fix(cli): inject Sentry DSN and PostHog credentials into Go binary#5314
Merged
Conversation
The legacy CLI shell forwards telemetry through the bundled `supabase-go` binary. `utils.SentryDsn`, `utils.PostHogAPIKey`, and `utils.PostHogEndpoint` are assigned at compile time via `-ldflags -X`, but the Bun build script only injected `utils.Version`. As a result the released binary ran with empty credentials: the PostHog client became a no-op and Sentry's crash reporting was disabled. PostHog events stopped flowing on 2026-05-18 after v2.98.2 — the last build produced by the previous goreleaser pipeline. Read `SENTRY_DSN`, `POSTHOG_API_KEY`, and `POSTHOG_ENDPOINT` from `process.env` inside `buildGoTarget` and append a corresponding `-X` flag only when the value is set, so local and PR smoke builds remain credential-free. Expose the three repo secrets to the build step in `release-shared.yml` so release builds get them populated. Fixes CLI-1506
jgoux
approved these changes
May 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changed
apps/cli/scripts/build.ts—buildGoTargetnow readsSENTRY_DSN,POSTHOG_API_KEY, andPOSTHOG_ENDPOINTfromprocess.envand appends a matching-X github.com/supabase/cli/internal/utils.{SentryDsn,PostHogAPIKey,PostHogEndpoint}=...segment to the Go linker flags when the value is set..github/workflows/release-shared.yml— thebuildjob'senv:block now exposes the three repo secrets so release builds get the values populated.Why
Companion fix to #5313. The legacy CLI shell forwards telemetry through the bundled
supabase-gobinary, which reads its Sentry DSN and PostHog credentials from-ldflags -X-injected vars. The bun build script only injectedutils.Version, so every release after the goreleaser → bun-script migration shipped with empty credentials:apps/cli-go/internal/telemetry/service.go:61constructs the PostHog client with an empty key and host → the client returns a no-op (internal/telemetry/client.go:32-56).apps/cli-go/cmd/root.go:78initializes Sentry with an empty DSN → no-op client.PostHog event flow stopped on 2026-05-18 with v2.98.2 (the last build produced by the prior pipeline). Restoring these injections matches the historical
.goreleaser.ymlbehavior using the same three repo secrets, which already exist (gh secret list --repo supabase/cli).Reviewer notes
nextshell carries hardcoded PostHog defaults with runtime env overrides (apps/cli/src/next/config/cli-config.layer.ts), andlegacydelegates everything to the Go binary viaLegacyGoProxy.SENTRY_DSN=… POSTHOG_API_KEY=… POSTHOG_ENDPOINT=… pnpm exec bun apps/cli/scripts/build.ts --version 2.100.1 --shell legacyproduces asupabase-gowhosestringsoutput contains the three sentinel values; running the same command with the envs unset produces a binary with none of them.Fixes CLI-1506