refactor(deploy): hoist shared conf handling to deploy/lib

**Motivations:** - Apply approved boundary: identical steps in ia_dev libs; project orchestrator keeps only specific sequencing **Root causes:** - N/A **Correctifs:** - N/A **Evolutions:** - Add deploy/lib/deploy-conf-handling.sh (jq, secrets_path export, IA_DEV_DEPLOY_* context) - Document boundary in deploy-methodology.sh; orchestrator sources new lib - deploy/lib/README.md: boundary + deploy-conf-handling **Pages affectées:** - deploy/lib/*.sh, deploy/orchestrator.sh, deploy/lib/README.md
2026-03-23 13:23:23 +01:00 · 2026-03-23 13:23:23 +01:00 · d80b240853
commit d80b240853
parent f1c53477b0
4 changed files with 51 additions and 12 deletions
--- a/deploy/lib/README.md
+++ b/deploy/lib/README.md
@ -17,7 +17,13 @@ Project-specific logic (Prisma, systemd unit names, remote app layout, LeCoffre

 Shared contract for all managed projects: allowed envs (`test` \| `pprod` \| `prod`), validation helpers. Sourced by **`deploy.sh`** and **`orchestrator.sh`**. Extend only with an explicit decision (new env = conf + doc migration).

-Quality gates and longer sequences that are identical across projects should be added here (or in small `deploy/lib/deploy-*.sh` peers) over time — not in project repos.
+**Boundary** : any step **strictly identical** for every project belongs here or in a sibling `deploy/lib/deploy-*.sh`. The project orchestrator under `repository_root` only sequences **project-specific** scripts (e.g. `_lib/deploy-phase-*.sh`).
+
+Quality gates and longer sequences that are identical across projects should be added here or in peers — not in project repos.
+
+## `deploy-conf-handling.sh`
+
+Shared **conf.json** handling: `jq` requirement, `deploy.secrets_path` → `SECRETS_BASE` / `LECOFFRE_SECRETS_BASE`, optional exports `IA_DEV_DEPLOY_REPO_ROOT` and `IA_DEV_DEPLOY_ENV` for project scripts. Sourced by **`orchestrator.sh`**. Add new generic `deploy.*` reads here.

 ## Orchestration (`../orchestrator.sh`, `../deploy.sh`)

--- a/deploy/lib/deploy-conf-handling.sh
+++ b/deploy/lib/deploy-conf-handling.sh
@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+# ia_dev — conf.json handling identical for every managed project (jq, secrets_path → SECRETS_BASE).
+# Add here any new deploy.* field that must be read the same way for all projects.
+# Do not put project-specific paths, hostnames, or phase ordering here beyond generic keys.
+
+# ia_dev_deploy_require_jq <log_tag> — exit 1 if jq missing (e.g. log_tag="[orchestrator]")
+ia_dev_deploy_require_jq() {
+	local tag="${1:-[ia_dev][deploy]}"
+	if ! command -v jq >/dev/null 2>&1; then
+		echo "${tag}[ERROR] jq is required to read deploy.* from conf.json" >&2
+		exit 1
+	fi
+}
+
+# ia_dev_deploy_secrets_export_from_conf <conf_path> — export SECRETS_BASE + LECOFFRE_SECRETS_BASE when deploy.secrets_path is a directory
+ia_dev_deploy_secrets_export_from_conf() {
+	local conf="${1:?}"
+	local secrets_path
+	secrets_path="$(jq -r '.deploy.secrets_path // empty' "$conf")"
+	if [[ -n "$secrets_path" && "$secrets_path" != "null" && -d "$secrets_path" ]]; then
+		export SECRETS_BASE="$secrets_path"
+		export LECOFFRE_SECRETS_BASE="$secrets_path"
+	fi
+}
+
+# ia_dev_deploy_export_runtime_context <repository_root> <env> — optional hints for project orchestrator scripts
+ia_dev_deploy_export_runtime_context() {
+	local repo="${1:?}"
+	local env="${2:?}"
+	export IA_DEV_DEPLOY_REPO_ROOT="$repo"
+	export IA_DEV_DEPLOY_ENV="$env"
+}
--- a/deploy/lib/deploy-methodology.sh
+++ b/deploy/lib/deploy-methodology.sh
@ -1,7 +1,13 @@
 #!/usr/bin/env bash
 # Shared deploy methodology for all ia_dev–managed projects: environments, quality bar, ordering contract.
 # Sourced by ia_dev/deploy/deploy.sh and ia_dev/deploy/orchestrator.sh — no project-specific paths here.
-# Project-specific sequencing lives only in the repository's project orchestrator (deploy.project_orchestrator_path).
+#
+# Boundary (approved workflow):
+# - Everything strictly identical across projects (allowed envs, shared tooling checks, shared conf.json
+#   field handling) lives in deploy-methodology.sh and siblings under deploy/lib/ (e.g. deploy-conf-handling.sh).
+# - The repository’s project orchestrator (deploy.project_orchestrator_path) only sequences project-specific
+#   work (e.g. LeCoffre: _lib/deploy-phase-*.sh, remote layout, Prisma, systemd unit names).
+# When a step is candidate for hoisting, move it here or into a small deploy/lib/*.sh peer; shrink the project script.

 # Environments are fixed across projects; extend only with an explicit decision and conf migration.
 IA_DEV_DEPLOY_ENVS=(test pprod prod)
--- a/deploy/orchestrator.sh
+++ b/deploy/orchestrator.sh
@ -14,6 +14,8 @@ _ORCH_TAG="[orchestrator]"

 # shellcheck source=lib/deploy-methodology.sh
 source "${DEPLOY_DIR}/lib/deploy-methodology.sh"
+# shellcheck source=lib/deploy-conf-handling.sh
+source "${DEPLOY_DIR}/lib/deploy-conf-handling.sh"

 if [[ -z "${IA_PROJECT_ID:-}" ]]; then
 	echo "${_ORCH_TAG}[ERROR] IA_PROJECT_ID is not set" >&2
@ -40,16 +42,9 @@ if [[ -z "$CONF" || ! -f "$CONF" ]]; then
 	exit 1
 fi

-if ! command -v jq >/dev/null 2>&1; then
-	echo "${_ORCH_TAG}[ERROR] jq is required to read deploy.* from conf.json" >&2
-	exit 1
-fi
-
-SECRETS_PATH_CFG="$(jq -r '.deploy.secrets_path // empty' "$CONF")"
-if [[ -n "$SECRETS_PATH_CFG" && "$SECRETS_PATH_CFG" != "null" && -d "$SECRETS_PATH_CFG" ]]; then
-	export SECRETS_BASE="$SECRETS_PATH_CFG"
-	export LECOFFRE_SECRETS_BASE="$SECRETS_PATH_CFG"
-fi
+ia_dev_deploy_require_jq "${_ORCH_TAG}"
+ia_dev_deploy_secrets_export_from_conf "$CONF"
+ia_dev_deploy_export_runtime_context "$REPO_ROOT" "${1:-}"

 DEPLOY_SCRIPT_PATH="$(jq -r '.deploy.deploy_script_path // empty' "$CONF")"
 PROJECT_ORCH_REL="$(jq -r '.deploy.project_orchestrator_path // empty' "$CONF")"