chore: production deploy #5741
Merged
supabase-cli-releaser
Bot
commented
Jun 30, 2026
Contributor
- ci: auto-mirror template image updates to registries (#5739)
- ci: migrate build artifact handoff from cache to artifacts (#5740)
Automatically backfills the image mirror when the CLI template Dockerfile changes, so a dependabot image bump no longer leaves develop (and PRs rebased on it) failing the ghcr.io-pinned `Start` check with `manifest unknown`.

## Background

The `Start` job in `cli-go-ci.yml` pins `SUPABASE_INTERNAL_IMAGE_REGISTRY=ghcr.io`, so it only goes green once a bumped tag exists on the mirror. Dependabot bumps the Dockerfile before the new tag is mirrored, and the mirror previously only ran via manual `workflow_dispatch` — so the bump merged red and every subsequent PR touching `apps/cli-go/**` inherited the same failure until someone mirrored by hand. This was the catch-22 already noted in `cli-go-mirror.yml`.

## Changes

- **New workflow `mirror-template-images.yml`** — runs on `push` to develop when `apps/cli-go/pkg/config/templates/Dockerfile` changes (plus `workflow_dispatch`). It detects any image tag missing from the mirror and backfills it by reusing the existing `cli-go-mirror-image.yml` reusable workflow. It runs on push rather than the PR on purpose: mirroring needs the AWS role + `packages:write`, which a dependabot-triggered `pull_request` run cannot be granted, and this avoids `pull_request_target`. The backfill runs as soon as the bump lands on develop, repopulating the mirror so develop and rebased PRs pass `Start`.
- **New script `apps/cli/scripts/detect-unmirrored-images.ts`** — parses the template Dockerfile, checks each image against the mirror with `docker buildx imagetools inspect`, and writes the missing tags as JSON to `$GITHUB_OUTPUT` for the workflow matrix. The detection helpers (`mirrorImageTarget`, `mirrorImageTargets`, `partitionUnmirroredImages`) are exported and unit-tested; the executable entry is guarded by `import.meta.main`.
  - Checks **every** image, not just third-party ones, and an image counts as mirrored only when present on **all** mirror registries (`public.ecr.aws` and `ghcr.io`) — a tag on one but missing from the other is re-pushed. Anonymous `imagetools inspect` works for public ECR, so the detect job needs no AWS credentials.
  - Idempotent: once an image is on every registry it is skipped, so a re-run is a no-op.
- **`detect-unmirrored-images.unit.test.ts`** — covers target derivation, the both-registries rule, de-duplication, and the idempotent re-run.
- **`cli-go-mirror.yml`** — clarified that it is now the manual/bulk entry point; template bumps are mirrored automatically by the new workflow.

https://claude.ai/code/session_01DEeGQ3JAwQD1PGEENE13dc

---------

Co-authored-by: Claude <noreply@anthropic.com>
Replace GitHub Actions cache with artifacts for passing build outputs
between jobs in the release workflow. This improves reliability by using
run-scoped artifacts with deterministic retention instead of a shared 10
GB cache budget that can be evicted LRU mid-run.
**Key changes:**
- **build-cli-artifacts.yml**: Replace `actions/cache/save` with
`actions/upload-artifact` to hand off compiled binaries and dist files
to downstream jobs. Artifacts are configured with 1-day retention, light
compression (binaries already compressed), and overwrite enabled for job
re-runs.
- **release-shared.yml**: Replace all `actions/cache/restore` calls with
`actions/download-artifact` in publish, publish-homebrew, and
publish-scoop jobs. Update artifact names to match the new naming scheme
(`cli-build-{shell}-{version}{suffix}`).
- **build-cli-artifacts.yml**: Rename `cache_key_suffix` input to
`artifact_name_suffix` for clarity.
- **release-shared.yml**: Add missing binary permission fix step in the
npm-publish job (chmod +x on compiled binaries) to match the pattern
used in other publish jobs, since artifacts don't preserve Unix
permissions.
- **publish-preview-cli-packages.yml**: Update preview build artifact
retrieval to use `actions/download-artifact`.
This change eliminates the risk of cache eviction between the build
producer and downstream consumers while simplifying the artifact naming
and handoff logic.
https://claude.ai/code/session_012AkD2XxUdcrBLH58fQr7yi
Co-authored-by: Claude <noreply@anthropic.com>
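
The detection rule described for #5739 above (every image checked, mirrored only when present on all registries, a re-run is a no-op), as an added TypeScript example that is not the project's `detect-unmirrored-images.ts`. The function names, the `example-mirror` namespace, the `<registry>/<namespace>/<name>:<tag>` layout and the injected `probe` (standing in for `docker buildx imagetools inspect`) are assumptions; the Dockerfile and mirror state are constructed samples.

```typescript
// Added illustration, not the project's detect-unmirrored-images.ts.
const MIRROR_REGISTRIES = ["public.ecr.aws", "ghcr.io"]; // the two mirrors named in the PR
const MIRROR_NAMESPACE = "example-mirror"; // placeholder: the real namespace is not on the page

type Probe = (ref: string) => boolean; // true when the manifest exists on the registry
type Missing = { image: string; absentFrom: string[] };

// Image references from FROM lines: de-duplicated, `scratch` skipped.
function parseImages(dockerfile: string): string[] {
  const images: string[] = [];
  for (const line of dockerfile.split("\n")) {
    const m = /^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)/i.exec(line);
    const ref = m ? m[1] : undefined;
    if (ref && ref !== "scratch" && images.indexOf(ref) === -1) images.push(ref);
  }
  return images;
}

// Assumed layout: <registry>/<namespace>/<name>:<tag>, keeping only the last path segment.
function mirrorTargets(image: string): string[] {
  const last = image.slice(image.lastIndexOf("/") + 1);
  const nameTag = last.indexOf(":") === -1 ? `${last}:latest` : last;
  return MIRROR_REGISTRIES.map((r) => `${r}/${MIRROR_NAMESPACE}/${nameTag}`);
}

// An image is mirrored only when every registry has it; otherwise record where it is absent.
function partitionUnmirrored(images: string[], exists: Probe): { mirrored: string[]; missing: Missing[] } {
  const mirrored: string[] = [];
  const missing: Missing[] = [];
  for (const image of images) {
    const absentFrom = mirrorTargets(image).filter((ref) => !exists(ref));
    if (absentFrom.length === 0) mirrored.push(image);
    else missing.push({ image: image, absentFrom: absentFrom });
  }
  return { mirrored: mirrored, missing: missing };
}

// Constructed sample: a template Dockerfile and the refs currently on the mirrors.
const SAMPLE_DOCKERFILE = [
  "FROM example/db:1.2.3 AS db",
  "FROM library/proxy:2.8.1 AS proxy",
  "FROM example/api:v2.0.0 AS api",
  "FROM library/proxy:2.8.1 AS proxy_again",
].join("\n");
const onMirror: string[] = mirrorTargets("example/db:1.2.3").concat([
  "public.ecr.aws/example-mirror/proxy:2.8.1", // one registry only, so still unmirrored
]);
const probe: Probe = (ref) => onMirror.indexOf(ref) !== -1;

const firstRun = partitionUnmirrored(parseImages(SAMPLE_DOCKERFILE), probe);
const matrixJson = JSON.stringify(firstRun.missing.map((m) => m.image)); // workflow matrix value
// Simulate the backfill pushing every absent ref, then detect again: nothing is left to do.
firstRun.missing.forEach((m) => m.absentFrom.forEach((ref) => onMirror.push(ref)));
const secondRun = partitionUnmirrored(parseImages(SAMPLE_DOCKERFILE), probe);
```
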
avallete
approved these changes
Jun 30, 2026