chore: add composite action for downloading artifacts

Crispy1975 · Crispy1975 · commit c3a8b0c0f4d1 · 2025-07-01T00:47:17.000+01:00
diff --git a/.github/actions/download-supabase-artifacts/action.yml b/.github/actions/download-supabase-artifacts/action.yml
@@ -0,0 +1,57 @@
+name: "Download Supabase project artifacts"
+description: "Authenticate with AWS shared account and download artifacts from S3"
+
+inputs:
+  region:
+    description: "AWS region"
+    required: true
+  auth-role:
+    description: "Initial role to assume using GitHub OIDC"
+    required: true
+  download-role:
+    description: "Role to assume for S3 access"
+    required: true
+  bucket:
+    description: "S3 bucket name"
+    required: true
+  prefix:
+    description: "S3 path prefix (e.g. supabase-admin-agent/v1.4.35)"
+    required: true
+  artifacts:
+    description: "Newline-separated list of artefact filenames to download"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: GitHub OIDC Auth
+      uses: aws-actions/configure-aws-credentials@v4.1.0
+      with:
+        aws-region: ${{ inputs.region }}
+        role-to-assume: ${{ inputs.auth-role }}
+        role-session-name: github-oidc-session
+
+    - name: Assume Destination Role
+      uses: aws-actions/configure-aws-credentials@v4.1.0
+      with:
+        aws-region: ${{ inputs.region }}
+        role-to-assume: ${{ inputs.download-role }}
+        role-session-name: s3-access
+        role-skip-session-tagging: true
+        role-chaining: true
+
+    - name: Download artifacts from S3
+      shell: bash
+      run: |
+        set -euo pipefail
+        mkdir -p ./dist
+
+        bucket="${{ inputs.bucket }}"
+        prefix="${{ inputs.prefix }}"
+        IFS=$'\n' read -r -d '' -a artifacts <<< "$(printf "%s\n" "${{ inputs.artifacts }}")"$'\0'
+
+        for object_key in "${artifacts[@]}"; do
+          s3_path="s3://${bucket}/${prefix}/${object_key}"
+          echo "Downloading $s3_path"
+          aws s3 cp "$s3_path" "./dist/$object_key"
+        done
diff --git a/.github/workflows/actions/s3/action.yml b/.github/workflows/actions/s3/action.yml
@@ -0,0 +1,56 @@
+name: "Download Supabase project artifacts"
+description: "Authenticate with AWS shared account and download artifacts from S3"
+
+inputs:
+  region:
+    description: "The AWS region"
+    required: true
+  auth-role:
+    description: "The initial role to assume using GitHub OIDC"
+    required: true
+  download-role:
+    description: "The role to assume for S3 access"
+    required: true
+  bucket:
+    description: "The download S3 bucket name"
+    required: true
+  artifacts:
+    description: "List of artifacts in the form: <tool>,<version>,<os-arch>"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: GitHub OIDC Auth
+      uses: aws-actions/configure-aws-credentials@v4.1.0
+      with:
+        aws-region: ${{ inputs.region }}
+        role-to-assume: ${{ inputs.auth-role }}
+        role-session-name: github-oidc-session
+
+    - name: Assume Destination Role
+      uses: aws-actions/configure-aws-credentials@v4.1.0
+      with:
+        aws-region: ${{ inputs.region }}
+        role-to-assume: ${{ inputs.download-role }}
+        role-session-name: s3-access
+        role-skip-session-tagging: true
+        role-chaining: true
+
+    - name: Download Artifacts From S3
+      shell: bash
+      run: |
+        set -euo pipefail
+        mkdir -p /tmp/supabase-dist
+
+        bucket="${{ inputs.bucket }}"
+        mapfile -t entries <<< "${{ inputs.artifacts }}"
+
+        for entry in "${entries[@]}"; do
+          IFS=',' read -r tool version platform <<< "$entry"
+          filename="${tool}-${version}-${platform}.tar.xz"
+          s3_path="s3://${bucket}/${tool}/v${version}/${filename}"
+
+          echo "Downloading $s3_path"
+          aws s3 cp "$s3_path" "/tmp/supabase-dist/$filename"
+        done
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -79,19 +79,19 @@ jobs:
             trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
       - name: Build psql bundle
         run: >
-            nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48" 
-            -- --skip-cached --no-nom 
-            --flake ".#checks.$(nix eval --raw --impure --expr 'builtins.currentSystem')"
+          nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48" 
+          -- --skip-cached --no-nom 
+          --flake ".#checks.$(nix eval --raw --impure --expr 'builtins.currentSystem')"
         env:
           AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
           AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }}
-  
+
   run-testinfra:
     needs: build-run-image
     if: ${{ success() }}
     uses: ./.github/workflows/testinfra-ami-build.yml
-    
+
   run-tests:
     needs: build-run-image
     if: ${{ success() }}
diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml
@@ -37,7 +37,7 @@ jobs:
             ubuntu_release: focal
             ubuntu_version: 20.04
             mcpu: neoverse-n1
-    runs-on: ${{ matrix.runner }}    
+    runs-on: ${{ matrix.runner }}
     timeout-minutes: 150
     permissions:
       contents: write
@@ -53,6 +53,18 @@ jobs:
         with:
           cmd: yq 'to_entries | map(select(.value|type == "!!str")) |  map(.key + "=" + .value) | join("\n")' 'ansible/vars.yml'
 
