getsentry
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 73 additions & 63 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 73 additions & 63 deletions
diff --git a/‎install‎
Lines changed: 104 additions & 43 deletions b/‎install‎
Lines changed: 104 additions & 43 deletions
@@ -10,6 +10,11 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
+# packages:write is needed for publish-nightly to push to GHCR
+permissions:
+  contents: read
+  packages: write
+
 env:
   # Commit timestamp used for deterministic nightly version strings.
   # Defined at workflow level so build-binary and publish-nightly always agree.
@@ -216,6 +221,73 @@ jobs:
           name: sentry-${{ matrix.target }}
           path: dist-bin/sentry-*
 
+  publish-nightly:
+    name: Publish Nightly to GHCR
+    # Only run on pushes to main, not on PRs or release branches
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    needs: [build-binary]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download all binary artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: sentry-*
+          path: artifacts
+          merge-multiple: true
+
+      - name: Install ORAS CLI
+        run: |
+          VERSION=1.2.3
+          curl -sfL "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz" \
+            | tar -xz -C /usr/local/bin oras
+
+      - name: Compress binaries
+        run: |
+          ls artifacts/
+          for f in artifacts/sentry-linux-* artifacts/sentry-darwin-*; do
+            gzip -k "$f"
+          done
+          # Windows binary — compress but keep .exe name visible in title
+          for f in artifacts/sentry-windows-*.exe; do
+            gzip -k "$f"
+          done
+          ls artifacts/*.gz
+
+      - name: Compute nightly version
+        id: version
+        run: |
+          # Derive a deterministic Unix timestamp from the commit so that all
+          # jobs in this workflow run produce the same version string.
+          TS=$(date -d '${{ github.event.head_commit.timestamp }}' +%s 2>/dev/null \
+               || date -j -f "%Y-%m-%dT%H:%M:%S%z" '${{ github.event.head_commit.timestamp }}' +%s 2>/dev/null \
+               || echo ${{ github.run_number }})
+          VERSION="0.0.0-nightly.${TS}"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Nightly version: ${VERSION}"
+
+      - name: Create version.json
+        run: |
+          echo '{"version":"${{ steps.version.outputs.version }}"}' > version.json
+          cat version.json
+
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push to GHCR
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          oras push ghcr.io/getsentry/cli:nightly \
+            --artifact-type application/vnd.sentry.cli.nightly \
+            --annotation "org.opencontainers.image.source=https://github.com/getsentry/cli" \
+            --annotation "version=${VERSION}" \
+            artifacts/*.gz \
+            version.json
+
   test-e2e:
     name: E2E Tests
     needs: [build-binary]
@@ -301,69 +373,6 @@ jobs:
           name: gh-pages
           path: gh-pages.zip
 
-  publish-nightly:
-    name: Publish Nightly
-    # Only publish after a successful main-branch build+test. Skipped on PRs
-    # and release branches.
-    needs: [build-binary, test-e2e]
-    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          sparse-checkout: package.json
-      - name: Compute nightly version
-        # Uses the commit timestamp — the same value as build-binary — so
-        # version.json exactly matches the version baked into the binaries.
-        id: version
-        run: |
-          TS=$(date -d "$COMMIT_TIMESTAMP" +%s)
-          CURRENT=$(jq -r .version package.json)
-          VERSION=$(echo "$CURRENT" | sed "s/-dev\.[0-9]*$/-dev.${TS}/")
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-      - name: Download all binary artifacts
-        uses: actions/download-artifact@v4
-        with:
-          pattern: sentry-*
-          path: artifacts
-          merge-multiple: true
-      - name: Create version.json
-        run: |
-          cat > version.json <<EOF
-          {"version":"${{ steps.version.outputs.version }}","sha":"${{ github.sha }}","date":"$(date -u +%Y-%m-%dT%H:%M:%SZ)"}
-          EOF
-      - name: Create or update nightly release
-        env:
-          GH_TOKEN: ${{ github.token }}
-          GH_REPO: ${{ github.repository }}
-        run: |
-          # Create the release the first time; subsequent runs are a no-op
-          gh release create nightly \
-            --prerelease \
-            --title "Nightly" \
-            --notes "" \
-            2>/dev/null || true
-
-          # Update release notes with the latest version + commit
-          gh release edit nightly \
-            --prerelease \
-            --notes "Latest nightly build from the \`main\` branch.
-
-          **Version:** \`${{ steps.version.outputs.version }}\`
-          **Commit:** ${{ github.sha }}"
-
-          # Delete all existing assets first so removed/renamed files don't linger
-          gh release view nightly --json assets --jq '.assets[].name' | while read -r name; do
-            gh release delete-asset nightly "$name" --yes
-          done
-
-          # Upload the new .gz binaries and the version manifest
-          gh release upload nightly \
-            artifacts/*.gz \
-            version.json
-
   ci-status:
     name: CI Status
     if: always()
@@ -374,6 +383,7 @@ jobs:
       - name: Check CI status
         run: |
           # Check for explicit failures or cancellations in all jobs
+          # publish-nightly is skipped on PRs (if: github.ref == 'refs/heads/main') — that's expected
           results="${{ needs.check-skill.result }} ${{ needs.build-binary.result }} ${{ needs.build-npm.result }} ${{ needs.build-docs.result }} ${{ needs.test-e2e.result }} ${{ needs.publish-nightly.result }}"
           for result in $results; do
             if [[ "$result" == "failure" || "$result" == "cancelled" ]]; then
 
