to development environment
+4. Merge to `main` → Auto-deploys to production environment
+
+See [`docs/integrations/quickbooks.md`](docs/integrations/quickbooks.md) for detailed QuickBooks integration setup.
 
 **Workflow:** `.github/workflows/deploy.yml` automatically handles branch detection and environment selection.
 
@@ -122,10 +138,13 @@ pnpm run version:deploy # Deploy latest version
 ### Build Process
 
 ```bash
-# Full production build
+# Full production build (Next.js + OpenNext for Cloudflare)
+pnpm run build:all
+
+# Next.js build only
 pnpm run build
 
-# Preview build locally
+# Preview build locally (tests the Cloudflare Workers build)
 pnpm run preview
 ```
 
@@ -139,24 +158,23 @@ pnpm run preview
 2. **Add secrets** to each environment (same secret names, different values per environment)
 3. **Secrets are automatically available** in GitHub Actions workflows
 
-See [GitHub Environments Setup Guide](docs/GITHUB_ENVIRONMENTS_SETUP.md) for complete setup instructions.
+**Secrets are prefixed** (`DEV_*` and `PROD_*`) in the single Cloudflare Worker and selected at runtime based on the request host.
 
-### Manual Deployment (Local)
+### Manual Secret Management (Local)
 
-**For manual deployments from your local machine:**
+**Note:** GitHub Actions automatically manages secrets during CI/CD. Manual secret management is mainly for local testing.
 
-```bash
-# 1. Copy templates for each environment
-cp .env.secrets.dev.example .env.secrets.dev    # Sandbox credentials
-cp .env.secrets.prod.example .env.secrets.prod  # Production credentials
+**For manual secret setup from your local machine:**
 
-# 2. Edit with real values
+```bash
+# 1. Create .env.secrets.dev and .env.secrets.prod files (gitignored)
+# Format: KEY=value (one per line)
 # .env.secrets.dev: Sandbox QuickBooks + other dev secrets
 # .env.secrets.prod: Production QuickBooks + other prod secrets
 
-# 3. Upload to Cloudflare (when needed)
-pnpm run secrets:dev    # Dev environment (uses .env.secrets.dev)
-pnpm run secrets:prod   # Production (uses .env.secrets.prod)
+# 2. Upload to Cloudflare Worker (sets prefixed secrets: DEV_*, PROD_*)
+pnpm run secrets:dev    # Sets DEV_* prefixed secrets
+pnpm run secrets:prod   # Sets PROD_* prefixed secrets
 ```
 
 ### Security Notes
@@ -166,7 +184,7 @@ pnpm run secrets:prod   # Production (uses .env.secrets.prod)
 - **Secrets are encrypted** and managed via `wrangler secret put` or GitHub Environments
 - **Use `.dev.vars`** only for non-sensitive local config
 - **Environment variables** are defined in `wrangler.jsonc` per environment
-- **No prefixing needed**: GitHub Environments handle isolation automatically
+- **Prefixed secrets**: Secrets are stored as `DEV_*` and `PROD_*` in the single worker, selected at runtime
 
 ## 📁 Project Structure
 
@@ -214,12 +232,13 @@ pnpm run version:list   # List all versions
 pnpm run version:deploy # Deploy latest version
 
 # Secrets
-pnpm run secrets:dev    # Upload to dev env
-pnpm run secrets:prod   # Upload to prod env
+pnpm run secrets:dev    # Upload dev secrets (sets DEV_* prefixed)
+pnpm run secrets:prod   # Upload prod secrets (sets PROD_* prefixed)
 
 # Infrastructure
-pnpm run cf:typegen      # Generate Cloudflare types
-pnpm run coc:generate    # Generate Code of Conduct
+pnpm run setup:bindings # Setup Cloudflare bindings (R2, KV)
+pnpm run cf:typegen     # Generate Cloudflare types
+pnpm run coc:generate   # Generate Code of Conduct
 ```
 
 See [`PNPM_SCRIPTS.md`](PNPM_SCRIPTS.md) for detailed script explanations.