38 changes: 20 additions & 18 deletions .github/workflows/build-cli-artifacts.yml
Expand Up @@ -21,8 +21,8 @@ on:
required: false
type: string
default: blacksmith-32vcpu-ubuntu-2404
cache_key_suffix:
description: Suffix to distinguish build artifact cache producers
artifact_name_suffix:
description: Suffix to distinguish build artifact producers (e.g. -github)
required: false
type: string
default: ""
Expand Down Expand Up @@ -124,23 +124,25 @@ jobs:
ls -la dist/


- name: Check existing build artifacts cache
id: build-artifacts-cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
# Hand the build off to the smoke/publish/brew/scoop jobs via a run-scoped
# artifact rather than a cache. Caches share a 10 GB per-repo budget and
# are evicted LRU, so a large build cache could vanish mid-run between the
# producer and a later consumer (e.g. publish), failing the restore.
# Artifacts have their own deterministic retention and survive job re-runs
# within the run, which is exactly what this handoff needs.
- name: Upload build artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.artifact_name_suffix }}
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1
enableCrossOsArchive: true
lookup-only: true

- name: Save build artifacts cache
if: steps.build-artifacts-cache.outputs.cache-hit != 'true'
uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1
enableCrossOsArchive: true
# Intra-run handoff, not a kept deliverable — expire it the next day.
retention-days: 1
# A full re-run of this job replaces its own artifact instead of
# failing on the duplicate name from the previous attempt.
overwrite: true
# dist/* is already compressed (tar.gz/zip/deb/rpm/apk); a light level
# trims the raw bin/ binaries without burning CPU re-packing the rest.
compression-level: 1
if-no-files-found: error
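Review bot: The step comment at L43-48 explains why an artifact replaces the cache but not the consequence every consumer now has to handle: `upload-artifact` stores a zip, so the `packages/cli-*/bin/` binaries listed under `path:` arrive without their executable bit, whereas the cache restore this replaces preserved file modes. This commit documents that only on one consumer side (release-shared.yml), where future callers of this reusable workflow will not look. I would record it at the producer, above `path:` at L53: `# Artifacts are zipped and drop Unix mode bits: every job that downloads this must chmod +x packages/cli-*/bin/supabase before using or shipping the binaries.`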
12 changes: 5 additions & 7 deletions .github/workflows/cli-go-mirror.yml
Expand Up @@ -7,13 +7,11 @@ name: Mirror Dependencies
# ghcr.io, and AWS ECR.

on:
# We can't trigger the mirror job on PR merge because certain tests would fail
# until we mirror some images. E.g. a PR to update the imgproxy image version
# would fail, because there is a test that creates a container from the
# updated image version, which would fail because the image hasn't been
# mirrored yet. It's a catch-22!
#
# TODO: Make the cli start test run *after* we mirror images (if needed).
# This workflow is the manual/bulk entry point for re-mirroring everything.
# Template image bumps are mirrored automatically by mirror-template-images.yml
# on push to develop, which backfills any unmirrored tag when the templates
# Dockerfile changes — so develop and PRs rebased on it stop inheriting the
# `manifest unknown` failure in the ghcr.io-pinned `Start` check.
workflow_dispatch:
permissions:
contents: read
83 changes: 83 additions & 0 deletions .github/workflows/mirror-template-images.yml
@@ -0,0 +1,83 @@
name: Mirror template images

# Keeps the ghcr.io/ECR mirror in sync with the image versions pinned in
# apps/cli-go/pkg/config/templates/Dockerfile (the single source of truth for
# `config.Images`). When the Dockerfile changes on develop — most often via a
# merged dependabot `docker` bump — this workflow detects any tag that is not
# yet mirrored and backfills it the same way `cli-go-mirror-image.yml` does.
#
# It runs on `push` to develop (not on the PR) on purpose: mirroring needs the
# AWS role + packages:write, which a dependabot-triggered `pull_request` run
# cannot be granted, and we deliberately avoid `pull_request_target`. The CI
# `Start` job pins SUPABASE_INTERNAL_IMAGE_REGISTRY=ghcr.io, so it only goes
# green once a bumped tag is mirrored here; this backfill runs as soon as the
# bump lands on develop, repopulating ghcr.io/ECR so develop and any PR rebased
# on it pass `Start` instead of inheriting a `manifest unknown` failure.

on:
push:
branches:
- develop
paths:
- apps/cli-go/pkg/config/templates/Dockerfile
workflow_dispatch:

permissions:
contents: read

concurrency:
group: mirror-template-images-${{ github.ref }}
cancel-in-progress: false

jobs:
detect:
name: Detect unmirrored images
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
outputs:
missing: ${{ steps.detect.outputs.missing }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- name: Setup
uses: ./.github/actions/setup
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Log in to ghcr.io
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

# Parses the Dockerfile, checks each image against the mirror, and writes
# `missing=<json>` to $GITHUB_OUTPUT. Idempotent: already-mirrored images
# are skipped, so a re-run produces an empty list.
- name: Detect images missing from the mirror
id: detect
run: pnpm exec bun apps/cli/scripts/detect-unmirrored-images.ts

mirror:
name: Mirror image
needs: detect
if: needs.detect.outputs.missing != '' && needs.detect.outputs.missing != '[]'
permissions:
contents: read
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
image: ${{ fromJson(needs.detect.outputs.missing) }}
# Reuse the existing mirror logic (docker.io -> public.ecr.aws + ghcr.io).
uses: ./.github/workflows/cli-go-mirror-image.yml
with:
image: ${{ matrix.image }}
secrets:
PROD_AWS_ROLE: ${{ secrets.PROD_AWS_ROLE }}
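Review bot: The `workflow_dispatch` trigger at L125 carries no ref guard, so a manual run from any branch checks out that branch (the checkout at L144-147 uses the dispatched `github.ref`), parses its Dockerfile and mirrors whatever tags it pins into ghcr.io/ECR — even though the header comment at L111-117 frames this as a post-merge, develop-only backfill and the `Start` check pulls from that mirror. Since the mirror namespace is effectively a trusted source for CI, an unreviewed branch should not be able to populate it; a job-level guard on `detect` keeps manual runs on the intended branch: `if: github.event_name == 'push' || github.ref == 'refs/heads/develop'`. The `concurrency` group at L131 is keyed on `github.ref`, so a dispatch from another branch would also run concurrently with, rather than queue behind, the develop push; the same guard removes that case. Whether `workflow_dispatch` is restricted by other means (environment or branch protection) is not visible here.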
11 changes: 3 additions & 8 deletions .github/workflows/publish-preview-cli-packages.yml
Expand Up @@ -57,15 +57,10 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Restore preview build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
- name: Download preview build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-legacy-${{ env.PREVIEW_VERSION }}-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
name: cli-build-legacy-${{ env.PREVIEW_VERSION }}

- name: Prepare package files
run: |
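Review bot: Nothing in the hunk restores the executable bit after `Download preview build artifacts` (L194-L203), yet the comment this same commit adds to release-shared.yml states that artifacts are zipped and drop Unix permissions, so `packages/cli-*/bin/supabase` must be `chmod +x`'d before it is published; the cache restore this replaces preserved modes, so this consumer is the one that regresses silently. Unless `Prepare package files` (which starts at L205 and continues outside the hunk) sets the bit, add the same step before it: `- name: Fix binary permissions` / `run: chmod +x packages/cli-*/bin/supabase`. The rest of the job is outside the hunk, so a later step may already cover this; if so, a one-line comment at L203 saying where would save the next reader the search.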
84 changes: 31 additions & 53 deletions .github/workflows/release-shared.yml
Expand Up @@ -75,7 +75,7 @@ jobs:
version: ${{ inputs.version }}
shell: ${{ inputs.shell }}
runner: large-linux-x86
cache_key_suffix: -github
artifact_name_suffix: -github
timeout_minutes: 45
build_timeout_minutes: 20
secrets:
Expand Down Expand Up @@ -109,15 +109,10 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
- name: Download build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}

# Docker's classic image store keeps a single platform manifest per
# tag, so pulling `alpine:3.21` for amd64 and again for arm64 leaves
Expand Down Expand Up @@ -245,15 +240,10 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
- name: Download build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github

- name: Fix binary permissions
run: chmod +x packages/cli-*/bin/supabase || true
Expand Down Expand Up @@ -304,15 +294,17 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
- name: Download build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github

# Artifacts are zipped and do not carry Unix permissions, so the compiled
# binaries arrive without the executable bit. publish.ts ships
# packages/cli-*/bin/supabase to npm verbatim, so restore +x before
# publishing or the installed CLI would not be runnable.
- name: Fix binary permissions
run: chmod +x packages/cli-*/bin/supabase || true

- name: Sync versions
run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"
Expand Down Expand Up @@ -450,8 +442,6 @@ jobs:
publish-homebrew:
needs: publish
if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }}
# github-hosted to share a cache store with build-github/publish, whose
# -github-v1 artifacts this job's checksums must match.
runs-on: ubuntu-latest
timeout-minutes: 30
env:
Expand All @@ -468,21 +458,16 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

# Must restore the github-hosted build (-github-v1), the same artifacts
# the publish job uploads to the GitHub Release. The Bun-compiled binaries
# are not byte-for-byte reproducible across the blacksmith and github
# builds, so the blacksmith dist/checksums.txt does not match the released
# Must download the github-hosted build (-github), the same artifacts the
# publish job uploads to the GitHub Release. The Bun-compiled binaries are
# not byte-for-byte reproducible across the blacksmith and github builds,
# so the blacksmith dist/checksums.txt does not match the released
# tarballs. Reading it here produced a formula whose sha256 rejected the
# downloaded archive ("Formula reports different checksum").
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
- name: Download build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github

- name: Generate Homebrew tap token
id: app-token
Expand Down Expand Up @@ -513,8 +498,6 @@ jobs:
publish-scoop:
needs: publish
if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }}
# github-hosted to share a cache store with build-github/publish, whose
# -github-v1 artifacts this job's checksums must match.
runs-on: ubuntu-latest
timeout-minutes: 30
env:
Expand All @@ -531,21 +514,16 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

# Must restore the github-hosted build (-github-v1), the same artifacts
# the publish job uploads to the GitHub Release. The Bun-compiled binaries
# are not byte-for-byte reproducible across the blacksmith and github
# builds, so the blacksmith dist/checksums.txt does not match the released
# Must download the github-hosted build (-github), the same artifacts the
# publish job uploads to the GitHub Release. The Bun-compiled binaries are
# not byte-for-byte reproducible across the blacksmith and github builds,
# so the blacksmith dist/checksums.txt does not match the released
# tarballs. Reading it here would produce a manifest whose hash rejects the
# downloaded archive.
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
- name: Download build artifacts
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github

- name: Generate Scoop bucket token
id: app-token
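Review bot: The new `Fix binary permissions` step at L278-279 swallows exactly the failure its own comment says must not reach publish: `chmod +x packages/cli-*/bin/supabase || true` succeeds even when the glob matches nothing (files extracted to an unexpected layout, or a renamed package), and publish.ts then ships non-executable binaries. With `fail-on-cache-miss` gone, `download-artifact` already fails the job when the artifact is absent, so the tolerance is no longer needed; `run: chmod +x packages/cli-*/bin/supabase` (no `|| true`) turns a missing or misplaced binary into a failure at this step instead of a broken npm package. The pre-existing identical step in the `@@ -245,15 +240,10 @@` hunk (L255-256) has the same weakness. The `@@ -109,15 +109,10 @@` hunk replaces the restore in what the following comment suggests is a Docker build job; if that job copies `packages/cli-*/bin/` into an image it needs the same permission fix, which I cannot confirm from the visible lines.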