primitivedotdev
diff --git a/‎LICENSE‎
Lines changed: 21 additions & 0 deletions b/‎LICENSE‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 129 additions & 0 deletions b/‎README.md‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎RELEASING.md‎
Lines changed: 76 additions & 0 deletions b/‎RELEASING.md‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎action.yml‎
Lines changed: 100 additions & 0 deletions b/‎action.yml‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎dist/index.js‎
Lines changed: 4 additions & 0 deletions b/‎dist/index.js‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎dist/index.js.map‎
Lines changed: 1 addition & 0 deletions b/‎dist/index.js.map‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 primitive.dev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,129 @@
+# Deploy Primitive Function
+
+GitHub Action that deploys a [Primitive Function](https://primitive.dev) to primitive.dev. Idempotent — creates the function on first run, updates it on subsequent runs. Manages custom `function_secrets` in lockstep with the deploy and triggers a re-bind when bindings change.
+
+## Quick start
+
+```yaml
+- uses: actions/checkout@v4
+- run: pnpm install --frozen-lockfile && pnpm build
+- uses: primitivedotdev/deploy-function@v1
+  with:
+    api-key: ${{ secrets.PRIMITIVE_API_KEY }}
+    name: my-function
+    code-path: dist/handler.js
+    source-map-path: dist/handler.js.map
+```
+
+## Inputs
+
+| Input | Required | Default | Description |
+|---|---|---|---|
+| `api-key` | yes | — | Org-scoped Primitive API key. Pass via `${{ secrets.* }}` — masked in logs. |
+| `api-base-url` | no | `https://api.primitive.dev/v1` | API base URL. Override only if deploying against a non-production environment. |
+| `name` | yes | — | Function name. `/^[a-z0-9_-]{1,64}$/`. Idempotent within the org. |
+| `code-path` | one of | — | Path to a pre-built ESM bundle (e.g. `dist/handler.js`). Mutually exclusive with `files-path`. |
+| `source-map-path` | no | — | Source map for the `code-path` bundle. Surfaces readable stack traces in the dashboard. |
+| `files-path` | one of | — | Path to a source directory for **managed build**. The Action walks the tree, applies ignore patterns, and the platform builds server-side. Directory must contain a `package.json` at its root. Requires the `functions_managed_build` entitlement on the org. Mutually exclusive with `code-path`. |
+| `ignore` | no | — | Newline-delimited basename patterns to skip when walking `files-path`. Layered on top of the [default ignore list](#default-ignore-list). |
+| `secrets` | no | `{}` | JSON object of custom function secrets to upsert. Values are masked. |
+| `redeploy-on-secret-change` | no | `true` | Re-bind the runtime after upserting secrets. |
+| `expected-org-id` | no | — | Safety guard: aborts if the API key's org differs from this UUID. Strongly recommended in production workflows. |
+
+Exactly one of `code-path` and `files-path` must be set.
+
+### Default ignore list
+
+`node_modules`, `.git`, `.github`, `dist`, `build`, `.next`, `.turbo`, `.vercel`, `coverage`, `.DS_Store`, `.env`, `.env.local`, `.env.*` (covers `.env.production`, `.env.staging`, etc).
+
+Add to it via the `ignore` input — basenames anywhere in the tree, exact match or simple glob (`*.log`, `*.test.ts`). `#` comments and blank lines allowed.
+
+## Outputs
+
+| Output | Description |
+|---|---|
+| `function-id` | UUID of the created or updated function. |
+| `deploy-status` | `deployed`, `pending`, or `failed`. |
+| `created` | `true` on initial create, `false` on update. |
+
+## Examples
+
+### Minimal — pre-built bundle
+
+```yaml
+- uses: primitivedotdev/deploy-function@v1
+  with:
+    api-key: ${{ secrets.PRIMITIVE_API_KEY }}
+    name: my-function
+    code-path: dist/handler.js
+```
+
+### With custom secrets and an org-id guard
+
+```yaml
+- uses: primitivedotdev/deploy-function@v1
+  with:
+    api-key: ${{ secrets.PRIMITIVE_API_KEY }}
+    expected-org-id: ${{ vars.PRIMITIVE_ORG_ID }}
+    name: my-function
+    code-path: dist/handler.js
+    secrets: |
+      {
+        "OPENAI_API_KEY": "${{ secrets.OPENAI_API_KEY }}",
+        "FEATURE_FLAG": "on"
+      }
+```
+
+The action upserts each secret via `POST /v1/functions/{id}/secrets`, then calls `POST /v1/functions/{id}/redeploy` so the new bindings are live in the runtime. Set `redeploy-on-secret-change: false` to skip the redeploy step (only the secret rows are touched).
