refactor: replace Bun.build with fossilize for Node SEA binaries

- Replace Bun.build({ compile: true }) with fossilize --no-bundle
- Switch esbuild output from ESM to CJS (Node SEA requirement)
- Add import-meta-url.js shim for CJS format
- Target node22 to downlevel 'using' declarations
- Embed Ink sidecar via fossilize --assets + node:sea.getAsset()
- Update text-import-plugin: file imports return path string (no ESM external)
- Drop musl targets (Node doesn't publish musl binaries)
- Remove bun:sqlite fallback from sqlite.ts (Node-only now)
- Remove setup-bun from CI, add rcodesign for macOS signing
- Remove Bun global from biome.jsonc
- Suppress SQLite ExperimentalWarning in bin.ts
- Add dist-build/ to .gitignore and biome excludes

Author: BYK

.github/workflows/ci.yml

@@ -75,21 +75,18 @@ jobs:
           {
             echo 'matrix<<MATRIX_EOF'
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              # PRs build linux-x64 (smoke test + e2e) and linux-x64-musl (Alpine smoke test)
+              # PRs build linux-x64 (smoke test + e2e)
               echo '{"include":[
-                {"target":"linux-x64",      "os":"ubuntu-latest", "can-test":true},
-                {"target":"linux-x64-musl", "os":"ubuntu-latest", "can-test":false}
+                {"target":"linux-x64", "os":"ubuntu-latest", "can-test":true}
               ]}'
             else
               # main, release/**, workflow_call: full cross-platform matrix
               echo '{"include":[
-                {"target":"darwin-arm64",      "os":"macos-latest",  "can-test":true},
-                {"target":"linux-x64",         "os":"ubuntu-latest", "can-test":true},
-                {"target":"linux-x64-musl",    "os":"ubuntu-latest", "can-test":false},
-                {"target":"windows-x64",       "os":"windows-latest","can-test":true},
-                {"target":"darwin-x64",        "os":"macos-latest",  "can-test":false},
-                {"target":"linux-arm64",       "os":"ubuntu-latest", "can-test":false},
-                {"target":"linux-arm64-musl",  "os":"ubuntu-latest", "can-test":false}
+                {"target":"darwin-arm64",  "os":"macos-latest",  "can-test":true},
+                {"target":"linux-x64",     "os":"ubuntu-latest", "can-test":true},
+                {"target":"windows-x64",   "os":"windows-latest","can-test":true},
+                {"target":"darwin-x64",    "os":"macos-latest",  "can-test":false},
+                {"target":"linux-arm64",   "os":"ubuntu-latest", "can-test":false}
               ]}'
             fi
             echo 'MATRIX_EOF'
@@ -246,9 +243,6 @@ jobs:
       matrix: ${{ fromJSON(needs.changes.outputs.build-targets) }}
     steps:
       - uses: actions/checkout@v6
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: "1.3.13"
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
@@ -262,6 +256,28 @@ jobs:
         if: steps.cache.outputs.cache-hit != 'true'
         shell: bash
         run: pnpm install --frozen-lockfile
+      - name: Setup codesign dependencies
+        env:
+          APPLE_CERT_DATA: ${{ secrets.CSC_LINK }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+        run: |
+          curl -L 'https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.29.0/apple-codesign-0.29.0-x86_64-unknown-linux-musl.tar.gz' -o 'rcodesign.tar.gz'
+          echo 'dbe85cedd8ee4217b64e9a0e4c2aef92ab8bcaaa41f20bde99781ff02e600002 rcodesign.tar.gz' | sha256sum -c
+          tar -xzf rcodesign.tar.gz --strip-components=1
+          mv rcodesign /usr/local/bin/rcodesign
+          rm rcodesign.tar.gz
+          if [ -n "$APPLE_CERT_DATA" ]; then
+            echo "$APPLE_CERT_DATA" | base64 --decode > /tmp/certs.p12
+            echo 'APPLE_CERT_PATH=/tmp/certs.p12' >> $GITHUB_ENV
+          fi
+          if [ -n "$APPLE_API_KEY" ]; then
+            echo "$APPLE_API_KEY" | base64 -d > /tmp/apple_key.json
+            cat /tmp/apple_key.json | jq .private_key -r > /tmp/apple_key.pem
+            echo "APPLE_API_KEY_ISSUER_ID=$(cat /tmp/apple_key.json | jq .issuer_id -r | tr -d '\n\r')" >> $GITHUB_ENV
+            echo "APPLE_API_KEY_ID=$(cat /tmp/apple_key.json | jq .key_id -r | tr -d '\n\r')" >> $GITHUB_ENV
+            echo "APPLE_API_KEY_P8_PATH=/tmp/apple_key.pem" >> $GITHUB_ENV
+            echo 'APPLE_API_KEY_PATH=/tmp/apple_key.json' >> $GITHUB_ENV
+          fi
       - name: Set nightly version
         # Inject the nightly version (computed once in the changes job) into
         # package.json before the build so it gets baked into the binary.
@@ -278,7 +294,11 @@ jobs:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           # Set on main/release branches so build.ts runs binpunch + creates .gz
           RELEASE_BUILD: ${{ github.event_name != 'pull_request' && '1' || '' }}
-        run: bun run build --target ${{ matrix.target }}
+          # Codesigning: only on main/release pushes (fork PRs lack secrets)
+          FOSSILIZE_SIGN: ${{ github.event_name == 'push' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) && 'y' || 'n' }}
+          APPLE_CERT_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          APPLE_TEAM_ID: ${{ vars.APPLE_TEAM_ID }}
+        run: pnpm run build -- --target ${{ matrix.target }}
       - name: Smoke test
         if: matrix.can-test
         shell: bash
@@ -288,11 +308,6 @@ jobs:
           else
             ./dist-bin/sentry-${{ matrix.target }} --help
           fi
-      - name: Smoke test (musl/Alpine)
-        if: matrix.target == 'linux-x64-musl'
-        run: |
-          docker run --rm -v "$PWD/dist-bin:/dist-bin:ro" alpine:latest \
-            sh -c "apk add --no-cache libstdc++ libgcc >/dev/null 2>&1 && /dist-bin/sentry-linux-x64-musl --help"
       - name: Upload binary artifact
         uses: actions/upload-artifact@v7
         with:

