refactor: deduplicate deployment creation into deployutil package

Extract shared deployment logic (secrets blob, insert record, build
deploy request, group env vars) into svc/ctrl/internal/deployutil to
eliminate duplication between handle_push.go and authorize_deployment.go.
Move approval-blocking logic into its own block_deployment.go file.

Author: Flo4604

svc/ctrl/internal/deployutil/deployutil.go

@@ -0,0 +1,131 @@
+package deployutil
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	ctrlv1 "github.com/unkeyed/unkey/gen/proto/ctrl/v1"
+	hydrav1 "github.com/unkeyed/unkey/gen/proto/hydra/v1"
+	"github.com/unkeyed/unkey/pkg/db"
+	"github.com/unkeyed/unkey/pkg/uid"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+// GitCommitInfo holds git commit metadata needed for creating a deployment.
+type GitCommitInfo struct {
+	SHA             string
+	Branch          string
+	Message         string
+	AuthorHandle    string
+	AuthorAvatarURL string
+	Timestamp       int64 // Unix milliseconds, 0 if unknown
+}
+
+// BuildSecretsBlob marshals environment variables into a protobuf SecretsConfig blob.
+// Returns an empty byte slice if there are no env vars.
+func BuildSecretsBlob(envVars []db.ListEnvVarsForRepoConnectionsRow) ([]byte, error) {
+	if len(envVars) == 0 {
+		return []byte{}, nil
+	}
+
+	secretsConfig := &ctrlv1.SecretsConfig{
+		Secrets: make(map[string]string, len(envVars)),
+	}
+	for _, ev := range envVars {
+		secretsConfig.Secrets[ev.Key] = ev.Value
+	}
+	return protojson.Marshal(secretsConfig)
+}
+
+// InsertDeploymentRecord creates a deployment and its initial queued step in a single transaction.
+func InsertDeploymentRecord(
+	ctx context.Context,
+	rw *db.Replica,
+	row db.ListRepoConnectionDeployContextsRow,
+	commit GitCommitInfo,
+	secretsBlob []byte,
+	status db.DeploymentsStatus,
+) (string, error) {
+	deploymentID := uid.New(uid.DeploymentPrefix)
+	now := time.Now().UnixMilli()
+
+	project := row.Project
+	env := row.Environment
+	app := row.App
+	runtimeSettings := row.AppRuntimeSetting
+
+	err := db.Tx(ctx, rw, func(txCtx context.Context, tx db.DBTX) error {
+		if txErr := db.Query.InsertDeployment(txCtx, tx, db.InsertDeploymentParams{
+			ID:                            deploymentID,
+			K8sName:                       uid.DNS1035(12),
+			WorkspaceID:                   project.WorkspaceID,
+			ProjectID:                     project.ID,
+			AppID:                         app.ID,
+			EnvironmentID:                 env.ID,
+			SentinelConfig:                runtimeSettings.SentinelConfig,
+			EncryptedEnvironmentVariables: secretsBlob,
+			Command:                       runtimeSettings.Command,
+			Status:                        status,
+			CreatedAt:                     now,
+			UpdatedAt:                     sql.NullInt64{Valid: false},
+			GitCommitSha:                  sql.NullString{String: commit.SHA, Valid: commit.SHA != ""},
+			GitBranch:                     sql.NullString{String: commit.Branch, Valid: commit.Branch != ""},
+			GitCommitMessage:              sql.NullString{String: commit.Message, Valid: commit.Message != ""},
+			GitCommitAuthorHandle:         sql.NullString{String: commit.AuthorHandle, Valid: commit.AuthorHandle != ""},
+			GitCommitAuthorAvatarUrl:      sql.NullString{String: commit.AuthorAvatarURL, Valid: commit.AuthorAvatarURL != ""},
+			GitCommitTimestamp:            sql.NullInt64{Int64: commit.Timestamp, Valid: commit.Timestamp != 0},
+			OpenapiSpec:                   sql.NullString{Valid: false},
+			CpuMillicores:                 runtimeSettings.CpuMillicores,
+			MemoryMib:                     runtimeSettings.MemoryMib,
+			Port:                          runtimeSettings.Port,
+			ShutdownSignal:                db.DeploymentsShutdownSignal(runtimeSettings.ShutdownSignal),
+			Healthcheck:                   runtimeSettings.Healthcheck,
+		}); txErr != nil {
+			return txErr
+		}
+
+		return db.Query.InsertDeploymentStep(txCtx, tx, db.InsertDeploymentStepParams{
+			WorkspaceID:   app.WorkspaceID,
+			ProjectID:     app.ProjectID,
+			AppID:         app.ID,
+			EnvironmentID: env.ID,
+			DeploymentID:  deploymentID,
+			Step:          db.DeploymentStepsStepQueued,
+			StartedAt:     uint64(now),
+		})
+	})
+	if err != nil {
+		return "", err
+	}
+	return deploymentID, nil
+}
+
+// BuildDeployRequest constructs a DeployRequest for a git-sourced deployment.
+func BuildDeployRequest(
+	deploymentID string,
+	row db.ListRepoConnectionDeployContextsRow,
+	commitSHA string,
+) *hydrav1.DeployRequest {
+	return &hydrav1.DeployRequest{
+		DeploymentId: deploymentID,
+		Source: &hydrav1.DeployRequest_Git{
+			Git: &hydrav1.GitSource{
+				InstallationId: row.GithubRepoConnection.InstallationID,
+				Repository:     row.GithubRepoConnection.RepositoryFullName,
+				CommitSha:      commitSHA,
+				ContextPath:    row.AppBuildSetting.DockerContext,
+				DockerfilePath: row.AppBuildSetting.Dockerfile,
+			},
+		},
+	}
+}
+
+// GroupEnvVarsByApp groups environment variables by app ID for efficient lookup.
+func GroupEnvVarsByApp(envVars []db.ListEnvVarsForRepoConnectionsRow) map[string][]db.ListEnvVarsForRepoConnectionsRow {
+	result := make(map[string][]db.ListEnvVarsForRepoConnectionsRow)
+	for _, ev := range envVars {
+		result[ev.AppID] = append(result[ev.AppID], ev)
+	}
+	return result
+}

