Merge pull request #31 from dotindustries/feature/bre-70-fix-unkey-loading-before-env-vars-are-read

fix: load unkey client on demand

Author: nadilas

.github/workflows/azure-pr-deploy.yml

@@ -53,12 +53,29 @@ jobs:
         uses: actions/cache@v4
         with:
           path: go-build-cache
-          key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go-build-cache-${{ hashFiles('apps/api/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-build-cache-
+
+      - name: Go Module Cache for Docker
+        uses: actions/cache@v4
+        with:
+          path: go-mod-cache
+          key: ${{ runner.os }}-go-mod-cache-${{ hashFiles('apps/api/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-mod-cache-
 
       - name: Inject go-build-cache
         uses: reproducible-containers/buildkit-cache-dance@4b2444fec0c0fb9dbf175a96c094720a692ef810 # v2.1.4
         with:
           cache-source: go-build-cache
+          cache-target: /root/.cache/go-build
+
+      - name: Inject go-mod-cache
+        uses: reproducible-containers/buildkit-cache-dance@4b2444fec0c0fb9dbf175a96c094720a692ef810 # v2.1.4
+        with:
+          cache-source: go-mod-cache
+          cache-target: /go/pkg/mod
 
       - name: Build and push API image
         uses: docker/build-push-action@v6
@@ -67,9 +84,13 @@ jobs:
           push: true
           file: ./apps/api/Dockerfile
           tags: ${{ env.AZURE_CONTAINER_REGISTRY }}/brease-api:pr-${{ github.event.number }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          platforms: linux/amd64
+          cache-from: |
+            type=gha,scope=pr-${{ github.event.number }}
+            type=gha,scope=main
+          cache-to: type=gha,mode=max,scope=pr-${{ github.event.number }}
+          build-args: |
+            GO_VERSION=1.24
 
       - name: Create resource group
         run: |

.github/workflows/release.yml

@@ -23,8 +23,21 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@v4
 
+      - name: Get pnpm store directory
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
       - name: Install Dependencies
-        run: pnpm i
+        run: pnpm i --frozen-lockfile
 
       - name: Create Release Pull Request or Publish to npm
         id: changesets

README.md

@@ -10,11 +10,8 @@ brease is an open-source monorepo that provides a robust and extensible business
 ## Features
 
 - **brease Server**: The `api` folder contains a powerful and efficient backend server implemented in Go. It serves as the backbone for the entire business rules engine, offering high performance and scalability.
-
 - **@brease/core**: This TypeScript library, located in the `packages/core` directory, provides framework-agnostic basic functionality. It includes essential utilities and helpers to support the implementation of business rules within your application.
-
 - **@brease/react**: The `packages/react` directory contains the `@brease/react` TypeScript library, which offers a React provider and a collection of simple React hooks. These components enable seamless integration of the brease business rules engine with your React applications.
-
 - **@brease/vue**: Located in the `packages/vue` directory, the `@brease/vue` package provides Vue 3 composables for easy integration of the brease business rules engine into your Vue applications. It simplifies the process of incorporating dynamic business rules and logic into your Vue components.
 
 ## Getting Started
@@ -23,47 +20,51 @@ To use brease in your project, follow these steps:
 
 1. Clone the repository:
 
-   ```bash
-   git clone https://github.com/dotindustries/brease.git
-   ```
+```bash
+git clone https://github.com/dotindustries/brease.git
+```
 
 2. Install dependencies:
 
-   ```bash
-   cd brease
-   pnpm install
-   ```
+```lua
+print("asdf")
+```
+
+```bash
+cd brease
+pnpm install
+```
 
 3. Build the Go API backend server:
 
-   ```bash
-   cd apps/api
-   go build
-   ```
+```bash
+cd apps/api
+go build
+```
 
 4. Start the API server:
 
-   ```bash
-   ./api
-   ```
+```bash
+./api
+```
 
 5. Install the desired TypeScript libraries (e.g., @brease/core, @brease/react, or @brease/vue) in your project:
 
-   ```bash
-   npm install @brease/core
-   ```
+```bash
+npm install @brease/core
+```
 
-   or
+or
 
-   ```bash
-   npm install @brease/react
-   ```
+```bash
+npm install @brease/react
+```
 
-   or
+or
 
-   ```bash
-   npm install @brease/vue
-   ```
+```bash
+npm install @brease/vue
+```
 
 For more detailed instructions, please refer to the individual package directories.
 
