refactor(auth): move into central auth-engine setup

Signed-off-by: kjuulh <contact@kjuulh.io>

.drone.yml

@@ -1,88 +1,3 @@
-kind: pipeline
+kind: template
-name: default
+load: drone-template.yaml
-type: docker
+name: como
-
-steps:
-  - name: load_secret
-    image: debian:buster-slim
-    volumes:
-      - name: ssh
-        path: /root/.ssh/
-    environment:
-      SSH_KEY:
-        from_secret: gitea_id_ed25519
-    commands:
-      - mkdir -p $HOME/.ssh/
-      - echo "$SSH_KEY" | base64 -d > $HOME/.ssh/id_ed25519
-
-  - name: build
-    image: kasperhermansen/cuddle:latest
-    pull: always
-    volumes:
-      - name: ssh
-        path: /root/.ssh/
-      - name: dockersock
-        path: /var/run
-    commands:
-      - apk add bash git
-      - git remote set-url origin $DRONE_GIT_SSH_URL
-      - cuddle_cli x setup_ssh
-      - cuddle_cli x start_deployment
-      - cuddle_cli x render_templates
-      - cuddle_cli x render_como_templates
-      - cuddle_cli x build_release
-      - cuddle_cli x push_release
-      - cuddle_cli x deploy_release
-    environment:
-      DOCKER_BUILDKIT: 1
-      DOCKER_USERNAME:
-        from_secret: docker_username
-      DOCKER_PASSWORD:
-        from_secret: docker_password
-      SSH_KEY:
-        from_secret: gitea_id_ed25519
-
-  - name: push_tags
-    image: kasperhermansen/drone-semantic-release:latest
-    pull: always
-    volumes:
-      - name: ssh
-        path: /root/.ssh/
-      - name: dockersock
-        path: /var/run
-    commands:
-      - semantic-release --no-ci
-    environment:
-      DOCKER_BUILDKIT: 1
-      SSH_KEY:
-        from_secret: gitea_id_ed25519
-    depends_on:
-      - build
-
-  - name: send telegram notification
-    image: appleboy/drone-telegram
-    settings:
-      token:
-        from_secret: telegram_token
-      to: 2129601481
-      format: markdown
-    depends_on:
-      - build
-      - push_tags
-    when:
-      status: [failure, success]
-
-services:
-- name: docker
-  image: docker:dind
-  privileged: true
-  volumes:
-  - name: dockersock
-    path: /var/run
-volumes:
-  - name: ssh
-    temp: {}
-  - name: dockersock
-    temp: {}
-
-

Cargo.toml

@@ -6,6 +6,7 @@ members = [
   "como_infrastructure",
   "como_gql",
   "como_api",
+  "como_auth",
 ]
 resolver = "2"
 
@@ -16,6 +17,7 @@ como_domain = { path = "./como_domain/" }
 como_infrastructure = { path = "./como_infrastructure/" }
 como_gql = { path = "./como_gql/" }
 como_api = { path = "./como_api/" }
+como_auth = { path = "./como_auth/" }
 
 async-trait = "0.1.68"
 async-graphql = { version = "5.0.9", features = ["uuid"] }
@@ -51,3 +53,6 @@ clap = { version = "4.3.0", features = ["derive", "env"] }
 
 argon2 = { version = "0.5.0" }
 rand_core = { version = "0.6.4" }
+
+pretty_assertions = "1.4.0"
+sealed_test = "1.0.0"

como_api/Cargo.toml

@@ -10,7 +10,9 @@ como_gql.workspace = true
 como_core.workspace = true
 como_domain.workspace = true
 como_infrastructure.workspace = true
+como_auth.workspace = true
 