svc/ctrl/services/deployment/authorize_deployment.go

@@ -2,17 +2,13 @@ package deployment
 
 import (
 	"context"
-	"database/sql"
 	"fmt"
-	"time"
 
 	"connectrpc.com/connect"
 	ctrlv1 "github.com/unkeyed/unkey/gen/proto/ctrl/v1"
-	hydrav1 "github.com/unkeyed/unkey/gen/proto/hydra/v1"
 	"github.com/unkeyed/unkey/pkg/db"
 	"github.com/unkeyed/unkey/pkg/logger"
-	"github.com/unkeyed/unkey/pkg/uid"
-	"google.golang.org/protobuf/encoding/protojson"
+	"github.com/unkeyed/unkey/svc/ctrl/internal/deployutil"
 )
 
 // AuthorizeDeployment authorizes a deployment for an external contributor's push.
@@ -26,7 +22,6 @@ func (s *Service) AuthorizeDeployment(ctx context.Context, req *connect.Request[
 		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("project_id and branch are required"))
 	}
 
-	// Find repo connection for this project
 	repoConn, err := db.Query.FindGithubRepoConnectionByProjectId(ctx, s.db.RO(), projectID)
 	if err != nil {
 		if db.IsNotFound(err) {
@@ -35,13 +30,11 @@ func (s *Service) AuthorizeDeployment(ctx context.Context, req *connect.Request[
 		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("failed to find repo connection: %w", err))
 	}
 