@@ -100,9 +101,7 @@ We are excited to announce that we are actively developing a cloud-hosted versio
 ### Key Features
 
 - **Scalability**: Seamlessly scale your business rules engine based on your application's needs. Handle large volumes of rules and requests with ease.
-
 - **Reliability**: Benefit from a robust infrastructure that ensures high availability and minimal downtime for your business rules engine.
-
 - **Ease of Use**: Enjoy a user-friendly interface and simplified management process, allowing you to focus on building and managing your rules without worrying about infrastructure or updates.
 
 Stay tuned for updates as we finalize the development and launch of the cloud-hosted version. We are committed to delivering a powerful and efficient solution for businesses of all sizes.

apps/api/Dockerfile

@@ -1,28 +1,57 @@
-ARG GO_VERSION=1
-FROM golang:${GO_VERSION}-bookworm as builder
-# Update package lists and install ca-certificates
+ARG GO_VERSION=1.24
+FROM golang:${GO_VERSION}-bookworm AS builder
 
 WORKDIR /usr/src/app
-RUN go env -w GOMODCACHE=/root/.cache/go-build
+
+# Copy dependency files first for better layer caching
 COPY go.mod go.sum ./
-RUN --mount=type=cache,target=/root/.cache/go-build go mod download && go mod verify
+
+# Download dependencies with proper cache mounts
+# Separate cache directories for modules and build cache
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go mod download && go mod verify
+
+# Copy source code
 COPY . .
-RUN --mount=type=cache,target=/root/.cache/go-build go build -v -o /brease .
 
-FROM debian:bookworm
-# Update package lists and install ca-certificates and Infisical CLI
-RUN apt-get clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    apt-get update --fix-missing && apt-get install -y \
+# Build with cache mounts and optimizations
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    CGO_ENABLED=0 GOOS=linux go build -v -ldflags="-w -s" -o /brease .
+
+# Runtime stage - using distroless for minimal size and better security
+FROM gcr.io/distroless/static-debian12:nonroot AS runtime-distroless
+
+COPY --from=builder /brease /usr/local/bin/brease
+
+# Distroless doesn't support shell scripts, so we need a different approach
+# If start.sh is essential, use the debian variant below instead
+CMD ["/usr/local/bin/brease"]
+
+# Alternative runtime with Infisical support (use this if you need start.sh)
+FROM debian:bookworm-slim AS runtime-debian
+
+# Install dependencies in a single layer with cleanup
+RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
     bash \
     && curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash \
-    && apt-get update && apt-get install -y infisical \
+    && apt-get update && apt-get install -y --no-install-recommends infisical \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
-COPY --from=builder /brease /usr/local/bin/
+# Create non-root user
+RUN useradd -r -u 65532 -g root nonroot
+
+COPY --from=builder /brease /usr/local/bin/brease
 COPY start.sh /usr/local/bin/start.sh
-RUN chmod +x /usr/local/bin/start.sh
+RUN chmod +x /usr/local/bin/start.sh /usr/local/bin/brease
+
+USER nonroot
 
 CMD ["/usr/local/bin/start.sh"]
+
+# Final stage selector - uncomment the one you want to use
+FROM runtime-debian AS final

apps/api/auth/middleware.go

@@ -11,14 +11,14 @@ import (
 
 	"connectrpc.com/connect"
 	"github.com/gin-gonic/gin"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	components2 "github.com/unkeyed/sdks/api/go/v2/models/components"
 	"github.com/unkeyed/unkey/sdks/golang/models/sdkerrors"
 	"go.dot.industries/brease/trace"
 	"go.dot.industries/brease/worker"
 	"google.golang.org/grpc/metadata"
 
