refactor: replace Bun.build with fossilize for Node SEA binaries

- Replace Bun.build({ compile: true }) with fossilize --no-bundle
- Switch esbuild output from ESM to CJS (Node SEA requirement)
- Add import-meta-url.js shim for CJS format
- Target node22 to downlevel 'using' declarations
- Embed Ink sidecar via fossilize --assets + node:sea.getAsset()
- Update text-import-plugin: file imports return path string (no ESM external)
- Drop musl targets (Node doesn't publish musl binaries)
- Remove bun:sqlite fallback from sqlite.ts (Node-only now)
- Remove setup-bun from CI, add rcodesign for macOS signing
- Remove Bun global from biome.jsonc
- Suppress SQLite ExperimentalWarning in bin.ts
- Add dist-build/ to .gitignore and biome excludes

Author: BYK

.github/workflows/ci.yml

@@ -75,21 +75,19 @@ jobs:
           {
             echo 'matrix<<MATRIX_EOF'
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              # PRs build linux-x64 (smoke test + e2e) and linux-x64-musl (Alpine smoke test)
+              # PRs build linux-x64 (smoke test + e2e)
               echo '{"include":[
-                {"target":"linux-x64",      "os":"ubuntu-latest", "can-test":true},
-                {"target":"linux-x64-musl", "os":"ubuntu-latest", "can-test":false}
+                {"target":"linux-x64", "os":"ubuntu-latest", "can-test":true}
               ]}'
             else
-              # main, release/**, workflow_call: full cross-platform matrix
+              # main, release/**, workflow_call: full cross-platform matrix.
+              # All targets cross-compiled from ubuntu-latest via fossilize.
               echo '{"include":[
-                {"target":"darwin-arm64",      "os":"macos-latest",  "can-test":true},
-                {"target":"linux-x64",         "os":"ubuntu-latest", "can-test":true},
-                {"target":"linux-x64-musl",    "os":"ubuntu-latest", "can-test":false},
-                {"target":"windows-x64",       "os":"windows-latest","can-test":true},
-                {"target":"darwin-x64",        "os":"macos-latest",  "can-test":false},
-                {"target":"linux-arm64",       "os":"ubuntu-latest", "can-test":false},
-                {"target":"linux-arm64-musl",  "os":"ubuntu-latest", "can-test":false}
+                {"target":"darwin-arm64",  "os":"ubuntu-latest", "can-test":false},
+                {"target":"linux-x64",     "os":"ubuntu-latest", "can-test":true},
+                {"target":"windows-x64",   "os":"ubuntu-latest", "can-test":false},
+                {"target":"darwin-x64",    "os":"ubuntu-latest", "can-test":false},
+                {"target":"linux-arm64",   "os":"ubuntu-latest", "can-test":false}
               ]}'
             fi
             echo 'MATRIX_EOF'
@@ -246,9 +244,6 @@ jobs:
       matrix: ${{ fromJSON(needs.changes.outputs.build-targets) }}
     steps:
       - uses: actions/checkout@v6
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: "1.3.13"
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
@@ -262,6 +257,28 @@ jobs:
         if: steps.cache.outputs.cache-hit != 'true'
         shell: bash
         run: pnpm install --frozen-lockfile
+      - name: Setup codesign dependencies
+        env:
+          APPLE_CERT_DATA: ${{ secrets.CSC_LINK }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+        run: |
+          curl -L 'https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.29.0/apple-codesign-0.29.0-x86_64-unknown-linux-musl.tar.gz' -o 'rcodesign.tar.gz'
+          echo 'dbe85cedd8ee4217b64e9a0e4c2aef92ab8bcaaa41f20bde99781ff02e600002 rcodesign.tar.gz' | sha256sum -c
+          tar -xzf rcodesign.tar.gz --strip-components=1
+          mv rcodesign /usr/local/bin/rcodesign
+          rm rcodesign.tar.gz
+          if [ -n "$APPLE_CERT_DATA" ]; then
+            echo "$APPLE_CERT_DATA" | base64 --decode > /tmp/certs.p12
+            echo 'APPLE_CERT_PATH=/tmp/certs.p12' >> $GITHUB_ENV
+          fi
+          if [ -n "$APPLE_API_KEY" ]; then
+            echo "$APPLE_API_KEY" | base64 -d > /tmp/apple_key.json
+            cat /tmp/apple_key.json | jq .private_key -r > /tmp/apple_key.pem
+            echo "APPLE_API_KEY_ISSUER_ID=$(cat /tmp/apple_key.json | jq .issuer_id -r | tr -d '\n\r')" >> $GITHUB_ENV
+            echo "APPLE_API_KEY_ID=$(cat /tmp/apple_key.json | jq .key_id -r | tr -d '\n\r')" >> $GITHUB_ENV
+            echo "APPLE_API_KEY_P8_PATH=/tmp/apple_key.pem" >> $GITHUB_ENV
+            echo 'APPLE_API_KEY_PATH=/tmp/apple_key.json' >> $GITHUB_ENV
+          fi
       - name: Set nightly version
         # Inject the nightly version (computed once in the changes job) into
         # package.json before the build so it gets baked into the binary.
@@ -278,7 +295,11 @@ jobs:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           # Set on main/release branches so build.ts runs binpunch + creates .gz
           RELEASE_BUILD: ${{ github.event_name != 'pull_request' && '1' || '' }}
-        run: bun run build --target ${{ matrix.target }}
+          # Codesigning: only on main/release pushes (fork PRs lack secrets)
+          FOSSILIZE_SIGN: ${{ github.event_name == 'push' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) && 'y' || 'n' }}
+          APPLE_CERT_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          APPLE_TEAM_ID: ${{ vars.APPLE_TEAM_ID }}
+        run: pnpm run build -- --target ${{ matrix.target }}
       - name: Smoke test
         if: matrix.can-test
         shell: bash
@@ -288,11 +309,6 @@ jobs:
           else
             ./dist-bin/sentry-${{ matrix.target }} --help
           fi
-      - name: Smoke test (musl/Alpine)
-        if: matrix.target == 'linux-x64-musl'
-        run: |
-          docker run --rm -v "$PWD/dist-bin:/dist-bin:ro" alpine:latest \
-            sh -c "apk add --no-cache libstdc++ libgcc >/dev/null 2>&1 && /dist-bin/sentry-linux-x64-musl --help"
       - name: Upload binary artifact
         uses: actions/upload-artifact@v7
         with:

