Merged
37 changes: 17 additions & 20 deletions .github/workflows/build-cli-artifacts.yml
Expand Up @@ -21,8 +21,8 @@ on:
required: false
type: string
default: blacksmith-32vcpu-ubuntu-2404
artifact_name_suffix:
description: Suffix to distinguish build artifact producers (e.g. -github)
cache_key_suffix:
description: Suffix to distinguish build artifact cache producers
required: false
type: string
default: ""
Expand Down Expand Up @@ -123,26 +123,23 @@ jobs:
echo "Checking dist/..."
ls -la dist/

- name: Check existing build artifacts cache
id: build-artifacts-cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1


P2 Badge Include run_attempt in the cache key

When someone uses “Re-run all jobs” on a release or preview run, GitHub keeps github.run_id the same and only increments github.run_attempt, while actions/cache restores exact-key hits and cache entries are immutable. With this key, the rebuilt artifacts in the producer job are discarded because the lookup sees the previous attempt's cache and the save is skipped; downstream publish/brew/scoop jobs then restore binaries and checksums from the previous attempt rather than the artifacts that were just built. Add github.run_attempt or another per-attempt component to the handoff cache key so reruns cannot publish stale artifacts.

Useful? React with 👍 / 👎.

enableCrossOsArchive: true
lookup-only: true

# Hand the build off to the smoke/publish/brew/scoop jobs via a run-scoped
# artifact rather than a cache. Caches share a 10 GB per-repo budget and
# are evicted LRU, so a large build cache could vanish mid-run between the
# producer and a later consumer (e.g. publish), failing the restore.
# Artifacts have their own deterministic retention and survive job re-runs
# within the run, which is exactly what this handoff needs.
- name: Upload build artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- name: Save build artifacts cache
if: steps.build-artifacts-cache.outputs.cache-hit != 'true'
uses: actions/cache/save@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.artifact_name_suffix }}
path: |
packages/cli-*/bin/
dist/
# Intra-run handoff, not a kept deliverable — expire it the next day.
retention-days: 1
# A full re-run of this job replaces its own artifact instead of
# failing on the duplicate name from the previous attempt.
overwrite: true
# dist/* is already compressed (tar.gz/zip/deb/rpm/apk); a light level
# trims the raw bin/ binaries without burning CPU re-packing the rest.
compression-level: 1
if-no-files-found: error
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}${{ inputs.cache_key_suffix }}-v1
enableCrossOsArchive: true
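Review bot: The handoff key written by `Save build artifacts cache` (and read by the matching restore steps in publish-preview-cli-packages.yml and release-shared.yml) identifies the build only by a predictable string, so the publish, Homebrew and Scoop jobs cannot confirm that the bytes they restore are the ones this job built. Unlike a run-scoped artifact, a cache entry is not bound to the job that produced it; as far as I know any job with access to the same repository cache scope can create one, and the `lookup-only` check means the producer never compares an existing entry with its own output. I would have the producer export a digest as a job output, e.g. `echo "checksums_sha256=$(sha256sum dist/checksums.txt | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"`, and have each consumer recompute it after the restore and fail on mismatch before anything is published. Whether dist/checksums.txt covers the raw `packages/cli-*/bin/` binaries is not visible here, so those may need a digest of their own.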
11 changes: 8 additions & 3 deletions .github/workflows/publish-preview-cli-packages.yml
Expand Up @@ -57,10 +57,15 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Download preview build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: Restore preview build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
name: cli-build-legacy-${{ env.PREVIEW_VERSION }}
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-legacy-${{ env.PREVIEW_VERSION }}-v1
enableCrossOsArchive: true
fail-on-cache-miss: true

- name: Prepare package files
run: |
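Review bot: The key in `Restore preview build artifacts cache` hard-codes `legacy` and carries no suffix, so it resolves only if the producer workflow was called with `shell: legacy` and an empty `cache_key_suffix`, and that call is not visible in this hunk. A comment above the step would make the coupling explicit, for example `# Key must mirror build-cli-artifacts.yml (shell=legacy, version=PREVIEW_VERSION, no cache_key_suffix).` Keeping `fail-on-cache-miss: true` and adding no `restore-keys` is the right shape for a publish job, because a prefix fallback would let a different entry stand in for the intended build.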
84 changes: 53 additions & 31 deletions .github/workflows/release-shared.yml
Expand Up @@ -79,7 +79,7 @@ jobs:
version: ${{ inputs.version }}
shell: ${{ inputs.shell }}
runner: large-linux-x86
artifact_name_suffix: -github
cache_key_suffix: -github
timeout_minutes: 45
build_timeout_minutes: 20
secrets:
Expand Down Expand Up @@ -113,10 +113,15 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-v1
enableCrossOsArchive: true
fail-on-cache-miss: true

# Docker's classic image store keeps a single platform manifest per
# tag, so pulling `alpine:3.21` for amd64 and again for arm64 leaves
Expand Down Expand Up @@ -244,10 +249,15 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true

- name: Fix binary permissions
run: chmod +x packages/cli-*/bin/supabase || true
Expand Down Expand Up @@ -301,17 +311,15 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github

# Artifacts are zipped and do not carry Unix permissions, so the compiled
# binaries arrive without the executable bit. publish.ts ships
# packages/cli-*/bin/supabase to npm verbatim, so restore +x before
# publishing or the installed CLI would not be runnable.
- name: Fix binary permissions
run: chmod +x packages/cli-*/bin/supabase || true
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true

- name: Sync versions
run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"
Expand Down Expand Up @@ -471,6 +479,8 @@ jobs:
publish-homebrew:
needs: publish
if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }}
# github-hosted to share a cache store with build-github/publish, whose
# -github-v1 artifacts this job's checksums must match.
runs-on: ubuntu-latest
timeout-minutes: 30
env:
Expand All @@ -487,16 +497,21 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

# Must download the github-hosted build (-github), the same artifacts the
# publish job uploads to the GitHub Release. The Bun-compiled binaries are
# not byte-for-byte reproducible across the blacksmith and github builds,
# so the blacksmith dist/checksums.txt does not match the released
# Must restore the github-hosted build (-github-v1), the same artifacts
# the publish job uploads to the GitHub Release. The Bun-compiled binaries
# are not byte-for-byte reproducible across the blacksmith and github
# builds, so the blacksmith dist/checksums.txt does not match the released
# tarballs. Reading it here produced a formula whose sha256 rejected the
# downloaded archive ("Formula reports different checksum").
- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true

- name: Generate Homebrew tap token
id: app-token
Expand Down Expand Up @@ -527,6 +542,8 @@ jobs:
publish-scoop:
needs: publish
if: ${{ !inputs.dry_run && inputs.publish_brew_scoop }}
# github-hosted to share a cache store with build-github/publish, whose
# -github-v1 artifacts this job's checksums must match.
runs-on: ubuntu-latest
timeout-minutes: 30
env:
Expand All @@ -543,16 +560,21 @@ jobs:
with:
dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}

# Must download the github-hosted build (-github), the same artifacts the
# publish job uploads to the GitHub Release. The Bun-compiled binaries are
# not byte-for-byte reproducible across the blacksmith and github builds,
# so the blacksmith dist/checksums.txt does not match the released
# Must restore the github-hosted build (-github-v1), the same artifacts
# the publish job uploads to the GitHub Release. The Bun-compiled binaries
# are not byte-for-byte reproducible across the blacksmith and github
# builds, so the blacksmith dist/checksums.txt does not match the released
# tarballs. Reading it here would produce a manifest whose hash rejects the
# downloaded archive.
- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
- name: Restore build artifacts cache
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}-github
path: |
packages/cli-*/bin/
dist/
key: cli-build-${{ github.run_id }}-${{ inputs.shell }}-${{ inputs.version }}-github-v1
enableCrossOsArchive: true
fail-on-cache-miss: true

- name: Generate Scoop bucket token
id: app-token
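Review bot: The publish job's hunk (`-301,17 +311,15`) drops both the `Fix binary permissions` step and the comment explaining why it existed, while the job patched at `-244,10 +249,15` still runs `chmod +x packages/cli-*/bin/supabase || true` after the same kind of restore. If the step was removed because cache archives keep file modes, a comment should say so, e.g. `# cache archives preserve file modes, so no chmod is needed before publish.ts ships bin/supabase`, and the leftover chmod should be dropped or kept in both jobs for consistency. The removed comment says publish.ts ships the binary to npm verbatim, so a cheap guard before publishing, such as `test -x` on each `packages/cli-*/bin/supabase`, would turn a lost executable bit into a failed job rather than a broken release. The rest of the publish job lies outside the visible hunk.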