-	"github.com/golang-jwt/jwt/v5"
 	errors2 "github.com/juju/errors"
 	"go.dot.industries/brease/env"
 	"go.uber.org/zap"
@@ -306,7 +306,7 @@ func validateUnkey(ctx context.Context, args interface{}) (interface{}, error) {
 			},
 		}, nil
 	}
-	resp, err := unkeyClient.Keys.VerifyKey(ctx, components2.V2KeysVerifyKeyRequestBody{
+	resp, err := Unkey().Keys.VerifyKey(ctx, components2.V2KeysVerifyKeyRequestBody{
 		Key: key,
 	})
 	if err != nil {
@@ -355,6 +355,13 @@ func validateUnkey(ctx context.Context, args interface{}) (interface{}, error) {
 					Error:  errors2.NewUnauthorized(err, "internal error"),
 				},
 			}, nil
+		default:
+			return validateAuthTokenResult{
+				error: &validationErr{
+					Status: http.StatusInternalServerError,
+					Error:  errors2.NewNotValid(err, "Unknown unkey error"),
+				},
+			}, nil
 		}
 	}
 
@@ -440,7 +447,7 @@ func validateRootAPIKey(ctx context.Context, args interface{}) (interface{}, err
 	a := args.(validateAuthTokenArgs)
 
 	key := a.token
-	if a.rootAPIKey == "" || strings.HasPrefix(key, jwtAuthPrefix) || strings.HasPrefix(key, bearerAuthPrefix) {
+	if a.rootAPIKey == "" || strings.HasPrefix(key, jwtAuthPrefix) {
 		// not configured to authenticate, but no errors
 		return validateAuthTokenResult{}, nil
 	}

apps/api/auth/unkey.go

@@ -1,10 +1,23 @@
 package auth
 
 import (
+	"fmt"
+
 	unkey "github.com/unkeyed/sdks/api/go/v2"
 	"go.dot.industries/brease/env"
 )
 
-var unkeyClient = unkey.New(
-	unkey.WithSecurity(env.Getenv("UNKEY_TOKEN", "")),
-)
+var unkeyClient *unkey.Unkey
+
+func Unkey() *unkey.Unkey {
+	if unkeyClient == nil {
+		unkeyToken := env.Getenv("UNKEY_TOKEN", "")
+		if unkeyToken == "" {
+			panic(fmt.Errorf("UNKEY_TOKEN is not set"))
+		}
+		unkeyClient = unkey.New(
+			unkey.WithSecurity(unkeyToken),
+		)
+	}
+	return unkeyClient
+}

apps/api/go.mod

@@ -1,14 +1,12 @@
 module go.dot.industries/brease
 
-go 1.23.1
-
-toolchain go1.23.4
+go 1.24.0
 
 require (
 	buf.build/gen/go/dot/brease/connectrpc/go v1.18.1-20250813170839-3ed1f1797b5e.1
 	buf.build/gen/go/dot/brease/grpc/go v1.5.1-20250813170839-3ed1f1797b5e.2
 	buf.build/gen/go/dot/brease/protocolbuffers/go v1.36.7-20250813170839-3ed1f1797b5e.1
-	connectrpc.com/connect v1.18.1
+	connectrpc.com/connect v1.19.1
 	connectrpc.com/grpchealth v1.4.0
 	connectrpc.com/grpcreflect v1.3.0
 	connectrpc.com/vanguard v0.3.0
@@ -61,7 +59,7 @@ require (
 	go.uber.org/zap v1.27.0
 	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
 	google.golang.org/grpc v1.73.0
-	google.golang.org/protobuf v1.36.7
+	google.golang.org/protobuf v1.36.9
 	gotest.tools/v3 v3.5.2
 )
 

apps/api/go.sum

@@ -1,5 +1,3 @@
-go 1.23.1
-
-toolchain go1.23.4
+go 1.24.0
 
 use ./apps/api/