+async-trait.workspace = true
 async-graphql.workspace = true
 async-graphql-axum.workspace = true
 axum.workspace = true

como_api/src/controllers/auth.rs

@@ -49,7 +49,6 @@ pub struct AuthRequest {
 pub async fn login_authorized(
     Query(query): Query<AuthRequest>,
     State(store): State<PostgresSessionStore>,
-    State(oauth_client): State<BasicClient>,
     State(introspection_state): State<IntrospectionState>,
 ) -> impl IntoResponse {
     let token = oauth_client
@@ -111,7 +110,6 @@ pub struct UserFromSession {
 impl<S> FromRequestParts<S> for UserFromSession
 where
     PostgresSessionStore: FromRef<S>,
-    BasicClient: FromRef<S>,
     IntrospectionState: FromRef<S>,
     S: Send + Sync,
 {

como_api/src/router.rs

@@ -12,7 +12,6 @@ use tower_http::{cors::CorsLayer, trace::TraceLayer};
 
 use crate::controllers::auth::AuthController;
 use crate::controllers::graphql::GraphQLController;
-use crate::zitadel::client::oauth_client;
 use crate::zitadel::{IntrospectionState, IntrospectionStateBuilder};
 
 pub struct Api;
@@ -32,9 +31,7 @@ impl Api {
             .build()
             .await?;
 
-        let oauth_client = oauth_client();
         let app_state = AppState {
-            oauth_client,
             store: service_register.session_store.clone(),
             introspection_state: is,
         };
@@ -79,17 +76,10 @@ impl Api {
 
 #[derive(Clone)]
 pub struct AppState {
-    oauth_client: BasicClient,
     introspection_state: IntrospectionState,
     store: PostgresSessionStore,
 }
 
-impl FromRef<AppState> for BasicClient {
-    fn from_ref(state: &AppState) -> Self {
-        state.oauth_client.clone()
-    }
-}
-
 impl FromRef<AppState> for PostgresSessionStore {
     fn from_ref(state: &AppState) -> Self {
         state.store.clone()

como_api/src/zitadel/client.rs

@@ -1,7 +1,54 @@
+use async_trait::async_trait;
 use oauth2::{basic::BasicClient, AuthUrl, ClientId, ClientSecret, RedirectUrl, TokenUrl};
-use std::env;
+use std::{env, ops::Deref, sync::Arc};
 
-pub fn oauth_client() -> BasicClient {
+#[async_trait]
+pub trait OAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()>;
+}
+
+pub struct OAuth(Arc<dyn OAuthClient + Send + Sync + 'static>);
+
+impl OAuth {
+    pub fn new_zitadel() -> Self {
+        Self(Arc::new(ZitadelOAuthClient {
+            client: oauth_client(),
+        }))
+    }
+    pub fn new_noop() -> Self {
+        Self(Arc::new(NoopOAuthClient {}))
+    }
+}
+
+impl Deref for OAuth {
+    type Target = Arc<dyn OAuthClient + Send + Sync + 'static>;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
+pub struct NoopOAuthClient;
+
+#[async_trait]
+impl OAuthClient for NoopOAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()> {
+        Ok(())
+    }
+}
+
+pub struct ZitadelOAuthClient {
+    client: BasicClient,
+}
+
+#[async_trait]
+impl OAuthClient for ZitadelOAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()> {
+        Ok(())
+    }
+}
+
+fn oauth_client() -> BasicClient {
     let client_id = env::var("CLIENT_ID").expect("Missing CLIENT_ID!");
     let client_secret = env::var("CLIENT_SECRET").expect("Missing CLIENT_SECRET!");
     let redirect_url = env::var("REDIRECT_URL").expect("missing REDIRECT_URL");

como_auth/Cargo.toml

@@ -0,0 +1,38 @@
+[package]
+name = "como_auth"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+como_gql.workspace = true
+como_core.workspace = true
+como_domain.workspace = true
+como_infrastructure.workspace = true
+
+clap.workspace = true
+async-trait.workspace = true
+async-graphql.workspace = true
+async-graphql-axum.workspace = true
+axum.workspace = true
+axum-extra.workspace = true
+axum-sessions.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+tokio.workspace = true
+uuid.workspace = true
+sqlx.workspace = true
+anyhow.workspace = true
+tracing.workspace = true
+async-sqlx-session.workspace = true
+
+zitadel = { version = "3.3.1", features = ["axum"] }
+tower = "0.4.13"
+tower-http = { version = "0.4.0", features = ["cors", "trace"] }
+oauth2 = "4.4.0"
+openidconnect = "3.0.0"
+
+[dev-dependencies]
+pretty_assertions.workspace = true
+sealed_test.workspace = true