.gitignore

@@ -6,6 +6,7 @@ package-lock.json
 out
 dist
 dist-bin
+dist-build
 *.tgz
 
 # fossilize build cache

biome.jsonc

@@ -13,11 +13,14 @@
     // custom-ca.ts excluded: Biome's type analysis hits the 200k type limit
     // on the node:tls module graph — an internal Biome bug that surfaces
     // non-deterministically as error vs warning. See biome issue tracker.
-    "includes": ["!docs", "!test/init-eval/templates", "!!src/lib/custom-ca.ts"]
-  },
-  "javascript": {
-    "globals": ["Bun"]
+    "includes": [
+      "!docs",
+      "!test/init-eval/templates",
+      "!dist-build",
+      "!!src/lib/custom-ca.ts"
+    ]
   },
+  "javascript": {},
   "linter": {
     "rules": {
       "style": {

package.json

@@ -32,6 +32,7 @@
     "consola": "^3.4.2",
     "esbuild": "^0.25.0",
     "fast-check": "^4.5.3",
+    "fossilize": "^0.5.0",
     "hono": "^4.12.15",
     "http-cache-semantics": "^4.2.0",
     "ignore": "^7.0.5",
@@ -92,8 +93,8 @@
     "tsx": "tsx --import ./script/require-shim.mjs",
     "cli": "pnpm tsx src/bin.ts",
     "dev": "pnpm run generate:schema && pnpm run generate:docs && pnpm run generate:sdk && pnpm tsx src/bin.ts",
-    "build": "pnpm run generate:schema && pnpm run generate:docs && pnpm run generate:sdk && bun run script/build.ts --single",
-    "build:all": "pnpm run generate:schema && pnpm run generate:docs && pnpm run generate:sdk && bun run script/build.ts",
+    "build": "pnpm run generate:schema && pnpm run generate:docs && pnpm run generate:sdk && pnpm tsx script/build.ts --single",
+    "build:all": "pnpm run generate:schema && pnpm run generate:docs && pnpm run generate:sdk && pnpm tsx script/build.ts",
     "bundle": "pnpm run generate:schema && pnpm run generate:docs && pnpm run generate:sdk && pnpm tsx script/bundle.ts",
     "typecheck": "pnpm run generate:docs && pnpm run generate:sdk && tsc --noEmit",
     "lint": "biome check --no-errors-on-unmatched --max-diagnostics=none ./",