ci(cli): publish pkg.pr.new previews after preview builds (#5420)

## Summary

Adds pkg.pr.new preview publishing for internal PRs after the normal
Test workflow passes. The preview workflow resolves the current PR head,
skips draft/fork/stale runs, builds the legacy release-shaped CLI
artifacts, publishes all platform wrapper packages plus apps/cli to
pkg.pr.new, verifies the PR-scoped npx command, and updates a single PR
comment with the latest preview command.

Extracts the shared CLI artifact build into a reusable workflow so
production releases, manual release smoke tests, and PR previews all
build the same packages/dist artifact shape. Release publishing still
runs the full smoke matrix before npm/GitHub/Homebrew/Scoop publication,
while manual release smoke is available through a dedicated dry-run
workflow.

Adds pkg-pr-new as a root dev dependency and keeps the Windows release
smoke coverage aligned with the published artifacts by checking the
native wrapper, release tarball, and Scoop install paths.

## Reviewer Notes

The preview flow intentionally posts its own pkg.pr.new comment because
it runs after Test via workflow_run and needs to publish the stable
PR-scoped command, not a commit-SHA-only command.

Author: jgoux

.github/workflows/build-cli-artifacts.yml

@@ -0,0 +1,88 @@
+name: Build CLI Artifacts
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: CLI package version to build
+        required: true
+        type: string
+      shell:
+        description: CLI shell to package as the shipped supabase binary
+        required: true
+        type: string
+      ref:
+        description: Optional git ref or SHA to check out before building
+        required: false
+        type: string
+        default: ""
+    secrets:
+      SENTRY_DSN:
+        required: false
+      POSTHOG_API_KEY:
+        required: false
+      POSTHOG_ENDPOINT:
+        required: false
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build CLI artifacts
+    runs-on: blacksmith-32vcpu-ubuntu-2404
+    env:
+      BUN_SHELL: ${{ inputs.shell }}
+      VERSION: ${{ inputs.version }}
+      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+      POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
+      POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.ref }}
+          persist-credentials: false
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: apps/cli-go/go.mod
+          cache: true
+          cache-dependency-path: apps/cli-go/go.sum
+
+      - name: Pre-download Go modules
+        working-directory: apps/cli-go
+        run: go mod download -x
+
+      - name: Install nfpm
+        run: |
+          echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
+          sudo apt-get update
+          sudo apt-get install -y nfpm
+
+      - name: Sync versions
+        run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"
+
+      - name: Build selected shell
+        run: pnpm exec bun apps/cli/scripts/build.ts --version "${VERSION}" --shell "${BUN_SHELL}"
+
+      - name: Verify build artifacts
+        run: |
+          for pkg in cli-darwin-arm64 cli-darwin-x64 cli-linux-arm64 cli-linux-arm64-musl cli-linux-x64 cli-linux-x64-musl cli-windows-arm64 cli-windows-x64; do
+            echo "Checking packages/$pkg/bin/..."
+            ls -la "packages/$pkg/bin/"
+          done
+          echo "Checking dist/..."
+          ls -la dist/
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: cli-build-${{ inputs.shell }}-${{ inputs.version }}
+          path: |
+            packages/cli-*/bin/
+            dist/