como_auth/src/introspection.rs

@@ -0,0 +1,120 @@
+use anyhow::Context;
+use axum::extract::FromRef;
+use openidconnect::IntrospectionUrl;
+use zitadel::{
+    axum::introspection::IntrospectionStateBuilderError,
+    credentials::Application,
+    oidc::{discovery::discover, introspection::AuthorityAuthentication},
+};
+
+#[derive(Clone, Debug)]
+pub struct IntrospectionState {
+    pub(crate) config: IntrospectionConfig,
+}
+
+#[derive(clap::Args, Clone, Debug, PartialEq, Eq)]
+pub struct IntrospectionConfigClap {
+    // #[arg(
+    //     env = "ZITADEL_AUTHORITY",
+    //     long = "zitadel-authority",
+    //     group = "zitadel"
+    // )]
+    pub authority: Option<String>,
+
+    // #[arg(
+    //     env = "ZITADEL_CLIENT_ID",
+    //     long = "zitadel-client-id",
+    //     group = "zitadel"
+    // )]
+    pub client_id: Option<String>,
+    // #[arg(
+    //     env = "ZITADEL_CLIENT_SECRET",
+    //     long = "zitadel-client-secret",
+    //     group = "zitadel"
+    // )]
+    pub client_secret: Option<String>,
+}
+
+impl IntrospectionConfigClap {
+    async fn try_into(self) -> anyhow::Result<IntrospectionState> {
+        IntrospectionStateBuilder::new(&self.authority.unwrap())
+            .with_basic_auth(&self.client_id.unwrap(), &self.client_secret.unwrap())
+            .build()
+            .await
+            .context("failed to generate an introspection builder")
+    }
+}
+
+/// Configuration that must be inject into the axum application state. Used by the
+/// [IntrospectionStateBuilder](super::IntrospectionStateBuilder). This struct is also used to create the [IntrospectionState](IntrospectionState)
+#[derive(Debug, Clone)]
+pub struct IntrospectionConfig {
+    pub authority: String,
+    pub authentication: AuthorityAuthentication,
+    pub introspection_uri: IntrospectionUrl,
+}
+
+impl FromRef<IntrospectionState> for IntrospectionConfig {
+    fn from_ref(input: &IntrospectionState) -> Self {
+        input.config.clone()
+    }
+}
+
+pub struct IntrospectionStateBuilder {
+    authority: String,
+    authentication: Option<AuthorityAuthentication>,
+}
+
+/// Builder for [IntrospectionConfig]
+impl IntrospectionStateBuilder {
+    pub fn new(authority: &str) -> Self {
+        Self {
+            authority: authority.to_string(),
+            authentication: None,
+        }
+    }
+
+    pub fn with_basic_auth(
+        &mut self,
+        client_id: &str,
+        client_secret: &str,
+    ) -> &mut IntrospectionStateBuilder {
+        self.authentication = Some(AuthorityAuthentication::Basic {
+            client_id: client_id.to_string(),
+            client_secret: client_secret.to_string(),
+        });
+
+        self
+    }
+
+    pub fn with_jwt_profile(&mut self, application: Application) -> &mut IntrospectionStateBuilder {
+        self.authentication = Some(AuthorityAuthentication::JWTProfile { application });
+
+        self
+    }
+
+    pub async fn build(&mut self) -> Result<IntrospectionState, IntrospectionStateBuilderError> {
+        let authentication = self
+            .authentication
+            .clone()
+            .ok_or(IntrospectionStateBuilderError::NoAuthSchema)?;
+
+        let metadata = discover(&self.authority)
+            .await
+            .map_err(|source| IntrospectionStateBuilderError::Discovery { source })?;
+
+        let introspection_uri = metadata
+            .additional_metadata()
+            .introspection_endpoint
+            .clone()
+            .ok_or(IntrospectionStateBuilderError::NoIntrospectionUrl)?;
+
+        Ok(IntrospectionState {
+            config: IntrospectionConfig {
+                authority: self.authority.clone(),
+                introspection_uri: introspection_uri,
+                authentication: authentication,
+            },
+        })
+    }
+}