@@ -13,7 +13,8 @@ Usage: install [options]
 
 Options:
     -h, --help              Display this help message
-    -v, --version <version> Install a specific version (e.g., 0.2.0) or "nightly"
+    -v, --version <version> Install a specific version (e.g., 0.2.0)
+        --nightly           Install the latest nightly build from GHCR
         --no-modify-path    Don't modify shell config files (.zshrc, .bashrc, etc.)
         --no-completions    Don't install shell completions
 
@@ -24,11 +25,13 @@ Examples:
     curl -fsSL https://cli.sentry.dev/install | bash
     curl -fsSL https://cli.sentry.dev/install | bash -s -- --version nightly
     curl -fsSL https://cli.sentry.dev/install | bash -s -- --version 0.2.0
+    curl -fsSL https://cli.sentry.dev/install | bash -s -- --nightly
     SENTRY_INSTALL_DIR=~/.local/bin curl -fsSL https://cli.sentry.dev/install | bash
 EOF
 }
 
 requested_version=""
+nightly=false
 no_modify_path=false
 no_completions=false
 while [[ $# -gt 0 ]]; do
@@ -43,6 +46,10 @@ while [[ $# -gt 0 ]]; do
         exit 1
       fi
       ;;
+    --nightly)
+      nightly=true
+      shift
+      ;;
     --no-modify-path)
       no_modify_path=true
       shift
@@ -81,61 +88,111 @@ if [[ "$os" == "windows" ]]; then
   fi
 fi
 
-# Resolve version and download tag.
-#
-# "nightly" is a special value that installs from the rolling nightly prerelease
-# built from the main branch. In this case both `version` and `download_tag`
-# are set to the literal string "nightly".
-#
-# For stable releases both are the same version string (e.g. "0.5.0").
-channel="stable"
-download_tag=""
-
-if [[ -z "$requested_version" ]]; then
-  version=$(curl -fsSL https://api.github.com/repos/getsentry/cli/releases/latest | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')
-  if [[ -z "$version" ]]; then
-    echo -e "${RED}Failed to fetch latest version${NC}"
-    exit 1
-  fi
-  download_tag="$version"
-elif [[ "$requested_version" == "nightly" ]]; then
-  channel="nightly"
-  download_tag="nightly"
-  version="nightly"
-else
-  version="$requested_version"
-  download_tag="$requested_version"
+# Validate flag combinations
+if [[ "$nightly" == "true" && -n "$requested_version" ]]; then
+  echo -e "${RED}Error: --nightly and --version are mutually exclusive${NC}"
+  exit 1
 fi
 
-# Strip leading 'v' if present (releases use version without 'v' prefix)
-version="${version#v}"
-download_tag="${download_tag#v}"
-
-filename="sentry-${os}-${arch}${suffix}"
-url="https://github.com/getsentry/cli/releases/download/${download_tag}/${filename}"
 
 # Download binary to a temp location
 tmpdir="${TMPDIR:-${TMP:-${TEMP:-/tmp}}}"
 tmp_binary="${tmpdir}/sentry-install-$$${suffix}"
+version=""
 