.github/workflows/publish-preview-cli-packages.yml

@@ -0,0 +1,214 @@
+name: Publish Preview CLI Packages
+
+on:
+  workflow_run:
+    workflows:
+      - Test
+    types:
+      - completed
+
+permissions:
+  actions: read
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  resolve:
+    if: >-
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+    name: Resolve preview build context
+    runs-on: ubuntu-latest
+    env:
+      GH_TOKEN: ${{ github.token }}
+      REPOSITORY: ${{ github.repository }}
+    outputs:
+      should_build: ${{ steps.context.outputs.should_build }}
+      pr_number: ${{ steps.context.outputs.pr_number }}
+      pr_head_sha: ${{ steps.context.outputs.pr_head_sha }}
+      preview_version: ${{ steps.context.outputs.preview_version }}
+    steps:
+      - name: Resolve PR context
+        id: context
+        run: |
+          set -euo pipefail
+
+          should_build=false
+          pr_number="$(jq -r '.workflow_run.pull_requests[0].number // ""' "$GITHUB_EVENT_PATH")"
+          pr_head_sha="$(jq -r '.workflow_run.head_sha // ""' "$GITHUB_EVENT_PATH")"
+          pr_head_branch="$(jq -r '.workflow_run.head_branch // ""' "$GITHUB_EVENT_PATH")"
+
+          if [[ -z "${pr_head_sha}" ]]; then
+            echo "Workflow run has no head SHA; skipping."
+            echo "should_build=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if [[ -z "${pr_number}" && -n "${pr_head_branch}" ]]; then
+            pr_number="$(
+              gh pr list \
+                --repo "${REPOSITORY}" \
+                --head "${pr_head_branch}" \
+                --state open \
+                --json number,headRefOid \
+                --jq 'map(select(.headRefOid == "'"${pr_head_sha}"'")) | .[0].number // ""'
+            )"
+          fi
+
+          if [[ -z "${pr_number}" ]]; then
+            echo "Test run is not associated with an open pull request; skipping."
+            echo "should_build=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          pr_json="$(gh api "repos/${REPOSITORY}/pulls/${pr_number}")"
+          current_head_sha="$(jq -r '.head.sha' <<< "${pr_json}")"
+          state="$(jq -r '.state' <<< "${pr_json}")"
+          draft="$(jq -r '.draft' <<< "${pr_json}")"
+          head_repo="$(jq -r '.head.repo.full_name' <<< "${pr_json}")"
+          base_repo="$(jq -r '.base.repo.full_name' <<< "${pr_json}")"
+
+          if [[ "${state}" != "open" ]]; then
+            echo "PR #${pr_number} is ${state}; skipping."
+            echo "should_build=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if [[ "${draft}" == "true" ]]; then
+            echo "PR #${pr_number} is draft; skipping."
+            echo "should_build=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if [[ "${head_repo}" != "${base_repo}" ]]; then
+            echo "PR #${pr_number} comes from fork ${head_repo}; skipping."
+            echo "should_build=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          if [[ "${pr_head_sha}" != "${current_head_sha}" ]]; then
+            echo "Test SHA ${pr_head_sha} is stale; current PR head is ${current_head_sha}. Skipping."
+            echo "should_build=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          preview_version="0.0.0-pr.${pr_number}"
+          should_build=true
+
+          {
+            echo "should_build=${should_build}"
+            echo "pr_number=${pr_number}"
+            echo "pr_head_sha=${pr_head_sha}"
+            echo "preview_version=${preview_version}"
+          } >> "$GITHUB_OUTPUT"
+
+  build:
+    needs: resolve
+    if: needs.resolve.outputs.should_build == 'true'
+    name: Build preview CLI packages
+    uses: ./.github/workflows/build-cli-artifacts.yml
+    with:
+      version: ${{ needs.resolve.outputs.preview_version }}
+      shell: legacy
+      ref: ${{ needs.resolve.outputs.pr_head_sha }}
+
+  publish:
+    needs: [resolve, build]
+    if: needs.resolve.outputs.should_build == 'true' && needs.build.result == 'success'
+    name: Publish preview package
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      issues: write
+      pull-requests: read
+    env:
+      GH_TOKEN: ${{ github.token }}
+      PREVIEW_VERSION: ${{ needs.resolve.outputs.preview_version }}
+      PR_HEAD_SHA: ${{ needs.resolve.outputs.pr_head_sha }}
+      PR_NUMBER: ${{ needs.resolve.outputs.pr_number }}
+      REPOSITORY: ${{ github.repository }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ needs.resolve.outputs.pr_head_sha }}
+          persist-credentials: false
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Download preview build artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: cli-build-legacy-${{ needs.resolve.outputs.preview_version }}
+
+      - name: Prepare package files
+        run: |
+          set -euo pipefail
+          pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${PREVIEW_VERSION}"
+          pnpm --dir apps/cli build:shim
+          find packages -path '*/bin/supabase*' -type f -exec chmod +x {} +
+
+      - name: Publish preview package
+        run: |
+          pnpm exec pkg-pr-new publish \
+            --pnpm \
+            --bin \
+            --comment=off \
+            --json pkg-pr-new.json \
+            --no-template \
+            './packages/cli-darwin-arm64' \
+            './packages/cli-darwin-x64' \
+            './packages/cli-linux-arm64' \
+            './packages/cli-linux-arm64-musl' \
+            './packages/cli-linux-x64' \
+            './packages/cli-linux-x64-musl' \
+            './packages/cli-windows-arm64' \
+            './packages/cli-windows-x64' \
+            './apps/cli'
+
+      - name: Smoke test preview command
+        run: |
+          set -euo pipefail
+          preview_url="https://pkg.pr.new/supabase@${PR_NUMBER}"
+          npx --yes "${preview_url}" --version
+
+      - name: Update PR comment
+        run: |
+          set -euo pipefail
+          preview_url="https://pkg.pr.new/supabase@${PR_NUMBER}"
+          short_sha="${PR_HEAD_SHA:0:7}"
+          marker="<!-- pkg-pr-new-preview -->"
+          cat > comment.md <<EOF
+          ${marker}
+          ## pkg.pr.new preview
+
+          Published version \`${PREVIEW_VERSION}\` from commit [\`${short_sha}\`](https://github.com/${REPOSITORY}/commit/${PR_HEAD_SHA}) after tests passed.
+
+          \`\`\`sh
+          npx ${preview_url}
+          \`\`\`
+
+          \`\`\`sh
+          npx ${preview_url} --version
+          \`\`\`
+          EOF
+
+          jq -n --rawfile body comment.md '{ body: $body }' > comment.json
+          comment_id="$(
+            gh api "repos/${REPOSITORY}/issues/${PR_NUMBER}/comments" \
+              --paginate \
+              --jq '.[] | select(.body | contains("'"${marker}"'")) | .id' \
+              | head -n1
+          )"
+
+          if [[ -n "${comment_id}" ]]; then
+            gh api --method PATCH "repos/${REPOSITORY}/issues/comments/${comment_id}" --input comment.json >/dev/null
+          else
+            gh api --method POST "repos/${REPOSITORY}/issues/${PR_NUMBER}/comments" --input comment.json >/dev/null
+          fi