como_auth/src/lib.rs

@@ -0,0 +1,149 @@
+pub use introspection::IntrospectionConfigClap;
+
+mod introspection;
+mod oauth;
+
+#[derive(clap::ValueEnum, Clone, PartialEq, Eq, Debug)]
+pub enum AuthEngine {
+    Noop,
+    Zitadel,
+}
+
+#[derive(clap::Args, Clone, PartialEq, Eq, Debug)]
+pub struct AuthClap {
+    #[arg(
+        env = "AUTH_ENGINE",
+         long = "auth-engine",
+         requires_ifs = [
+        ( "zitadel", "ZitadelClap" )
+       ],
+        default_value = "noop" )
+    ]
+    pub engine: AuthEngine,
+
+    #[clap(flatten)]
+    pub zitadel: ZitadelClap,
+}
+
+#[derive(clap::Args, Clone, Debug, PartialEq, Eq)]
+#[group(requires_all = ["auth_url", "client_id", "client_secret", "redirect_url", "token_url", "authority_url"])]
+pub struct ZitadelClap {
+    #[arg(env = "ZITADEL_AUTH_URL", long = "zitadel-auth-url")]
+    pub auth_url: Option<String>,
+
+    #[arg(env = "ZITADEL_CLIENT_ID", long = "zitadel-client-id")]
+    pub client_id: Option<String>,
+
+    #[arg(env = "ZITADEL_CLIENT_SECRET", long = "zitadel-client-secret")]
+    pub client_secret: Option<String>,
+
+    #[arg(env = "ZITADEL_REDIRECT_URL", long = "zitadel-redirect-url")]
+    pub redirect_url: Option<String>,
+
+    #[arg(env = "ZITADEL_AUTHORITY_URL", long = "zitadel-authority-url")]
+    pub authority_url: Option<String>,
+
+    #[arg(env = "ZITADEL_TOKEN_URL", long = "zitadel-token-url")]
+    pub token_url: Option<String>,
+}
+
+impl AuthClap {}
+
+#[cfg(test)]
+mod test {
+    use crate::{AuthClap, AuthEngine, ZitadelClap};
+    use clap::Parser;
+    use pretty_assertions::assert_eq;
+
+    #[derive(Parser)]
+    #[command(author, version, about, long_about = None)]
+    pub struct Cli {
+        #[command(subcommand)]
+        command: Commands,
+    }
+
+    #[derive(clap::Subcommand, Clone, Debug, Eq, PartialEq)]
+    pub enum Commands {
+        One {
+            #[clap(flatten)]
+            options: AuthClap,
+        },
+    }
+
+    #[test]
+    fn test_command_parse_as_default_noop() {
+        let cli: Cli = Cli::parse_from(&["base", "one"]);
+
+        assert_eq!(
+            cli.command,
+            Commands::One {
+                options: AuthClap {
+                    engine: AuthEngine::Noop,
+                    zitadel: ZitadelClap {
+                        auth_url: None,
+                        client_id: None,
+                        client_secret: None,
+                        redirect_url: None,
+                        token_url: None,
+                        authority_url: None,
+                    },
+                }
+            }
+        );
+    }
+
+    #[test]
+    fn test_command_parse_as_noop() {
+        let cli: Cli = Cli::parse_from(&["base", "one", "--auth-engine", "noop"]);
+
+        assert_eq!(
+            cli.command,
+            Commands::One {
+                options: AuthClap {
+                    engine: AuthEngine::Noop,
+                    zitadel: ZitadelClap {
+                        auth_url: None,
+                        client_id: None,
+                        client_secret: None,
+                        redirect_url: None,
+                        token_url: None,
+                        authority_url: None,
+                    },
+                }
+            }
+        );
+    }
+
+    #[test]
+    fn test_command_parse_as_zitadel() {
+        let cli: Cli = Cli::parse_from(&[
+            "base",
+            "one",
+            "--auth-engine",
+            "zitadel",
+            "--zitadel-client-id=something",
+            "--zitadel-client-secret=something",
+            "--zitadel-auth-url=https://something",
+            "--zitadel-redirect-url=https://something",
+            "--zitadel-token-url=https://something",
+            "--zitadel-authority-url=https://something",
+        ]);
+
+        assert_eq!(
+            cli.command,
+            Commands::One {
+                options: AuthClap {
+                    engine: AuthEngine::Zitadel,
+                    zitadel: ZitadelClap {
+                        auth_url: Some("https://something".into()),
+                        client_id: Some("something".into()),
+                        client_secret: Some("something".into()),
+                        redirect_url: Some("https://something".into()),
+                        token_url: Some("https://something".into()),
+                        authority_url: Some("https://something".into()),
+                    },
+                },
+            }
+        );
+    }
+}

