cli/.github/workflows/build-cli-artifacts.yml at develop · supabase/cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
name: Build CLI Artifacts

on:
  workflow_call:
    inputs:
      version:
        description: CLI package version to build
        required: true
        type: string
      shell:
        description: CLI shell to package as the shipped supabase binary
        required: true
        type: string
      ref:
        description: Optional git ref or SHA to check out before building
        required: false
        type: string
        default: ""
      runner:
        description: Runner to use for building artifacts
        required: false
        type: string
        default: blacksmith-32vcpu-ubuntu-2404
      cache_key_suffix:
        description: Suffix to distinguish build artifact cache producers
        required: false
        type: string
        default: ""
      timeout_minutes:
        description: Maximum minutes to allow for the build job
        required: false
        type: number
        default: 30
      build_timeout_minutes:
        description: Maximum minutes to allow for the artifact build step after setup
        required: false
        type: number
        default: 4
    secrets:
      SENTRY_DSN:
        required: false
      POSTHOG_API_KEY:
        required: false
      POSTHOG_ENDPOINT:
        required: false
      DF_FIREWALL_TOKEN:
        required: false

permissions:
  contents: read

jobs:
  build:
    name: Build CLI artifacts
    runs-on: ${{ inputs.runner }}
    timeout-minutes: ${{ inputs.timeout_minutes }}
    env:
      BUN_SHELL: ${{ inputs.shell }}
      VERSION: ${{ inputs.version }}
      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
      POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
      POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
      # Fail the build if the macOS signing tool is missing — release artifacts
      # must be signed (CLI-1621). Local builds without rcodesign degrade to a
      # warning instead.
      SUPABASE_CLI_REQUIRE_SIGNING: "1"
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          ref: ${{ inputs.ref }}
          persist-credentials: false

      - name: Setup
        uses: ./.github/actions/setup
        with:
          dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: apps/cli-go/go.mod
          cache: true
          cache-dependency-path: apps/cli-go/go.sum

      - name: Pre-download Go modules
        working-directory: apps/cli-go
        run: go mod download -x

      - name: Install nfpm
        run: |
          echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
          sudo apt-get update
          sudo apt-get install -y nfpm

      - name: Install rcodesign
        env:
          RCODESIGN_VERSION: "0.29.0"
          RCODESIGN_SHA256: "dbe85cedd8ee4217b64e9a0e4c2aef92ab8bcaaa41f20bde99781ff02e600002"
        run: |
          set -euo pipefail
          asset="apple-codesign-${RCODESIGN_VERSION}-x86_64-unknown-linux-musl.tar.gz"
          curl -fsSL -o /tmp/rcodesign.tar.gz \
            "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/${asset}"
          echo "${RCODESIGN_SHA256}  /tmp/rcodesign.tar.gz" | sha256sum -c
          tar -xzf /tmp/rcodesign.tar.gz -C /tmp
          sudo install -m 0755 "/tmp/apple-codesign-${RCODESIGN_VERSION}-x86_64-unknown-linux-musl/rcodesign" /usr/local/bin/rcodesign
          rcodesign --version

      - name: Sync versions
        run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"

      - name: Build selected shell
        timeout-minutes: ${{ inputs.build_timeout_minutes }}
        run: pnpm exec bun apps/cli/scripts/build.ts --version "${VERSION}" --shell "${BUN_SHELL}"

      - name: Verify build artifacts
        run: |
          for pkg in cli-darwin-arm64 cli-darwin-x64 cli-linux-arm64 cli-linux-arm64-musl cli-linux-x64 cli-linux-x64-musl cli-windows-arm64 cli-windows-x64; do
            echo "Checking packages/$pkg/bin/..."
            ls -la "packages/$pkg/bin/"
          done
          echo "Checking dist/..."
          ls -la dist/


      - name: Check existing build artifacts cache
        id: build-artifacts-cache
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            packages/cli-*/bin/
            dist/
          key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1
          enableCrossOsArchive: true
          lookup-only: true

      - name: Save build artifacts cache
        if: steps.build-artifacts-cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            packages/cli-*/bin/
            dist/
          key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1
          enableCrossOsArchive: true