chore: production deploy #5741

Merged: supabase-cli-releaser[bot] merged 2 commits into main from develop, Jun 30, 2026

@supabase-cli-releaser

avallete and others added 2 commits June 30, 2026 15:40
Automatically backfills the image mirror when the CLI template
Dockerfile changes, so a dependabot image bump no longer leaves develop
(and PRs rebased on it) failing the ghcr.io-pinned `Start` check with
`manifest unknown`.

## Background

The `Start` job in `cli-go-ci.yml` pins
`SUPABASE_INTERNAL_IMAGE_REGISTRY=ghcr.io`, so it only goes green once a
bumped tag exists on the mirror. Dependabot bumps the Dockerfile before
the new tag is mirrored, and the mirror previously only ran via manual
`workflow_dispatch` — so the bump merged red and every subsequent PR
touching `apps/cli-go/**` inherited the same failure until someone
mirrored by hand. This was the catch-22 already noted in
`cli-go-mirror.yml`.

## Changes

- **New workflow `mirror-template-images.yml`** — runs on `push` to
develop when `apps/cli-go/pkg/config/templates/Dockerfile` changes (plus
`workflow_dispatch`). It detects any image tag missing from the mirror
and backfills it by reusing the existing `cli-go-mirror-image.yml`
reusable workflow. It runs on push rather than the PR on purpose:
mirroring needs the AWS role + `packages:write`, which a
dependabot-triggered `pull_request` run cannot be granted, and this
avoids `pull_request_target`. The backfill runs as soon as the bump
lands on develop, repopulating the mirror so develop and rebased PRs
pass `Start`.

- **New script `apps/cli/scripts/detect-unmirrored-images.ts`** — parses
the template Dockerfile, checks each image against the mirror with
`docker buildx imagetools inspect`, and writes the missing tags as JSON
to `$GITHUB_OUTPUT` for the workflow matrix. The detection helpers
(`mirrorImageTarget`, `mirrorImageTargets`, `partitionUnmirroredImages`)
are exported and unit-tested; the executable entry is guarded by
`import.meta.main`.
  - Checks **every** image, not just third-party ones, and an image counts
    as mirrored only when present on **all** mirror registries
    (`public.ecr.aws` and `ghcr.io`) — a tag on one but missing from the
    other is re-pushed. Anonymous `imagetools inspect` works for public ECR,
    so the detect job needs no AWS credentials.
  - Idempotent: once an image is on every registry it is skipped, so a
    re-run is a no-op.

- **`detect-unmirrored-images.unit.test.ts`** — covers target
derivation, the both-registries rule, de-duplication, and the idempotent
re-run.

- **`cli-go-mirror.yml`** — clarified that it is now the manual/bulk
entry point; template bumps are mirrored automatically by the new
workflow.

https://claude.ai/code/session_01DEeGQ3JAwQD1PGEENE13dc

---------

Co-authored-by: Claude <noreply@anthropic.com>

Replace GitHub Actions cache with artifacts for passing build outputs
between jobs in the release workflow. This improves reliability by using
run-scoped artifacts with deterministic retention instead of a shared 10
GB cache budget that can be evicted LRU mid-run.

**Key changes:**

- **build-cli-artifacts.yml**: Replace `actions/cache/save` with
`actions/upload-artifact` to hand off compiled binaries and dist files
to downstream jobs. Artifacts are configured with 1-day retention, light
compression (binaries already compressed), and overwrite enabled for job
re-runs.

- **release-shared.yml**: Replace all `actions/cache/restore` calls with
`actions/download-artifact` in publish, publish-homebrew, and
publish-scoop jobs. Update artifact names to match the new naming scheme
(`cli-build-{shell}-{version}{suffix}`).

- **build-cli-artifacts.yml**: Rename `cache_key_suffix` input to
`artifact_name_suffix` for clarity.

- **release-shared.yml**: Add missing binary permission fix step in the
npm-publish job (chmod +x on compiled binaries) to match the pattern
used in other publish jobs, since artifacts don't preserve Unix
permissions.

- **publish-preview-cli-packages.yml**: Update preview build artifact
retrieval to use `actions/download-artifact`.

This change eliminates the risk of cache eviction between the build
producer and downstream consumers while simplifying the artifact naming
and handoff logic.

https://claude.ai/code/session_012AkD2XxUdcrBLH58fQr7yi

Co-authored-by: Claude <noreply@anthropic.com>
@supabase-cli-releaser supabase-cli-releaser Bot added the do not merge Approve to apply; do not merge. label Jun 30, 2026
@supabase-cli-releaser supabase-cli-releaser Bot requested a review from a team as a code owner June 30, 2026 16:35
@supabase-cli-releaser supabase-cli-releaser Bot added the do not merge Approve to apply; do not merge. label Jun 30, 2026
@supabase-cli-releaser supabase-cli-releaser Bot merged commit 49db006 into main Jun 30, 2026
38 of 39 checks passed
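
The both-registries rule and the idempotent re-run described in the first commit message, as an added TypeScript example that is not the project's `detect-unmirrored-images.ts`. The function names, the `supabase` mirror namespace, the sample Dockerfile and the in-memory registry are assumptions; the `exists` callback stands in for `docker buildx imagetools inspect`.

```typescript
// Added illustration with hypothetical names; not the project's detect-unmirrored-images.ts.
const MIRROR_REGISTRIES = ["public.ecr.aws", "ghcr.io"]; // registries named in the PR
const MIRROR_NAMESPACE = "supabase"; // assumed path prefix on each mirror

// Constructed template Dockerfile; tags are made up, one image is repeated.
const SAMPLE_DOCKERFILE = [
  "FROM supabase/postgres:17.0.0.1 AS pg",
  "FROM library/kong:2.8.1 AS kong",
  "FROM supabase/gotrue:v2.200.0 AS gotrue",
  "FROM supabase/postgres:17.0.0.1 AS pgdup",
].join("\n");

// Collect de-duplicated image references from `FROM <image> [AS <stage>]` lines.
function parseTemplateImages(dockerfile: string): string[] {
  const images = new Set<string>();
  for (const line of dockerfile.split("\n")) {
    const m = /^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)/i.exec(line);
    if (m) images.add(m[1]);
  }
  return Array.from(images);
}

// `library/kong:2.8.1` -> one `<registry>/supabase/kong:2.8.1` ref per mirror registry.
function mirrorRefs(image: string): string[] {
  const nameAndTag = image.slice(image.lastIndexOf("/") + 1);
  return MIRROR_REGISTRIES.map((r) => `${r}/${MIRROR_NAMESPACE}/${nameAndTag}`);
}

// Mirrored only when present on ALL registries; a tag on just one is still "missing".
// `exists` is a stand-in for an anonymous `docker buildx imagetools inspect <ref>`.
function partitionUnmirrored(images: string[], exists: (ref: string) => boolean) {
  const mirrored: string[] = [];
  const missing: string[] = [];
  for (const image of images) {
    (mirrorRefs(image).every((ref) => exists(ref)) ? mirrored : missing).push(image);
  }
  return { mirrored, missing };
}

// Detect, simulate the backfill pushing every missing ref, then detect again.
function demoBackfill() {
  const registry = new Set<string>(mirrorRefs("supabase/postgres:17.0.0.1")); // on both mirrors
  registry.add("public.ecr.aws/supabase/kong:2.8.1"); // on ECR only, absent from ghcr.io
  const images = parseTemplateImages(SAMPLE_DOCKERFILE);
  const first = partitionUnmirrored(images, (ref) => registry.has(ref));
  first.missing.forEach((img) => mirrorRefs(img).forEach((ref) => registry.add(ref)));
  const second = partitionUnmirrored(images, (ref) => registry.has(ref));
  return { first, second };
}
```

The partially mirrored `kong` tag lands in `missing` on the first pass, and the second pass after the simulated backfill reports nothing to do.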
Labels

do not merge Approve to apply; do not merge.