como_auth/src/oauth.rs

@@ -0,0 +1,230 @@
+use async_trait::async_trait;
+use oauth2::{basic::BasicClient, AuthUrl, ClientId, ClientSecret, RedirectUrl, TokenUrl};
+use std::ops::Deref;
+use std::sync::Arc;
+
+#[async_trait]
+pub trait OAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()>;
+}
+
+pub struct OAuth(Arc<dyn OAuthClient + Send + Sync + 'static>);
+
+impl OAuth {
+    pub fn new_zitadel(config: ZitadelConfig) -> Self {
+        Self(Arc::new(ZitadelOAuthClient::from(config)))
+    }
+    pub fn new_noop() -> Self {
+        Self(Arc::new(NoopOAuthClient {}))
+    }
+}
+
+impl Deref for OAuth {
+    type Target = Arc<dyn OAuthClient + Send + Sync + 'static>;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
+impl From<ZitadelConfig> for OAuth {
+    fn from(value: ZitadelConfig) -> Self {
+        Self::new_zitadel(value)
+    }
+}
+
+// -- Noop
+#[derive(clap::Args, Clone)]
+pub struct NoopOAuthClient;
+#[async_trait]
+impl OAuthClient for NoopOAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()> {
+        Ok(())
+    }
+}
+
+// -- Zitadel
+
+#[derive(Clone)]
+pub struct ZitadelConfig {
+    auth_url: String,
+    client_id: String,
+    client_secret: String,
+    redirect_url: String,
+    token_url: String,
+    authority_url: String,
+}
+
+pub struct ZitadelOAuthClient {
+    client: BasicClient,
+}
+
+impl ZitadelOAuthClient {
+    pub fn new(
+        client_id: impl Into<String>,
+        client_secret: impl Into<String>,
+        redirect_url: impl Into<String>,
+        auth_url: impl Into<String>,
+        token_url: impl Into<String>,
+        authority_url: impl Into<String>,
+    ) -> Self {
+        Self {
+            client: Self::oauth_client(ZitadelConfig {
+                client_id: client_id.into(),
+                client_secret: client_secret.into(),
+                redirect_url: redirect_url.into(),
+                auth_url: auth_url.into(),
+                token_url: token_url.into(),
+                authority_url: authority_url.into(),
+            }),
+        }
+    }
+
+    fn oauth_client(config: ZitadelConfig) -> BasicClient {
+        BasicClient::new(
+            ClientId::new(config.client_id),
+            Some(ClientSecret::new(config.client_secret)),
+            AuthUrl::new(config.auth_url).unwrap(),
+            Some(TokenUrl::new(config.token_url).unwrap()),
+        )
+        .set_redirect_uri(RedirectUrl::new(config.redirect_url).unwrap())
+    }
+}
+
+impl From<ZitadelConfig> for ZitadelOAuthClient {
+    fn from(value: ZitadelConfig) -> Self {
+        Self::new(
+            value.client_id,
+            value.client_secret,
+            value.redirect_url,
+            value.auth_url,
+            value.token_url,
+            value.authority_url,
+        )
+    }
+}
+
+#[async_trait]
+impl OAuthClient for ZitadelOAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()> {
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::{
+        oauth::{OAuth, ZitadelConfig},
+        ZitadelClap,
+    };
+    use clap::Parser;
+    use sealed_test::prelude::*;
+
+    #[derive(Parser)]
+    #[command(author, version, about, long_about = None)]
+    pub struct Cli {
+        #[clap(flatten)]
+        options: ZitadelClap,
+    }
+
+    #[derive(Parser, Debug)]
+    #[command(author, version, about, long_about = None)]
+    pub struct CliSubCommand {
+        #[command(subcommand)]
+        command: Commands,
+    }
+
+    #[derive(clap::Subcommand, Clone, Debug, Eq, PartialEq)]
+    pub enum Commands {
+        One {
+            #[clap(flatten)]
+            options: ZitadelClap,
+        },
+    }
+
+    #[tokio::test]
+    async fn test_parse_clap_zitadel() {