.github/workflows/docs-preview.yml

@@ -33,9 +33,6 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: "1.3.13"
       - uses: pnpm/action-setup@v4
 
       # Astro 6 requires Node >= 22.12. Pin an explicit version so the docs
@@ -58,7 +55,7 @@ jobs:
         run: echo "version=$(node -p 'require("./package.json").version')" >> "$GITHUB_OUTPUT"
 
       - name: Generate docs content
-        run: bun run generate:schema && bun run generate:docs
+        run: pnpm run generate:schema && pnpm run generate:docs
 
       - name: Build Docs for Preview
         working-directory: docs
@@ -70,8 +67,8 @@ jobs:
           SENTRY_RELEASE: ${{ steps.version.outputs.version }}
           PUBLIC_SENTRY_RELEASE: ${{ steps.version.outputs.version }}
         run: |
-          bun install --frozen-lockfile
-          bun run build
+          pnpm install --frozen-lockfile
+          pnpm run build
 
       - name: Inject debug IDs and upload sourcemaps
         if: env.SENTRY_AUTH_TOKEN != ''
@@ -80,8 +77,8 @@ jobs:
           SENTRY_ORG: sentry
           SENTRY_PROJECT: cli-website
         run: |
-          bun run --bun src/bin.ts sourcemap inject docs/dist/
-          bun run --bun src/bin.ts sourcemap upload docs/dist/ \
+          pnpm run cli sourcemap inject docs/dist/
+          pnpm run cli sourcemap upload docs/dist/ \
             --release "${{ steps.version.outputs.version }}" \
             --url-prefix "~/"
 

.github/workflows/eval-skill-fork.yml

@@ -36,9 +36,6 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: "1.3.13"
       - uses: pnpm/action-setup@v4
 
       - uses: actions/cache@v5
@@ -50,11 +47,11 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       - name: Generate docs and skill files
-        run: bun run generate:schema && bun run generate:docs
+        run: pnpm run generate:schema && pnpm run generate:docs
 
       - name: Eval SKILL.md
         id: eval
-        run: bun run eval:skill
+        run: pnpm run eval:skill
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
         continue-on-error: true

.gitignore

@@ -6,6 +6,7 @@ package-lock.json
 out
 dist
 dist-bin
+dist-build
 *.tgz
 
 # fossilize build cache