chore: setup demo deployments and small tweaks

Author: jumski

.github/actions/deployment-comment/action.yml

@@ -7,7 +7,7 @@ inputs:
     required: true
   preview-url:
     description: 'The preview deployment URL'
-    required: true
+    required: false
   production-url:
     description: 'The production deployment URL'
     required: true

.github/actions/setup/action.yml

@@ -6,7 +6,7 @@ runs:
   steps:
     - uses: pnpm/action-setup@v4
       with:
-        version: '8.14.1'
+        version: '10.20.0'
         run_install: false
 
     - uses: actions/setup-node@v4

.github/workflows/ci.yml

@@ -53,6 +53,9 @@ jobs:
       - name: Build all affected projects (except playground)
         run: pnpm nx affected -t build --configuration=production --parallel --exclude=playground --base="$NX_BASE" --head="$NX_HEAD"
 
+      - name: Verify exports for built packages
+        run: pnpm nx affected -t verify-exports --base="$NX_BASE" --head="$NX_HEAD"
+
 
 # ─────────────────────────────────────── 2. EDGE-WORKER E2E ──────────────────────────────────────
   edge-worker-e2e:
@@ -101,49 +104,7 @@ jobs:
         run: pnpm nx affected -t test:e2e --parallel --base="$NX_BASE" --head="$NX_HEAD"
 
 
-# ────────────────────────────────── 3. DEPLOY PLAYGROUND ───────────────────────────
-  deploy-playground:
-    needs: [build-and-test, edge-worker-e2e]
-    if: false  # Disabled
-    # if: >-
-    #   ${{
-    #     (github.event_name == 'pull_request') ||
-    #     (github.ref == 'refs/heads/main' && github.event_name == 'push')
-    #   }}
-    runs-on: ubuntu-latest
-    environment: ${{ github.event_name == 'pull_request' && 'preview' || 'production' }}
-    env:
-      NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
-      NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
-      NETLIFY_SITE_ID: ${{ secrets.NETLIFY_PLAYGROUND_SITE_ID }}
-      NEXT_PUBLIC_SUPABASE_URL: ${{ github.event_name == 'pull_request' && secrets.DEMO_PREVIEW_SUPABASE_URL || secrets.DEMO_PRODUCTION_SUPABASE_URL }}
-      NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ github.event_name == 'pull_request' && secrets.DEMO_PREVIEW_SUPABASE_ANON_KEY || secrets.DEMO_PRODUCTION_SUPABASE_ANON_KEY }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - uses: ./.github/actions/setup
-
-      # Build the workspace libraries that the app imports
-      - run: pnpm nx run-many -t build --projects client,dsl --configuration=production
-
-      - name: Build & deploy to Netlify
-        id: deploy
-        run: |
-          pnpm netlify deploy --build --filter=playground \
-            --context ${{ github.event_name == 'pull_request' && 'deploy-preview' || 'production' }} \
-            ${{ github.event_name == 'pull_request' && format('--alias=pr-{0}', github.event.pull_request.number) || '--prod' }}
-
-      - name: Post deployment comment
-        if: always()
-        uses: ./.github/actions/deployment-comment
-        with:
-          project-name: Playground
-          preview-url: https://pr-${{ github.event.pull_request.number }}--pgflow-demo.netlify.app
-          production-url: https://playground.pgflow.dev
-
-# ────────────────────────────────── 4. DEPLOY WEBSITE ───────────────────────────
+# ────────────────────────────────── 3. DEPLOY WEBSITE ───────────────────────────
   deploy-website:
     needs: [build-and-test, edge-worker-e2e]
     runs-on: ubuntu-latest
@@ -179,7 +140,27 @@ jobs:
             echo "affected=false" >> $GITHUB_OUTPUT
             echo "Website is not affected by changes - skipping deployment"
           fi
-      
+
+      - name: Validate Supabase environment variables
+        if: steps.check-affected.outputs.affected == 'true'
+        run: |
+          if [ -z "$VITE_SUPABASE_URL" ]; then
+            echo "❌ Error: VITE_SUPABASE_URL is not set"
+            echo "Required GitHub secret missing: WEBSITE_${{ github.event_name == 'pull_request' && 'PREVIEW' || 'PRODUCTION' }}_SUPABASE_URL"
+            exit 1
+          fi
+          if [ -z "$VITE_SUPABASE_ANON_KEY" ]; then
+            echo "❌ Error: VITE_SUPABASE_ANON_KEY is not set"
+            echo "Required GitHub secret missing: WEBSITE_${{ github.event_name == 'pull_request' && 'PREVIEW' || 'PRODUCTION' }}_SUPABASE_ANON_KEY"
+            exit 1
+          fi
+          if [[ ! "$VITE_SUPABASE_URL" =~ ^https:// ]]; then
+            echo "❌ Error: VITE_SUPABASE_URL must use https:// (not http://)"
+            echo "Current value: $VITE_SUPABASE_URL"
+            exit 1
+          fi
+          echo "✅ Supabase environment variables are valid"
+
       - name: Deploy website
         id: deploy-website
         if: steps.check-affected.outputs.affected == 'true'
@@ -200,3 +181,76 @@ jobs:
           preview-url: https://pr-${{ github.event.pull_request.number }}.pgflow.pages.dev
           production-url: https://pgflow.dev
 
