feat/sg: prototype 'sg start sourcegraph-accounts' (#63894)

Prototype what it might be like to have `sg` run `sourcegraph-accounts`. I think this would be a huge improvement over the multi-step, many-things-to-install process that currently exists for SAMS. There are a couple of quirks, but I think I'll leave this here for now, as this is part https://linear.app/sourcegraph/issue/CORE-220, a timeboxed spike into polishing some local-dev DX for SAMS. Also see https://github.com/sourcegraph/sourcegraph-accounts/pull/262 ## Test plan ``` sg start sourcegraph-accounts ``` Go to 127.0.0.1:9991 and try to log in
2026-02-06 15:12:02 +00:00 · 2024-07-19 13:30:08 -07:00 · 2024-07-19 13:30:08 -07:00 · f53e211804
commit f53e211804
parent 924c5d263c
1 changed files with 125 additions and 1 deletions
--- a/sg.config.yaml
+++ b/sg.config.yaml
@ -37,7 +37,6 @@ env:
  REPO_UPDATER_URL: http://127.0.0.1:3182
  REDIS_ENDPOINT: 127.0.0.1:6379
  SYMBOLS_URL: http://localhost:3184
-  EMBEDDINGS_URL: http://localhost:9991
  SRC_SYNTECT_SERVER: http://localhost:9238
  SRC_FRONTEND_INTERNAL: localhost:3090
  GRAFANA_SERVER_URL: http://localhost:3370
@ -1123,6 +1122,122 @@ commands:
      - lib
      - schema

+  sourcegraph-accounts-server:
+    description: |
+      Run SAMS from a clone of https://github.com/sourcegraph/sourcegraph-accounts
+      expected to be configured in '../sourcegraph-accounts'
+    install: |
+      if [ -d "../sourcegraph-accounts" ]; then
+        echo "../sourcegraph-accounts must be a clone of https://github.com/sourcegraph/sourcegraph-accounts"
+      fi
+      cd ../sourcegraph-accounts
+
+      createdb -h $PGHOST -p $PGPORT -U $PGUSER --encoding=UTF8 --template=template0 accounts || true
+      asdf install
+      go build -v -o ./.bin/accounts-server ./cmd/accounts-server
+    checkBinary: ../sourcegraph-accounts/.bin/accounts-server
+    cmd: |
+      export PGDSN="postgres://$PGUSER:$PGPASSWORD@$PGHOST:$PGPORT/{{ .Database }}?sslmode=$PGSSLMODE"
+      cd ../sourcegraph-accounts
+      ./.bin/accounts-server
+    watch:
+      - ../sourcegraph-accounts/go.mod
+      - ../sourcegraph-accounts/cmd/accounts-server
+      - ../sourcegraph-accounts/backend
+      - ../sourcegraph-accounts/internal
+    externalSecrets:
+      GITHUB_CLIENT_ID:
+        project: sourcegraph-local-dev
+        name: SAMS_LOCAL_DEV_GITHUB_CLIENT_ID
+      GITHUB_CLIENT_SECRET:
+        project: sourcegraph-local-dev
+        name: SAMS_LOCAL_DEV_GITHUB_CLIENT_SECRET
+      GITLAB_CLIENT_ID:
+        project: sourcegraph-local-dev
+        name: SAMS_LOCAL_DEV_GITLAB_CLIENT_ID
+      GITLAB_CLIENT_SECRET:
+        project: sourcegraph-local-dev
+        name: SAMS_LOCAL_DEV_GITLAB_CLIENT_SECRET
+      GOOGLE_CLIENT_ID:
+        project: sourcegraph-local-dev
+        name: SAMS_LOCAL_DEV_GOOGLE_CLIENT_ID
+      GOOGLE_CLIENT_SECRET:
+        project: sourcegraph-local-dev
+        name: SAMS_LOCAL_DEV_GOOGLE_CLIENT_SECRET
+    env:
+      OTEL_SDK_DISABLED: true
+      # TODO: Port conflicts with embeddings, but all our pre-made credentials
+      # use this port as the redirect URL, so we just stick to it for now.
