From 7b3a48271bc9350fe700dc50f6f3e15043f1915c Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 30 Jun 2026 16:15:26 +0000 Subject: [PATCH] ci(release): hand build artifacts between jobs via upload-artifact MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The publish job (and smoke/brew/scoop/preview consumers) pulled the compiled binaries + dist/ from a run-scoped GitHub Actions cache keyed by run_id, restored with fail-on-cache-miss. Caches share a 10 GB per-repo budget and are evicted LRU, so a large build cache can vanish mid-run between the producer and a later consumer — which is exactly what broke release v2.109.0: the cache restored fine for an early consumer, then was gone by the time publish ran, and the run_id-keyed cache could not be regenerated on re-run because the producer job was not re-executed. Replace the cache handoff with actions/upload-artifact / download-artifact. Artifacts have deterministic retention (set to 1 day for this intra-run handoff), survive job re-runs within the run, and are not subject to the cache LRU. Since artifacts drop the Unix executable bit, add a chmod +x in the publish job before it ships packages/cli-*/bin/supabase to npm (smoke and preview jobs already chmod). Rename the producer's cache_key_suffix input to artifact_name_suffix to match. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_012AkD2XxUdcrBLH58fQr7yi --- .github/workflows/build-cli-artifacts.yml | 38 +++++---- .../publish-preview-cli-packages.yml | 11 +-- .github/workflows/release-shared.yml | 84 +++++++------------ 3 files changed, 54 insertions(+), 79 deletions(-) diff --git a/.github/workflows/build-cli-artifacts.yml b/.github/workflows/build-cli-artifacts.yml index ff97ce69ec..7300d26b7a 100644 --- a/.github/workflows/build-cli-artifacts.yml +++ b/.github/workflows/build-cli-artifacts.yml 
@@ -21,8 +21,8 @@ on: required: false type: string default: blacksmith-32vcpu-ubuntu-2404 - cache_key_suffix: - description: Suffix to distinguish build artifact cache producers + artifact_name_suffix: + description: Suffix to distinguish build artifact producers (e.g. -github) required: false type: string default: "" 
@@ -124,23 +124,25 @@ jobs: ls -la dist/ - - name: Check existing build artifacts cache - id: build-artifacts-cache - uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 + # Hand the build off to the smoke/publish/brew/scoop jobs via a run-scoped + # artifact rather than a cache. Caches share a 10 GB per-repo budget and + # are evicted LRU, so a large build cache could vanish mid-run between the + # producer and a later consumer (e.g. publish), failing the restore. + # Artifacts have their own deterministic retention and survive job re-runs + # within the run, which is exactly what this handoff needs. + - name: Upload build artifacts + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: + name: cli-build-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.artifact_name_suffix }} path: | packages/cli-*/bin/ dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1 - enableCrossOsArchive: true - lookup-only: true - - - name: Save build artifacts cache - if: steps.build-artifacts-cache.outputs.cache-hit != 'true' - uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 - with: - path: | - packages/cli-*/bin/ - dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1 - enableCrossOsArchive: true + # Intra-run handoff, not a kept deliverable — expire it the next day. + retention-days: 1 + # A full re-run of this job replaces its own artifact instead of + # failing on the duplicate name from the previous attempt. + overwrite: true + # dist/* is already compressed (tar.gz/zip/deb/rpm/apk); a light level + # trims the raw bin/ binaries without burning CPU re-packing the rest. + compression-level: 1 + if-no-files-found: error 
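Review bot: The new `Upload build artifacts` step records no digest, so the consumers that later fetch `cli-build-…` by name have nothing to compare against. With `overwrite: true`, the artifact under that name can also be replaced during the run. These files are what the publish job ships to npm and the GitHub Release, so I would give the step an `id` (for example `id: upload-build`) and surface `${{ steps.upload-build.outputs.artifact-digest }}` as a job output, or at least echo it into the log, so a release can be traced back to one specific upload. The job's `outputs:` block is outside this hunk, so I cannot see whether the reusable workflow already exposes anything to its callers.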
diff --git a/.github/workflows/publish-preview-cli-packages.yml b/.github/workflows/publish-preview-cli-packages.yml index e7486fc5f7..206a1931a5 100644 --- a/.github/workflows/publish-preview-cli-packages.yml +++ b/.github/workflows/publish-preview-cli-packages.yml @@ -57,15 +57,10 @@ jobs: with: dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }} - - name: Restore preview build artifacts cache - uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 + - name: Download preview build artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: - path: | - packages/cli-*/bin/ - dist/ - key: cli-build-${{ github.run_id }}-legacy-${{ env.PREVIEW_VERSION }}-v1 - enableCrossOsArchive: true - fail-on-cache-miss: true + name: cli-build-legacy-${{ env.PREVIEW_VERSION }} - name: Prepare package files run: | diff --git a/.github/workflows/release-shared.yml b/.github/workflows/release-shared.yml index 3e917b971e..7d4301c037 100644 --- a/.github/workflows/release-shared.yml +++ b/.github/workflows/release-shared.yml @@ -75,7 +75,7 @@ jobs: version: ${{ inputs.version }} shell: ${{ inputs.shell }} runner: large-linux-x86 - cache_key_suffix: -github + artifact_name_suffix: -github timeout_minutes: 45 build_timeout_minutes: 20 secrets: 
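Review bot: In the `Download preview build artifacts` step, the name `cli-build-legacy-${{ env.PREVIEW_VERSION }}` is a hand-written copy of the producer's template `cli-build-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.artifact_name_suffix }}`, with `legacy` and an empty suffix baked in. Nothing checks that the two agree until the download fails at run time. I would add a comment above the step such as `# Name must match build-cli-artifacts.yml: shell=legacy, version=PREVIEW_VERSION, no artifact_name_suffix.` The step also relies on the default extraction directory now that `path:` is gone, which is worth stating in the same comment, because the following `Prepare package files` step presumably expects `packages/cli-*/bin/` and `dist/` at the workspace root.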
@@ -109,15 +109,10 @@ jobs: with: dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }} - - name: Restore build artifacts cache - uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 + - name: Download build artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: - path: | - packages/cli-*/bin/ - dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1 - enableCrossOsArchive: true - fail-on-cache-miss: true + name: cli-build-${{ inputs.shell }}-${{ inputs.version }} # Docker's classic image store keeps a single platform manifest per # tag, so pulling `alpine:3.21` for amd64 and again for arm64 leaves @@ -245,15 +240,10 @@ jobs: with: dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }} - - name: Restore build artifacts cache - uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 + - name: Download build artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: - path: | - packages/cli-*/bin/ - dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1 - enableCrossOsArchive: true - fail-on-cache-miss: true + name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github - name: Fix binary permissions run: chmod +x packages/cli-*/bin/supabase || true 
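Review bot: The first hunk here (the job around new line 109) shows no step that restores the executable bit after `Download build artifacts`, while the job in the second hunk keeps its `Fix binary permissions` step right after the download. The commit description says artifacts drop the Unix executable bit and that the smoke jobs already chmod, so this may be handled below the visible lines; the job body continues outside the hunk. If it is not, the job needs `- name: Fix binary permissions` with `run: chmod +x packages/cli-*/bin/supabase` before anything executes or packages the binaries.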
@@ -304,15 +294,17 @@ jobs: with: dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }} - - name: Restore build artifacts cache - uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 + - name: Download build artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: - path: | - packages/cli-*/bin/ - dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1 - enableCrossOsArchive: true - fail-on-cache-miss: true + name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github + + # Artifacts are zipped and do not carry Unix permissions, so the compiled + # binaries arrive without the executable bit. publish.ts ships + # packages/cli-*/bin/supabase to npm verbatim, so restore +x before + # publishing or the installed CLI would not be runnable. + - name: Fix binary permissions + run: chmod +x packages/cli-*/bin/supabase || true - name: Sync versions run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}" @@ -450,8 +442,6 @@ jobs: publish-homebrew: needs: publish if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }} - # github-hosted to share a cache store with build-github/publish, whose - # -github-v1 artifacts this job's checksums must match. runs-on: ubuntu-latest timeout-minutes: 30 env: 
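Review bot: The added `Fix binary permissions` step in the publish job ends in `|| true`, so it succeeds even when the glob matches nothing or chmod fails. The comment above it says a missing `+x` leaves the installed CLI unrunnable, and this is the last point where that can be caught before the packages reach npm, so the step should fail closed: `run: chmod +x packages/cli-*/bin/supabase`. The shell expands the glob only to paths that exist, so dropping `|| true` should not break packages that ship no `bin/supabase` file, as long as at least one matches. The job in the hunk at old line 245 carries the same `|| true` as unchanged context, but there a later step would presumably fail when it runs the binary.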
@@ -468,21 +458,16 @@ jobs: with: dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }} - # Must restore the github-hosted build (-github-v1), the same artifacts - # the publish job uploads to the GitHub Release. The Bun-compiled binaries - # are not byte-for-byte reproducible across the blacksmith and github - # builds, so the blacksmith dist/checksums.txt does not match the released + # Must download the github-hosted build (-github), the same artifacts the + # publish job uploads to the GitHub Release. The Bun-compiled binaries are + # not byte-for-byte reproducible across the blacksmith and github builds, + # so the blacksmith dist/checksums.txt does not match the released # tarballs. Reading it here produced a formula whose sha256 rejected the # downloaded archive ("Formula reports different checksum"). - - name: Restore build artifacts cache - uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 + - name: Download build artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: - path: | - packages/cli-*/bin/ - dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1 - enableCrossOsArchive: true - fail-on-cache-miss: true + name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github - name: Generate Homebrew tap token id: app-token @@ -513,8 +498,6 @@ jobs: publish-scoop: needs: publish if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }} - # github-hosted to share a cache store with build-github/publish, whose - # -github-v1 artifacts this job's checksums must match. runs-on: ubuntu-latest timeout-minutes: 30 env: 
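Review bot: This download in publish-homebrew, and the identical one in the publish-scoop hunk that follows, depends on an artifact the producer uploads with `retention-days: 1`. Both jobs run after `publish`, so if a tap or bucket push fails and the job is re-run more than a day after the build, the artifact will have expired. The download then fails even though the release itself is already out. Either raise the producer's `retention-days` to cover the window in which these jobs are realistically retried, or document the limit here with a comment such as `# Artifact expires 1 day after the build; a later re-run of this job needs a fresh release run.` Both jobs continue outside their hunks, so a fallback that reads checksums from the published release assets may already exist out of view.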
@@ -531,21 +514,16 @@ jobs: with: dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }} - # Must restore the github-hosted build (-github-v1), the same artifacts - # the publish job uploads to the GitHub Release. The Bun-compiled binaries - # are not byte-for-byte reproducible across the blacksmith and github - # builds, so the blacksmith dist/checksums.txt does not match the released + # Must download the github-hosted build (-github), the same artifacts the + # publish job uploads to the GitHub Release. The Bun-compiled binaries are + # not byte-for-byte reproducible across the blacksmith and github builds, + # so the blacksmith dist/checksums.txt does not match the released # tarballs. Reading it here would produce a manifest whose hash rejects the # downloaded archive. - - name: Restore build artifacts cache - uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 + - name: Download build artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: - path: | - packages/cli-*/bin/ - dist/ - key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1 - enableCrossOsArchive: true - fail-on-cache-miss: true + name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github - name: Generate Scoop bucket token id: app-token