forked from supabase/cli
-
Notifications
You must be signed in to change notification settings - Fork 0
641 lines (591 loc) · 26.6 KB
/
Copy pathrelease-shared.yml
File metadata and controls
641 lines (591 loc) · 26.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
name: Release Shared
on:
workflow_call:
inputs:
version:
description: npm package version to publish
required: true
type: string
shell:
description: CLI shell to package as the shipped supabase binary
required: true
type: string
npm_tag:
description: npm dist-tag to publish under
required: true
type: string
channel:
description: semantic-release channel name (alpha | beta | stable)
required: true
type: string
prerelease:
description: Whether the GitHub release should be marked as a prerelease
required: true
type: boolean
dry_run:
description: Dry run (skip actual publishing)
required: true
type: boolean
publish_brew_scoop:
description: Whether to update the Homebrew tap and Scoop bucket
required: false
type: boolean
default: false
brew_name:
description: Homebrew formula name (e.g. supabase or supabase-beta)
required: false
type: string
default: supabase
scoop_name:
description: Scoop manifest name (e.g. supabase or supabase-beta)
required: false
type: string
default: supabase
secrets:
SENTRY_DSN:
required: false
POSTHOG_API_KEY:
required: false
POSTHOG_ENDPOINT:
required: false
GH_APP_PRIVATE_KEY:
required: false
ANTHROPIC_API_KEY:
required: false
DF_FIREWALL_TOKEN:
required: false
LINEAR_CLI_STABLE_RELEASE_ACCESS_KEY:
required: false
LINEAR_CLI_BETA_RELEASE_ACCESS_KEY:
required: false
jobs:
build-blacksmith:
name: Build CLI artifacts (Blacksmith)
uses: ./.github/workflows/build-cli-artifacts.yml
with:
version: ${{ inputs.version }}
shell: ${{ inputs.shell }}
secrets:
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
DF_FIREWALL_TOKEN: ${{ secrets.DF_FIREWALL_TOKEN }}
build-github:
name: Build CLI artifacts (GitHub hosted)
uses: ./.github/workflows/build-cli-artifacts.yml
with:
version: ${{ inputs.version }}
shell: ${{ inputs.shell }}
runner: large-linux-x86
cache_key_suffix: -github
timeout_minutes: 45
build_timeout_minutes: 20
secrets:
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
DF_FIREWALL_TOKEN: ${{ secrets.DF_FIREWALL_TOKEN }}
smoke-test:
needs:
- build-blacksmith
strategy:
fail-fast: false
matrix:
runner:
- blacksmith-8vcpu-ubuntu-2404
- blacksmith-8vcpu-windows-2025
runs-on: ${{ matrix.runner }}
timeout-minutes: 30
env:
NPM_TAG: ${{ inputs.npm_tag }}
VERSION: ${{ inputs.version }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
# Docker's classic image store keeps a single platform manifest per
# tag, so pulling `alpine:3.21` for amd64 and again for arm64 leaves
# only the most recent one in the local store — and `docker save`
# captures only that one. Enabling the containerd snapshotter lets
# the store hold multi-platform manifests under a single tag, which
# is what makes the cache step below work for both arches.
- name: Enable containerd image store
if: runner.os == 'Linux'
run: |
set -euo pipefail
echo '{"features":{"containerd-snapshotter":true}}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
docker info --format '{{.DriverStatus}}'