+        let cli: Cli = Cli::parse_from(&[
+            "base",
+            "--zitadel-client-id=something",
+            "--zitadel-client-secret=something",
+            "--zitadel-auth-url=https://something",
+            "--zitadel-redirect-url=https://something",
+            "--zitadel-token-url=https://something",
+            "--zitadel-authority-url=https://something",
+        ]);
+        println!("{:?}", cli.options);
+
+        pretty_assertions::assert_eq!(
+            cli.options,
+            ZitadelClap {
+                auth_url: Some("https://something".into()),
+                client_id: Some("something".into()),
+                client_secret: Some("something".into()),
+                redirect_url: Some("https://something".into()),
+                token_url: Some("https://something".into()),
+                authority_url: Some("https://something".into()),
+            }
+        );
+    }
+
+    #[test]
+    fn test_parse_clap_zitadel_fails_require_all() {
+        let cli = CliSubCommand::try_parse_from(&[
+            "base",
+            "one",
+            // "--zitadel-client-id=something", // We want to trigger missing variable
+            "--zitadel-client-secret=something",
+            "--zitadel-auth-url=https://something",
+            "--zitadel-redirect-url=https://something",
+            "--zitadel-token-url=https://something",
+            "--zitadel-authority-url=https://something",
+        ]);
+
+        pretty_assertions::assert_eq!(cli.is_err(), true);
+    }
+
+    #[sealed_test]
+    fn test_parse_clap_env_zitadel() {
+        std::env::set_var("ZITADEL_CLIENT_ID", "something");
+        std::env::set_var("ZITADEL_CLIENT_SECRET", "something");
+        std::env::set_var("ZITADEL_AUTH_URL", "https://something");
+        std::env::set_var("ZITADEL_REDIRECT_URL", "https://something");
+        std::env::set_var("ZITADEL_TOKEN_URL", "https://something");
+        std::env::set_var("ZITADEL_AUTHORITY_URL", "https://something");
+
+        let cli = CliSubCommand::parse_from(&["base", "one"]);
+
+        pretty_assertions::assert_eq!(
+            cli.command,
+            Commands::One {
+                options: ZitadelClap {
+                    auth_url: Some("https://something".into()),
+                    client_id: Some("something".into()),
+                    client_secret: Some("something".into()),
+                    redirect_url: Some("https://something".into()),
+                    token_url: Some("https://something".into()),
+                    authority_url: Some("https://something".into()),
+                }
+            }
+        );
+    }
+    #[test]
+    fn test_parse_clap_defaults_to_noop() {
+        let cli = CliSubCommand::parse_from(&["base", "one"]);
+
+        pretty_assertions::assert_eq!(
+            cli.command,
+            Commands::One {
+                options: ZitadelClap {
+                    auth_url: None,
+                    client_id: None,
+                    client_secret: None,
+                    redirect_url: None,
+                    token_url: None,
+                    authority_url: None,
+                },
+            }
+        );
+    }
+}

cuddle.yaml

@@ -8,6 +8,8 @@ vars:
   bin_name: como_bin
 
 scripts:
+  ci:
+    type: shell
   render_como_templates:
     type: shell
   local_up:

renovate.json

@@ -0,0 +1,3 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}

scripts/ci.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+echo "setting up ssh"
+cuddle x setup_ssh
+
+cuddle x start_deployment
+cuddle x render_templates
+cuddle x render_como_templates
+cuddle x build_release
+cuddle x push_release
+cuddle x deploy_release