+# ────────────────────────────────── 4. DEPLOY DEMO ───────────────────────────
+  deploy-demo:
+    needs: [build-and-test, edge-worker-e2e]
+    runs-on: ubuntu-latest
+    # Only run on main branch pushes (production) - skip PRs for now
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    environment: production
+    env:
+      NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+      CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+      CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+      # Hardcoded for testing - these are public values
+      VITE_SUPABASE_URL: https://bsgbmmbmlmcmdnheuwmt.supabase.co
+      VITE_SUPABASE_ANON_KEY: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImJzZ2JtbWJtbG1jbWRuaGV1d210Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjIzNDA2NzIsImV4cCI6MjA3NzkxNjY3Mn0.Uoy8iqxycrqd4b6LPMMXWWSYrP1BDRMrJVgM2_vtl6o
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup
+
+      - name: Set Nx SHAs for affected commands
+        uses: nrwl/nx-set-shas@v4
+
+      - name: Verify NX_BASE and NX_HEAD are set
+        run: echo "BASE=$NX_BASE HEAD=$NX_HEAD"
+
+      - name: Check if demo is affected
+        id: check-affected
+        run: |
+          if pnpm nx show projects --affected -t build --base="$NX_BASE" --head="$NX_HEAD" | grep -q "^demo$"; then
+            echo "affected=true" >> $GITHUB_OUTPUT
+            echo "Demo is affected by changes"
+          else
+            echo "affected=false" >> $GITHUB_OUTPUT
+            echo "Demo is not affected by changes - skipping deployment"
+          fi
+
+      - name: Validate Supabase environment variables
+        if: steps.check-affected.outputs.affected == 'true'
+        run: |
+          if [ -z "$VITE_SUPABASE_URL" ]; then
+            echo "❌ Error: VITE_SUPABASE_URL is not set"
+            echo "Required GitHub secret missing: DEMO_${{ github.event_name == 'pull_request' && 'PREVIEW' || 'PRODUCTION' }}_SUPABASE_URL"
+            exit 1
+          fi
+          if [ -z "$VITE_SUPABASE_ANON_KEY" ]; then
+            echo "❌ Error: VITE_SUPABASE_ANON_KEY is not set"
+            echo "Required GitHub secret missing: DEMO_${{ github.event_name == 'pull_request' && 'PREVIEW' || 'PRODUCTION' }}_SUPABASE_ANON_KEY"
+            exit 1
+          fi
+          if [[ ! "$VITE_SUPABASE_URL" =~ ^https:// ]]; then
+            echo "❌ Error: VITE_SUPABASE_URL must use https:// (not http://)"
+            echo "Current value: $VITE_SUPABASE_URL"
+            exit 1
+          fi
+          echo "✅ Supabase environment variables are valid"
+
+      - name: Deploy demo to production
+        id: deploy-demo
+        if: steps.check-affected.outputs.affected == 'true'
+        run: |
+          echo "Deploying demo to production (demo.pgflow.dev)..."
+          pnpm nx run demo:deploy --skip-nx-cache
+
+      - name: Post deployment comment
+        if: always()
+        uses: ./.github/actions/deployment-comment
+        with:
+          project-name: Demo
+          production-url: https://demo.pgflow.dev
+          # No preview URL - we only deploy production from main branch
+