# The host's binfmt_misc must be mounted BEFORE installing QEMU. On cold
# Blacksmith VMs it is not mounted by default; the privileged
# tonistiigi/binfmt installer that setup-qemu-action runs then registers
# the qemu interpreters inside its own mount namespace — it prints
# "installing: arm64 OK" but the handlers vanish when the container exits,
# so the host kernel never gains arm64 emulation and every
# `docker run --platform linux/arm64` dies with "exec format error".
# Warm/reused VMs already had it mounted, which is why this only failed
# intermittently (on cache-miss, i.e. cold-VM, runs). Mount it on the host
# after the docker restart so the registration lands in the host kernel
# and persists through to the smoke tests.
- name: Ensure binfmt_misc is mounted on the host
if: runner.os == 'Linux'
run: |
set -euo pipefail
if ! mountpoint -q /proc/sys/fs/binfmt_misc; then
sudo modprobe binfmt_misc || true
sudo mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
fi
mountpoint /proc/sys/fs/binfmt_misc
- name: Setup QEMU for cross-platform Docker
if: runner.os == 'Linux'
uses: docker/setup-qemu-action@96fe6ef7f33517b61c61be40b68a1882f3264fb8 # v4.2.0
- name: Verify linux/arm64 emulation is registered
if: runner.os == 'Linux'
run: |
set -euo pipefail
# Fail fast with a clear message instead of opaque "exec format error"
# lines in the smoke tests if the qemu-aarch64 handler did not land in
# the host kernel. Reads binfmt_misc directly — no image pull, no network.
grep -q enabled /proc/sys/fs/binfmt_misc/qemu-aarch64
# Cache the smoke-test base images across runs. Without this, eight
# parallel `docker run` calls in smoke-test-linux.ts race on first-time
# pulls and surface as docker exit 125 ("daemon could not start the
# container") on a subset of jobs. Bump the `-v<N>` suffix to invalidate
# the cache when the image list or tags change.
- name: Cache smoke-test docker images
if: runner.os == 'Linux'
id: smoke-docker-cache
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/.cache/smoke-docker-images.tar
key: smoke-docker-images-debian-bookworm-slim-amazonlinux-2023-alpine-3.21-v1
- name: Load cached smoke-test docker images
if: runner.os == 'Linux' && steps.smoke-docker-cache.outputs.cache-hit == 'true'
run: docker load -i ~/.cache/smoke-docker-images.tar
- name: Pull and save smoke-test docker images
if: runner.os == 'Linux' && steps.smoke-docker-cache.outputs.cache-hit != 'true'
run: |
set -euo pipefail
mkdir -p "$HOME/.cache"
images=("debian:bookworm-slim" "amazonlinux:2023" "alpine:3.21")
for image in "${images[@]}"; do
for platform in linux/amd64 linux/arm64; do
echo "::group::Pulling $platform $image"
attempt=0
until docker pull --platform "$platform" "$image"; do
attempt=$((attempt + 1))
if [ "$attempt" -ge 3 ]; then
echo "Failed to pull $platform $image after $attempt attempts" >&2
exit 1
fi
sleep $((attempt * 5))
done
echo "::endgroup::"
done
done
docker save "${images[@]}" -o "$HOME/.cache/smoke-docker-images.tar"
- name: Install Scoop
if: runner.os == 'Windows'
shell: pwsh
run: |
iex "& {$(irm get.scoop.sh)} -RunAsAdmin"
Join-Path (Resolve-Path ~).Path "scoop\shims" >> $env:GITHUB_PATH
- name: Fix binary permissions
if: runner.os != 'Windows'
run: chmod +x packages/cli-*/bin/supabase || true
- name: Run smoke tests
# Force bash so ${VERSION}/${NPM_TAG} expand identically across the
# ubuntu/macos/windows matrix — windows-latest defaults to pwsh, which
# treats those as empty PowerShell variables (env vars are `$env:VAR`).
shell: bash
run: pnpm run test:smoke -- --version "${VERSION}" --tag "${NPM_TAG}"
working-directory: apps/cli
smoke-test-macos:
needs:
- build-github
runs-on: macos-latest
timeout-minutes: 25
env:
NPM_TAG: ${{ inputs.npm_tag }}
VERSION: ${{ inputs.version }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
- name: Fix binary permissions
run: chmod +x packages/cli-*/bin/supabase || true
- name: Run smoke tests
shell: bash
run: pnpm run test:smoke -- --version "${VERSION}" --tag "${NPM_TAG}"
working-directory: apps/cli
publish:
needs:
- build-github
- smoke-test
- smoke-test-macos
if: ${{ !inputs.dry_run }}
# npm provenance verification rejects non-GitHub-hosted runners with
# E422 ("Unsupported GitHub Actions runner environment: self-hosted").
# Blacksmith runners count as self-hosted from sigstore's POV, so the
# publish job must stay on a github-hosted runner. The job is short
# and not compute-bound, so the wall-clock cost is negligible.
runs-on: ubuntu-latest
timeout-minutes: 45
env:
CHANNEL: ${{ inputs.channel }}
NPM_TAG: ${{ inputs.npm_tag }}
VERSION: ${{ inputs.version }}
LINEAR_CLI_STABLE_RELEASE_ACCESS_KEY: ${{ secrets.LINEAR_CLI_STABLE_RELEASE_ACCESS_KEY }}
LINEAR_CLI_BETA_RELEASE_ACCESS_KEY: ${{ secrets.LINEAR_CLI_BETA_RELEASE_ACCESS_KEY }}
permissions:
contents: write
id-token: write
steps:
- name: Generate release repository token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ vars.GH_APP_CLIENT_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
permission-contents: write
permission-workflows: write
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: true
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Setup
uses: ./.github/actions/setup
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
- name: Sync versions
run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"
- name: Publish to npm
run: pnpm exec bun apps/cli/scripts/publish.ts --tag "${NPM_TAG}"
- name: Configure git for release pushes
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
# Push the version tag to origin as soon as npm has the bytes, before any
# downstream step that can fail. Without this, a failure in the GH-release
# step (or anything after) leaves origin with no tag for the version that
# is now live on npm — and `semantic-release --dry-run` on the next push
# will keep recomputing the same version, causing the publish job to no-op
# against stale bytes. Idempotent: skips push if the tag is already on
# origin (e.g. a re-run of a job that previously got past this step).
- name: Push version tag
run: |
set -euo pipefail
tag="v${VERSION}"
if git ls-remote --tags origin "refs/tags/${tag}" | grep -q .; then
echo "Tag ${tag} already on origin; skipping push."
else
git tag -a "${tag}" -m "Release ${tag}"
git push origin "${tag}"
fi
# semantic-release matches tags against branch.channel using git-notes
# under refs/notes/semantic-release-<tag>. Without this note, the develop
# plan job recomputes the same prerelease version every push (see
# docs/ci-beta-tags-investigation.md). Stable releases on main don't
# need this — main's branch config has no explicit channel.
#
# The note must be attached to the underlying commit, not the annotated
# tag object created by "Push version tag" above. semantic-release reads
# notes via `git log --no-walk --tags=* --notes=...`, which looks for
# notes on commits; a note on the tag object is invisible to it and
# leaves the tag with channels:[null], so the prerelease arm of
# getLastRelease's filter rejects it and the plan falls back to the
# last stable. Hence the `${tag}^{commit}` deref.
- name: Push channel note for prerelease tags
if: ${{ inputs.prerelease }}
run: |
set -euo pipefail
tag="v${VERSION}"
channel="${CHANNEL}"
note_ref="refs/notes/semantic-release-${tag}"
if git ls-remote origin "${note_ref}" | grep -q .; then
echo "Channel note ${note_ref} already on origin; skipping push."
else
git notes --ref="${note_ref}" add -f -m "{\"channels\":[\"${channel}\"]}" "${tag}^{commit}"
git push origin "${note_ref}"