-	// Fetch current HEAD of the branch from GitHub — this is the SHA we deploy
 	headCommit, err := s.github.GetBranchHeadCommit(repoConn.InstallationID, repoConn.RepositoryFullName, branch)
 	if err != nil {
 		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("failed to fetch branch HEAD from GitHub: %w", err))
 	}
 
-	// Find all deploy contexts for this branch
 	contexts, err := db.Query.ListRepoConnectionDeployContexts(ctx, s.db.RO(), db.ListRepoConnectionDeployContextsParams{
 		InstallationID: repoConn.InstallationID,
 		RepositoryID:   repoConn.RepositoryID,
@@ -55,7 +48,6 @@ func (s *Service) AuthorizeDeployment(ctx context.Context, req *connect.Request[
 		return nil, connect.NewError(connect.CodeNotFound, fmt.Errorf("no deploy contexts found for project %s branch %s", projectID, branch))
 	}
 
-	// Fetch env vars for all matched apps
 	allEnvVars, err := db.Query.ListEnvVarsForRepoConnections(ctx, s.db.RO(), db.ListEnvVarsForRepoConnectionsParams{
 		InstallationID: repoConn.InstallationID,
 		RepositoryID:   repoConn.RepositoryID,
@@ -65,102 +57,32 @@ func (s *Service) AuthorizeDeployment(ctx context.Context, req *connect.Request[
 		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("failed to list env vars: %w", err))
 	}
 
-	envVarsByApp := make(map[string][]db.ListEnvVarsForRepoConnectionsRow)
-	for _, ev := range allEnvVars {
-		envVarsByApp[ev.AppID] = append(envVarsByApp[ev.AppID], ev)
-	}
+	envVarsByApp := deployutil.GroupEnvVarsByApp(allEnvVars)
 
-	commitTimestamp := headCommit.Timestamp.UnixMilli()
+	commit := deployutil.GitCommitInfo{
+		SHA:             headCommit.SHA,
+		Branch:          branch,
+		Message:         headCommit.Message,
+		AuthorHandle:    headCommit.AuthorHandle,
+		AuthorAvatarURL: headCommit.AuthorAvatarURL,
+		Timestamp:       headCommit.Timestamp.UnixMilli(),
+	}
 
 	for _, row := range contexts {
-		project := row.Project
-		env := row.Environment
-		app := row.App
-		runtimeSettings := row.AppRuntimeSetting
-		buildSettings := row.AppBuildSetting
-		repo := row.GithubRepoConnection
-
-		// Build secrets blob from env vars
-		appEnvVars := envVarsByApp[app.ID]
-		secretsBlob := []byte{}
-		if len(appEnvVars) > 0 {
-			secretsConfig := &ctrlv1.SecretsConfig{
-				Secrets: make(map[string]string, len(appEnvVars)),
-			}
-			for _, ev := range appEnvVars {
-				secretsConfig.Secrets[ev.Key] = ev.Value
-			}
-			var marshalErr error
-			secretsBlob, marshalErr = protojson.Marshal(secretsConfig)
-			if marshalErr != nil {
-				logger.Error("failed to marshal secrets config", "appId", app.ID, "error", marshalErr)
-				continue
-			}
+		secretsBlob, marshalErr := deployutil.BuildSecretsBlob(envVarsByApp[row.App.ID])
+		if marshalErr != nil {
+			logger.Error("failed to marshal secrets config", "appId", row.App.ID, "error", marshalErr)
+			continue
 		}
 