 # Clean up temp binary on failure (setup handles cleanup on success)
 trap 'rm -f "$tmp_binary"' EXIT
 
-# For nightly the version string is literally "nightly", not a semver, so
-# skip the "v" prefix that's only meaningful for numbered releases.
-if [[ "$version" == "nightly" ]]; then
-  echo -e "${MUTED}Downloading sentry nightly...${NC}"
+if [[ "$nightly" == "true" ]]; then
+  # Nightly build: download from GHCR via OCI blob protocol.
+  # No jq needed — parse JSON with awk.
+  # ghcr.io blob downloads redirect to Azure Blob Storage. curl -L would
+  # forward the Authorization header to Azure, which returns 404. Instead,
+  # extract the redirect URL and follow it without the auth header.
+
+  echo -e "${MUTED}Fetching nightly build from GHCR...${NC}"
+
+  # Step 1: Get anonymous pull token
+  GHCR_TOKEN=$(curl -sf \
+    "https://ghcr.io/token?scope=repository:getsentry/cli:pull" \
+    | awk -F'"' '{for(i=1;i<=NF;i++) if($i=="token"){print $(i+2);exit}}')
+  if [[ -z "$GHCR_TOKEN" ]]; then
+    echo -e "${RED}Failed to get GHCR token${NC}"
+    exit 1
+  fi
+
+  # Step 2: Fetch the OCI manifest for the :nightly tag
+  MANIFEST=$(curl -sf \
+    -H "Authorization: Bearer $GHCR_TOKEN" \
+    -H "Accept: application/vnd.oci.image.manifest.v1+json" \
+    "https://ghcr.io/v2/getsentry/cli/manifests/nightly")
+  if [[ -z "$MANIFEST" ]]; then
+    echo -e "${RED}Failed to fetch nightly manifest from GHCR${NC}"
+    exit 1
+  fi
+
+  # Step 3: Extract version from manifest annotation
+  version=$(echo "$MANIFEST" \
+    | awk -F'"' '{for(i=1;i<=NF;i++) if($i=="version"){print $(i+2);exit}}')
+  if [[ -z "$version" ]]; then
+    echo -e "${RED}Failed to extract version from nightly manifest${NC}"
+    exit 1
+  fi
+
+  echo -e "${MUTED}Installing nightly sentry ${version}...${NC}"
+
+  # Step 4: Find the blob digest for this platform's .gz file
+  gz_filename="sentry-${os}-${arch}${suffix}.gz"
+  digest=$(echo "$MANIFEST" \
+    | sed 's/},{/}\n{/g' \
+    | awk -F'"' "/\"${gz_filename//./\\.}"'/{for(i=1;i<=NF;i++) if($i=="digest"){print $(i+2);exit}}')
+  if [[ -z "$digest" ]]; then
+    echo -e "${RED}No nightly build found for ${gz_filename}${NC}"
+    exit 1
+  fi
+
+  # Step 5: Get the redirect URL from the blob endpoint (don't use -L: auth
+  # header must NOT be forwarded to the Azure Blob Storage redirect target)
+  redir_url=$(curl -s -w '\n%{redirect_url}' -o /dev/null \
+    -H "Authorization: Bearer $GHCR_TOKEN" \
+    "https://ghcr.io/v2/getsentry/cli/blobs/${digest}" | tail -1)
+  if [[ -z "$redir_url" ]]; then
+    echo -e "${RED}Failed to get blob redirect URL from GHCR${NC}"
+    exit 1
+  fi
+
+  # Step 6: Download the .gz blob and decompress (without auth header)
+  curl -sf "$redir_url" | gunzip > "$tmp_binary"
+
 else
+  # Stable build: resolve version and download from GitHub Releases.
+
+  if [[ -z "$requested_version" ]]; then
+    version=$(curl -fsSL https://api.github.com/repos/getsentry/cli/releases/latest \
+      | sed -n 's/.*"tag_name": *"\([^"]*\)".*/\1/p')
+    if [[ -z "$version" ]]; then
+      echo -e "${RED}Failed to fetch latest version${NC}"
+      exit 1
+    fi
+  else
+    version="$requested_version"
+  fi
+
+  # Strip leading 'v' if present (releases use version without 'v' prefix)
+  version="${version#v}"
+  filename="sentry-${os}-${arch}${suffix}"
+  url="https://github.com/getsentry/cli/releases/download/${version}/${filename}"
+
   echo -e "${MUTED}Downloading sentry v${version}...${NC}"
-fi
 
-# Try gzip-compressed download first (~60% smaller, ~37 MB vs ~99 MB).
-# gunzip is POSIX and available on all Unix systems.
-# Falls back to raw binary if the .gz asset doesn't exist yet.
-if curl -fsSL "${url}.gz" 2>/dev/null | gunzip > "$tmp_binary" 2>/dev/null; then
-  : # Compressed download succeeded
-else
-  curl -fsSL --progress-bar "$url" -o "$tmp_binary"
+  # Try gzip-compressed download first (~60% smaller, ~37 MB vs ~99 MB).
+  # gunzip is POSIX and available on all Unix systems.
+  # Falls back to raw binary if the .gz asset doesn't exist yet.
+  if curl -fsSL "${url}.gz" 2>/dev/null | gunzip > "$tmp_binary" 2>/dev/null; then
+    : # Compressed download succeeded
+  else
+    curl -fsSL --progress-bar "$url" -o "$tmp_binary"
+  fi
 fi
 
 chmod +x "$tmp_binary"
@@ -145,6 +202,10 @@ chmod +x "$tmp_binary"
 # completions, agent skills, and the welcome message.
 # --channel persists the release channel so future `sentry cli upgrade`
 # calls track the same channel without requiring a flag.
+channel="nightly"
+if [[ "$nightly" != "true" ]]; then
+  channel="stable"
+fi
 setup_args="--install --method curl --channel $channel"
 if [[ "$no_modify_path" == "true" ]]; then
   setup_args="$setup_args --no-modify-path"