+      PORT: 9991
+      REDIS_HOST: localhost
+      REDIS_PORT: 6379
+      REDIS_ENDPOINT: 'redis://@127.0.0.1:6379' # Use
+      MANAGEMENT_SECRET: sekret # For authentication when using admin APIs to register new SAMS clients.
+      GITHUB_REDIRECT_URI: "http://localhost:$PORT/auth/github/callback"
+      GITLAB_REDIRECT_URI: http://localhost:$PORT/auth/gitlab/callback
+      GOOGLE_REDIRECT_URI: http://localhost:$PORT/auth/google/callback
+      IDENTITY_PROVIDER_INSECURE_DEBUG: true
+      IDENTITY_PROVIDER_OIDC_GLOBAL_SECRET: "some-cool-secret-that-is-32bytes"
+      # $ ssh-keygen -t rsa -m PEM -b 2048 -f temp.pem
+      IDENTITY_PROVIDER_OIDC_JWK_PRIVATE_KEY: |
+        -----BEGIN RSA PRIVATE KEY-----
+        MIIG4wIBAAKCAYEAw+3FnONYJcxkA539MhwawknBDOqgzM/QoiLNA6OD46uizJXn
+        Eyku2nVBtbUdjG3g6QwuYL0e8QKgTUOhIHlj8iOhad/A3p9dbY5RRoxLznezipaI
+        tcqLzjU+JVioLPro1Jl5nqeL5bjNf+/5LLKEbzyOkapSxqUK7IQ7j4OIkq4QEYoj
+        QAo4rdXu/+yNmEUHyA1KuVl/WAmKfSC3AIiDRHz5oHvLZmm1wyE/OzZAwO+JPCDi
+        qNIy7As8UOOU0RRYvP3XUWKuPDU+D1ZveUXdahE+ZH/uemya789ry0pCXOSwyXcP
+        Hc6rMgGqsgerb//leZZx90GWOzQMFdPDIoF3np0NpH2Q2mU300uIw6a6DXscX7lj
+        EPauyMCiHd60TuDKfFVZyiPYnDh+akbZvZ4eIM2FNvKQdtnvlziuXyJxt07maoe9
+        yBf3iwKHHTEhtVnrj0/Di1s9nhzglvjmMb83iduBrPDks1GxR92DYu4aO8wRFZiN
+        yYLAs0W6axwE5khJAgMBAAECggGBAJLbj2q4UaMLX9ACRP2haUFGDSjEWUELZ+OP
+        2EGo97vYM8/LcIfBL7hZeaZcmkhfN90W31BtkVqvUD55ubVgp9SgdmWobKWxqFLt
+        AOizUkLxICd6DADPUBmBeRJ/MJd+frSUUT/lcAwBiC8kTY3+RRwntOlkVGVG4jhE
+        KWy5982SIMM02pUu1CsgluNHiR6gZ2PA6sihV71CcYa21dTVficA0g9Dm0Mpay9W
+        pVGZqdGz+haSw7Is1DRve4dZ/nr1FvkCykB/+JonbvhMY2XT5kBUBPh0w5vGxe9G
+        fmbswxw37liBszy64hw77zzg1EnvBbolZOIXC9Xif4mBG/bVEe6/U5YeW/MIIqhV
+        iyDWeTyQZG7Y/hrXjDoUvw/Xt04NK5oJLAQ6eSbZzrB8N2+uCncCHKiR3esRimuD
+        i3UYdVclJclFzGm3iTy75luMHWX55E2tkCY/CgfXNLr2sUBaoAzSHeXwNH6hhVe2
+        6gZvF4TtKKr1DBBvV/Loo1HjyuK9AQKBwQD4vGKenuA009PpFC7ChaXDNz4rIchE
+        u2DfGlDRHEvs5UGFsjjsWU/ldysmqPIzodpI09ZA31EhYG61UMZlLOnOtQZ7/C++
+        IpsFIqCgy144hj8pHDzSzQ3iIPa1HB9LD4XndHDWk2TrRxAFm4tWDeAc1MTeSNi2
+        3xWCNybGy4rRaSIGklDePQlQZA+dXIgDQdV5jUEpGZ9TjsitYLi7q9hPFIJHThnS