apps/demo/DEPLOYMENT.md

@@ -0,0 +1,137 @@
+# Demo App Deployment Guide
+
+## Prerequisites
+
+- Node.js 20+, pnpm
+- Supabase account (Pro Plan for branching)
+- Cloudflare account
+- Groq or OpenAI API key
+
+## Initial Setup
+
+### 1. Supabase Projects
+
+Create two Supabase projects:
+- **Production**: `pgflow-demo-prod`
+- **Preview**: `pgflow-demo-preview`
+
+Note the project refs from dashboard URLs: `https://supabase.com/dashboard/project/<project-ref>`
+
+### 2. Database Setup
+
+For each project (production and preview):
+
+```bash
+cd apps/demo
+
+# Link to project
+supabase link --project-ref <PROJECT_REF>
+
+# Reset database (applies migrations + seed data)
+supabase db reset --linked
+
+# Deploy Edge Functions
+supabase functions deploy --project-ref <PROJECT_REF>
+```
+
+### 3. Edge Function Secrets
+
+Set environment variables for Edge Functions:
+
+```bash
+# Set LLM API key (choose Groq or OpenAI)
+supabase secrets set GROQ_API_KEY=your_groq_key_here
+# OR
+supabase secrets set OPENAI_API_KEY=your_openai_key_here
+
+# Verify secrets are set
+supabase secrets list
+```
+
+Repeat for both production and preview projects.
+
+### 4. Cloudflare Setup
+
+```bash
+# Authenticate with Cloudflare
+pnpm wrangler login
+
+# Deploy production (from repo root)
+pnpm nx deploy demo
+
+# Deploy preview
+pnpm nx deploy:preview demo
+```
+
+### 5. GitHub Secrets
+
+Add these secrets to your GitHub repository (Settings → Secrets):
+
+**Supabase (Production):**
+- `SUPABASE_ACCESS_TOKEN` - Personal access token from https://supabase.com/dashboard/account/tokens
+- `PRODUCTION_PROJECT_ID` - Production project ref
+- `PRODUCTION_DB_PASSWORD` - Production database password
+
+**Supabase (Preview):**
+- `PREVIEW_PROJECT_ID` - Preview project ref
+- `PREVIEW_DB_PASSWORD` - Preview database password
+
+**Cloudflare:**
+- `CLOUDFLARE_API_TOKEN` - API token from Cloudflare dashboard
+- `CLOUDFLARE_ACCOUNT_ID` - Account ID from Cloudflare dashboard
+
+### 6. Enable Supabase Branching (Optional)
+
+For automatic per-PR preview databases:
+
+1. Go to Supabase project → Settings → Integrations → GitHub
+2. Enable Branching
+3. Configure branch triggers (e.g., `feat-demo-*`)
+
+## Deployment URLs
+
+- **Production**: https://demo.pgflow.dev
+- **Preview**: https://pr-{number}.pgflow-demo.workers.dev
+
+## Manual Deployments
+
+### Production
+```bash
+pnpm nx deploy demo
+```
+
+### Preview
+```bash
+# With custom name (using script directly)
+cd apps/demo
+./scripts/deploy-preview.sh my-feature
+
+# With custom name (using nx)
+PREVIEW_NAME=my-feature pnpm nx deploy:preview demo
+
+# With PR number (CI)
+PR_NUMBER=123 pnpm nx deploy:preview demo
+
+# Default local preview
+pnpm nx deploy:preview demo
+```
+
+### Reset Database
+```bash
+cd apps/demo
+supabase link --project-ref <PROJECT_REF>
+supabase db reset --linked
+```
+
+## Troubleshooting
+
+**Edge Functions failing:**
+- Check secrets are set: `supabase secrets list`
+- Verify you're linked to correct project: `cat supabase/.branches/_current_branch`
+
+**Database out of sync:**
+- Run `supabase db reset --linked` to reapply all migrations
+
+**Cloudflare deployment fails:**
+- Ensure you're authenticated: `pnpm wrangler whoami`
+- Check wrangler.toml routes match your domain

apps/demo/package.json

@@ -32,6 +32,7 @@
 		"postcss": "8.4.49",
 		"prettier": "^3.6.2",
 		"prettier-plugin-svelte": "^3.4.0",
+		"supabase": "^2.34.3",
 		"svelte": "^5.41.0",
 		"svelte-check": "^4.3.3",
 		"tailwind-merge": "^3.3.1",
@@ -40,7 +41,8 @@
 		"tw-animate-css": "^1.4.0",
 		"typescript": "^5.9.3",
 		"typescript-eslint": "^8.46.1",
-		"vite": "^7.1.10"
+		"vite": "^7.1.10",
+		"wrangler": "^4.20.3"
 	},
 	"dependencies": {
 		"@pgflow/client": "workspace:*",

apps/demo/project.json

@@ -50,6 +50,34 @@
         "command": "deno test --allow-env --allow-net tests/",
         "cwd": "apps/demo/supabase/functions/article_flow_worker"
       }
+    },
+    "ensure-ci-environment": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "node -e \"if (!process.env.CI) throw new Error('This target must run in CI environment')\""
+      }
+    },
+    "deploy": {
+      "executor": "nx:run-commands",
+      "cache": false,
+      "local": true,
+      "dependsOn": ["build", "ensure-ci-environment"],
+      "inputs": ["{projectRoot}/wrangler.toml"],
+      "options": {
+        "cwd": "apps/demo",
+        "command": "wrangler deploy --env production"
+      }
+    },
+    "deploy:preview": {
+      "executor": "nx:run-commands",
+      "cache": false,
+      "local": true,
+      "dependsOn": ["build"],
+      "inputs": ["{projectRoot}/wrangler.toml"],
+      "options": {
+        "cwd": "apps/demo",
+        "command": "./scripts/deploy-preview.sh ${PREVIEW_NAME:-pr-${PR_NUMBER:-preview}}"
+      }
     }
   }
 }