-		deploymentID := uid.New(uid.DeploymentPrefix)
-		now := time.Now().UnixMilli()
-
-		err = db.Tx(ctx, s.db.RW(), func(txCtx context.Context, tx db.DBTX) error {
-			if txErr := db.Query.InsertDeployment(txCtx, tx, db.InsertDeploymentParams{
-				ID:                            deploymentID,
-				K8sName:                       uid.DNS1035(12),
-				WorkspaceID:                   project.WorkspaceID,
-				ProjectID:                     project.ID,
-				AppID:                         app.ID,
-				EnvironmentID:                 env.ID,
-				SentinelConfig:                runtimeSettings.SentinelConfig,
-				EncryptedEnvironmentVariables: secretsBlob,
-				Command:                       runtimeSettings.Command,
-				Status:                        db.DeploymentsStatusPending,
-				CreatedAt:                     now,
-				UpdatedAt:                     sql.NullInt64{Valid: false},
-				GitCommitSha:                  sql.NullString{String: headCommit.SHA, Valid: true},
-				GitBranch:                     sql.NullString{String: branch, Valid: true},
-				GitCommitMessage:              sql.NullString{String: headCommit.Message, Valid: headCommit.Message != ""},
-				GitCommitAuthorHandle:         sql.NullString{String: headCommit.AuthorHandle, Valid: headCommit.AuthorHandle != ""},
-				GitCommitAuthorAvatarUrl:      sql.NullString{String: headCommit.AuthorAvatarURL, Valid: headCommit.AuthorAvatarURL != ""},
-				GitCommitTimestamp:            sql.NullInt64{Int64: commitTimestamp, Valid: true},
-				OpenapiSpec:                   sql.NullString{Valid: false},
-				CpuMillicores:                 runtimeSettings.CpuMillicores,
-				MemoryMib:                     runtimeSettings.MemoryMib,
-				Port:                          runtimeSettings.Port,
-				ShutdownSignal:                db.DeploymentsShutdownSignal(runtimeSettings.ShutdownSignal),
-				Healthcheck:                   runtimeSettings.Healthcheck,
-			}); txErr != nil {
-				return txErr
-			}
-
-			return db.Query.InsertDeploymentStep(txCtx, tx, db.InsertDeploymentStepParams{
-				WorkspaceID:   app.WorkspaceID,
-				ProjectID:     app.ProjectID,
-				AppID:         app.ID,
-				EnvironmentID: env.ID,
-				DeploymentID:  deploymentID,
-				Step:          db.DeploymentStepsStepQueued,
-				StartedAt:     uint64(now),
-			})
-		})
-		if err != nil {
-			logger.Error("failed to insert deployment for authorization", "appId", app.ID, "error", err)
+		deploymentID, insertErr := deployutil.InsertDeploymentRecord(ctx, s.db.RW(), row, commit, secretsBlob, db.DeploymentsStatusPending)
+		if insertErr != nil {
+			logger.Error("failed to insert deployment for authorization", "appId", row.App.ID, "error", insertErr)
 			continue
 		}
 
-		// Fire deploy workflow via Restate
-		_, sendErr := s.deploymentClient(project.ID).
-			Deploy().
-			Send(ctx, &hydrav1.DeployRequest{
-				DeploymentId: deploymentID,
-				Source: &hydrav1.DeployRequest_Git{
-					Git: &hydrav1.GitSource{
-						InstallationId: repo.InstallationID,
-						Repository:     repo.RepositoryFullName,
-						CommitSha:      headCommit.SHA,
-						ContextPath:    buildSettings.DockerContext,
-						DockerfilePath: buildSettings.Dockerfile,
-					},
-				},
-			})
+		deployReq := deployutil.BuildDeployRequest(deploymentID, row, headCommit.SHA)
+		_, sendErr := s.deploymentClient(row.Project.ID).Deploy().Send(ctx, deployReq)
 		if sendErr != nil {
 			logger.Error("failed to trigger deploy workflow after authorization",
 				"deployment_id", deploymentID,
@@ -171,8 +93,8 @@ func (s *Service) AuthorizeDeployment(ctx context.Context, req *connect.Request[
 
 		logger.Info("deployment authorized and workflow triggered",
 			"deployment_id", deploymentID,
-			"project_id", project.ID,
-			"app_id", app.ID,
+			"project_id", row.Project.ID,
+			"app_id", row.App.ID,
 			"branch", branch,
 			"commit_sha", headCommit.SHA,
 		)