.github/workflows/release-shared.yml

@@ -53,75 +53,27 @@ on:
         required: false
 jobs:
   build:
-    runs-on: blacksmith-32vcpu-ubuntu-2404
-    env:
-      BUN_SHELL: ${{ inputs.shell }}
-      VERSION: ${{ inputs.version }}
+    name: Build CLI artifacts
+    uses: ./.github/workflows/build-cli-artifacts.yml
+    with:
+      version: ${{ inputs.version }}
+      shell: ${{ inputs.shell }}
+    secrets:
       SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
       POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
       POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup
-        uses: ./.github/actions/setup
-
-      - name: Setup Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          go-version-file: apps/cli-go/go.mod
-          cache: true
-          cache-dependency-path: apps/cli-go/go.sum
-
-      - name: Pre-download Go modules
-        working-directory: apps/cli-go
-        run: go mod download -x
-
-      - name: Install nfpm
-        run: |
-          echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
-          sudo apt-get update
-          sudo apt-get install -y nfpm
-
-      - name: Sync versions
-        run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"
-
-      - name: Build selected shell
-        run: pnpm exec bun apps/cli/scripts/build.ts --version "${VERSION}" --shell "${BUN_SHELL}"
-
-      - name: Verify build artifacts
-        run: |
-          for pkg in cli-darwin-arm64 cli-darwin-x64 cli-linux-arm64 cli-linux-arm64-musl cli-linux-x64 cli-linux-x64-musl cli-windows-arm64 cli-windows-x64; do
-            echo "Checking packages/$pkg/bin/..."
-            ls -la "packages/$pkg/bin/"
-          done
-          echo "Checking dist/..."
-          ls -la dist/
-
-      - name: Upload build artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: cli-build-${{ inputs.shell }}-${{ inputs.version }}
-          path: |
-            packages/cli-*/bin/
-            dist/
 
   smoke-test:
     needs: build
     strategy:
       fail-fast: false
-      # macos-15-intel is the slowest smoke leg and the only one not on
-      # Blacksmith (Blacksmith macOS is ARM-only). Drop it from the matrix
-      # on prereleases (PR smoke + develop -> beta) so beta wall-clock isn't
-      # gated by it; stable releases on main still run the full matrix.
-      # The matrix list is built via fromJSON because GitHub Actions does
-      # not allow the `matrix` context in a job-level `if:` (matrix
-      # expansion happens after job conditions are evaluated).
       matrix:
-        runner: ${{ fromJSON(inputs.prerelease && '["blacksmith-8vcpu-ubuntu-2404","blacksmith-6vcpu-macos-latest","blacksmith-8vcpu-windows-2025"]' || '["blacksmith-8vcpu-ubuntu-2404","blacksmith-6vcpu-macos-latest","macos-15-intel","blacksmith-8vcpu-windows-2025"]') }}
+        runner:
+          - blacksmith-8vcpu-ubuntu-2404
+          - blacksmith-6vcpu-macos-latest
+          - macos-15-intel
+          - blacksmith-8vcpu-windows-2025
+          - windows-11-arm
     runs-on: ${{ matrix.runner }}
     env:
       NPM_TAG: ${{ inputs.npm_tag }}