fi
# goreleaser used to publish both supabase_<version>_<os>_<arch>.tar.gz and
# supabase_<os>_<arch>.tar.gz; setup-cli, install scripts, docs and various
# third-party tools point at releases/latest/download/<unversioned>.tar.gz.
# Re-publish the alias so those callers keep working. See supabase/cli#5257.
- name: Create unversioned tarball aliases
run: |
set -euo pipefail
for triple in darwin_arm64 darwin_amd64 linux_arm64 linux_amd64 windows_arm64 windows_amd64; do
cp "dist/supabase_${VERSION}_${triple}.tar.gz" "dist/supabase_${triple}.tar.gz"
done
- name: Create draft GitHub Release
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
with:
tag_name: v${{ inputs.version }}
name: v${{ inputs.version }}
draft: true
prerelease: ${{ inputs.prerelease }}
files: |
dist/supabase_${{ inputs.version }}_darwin_arm64.tar.gz
dist/supabase_${{ inputs.version }}_darwin_amd64.tar.gz
dist/supabase_${{ inputs.version }}_linux_arm64.tar.gz
dist/supabase_${{ inputs.version }}_linux_amd64.tar.gz
dist/supabase_${{ inputs.version }}_linux_arm64.deb
dist/supabase_${{ inputs.version }}_linux_amd64.deb
dist/supabase_${{ inputs.version }}_linux_arm64.rpm
dist/supabase_${{ inputs.version }}_linux_amd64.rpm
dist/supabase_${{ inputs.version }}_linux_arm64.apk
dist/supabase_${{ inputs.version }}_linux_amd64.apk
dist/supabase_${{ inputs.version }}_windows_amd64.zip
dist/supabase_${{ inputs.version }}_windows_arm64.zip
dist/supabase_${{ inputs.version }}_windows_amd64.tar.gz
dist/supabase_${{ inputs.version }}_windows_arm64.tar.gz
dist/checksums.txt
dist/supabase_darwin_arm64.tar.gz
dist/supabase_darwin_amd64.tar.gz
dist/supabase_linux_arm64.tar.gz
dist/supabase_linux_amd64.tar.gz
dist/supabase_windows_arm64.tar.gz
dist/supabase_windows_amd64.tar.gz
install
- name: Publish GitHub Release (immutable)
env:
GH_TOKEN: ${{ github.token }}
run: gh release edit "v${VERSION}" --draft=false
- name: Sync stable release to Linear
if: ${{ inputs.channel == 'stable' && env.LINEAR_CLI_STABLE_RELEASE_ACCESS_KEY != '' }}
uses: linear/linear-release-action@c0cb8354a362c24c6d3e0948f37fd66d07588e3f # v0
with:
access_key: ${{ env.LINEAR_CLI_STABLE_RELEASE_ACCESS_KEY }}
version: v${{ inputs.version }}
name: Supabase CLI v${{ inputs.version }}
links: |
GitHub Release=https://github.com/${{ github.repository }}/releases/tag/v${{ inputs.version }}
Release workflow=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
- name: Sync beta release to Linear
if: ${{ inputs.channel == 'beta' && env.LINEAR_CLI_BETA_RELEASE_ACCESS_KEY != '' }}
uses: linear/linear-release-action@c0cb8354a362c24c6d3e0948f37fd66d07588e3f # v0
with:
access_key: ${{ env.LINEAR_CLI_BETA_RELEASE_ACCESS_KEY }}
version: v${{ inputs.version }}
name: Supabase CLI v${{ inputs.version }}
links: |
GitHub Release=https://github.com/${{ github.repository }}/releases/tag/v${{ inputs.version }}
Release workflow=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
# Changelog backfill only needs tag + published GH release (from publish).
# Runs in parallel with brew/scoop/smoke; must not gate distribution.
backfill-release-notes:
uses: ./.github/workflows/backfill-release-notes.yml
needs: publish
if: ${{ !inputs.dry_run && needs.publish.result == 'success' }}
with:
tag: v${{ inputs.version }}
apply: true
non_blocking: true
secrets:
DF_FIREWALL_TOKEN: ${{ secrets.DF_FIREWALL_TOKEN }}
# Once the raw semantic-release block is in the release body, ask Claude to
# rewrite it into user-centric notes and open a PR for human approval. Stable
# releases only on this path — prereleases keep the raw body. Non-blocking so
# an LLM hiccup never gates a published release; reviewers can propose beta/
# alpha notes manually from the Actions tab (workflow_dispatch).
propose-release-notes:
uses: ./.github/workflows/propose-release-notes.yml
needs: backfill-release-notes
if: ${{ !inputs.dry_run && !inputs.prerelease && needs.backfill-release-notes.result == 'success' }}
with:
tag: v${{ inputs.version }}
non_blocking: true
secrets:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
DF_FIREWALL_TOKEN: ${{ secrets.DF_FIREWALL_TOKEN }}
publish-homebrew:
needs: publish
if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }}
# github-hosted to share a cache store with build-github/publish, whose
# -github-v1 artifacts this job's checksums must match.
runs-on: ubuntu-latest
timeout-minutes: 30
env:
BREW_NAME: ${{ inputs.brew_name }}
VERSION: ${{ inputs.version }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