+      - name: Download Supabase Artifacts
+        id: download-artifacts
+        uses: ./.github/actions/download-supabase-artifacts
+        with:
+          region: ap-southeast-1
+          auth-role: arn:aws:iam::279559813984:role/supabase-github-oidc-role
+          download-role: arn:aws:iam::279559813984:role/supabase-repos-s3-get-role-83eb755
+          bucket: supabase-internal-artifacts
+          artifacts: |
+            supabase-admin-agent,1.4.35,linux-arm64
+            supabase-admin-agent,1.4.35,linux-amd64
+
       - run: docker context create builders
 
       - uses: docker/setup-buildx-action@v3
@@ -73,7 +85,7 @@ jobs:
           echo 'postgres-version = "'$PG_VERSION'"' > common-nix.vars.pkr.hcl
           # Ensure there's a newline at the end of the file
           echo "" >> common-nix.vars.pkr.hcl
-  
+
       - name: Build AMI stage 1
         run: |
           packer init amazon-arm64-nix.pkr.hcl
@@ -84,7 +96,7 @@ jobs:
         run: |
           packer init stage2-nix-psql.pkr.hcl
           GIT_SHA=${{github.sha}}
-          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl"  -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}"  stage2-nix-psql.pkr.hcl 
+          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl"  -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}"  stage2-nix-psql.pkr.hcl
 
       - name: Run tests
         timeout-minutes: 10
@@ -93,8 +105,8 @@ jobs:
         run: |
           # TODO: use poetry for pkg mgmt
           pip3 install boto3 boto3-stubs[essential] docker ec2instanceconnectcli pytest pytest-testinfra[paramiko,docker] requests
-          pytest -vv -s testinfra/test_ami_nix.py 
-      
+          pytest -vv -s testinfra/test_ami_nix.py
+
       - name: Cleanup resources on build cancellation
         if: ${{ cancelled() }}
         run: |
@@ -111,7 +123,7 @@ jobs:
           # Define AMI name patterns
           STAGE1_AMI_NAME="supabase-postgres-ci-ami-test-stage-1"
           STAGE2_AMI_NAME="${{ steps.random.outputs.random_string }}"
-          
+
           # Function to deregister AMIs by name pattern
           deregister_ami_by_name() {
             local ami_name_pattern=$1
@@ -121,7 +133,7 @@ jobs:
               aws ec2 deregister-image --region ap-southeast-1 --image-id $ami_id
             done
           }
-          
+
           # Deregister AMIs
           deregister_ami_by_name "$STAGE1_AMI_NAME"
           deregister_ami_by_name "$STAGE2_AMI_NAME"