+        iEEniaYdcHUvscH8GSlzWflzG8SZ1gjeR+kCgcEAyaaWSh5ePP7MbCBT/rVbPUGw
+        0hLmwg3rHg03YelpXrdvoz3c0I05yKfaA/ODfJConvsYNIrApempelYGqD1SneAg
+        L7E0Pkuj6puaLT11N2g6pGfU627t8WwAv4f79613ovtXimaU3DAEdZyoS/IZ78pE
+        b7R/ZOMl2bX0N+RyXNMUU3jSgy4oMa5Ebi/45wUG1Vz18UxOM/Oyf2I9BwgY/OgY
+        xWUeUZvKma3Z4IOSATPCJrhvlzdk8lAV8BZ9KCFhAoHAKm+Rb7hxTfH5zGEaHSvJ
+        /QU2wQsRbNB/FXEa6qImPfNa+2FNnt0Z6W8sWHsoXzC02gnyGr0+zS/zk1GFl4tT
+        FGYEBjEfQBQNWJHwz54CpCgbLHtZ0SkUvkibboiuuhKa6MMP4TviUtWb4SkJW5Qg
+        cSrHr5jECGcE92NLZU0ikNmb6X0a+N928FUx6Mn5lnyr3AICZO2vJgVNLW879SC7
+        VbqNA3dKpoWCgClWwt0F0S5FhyoPzVNDYKUTJJ/EgY/JAoHAeFpX+tbTMh51Tdeh
+        qjT9xrrNWSR0279I4//JXUPdYu2i0NBcWZDguxULdy5A/Pit221MDhf+UUf7ogt0
+        H7ex9o5NR4nA/6lPpPfH9lZm/nHUBkn+d6IWm+/1Jlt4FGRRMlJG9lCxahWyo6uj
+        euh9eHPFktIs8r7r2VvS7gUICMTmrcdABZFn5fb32rgBG4kRggjgtWrwheteTs8I
+        U4kOuOuh1Ta7+MM+EakEkA6W9ua4aznLSHqEYmdQIKKbgnchAoHABM0qJXK+f+kj
+        nLVdbjmUsyfe1ud0Do40Pn7e36/V63H5rEz3iQPQkOmDKk3QjyEqehiI5q6TKeC+
+        fwu/gz/9CUz9/xdGoCZ3YH9AR81uxqPbpVPvO7vko+ZxFPFxRgqQU36EUTTBwrhU
+        3do5IMkjkStJB6guA0eKx8rRSWoTPrSgpUSGYkgGS170VvkvtHtAaJ5YA6G14heH
+        GuoTldaJ9rF8KxfsjEKkr+ccnxrgDYcfNjKmcXu5lBJGruSom7Uw
+        -----END RSA PRIVATE KEY-----
+
+  sourcegraph-accounts-web:
+    description: |
+      Run SAMS from a clone of https://github.com/sourcegraph/sourcegraph-accounts
+      expected to be configured in '../sourcegraph-accounts'
+    install: |
+      if [ -d "../sourcegraph-accounts" ]; then
+        echo "../sourcegraph-accounts must be a clone of https://github.com/sourcegraph/sourcegraph-accounts"
+      fi
+      cd ../sourcegraph-accounts
+
+      asdf install
+      pnpm install
+    cmd: |
+      cd ../sourcegraph-accounts/web
+      pnpm run dev
+    watch:
+      - ../sourcegraph-accounts/pnpm-lock.yaml
+
 bazelCommands:
  blobstore:
    target: //cmd/blobstore
@ -1886,6 +2001,15 @@ commandsets:
    bazelCommands:
      - cody-gateway

+  sourcegraph-accounts:
+    checks:
+      - redis
+      - postgres
+      - git
+    commands:
+      - sourcegraph-accounts-server
+      - sourcegraph-accounts-web
+
 tests:
  # These can be run with `sg test [name]`
  backend: