[feat/babashka] Add Babashka support with cross-platform core.cljc

.github/README.md

@@ -0,0 +1,24 @@
+# CI
+
+The `ci.yml` workflow runs on every push/PR to `master`. It:
+
+1. Installs OS tools (Java, Node, Vault, Babashka) via `scripts/install --no-deps`
+2. Opens the GitHub Actions runner IP on the Vault security group so it can authenticate
+3. Fetches AWS credentials from Vault for the private S3 Maven repo
+4. Caches Maven (`~/.m2`) and npm (`node_modules`) dependencies between runs
+5. Installs project dependencies via `scripts/install`
+6. Runs `scripts/test` (JVM, ClojureScript, and Babashka test suites)
+7. Revokes the runner IP from the Vault security group
+
+## Required secrets
+
+| Secret | Purpose |
+|---|---|
+| `GH_ACTIONS_AWS_ACCESS_KEY_ID` | AWS key for managing the Vault security group |
+| `GH_ACTIONS_AWS_SECRET_ACCESS_KEY` | AWS secret for managing the Vault security group |
+| `VAULT_GITHUB_TOKEN` | GitHub token for `vault login -method=github` |
+
+## Composite actions
+
+- **`vault-allow`** — adds the runner's IP to the Vault SG and logs into Vault
+- **`vault-revoke`** — removes the runner's IP from the Vault SG (runs even if tests fail)

.github/actions/vault-allow/action.yml

@@ -0,0 +1,43 @@
+name: Allow runner IP on Vault security group
+description: >
+  Gets the runner's public IP, opens port 443 on the Vault SG,
+  and logs into Vault via GitHub token so subsequent steps can
+  call vault commands without additional auth.
+
+inputs:
+  aws-access-key-id:
+    required: true
+  aws-secret-access-key:
+    required: true
+  github-token:
+    description: GitHub token for vault login (method=github)
+    required: true
+
+outputs:
+  ip:
+    description: Runner public IP address (pass to vault-revoke)
+    value: ${{ steps.ip.outputs.ip }}
+
+runs:
+  using: composite
+  steps:
+    - id: ip
+      shell: bash
+      run: echo "ip=$(curl -s https://checkip.amazonaws.com)" >> $GITHUB_OUTPUT
+
+    - shell: bash
+      env:
+        AWS_ACCESS_KEY_ID: ${{ inputs.aws-access-key-id }}
+        AWS_SECRET_ACCESS_KEY: ${{ inputs.aws-secret-access-key }}
+      run: |
+        aws ec2 authorize-security-group-ingress \
+          --region us-west-2 \
+          --group-id sg-702d6801 \
+          --protocol tcp --port 443 \
+          --cidr ${{ steps.ip.outputs.ip }}/32
+
+    - shell: bash
+      env:
+        VAULT_ADDR: https://vault.techascent.com
+        GITHUB_TOKEN: ${{ inputs.github-token }}
+      run: vault login -method=github token="$GITHUB_TOKEN" >/dev/null

.github/actions/vault-revoke/action.yml

@@ -0,0 +1,25 @@
+name: Revoke runner IP from Vault security group
+description: Removes the runner's IP from the Vault SG (use with if:always())
+
+inputs:
+  ip:
+    description: Runner IP from vault-allow output
+    required: true
+  aws-access-key-id:
+    required: true
+  aws-secret-access-key:
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      env:
+        AWS_ACCESS_KEY_ID: ${{ inputs.aws-access-key-id }}
+        AWS_SECRET_ACCESS_KEY: ${{ inputs.aws-secret-access-key }}
+      run: |
+        aws ec2 revoke-security-group-ingress \
+          --region us-west-2 \
+          --group-id sg-702d6801 \
+          --protocol tcp --port 443 \
+          --cidr ${{ inputs.ip }}/32

.github/workflows/ci.yml

@@ -0,0 +1,68 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+  workflow_dispatch:
+
+jobs:
+  test:
+    name: Test (JVM + CLJS + Babashka)
+    runs-on: ubuntu-latest
+    env:
+      VAULT_ADDR: https://vault.techascent.com
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install OS tools (vault, babashka, etc.)
+        run: scripts/install --no-deps
+
+      - name: Allow runner IP on Vault
+        id: vault
+        uses: ./.github/actions/vault-allow
+        with:
+          aws-access-key-id: ${{ secrets.GH_ACTIONS_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.GH_ACTIONS_AWS_SECRET_ACCESS_KEY }}
+          github-token: ${{ secrets.VAULT_GITHUB_TOKEN }}
+
+      - name: Fetch AWS credentials (core) for S3 Maven repo
+        run: scripts/aws-creds core --write-profile default --force
+
+      - name: Verify AWS credentials
+        run: aws sts get-caller-identity
+
+      - name: Set up Java 21
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: "21"
+
+      - name: Cache Maven deps
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2
+          key: m2-${{ hashFiles('deps.edn') }}
+          restore-keys: m2-
+
+      - name: Cache npm deps
+        uses: actions/cache@v4
+        with:
+          path: node_modules
+          key: npm-${{ hashFiles('package.json') }}
+
+      - name: Install dependencies
+        run: scripts/install
+
+      - name: Run tests
+        run: scripts/test
+
+      - name: Revoke runner IP from Vault
+        if: always()
+        uses: ./.github/actions/vault-revoke
+        with:
+          ip: ${{ steps.vault.outputs.ip }}
+          aws-access-key-id: ${{ secrets.GH_ACTIONS_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.GH_ACTIONS_AWS_SECRET_ACCESS_KEY }}

CHANGELOG.md

@@ -5,6 +5,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 ### Added
+- Babashka support via cross-platform `core.cljc` and `files.bb`
+- `CONFIG_DIR` env var support for Babashka scripts without `bb.edn`
+- `bb.edn` for classpath configuration
+- Babashka tests in `scripts/test`
 - ClojureScript (Node.js) implementation of `tech.config.core`
 - shadow-cljs test setup for ClojureScript tests
 - `build.clj` and `VERSION` file for tools.build-based releases
@@ -16,6 +20,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Updated Clojure dependency to 1.12.4
 
 ### Removed
+- `.lein-env` and `.boot-env` file reading from environ (legacy Leiningen/Boot support)
 - `project.clj` (replaced by `deps.edn`)
 - `pom.xml` (generated by tools.build at release time)
 - `.travis.yml`

README.md

@@ -1,7 +1,7 @@
 # tech.config
 
-A Clojure and ClojureScript configuration library that abstracts configuration
-from files and environment variables.
+A Clojure, ClojureScript, and Babashka configuration library that abstracts
+configuration from files and environment variables.
 
 The library works by reading config files named `*-config.edn` from the resources
 directory (classpath in Clojure, a configurable directory in ClojureScript/Node).
@@ -67,6 +67,20 @@ The ClojureScript version reads config from:
 (config/print-config)
 ```
 
+### Babashka
+
+The Babashka version reads config from classpath directories (configured via
+`:paths` in `bb.edn`) and supports `CONFIG_DIR` for scripts that run without a
+`bb.edn`.
+
+```clojure
+#!/usr/bin/env bb
+(require '[tech.config.core :as config])
+
+(config/get-config :my-setting)
+(config/get-config :my-setting "default-value")
+```
+
 ### Precedence Hierarchy
 
 #### Clojure
@@ -134,10 +148,16 @@ npx shadow-cljs compile test
 node target/test.js
 ```
 
-Or via deps.edn:
+#### Running Babashka tests
+
+```bash
+bb test/bb_test_runner.clj
+```
+
+#### Running all tests
 
 ```bash
-clojure -M:test-cljs && node target/test.js
+scripts/test
 ```
 
 #### Releasing

bb.edn

@@ -0,0 +1 @@
+{:paths ["src" "resources" "test" "test/resources"]}

scripts/install

@@ -125,7 +125,8 @@ elif [ "$_os" = "linux" ]; then
   else
     spin "Installing aws-cli (latest)"
     _tmpdir=$(mktemp -d)
-    curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" \
+    _aws_arch=$([ "$_arch" = "arm64" ] && echo "aarch64" || echo "x86_64")
+    curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-${_aws_arch}.zip" \
       -o "$_tmpdir/awscliv2.zip"
     unzip -q "$_tmpdir/awscliv2.zip" -d "$_tmpdir"
     sudo "$_tmpdir/aws/install" \
@@ -158,6 +159,31 @@ else
   ok "vault already installed ($(vault version | head -1))"
 fi
 
+# ── Babashka ──────────────────────────────────────────────────────────────────
+
+header "Babashka"
+
+if ! command -v bb &>/dev/null; then
+  bb_version=$(curl -fsSL "https://api.github.com/repos/babashka/babashka/releases/latest" \
+    | sed -n 's/.*"tag_name": "v\([^"]*\)".*/\1/p')
+  spin "Downloading babashka ${bb_version}"
+  _tmpdir=$(mktemp -d)
+  _bb_os=$([ "$_os" = "darwin" ] && echo "macos" || echo "linux")
+  _bb_arch=$([ "$_arch" = "arm64" ] && echo "aarch64" || echo "amd64")
+  # Linux aarch64 only ships as -static; amd64 and macOS have non-static builds.
+  _bb_suffix=""
+  [[ "$_bb_os" == "linux" && "$_bb_arch" == "aarch64" ]] && _bb_suffix="-static"
+  curl -fsSL \
+    "https://github.com/babashka/babashka/releases/download/v${bb_version}/babashka-${bb_version}-${_bb_os}-${_bb_arch}${_bb_suffix}.tar.gz" \
+    -o "$_tmpdir/bb.tar.gz"
+  tar xzf "$_tmpdir/bb.tar.gz" -C "$_tmpdir"
+  _install_bin "$_tmpdir/bb" bb
+  rm -rf "$_tmpdir"
+  clear_spin; ok "babashka ${bb_version} installed"
+else
+  ok "babashka already installed ($(bb --version))"
+fi
+
 if [ "$_no_deps" = false ]; then
 
 # ── npm deps ──────────────────────────────────────────────────────────────────

scripts/test

@@ -12,4 +12,7 @@ npm install --silent
 npx shadow-cljs compile test
 node target/test.js
 
+header "Babashka tests"
+bb test/bb_test_runner.clj
+
 ok "All tests passed"