+
+### Managed build (`files-path`)
+
+Skip the build step and hand the platform your source. The platform bundles server-side, applying the same Workers-for-Platforms compatibility flags as the dashboard's managed-build path.
+
+```yaml
+- uses: actions/checkout@v4
+- uses: primitivedotdev/deploy-function@v1
+  with:
+    api-key: ${{ secrets.PRIMITIVE_API_KEY }}
+    name: my-function
+    files-path: ./function-source
+    ignore: |
+      # local-only assets the platform doesn't need
+      fixtures
+      *.test.ts
+      *.spec.ts
+```
+
+`function-source/` must contain a `package.json` at its root (dependencies may be empty).
+
+### Using outputs
+
+```yaml
+- id: deploy
+  uses: primitivedotdev/deploy-function@v1
+  with:
+    api-key: ${{ secrets.PRIMITIVE_API_KEY }}
+    name: my-function
+    code-path: dist/handler.js
+- run: echo "Deployed function-id=${{ steps.deploy.outputs.function-id }} (created=${{ steps.deploy.outputs.created }})"
+```
+
+## Security
+
+- The `api-key` input is automatically masked. Pass it as a GitHub secret (`${{ secrets.* }}`) — never hard-code.
+- Every value passed via `secrets` is also masked.
+- Use `expected-org-id` in production workflows. It calls `GET /v1/whoami` before any write and aborts if the API key's org doesn't match.
+
+## Versioning
+
+- Floating major tag `v1` always tracks the latest 1.x.
+- Pin a specific minor/patch (`v1.2.0`) for reproducible deploys.
+- Breaking changes bump the major; `v1` stays alive for a deprecation window.
+
+## Source
+
+This action is authored in [primitivedotdev/primitive-mono-repo](https://github.com/primitivedotdev/primitive-mono-repo) under `tools/actions/deploy-function/` and mirrored here on release tags. See [RELEASING.md](./RELEASING.md) for the release process.
+
+## License
+
+MIT — see [LICENSE](./LICENSE).
@@ -0,0 +1,76 @@
+# Releasing `deploy-function`
+
+This Action is authored in [`primitivedotdev/primitive-mono-repo`](https://github.com/primitivedotdev/primitive-mono-repo) under `tools/actions/deploy-function/` and **mirrored on tag** to the public repo [`primitivedotdev/deploy-function`](https://github.com/primitivedotdev/deploy-function). External consumers pin a floating major (`@v1`) or an immutable patch (`@v1.2.3`) from the public repo.
+
+The mirror is **one-way**: every release wipes the public tree and force-replaces it with the contents of `tools/actions/deploy-function/`. No PRs are accepted against the public repo.
+
+## One-time setup
+
+Done once when this Action goes public.
+
+### 1. Create the public repo
+
+```bash
+gh repo create primitivedotdev/deploy-function \
+  --public \
+  --description "GitHub Action for deploying a Primitive Function — primitive.dev" \
+  --homepage https://primitive.dev
+```
+
+Leave the repo empty — the first tag push from this monorepo populates it.
+
+### 2. (Nothing) — the App auth is already wired up
+
+The mirror workflow authenticates as the `primitive-ci` GitHub App, the same App used by `sync-staging-to-main`. The App is installed at the **org level with `repository_selection: "all"`**, so `deploy-function` is covered automatically the moment the repo is created — no per-repo install step is needed. The App credential is read at run time from AWS Secrets Manager (`staging/github-ci-app`) via the existing OIDC role; no GitHub Actions secret to manage.
+
+If `repository_selection` ever changes to `selected` in the future, add `deploy-function` to the install's repository list.
+
+## Cutting a release
+
+1. **Confirm the change is on `main`** — the mirror workflow asserts the tag commit is reachable from `origin/main` and refuses to publish otherwise.
+2. **Pick a version** following semver (`vX.Y.Z`). Breaking changes bump the major.
+3. **Tag locally and push**:
+
+   ```bash
+   git checkout main
+   git pull --ff-only
+   git tag deploy-function-action-v1.2.3
+   git push origin deploy-function-action-v1.2.3
+   ```
+
+4. **Watch the mirror run**:
+
+   ```bash
+   gh run watch \
+     "$(gh run list --workflow mirror-deploy-function-action.yml --limit 1 --json databaseId --jq '.[0].databaseId')"
+   ```
+
+5. **Confirm the public repo updated**:
+
+   ```bash
+   # The mirror only pushes git tags (not GitHub Releases), so verify
+   # against the tag list directly.
+   gh api repos/primitivedotdev/deploy-function/tags --jq '.[].name'
+   curl -fsSL https://raw.githubusercontent.com/primitivedotdev/deploy-function/v1/action.yml | head -20
+   ```
+
+## How `vMAJOR` works
+
+The mirror always force-pushes a floating major tag (`v1`) pointing at the latest `v1.x.y`. Consumers who pin `@v1` get the newest patch automatically. Consumers who pin `@v1.2.3` get exactly that immutable version.
+
+When you ship `v2.0.0`, the workflow creates `v2` (new floating major) without touching `v1` — so existing `@v1` consumers stay on the v1 line until they explicitly upgrade.
+
+## Rollback
+
+If a release breaks consumers in production:
+
+1. Tag the **previous** good commit with a new patch version that supersedes the broken one (don't try to "delete" the broken tag; consumers may have already pinned it):
+
+   ```bash
+   git tag deploy-function-action-v1.2.4 <previous-good-sha>
+   git push origin deploy-function-action-v1.2.4
+   ```
+
+   The mirror will rebuild the public repo from that commit and move `v1` to point at `v1.2.4`.
+
+2. If the breakage is in the bundled `dist/`, you can also just **revert + re-tag** on the monorepo, since `dist/` regenerates from `src/` on every build (the `check-dist.mjs` CI guard ensures parity).
@@ -0,0 +1,100 @@
+name: Deploy Primitive Function
+description: >-
+  Deploys a Primitive Function to primitive.dev via the public API.
+  Idempotent: creates the function on first run, updates the bundle
+  on subsequent runs. Manages custom function_secrets in lockstep
+  with the deploy and triggers a redeploy when bindings change.
+author: primitive.dev
+
+branding:
+  icon: send
+  color: blue
+
+inputs:
+  api-key:
+    description: >-
+      Primitive API key. Org-scoped; must belong to the org you are
+      deploying into. Pass via a GitHub secret reference (see README
+      for the usage example) — never hard-code. Masked in logs.
+    required: true
+  api-base-url:
+    description: >-
+      Primitive API base URL. Defaults to production. Set to a
+      non-production URL if you are deploying against a custom
+      environment.
+    required: false
+    default: https://api.primitive.dev/v1
+  name:
+    description: >-
+      Function name. Lowercase letters, digits, dashes, underscores;
+      max 64 chars. Idempotent within the org.
+    required: true
+  code-path:
+    description: >-
+      Path to the pre-built ESM bundle (e.g. `dist/handler.js`). The
+      build is the caller's responsibility; this Action only uploads.
+      Exactly one of `code-path` and `files-path` is required.
+    required: false
+  source-map-path:
+    description: >-
+      Optional path to the bundle's source map. When present, surfaces
+      readable stack traces in the dashboard's invocation logs.
+      Only valid with `code-path`.
+    required: false
+  files-path:
+    description: >-
+      Path to a source directory for managed build mode. The Action
+      walks the directory, applies the default + caller ignore
+      patterns, and sends the resulting `{relative-path: contents}`
+      map as the `files` field. The directory MUST contain a
+      `package.json` at the root. Requires the
+      `functions_managed_build` entitlement on the org. Exactly one
+      of `code-path` and `files-path` is required.
+    required: false
+  ignore:
+    description: >-
+      Additional ignore patterns layered on top of the default list
+      (`node_modules`, `.git`, `.github`, `dist`, `build`, `.next`,
+      `.turbo`, `.vercel`, `coverage`, `.DS_Store`, `.env`,
+      `.env.local`, `.env.*`). One pattern per line. Each pattern is
+      matched against basenames anywhere in the tree. Supports exact
+      names (`secrets.txt`) or simple globs (`*.log`, `*.test.ts`).
+      `#` comments and blank lines allowed. Only used with
+      `files-path`.
+    required: false
+    default: ''
+  secrets:
+    description: >-
+      JSON object of custom function_secrets to upsert before deploy.
+      Values are masked in logs. Example:
+      `{"OPENAI_API_KEY":"sk-…","FEATURE_FLAG":"on"}`. Pass an empty
+      object (or omit) to leave existing secrets untouched.
+    required: false
+    default: '{}'
+  redeploy-on-secret-change:
+    description: >-
+      When `true` and at least one secret was upserted, call
+      `/v1/functions/{id}/redeploy` after the upsert so the new
+      bindings are wired into the runtime. Default `true`. Safe to
+      leave on; the redeploy is a no-op when nothing changed.
+    required: false
+    default: 'true'
+  expected-org-id:
+    description: >-
+      Optional safety guard. When set, the Action calls `/v1/whoami`
+      before any write and aborts if the API key's org differs from
+      this value. Strongly recommended in production workflows to
+      prevent a leaked-key cross-org incident.
+    required: false
+
+outputs:
+  function-id:
+    description: UUID of the created or updated function.
+  deploy-status:
+    description: '`deployed`, `pending`, or `failed` (the platform-reported state after this run).'
+  created:
+    description: '`true` on initial create, `false` on update.'
+
+runs:
+  using: node20
+  main: dist/index.js