# Must restore the github-hosted build (-github-v1), the same artifacts
# the publish job uploads to the GitHub Release. The Bun-compiled binaries
# are not byte-for-byte reproducible across the blacksmith and github
# builds, so the blacksmith dist/checksums.txt does not match the released
# tarballs. Reading it here produced a formula whose sha256 rejected the
# downloaded archive ("Formula reports different checksum").
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
- name: Generate Homebrew tap token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ vars.GH_APP_CLIENT_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: |
homebrew-tap
permission-contents: write
- name: Configure git for tap push
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
gh auth setup-git
git config --global user.name "github-actions[bot]"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Update Homebrew formula
run: pnpm exec bun apps/cli/scripts/update-homebrew.ts --version "${VERSION}" --name "${BREW_NAME}"
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
publish-scoop:
needs: publish
if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }}
# github-hosted to share a cache store with build-github/publish, whose
# -github-v1 artifacts this job's checksums must match.
runs-on: ubuntu-latest
timeout-minutes: 30
env:
SCOOP_NAME: ${{ inputs.scoop_name }}
VERSION: ${{ inputs.version }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup
uses: ./.github/actions/setup
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
# Must restore the github-hosted build (-github-v1), the same artifacts
# the publish job uploads to the GitHub Release. The Bun-compiled binaries
# are not byte-for-byte reproducible across the blacksmith and github
# builds, so the blacksmith dist/checksums.txt does not match the released
# tarballs. Reading it here would produce a manifest whose hash rejects the
# downloaded archive.
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true
- name: Generate Scoop bucket token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
client-id: ${{ vars.GH_APP_CLIENT_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: |
scoop-bucket
permission-contents: write
- name: Configure git for bucket push
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
gh auth setup-git
git config --global user.name "github-actions[bot]"
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- name: Update Scoop manifest
run: pnpm exec bun apps/cli/scripts/update-scoop.ts --version "${VERSION}" --name "${SCOOP_NAME}"
env:
GH_TOKEN: ${{ steps.app-token.outputs.token }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
# Post-publish smoke test for the `supabase/setup-cli` GitHub Action against
# the just-released CLI. Runs last and intentionally does not gate
# publish-homebrew / publish-scoop — by the time the smoke runs, the npm
# package and GitHub release are already live and the brew/scoop pushes
# have either succeeded or skipped, so a setup-cli regression surfaces as
# a red post-release signal without holding back the rest of the channel.
#
# Depends on the publish jobs only via `needs` for ordering; the `if`
# uses `always() && needs.publish.result == 'success'` so the smoke still
# runs when publish-homebrew / publish-scoop are skipped (alpha) or fail.
# The reusable workflow can also be dispatched manually against any
# already-published version when debugging setup-cli regressions.
setup-cli-smoke:
needs: [publish, publish-homebrew, publish-scoop]
if: ${{ always() && !inputs.dry_run && needs.publish.result == 'success' }}
uses: ./.github/workflows/setup-cli-smoke-test.yml
with:
version: ${{ inputs.version }}
# Post-publish end-to-end check that the Homebrew tap, Scoop bucket, and the
# curl|bash install script actually install the just-released CLI. brew/scoop
# verify the published checksum against the downloaded tarball, so this is the
# signal that would have caught CLI v2.107.0 (mismatched brew/scoop sha256s).
#
# Only runs when brew/scoop were published (beta/stable) and both pushes
# succeeded — alpha publishes neither channel and is covered by the GitHub
# Release download path in setup-cli-smoke. Like setup-cli-smoke, it runs last
# and does not gate the rest of the channel: by the time it runs the manifests
# are already live, so a failure surfaces as a red post-release signal.
verify-install-channels:
needs: [publish, publish-homebrew, publish-scoop]
if: ${{ always() && !inputs.dry_run && inputs.publish_brew_scoop && needs.publish-homebrew.result == 'success' && needs.publish-scoop.result == 'success' }}
uses: ./.github/workflows/verify-install-channels.yml
with:
version: ${{ inputs.version }}
brew_name: ${{ inputs.brew_name }}
scoop_name: ${{ inputs.scoop_name }}