Skip to content

feat(docs): consume .env.example from plugwerk on every release (#101)#108

Merged
bigpuritz merged 1 commit into
mainfrom
feature/101_env-example-sync
May 13, 2026
Merged

feat(docs): consume .env.example from plugwerk on every release (#101)#108
bigpuritz merged 1 commit into
mainfrom
feature/101_env-example-sync

Conversation

@bigpuritz
Copy link
Copy Markdown
Contributor

@bigpuritz bigpuritz commented May 13, 2026

Closes #101.

The sync workflow and the seed file already landed in main as part of commit 330fa5a ("feat(docs): seed .env.example + add release-sync workflow"). This PR adds the consumer-side glue so the synced file actually appears in the rendered docs.

What was already there before this PR

Asset Where
Sync workflow .github/workflows/sync-env-example.yml
Seed file (current upstream v1.0.0 verbatim) public/config/env.example
Companion server-side dispatcher plugwerk/plugwerk PR #527 (merged in v1.0.0)

What this PR adds

File What
src/lib/envExample.ts (new) Build-time loader (mirror of src/lib/deploy.ts pattern). Exports envExample (full string) and envExampleSection(name) (extracts a # --- name --- block, trimmed; throws on missing section so upstream format drift fails the build instead of silently rendering empty).
src/content/docs/server/configuration.mdx Imports the helpers + Code from Starlight. Adds: (1) an intro paragraph pointing at the full reference, (2) an inline OIDC excerpt at the end of the encryption-key safety section, and (3) a "Full .env.example reference" H2 at the bottom of the page rendering the whole file.

Why OIDC as the first inline excerpt

The OIDC sections in configuration.mdx are the most heavily cross-linked surface — both #oidc-ssrf-guard and #oidc-encryption-key-safety are reached from the troubleshooting and best-practices flows in oidc-providers.mdx (shipped via #93 and #107). The OIDC excerpt sits right where readers land via those cross-links and shows the canonical defaults next to the curated commentary.

Other section excerpts (Database, S3 storage, scheduler, …) can land later as separate small PRs once the pattern is proven.

Cleanup posture

Conservative on purpose. The curated tables stay intact — they carry security warnings, migration notes, and worked examples that the raw .env.example file does not. The full reference dump now sits alongside as the canonical source of defaults, and the page intro points readers at it. A follow-up issue can review the tables row-by-row for KEY=DEFAULT-only duplicates that no longer add value.

Acceptance criteria from #101

  • New workflow opens an automatable PR on every env-example-update dispatch — landed in 330fa5a, paired with this PR.
  • configuration.mdx renders the full .env.example content from the synced file (no copy-paste).
  • Manual runs via workflow_dispatch accept a version input identical to sync-openapi.yml — verified by reading the workflow file.
  • At least one section in configuration.mdx references the synced file inline (proves the integration works end-to-end) — OIDC excerpt at the end of the encryption-key safety section.
  • Diff of the first generated PR is reviewed for correctness — see "Test plan / End-to-end check" below.

Test plan

  • npm run format clean
  • npm run format:check clean
  • npm run build clean (32 pages, no drift)
  • AGENTS.md ADR/internal-link grep clean in new content
  • Both anchors (#full-envexample-reference, #oidc-defaults-from-envexample) render
  • PLUGWERK_AUTH_OIDC_FAIL_FAST_ON_UNDECRYPTABLE_PROVIDERS appears 6 times in dist/server/configuration/index.html — proves both excerpts render from the same synced source
  • Static asset /config/env.example is served (operators can curl it)
  • Reviewer: open /server/configuration/, verify the page intro mentions the full reference, the OIDC excerpt block at the end of the encryption-key safety section shows ~30 lines of # OIDC hardening … content, and the full reference dump at the bottom shows the complete annotated template.
  • End-to-end check after merge — manually trigger the workflow once to verify the round-trip: 
    gh workflow run sync-env-example.yml --repo plugwerk/website -f version=1.0.0
    Expected: a no-op PR (since the seed already matches v1.0.0) or no PR at all if the sync action skips when the diff is empty. Either outcome confirms the dispatcher → workflow → content pipeline is wired correctly.

Out of scope

  • Tightening the curated tables to remove KEY=DEFAULT-only rows that are now duplicated by the full dump — a separate editorial pass, will benefit from seeing the rendered page in production first.
  • Adding inline excerpts for the other # --- sections (Database, S3 storage, scheduler, etc.) — proven pattern can be replicated section by section as small follow-up PRs.

@bigpuritz
feat(docs): consume .env.example from plugwerk on every release
c9aa0c9 
Wire the configuration page to the canonical .env.example file shipped
by plugwerk/plugwerk. The sync workflow and seed file already landed in
main (commit 330fa5a); this commit adds the consumer-side glue so the
synced file actually appears in the rendered docs.

Helper:

- src/lib/envExample.ts (new): build-time loader that reads
  public/config/env.example via node:fs (mirror of src/lib/deploy.ts
  pattern). Exports two surfaces:
    * `envExample` — the full file as a string
    * `envExampleSection(name)` — extracts a single
      `# --- name ---` block (the body lines up to the next `# ---`
      marker), trimmed. Throws on missing section so an upstream
      format change fails the build instead of silently rendering an
      empty <Code> block.

server/configuration.mdx:

- Imports `Code` from Starlight and the two helpers from envExample.
- New paragraph in the page intro pointing at the full reference at
  the bottom of the page.
- New H3 "OIDC defaults from `.env.example`" at the end of the
  encryption-key safety section, rendering just the OIDC-hardening
  excerpt via envExampleSection. Picks OIDC because the surrounding
  Configuration sections are the most heavily cross-linked from
  oidc-providers.mdx — operators reach this excerpt naturally from
  the troubleshooting and best-practices flows shipped in #93/#107.
- New "Full `.env.example` reference" H2 section at the bottom of the
  page (just before nothing — it is the last section), rendering the
  whole file inside a single <Code lang="bash" title=".env.example">
  block. Trailing line points at the static asset
  /config/env.example for direct curl/wget consumption.

Curated tables left intact — they carry the security warnings,
migration notes and worked examples that the raw .env.example
file does not. The full reference dump now stands alongside as the
canonical source of defaults.

Verification:
- npm run format / format:check / build all green (32 pages, no drift)
- AGENTS.md ADR/internal-link grep clean in new content
- dist/server/configuration/ contains both anchors and 6 occurrences
  of PLUGWERK_AUTH_OIDC_FAIL_FAST_ON_UNDECRYPTABLE_PROVIDERS (proves
  the OIDC excerpt + full dump both render the same source)
- dist/config/env.example is served as a static asset

Closes #101
@bigpuritz bigpuritz added this to the 1.0.0 milestone May 13, 2026
@bigpuritz bigpuritz added documentation Improvements or additions to documentation enhancement New feature or request automated-sync labels May 13, 2026
@bigpuritz bigpuritz merged commit e4d6522 into main May 13, 2026
1 check passed
@bigpuritz bigpuritz mentioned this pull request May 13, 2026
Merged
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automated-sync documentation Improvements or additions to documentation enhancement New feature or request

Projects

None yet

Milestone

1.0.0

Development

Successfully merging this pull request may close these issues.

docs: consume .env.example from plugwerk/plugwerk in configuration page

1 participant

@bigpuritz