From 4e74d14a0a5e58d0061379070ecd99154ea9ef87 Mon Sep 17 00:00:00 2001 From: Colum Ferry Date: Wed, 20 May 2026 11:46:22 +0100 Subject: [PATCH] fix(cli): inject Sentry DSN and PostHog credentials into Go binary MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The legacy CLI shell forwards telemetry through the bundled `supabase-go` binary. `utils.SentryDsn`, `utils.PostHogAPIKey`, and `utils.PostHogEndpoint` are assigned at compile time via `-ldflags -X`, but the Bun build script only injected `utils.Version`. As a result the released binary ran with empty credentials: the PostHog client became a no-op and Sentry's crash reporting was disabled. PostHog events stopped flowing on 2026-05-18 after v2.98.2 — the last build produced by the previous goreleaser pipeline. Read `SENTRY_DSN`, `POSTHOG_API_KEY`, and `POSTHOG_ENDPOINT` from `process.env` inside `buildGoTarget` and append a corresponding `-X` flag only when the value is set, so local and PR smoke builds remain credential-free. Expose the three repo secrets to the build step in `release-shared.yml` so release builds get them populated. Fixes CLI-1506
---
.github/workflows/release-shared.yml | 3 +++ apps/cli/scripts/build.ts | 15 ++++++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-shared.yml b/.github/workflows/release-shared.yml
index aed96350a..4443f80cb 100644
--- a/.github/workflows/release-shared.yml
+++ b/.github/workflows/release-shared.yml
@@ -49,6 +49,9 @@ jobs:
 env:
 BUN_SHELL: ${{ inputs.shell }}
 VERSION: ${{ inputs.version }}
+ SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+ POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
+ POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
diff --git a/apps/cli/scripts/build.ts b/apps/cli/scripts/build.ts
index 524cae04b..07cca0def 100644
--- a/apps/cli/scripts/build.ts
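Review bot: In `release-shared.yml`, `SENTRY_DSN`, `POSTHOG_API_KEY` and `POSTHOG_ENDPOINT` are added to the `env:` map that sits directly before `steps:`, which appears to be job scope, so every step in the job, including checkout and any third-party action, receives them, whereas the commit message describes exposing them to the build step. Moving the three entries to an `env:` block on the step that runs the build script would limit them to the one consumer. Indentation is not visible in this view, so the level should be confirmed; the job definition continues outside the hunk.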
+++ b/apps/cli/scripts/build.ts
@@ -125,7 +125,20 @@ async function buildGoTarget(target: (typeof TARGETS)[number]) {
 const outfile = path.join(binDir, `supabase-go${target.ext}`);
 console.log(`[${target.pkg}] Compiling Go CLI (${goos}/${goarch})...`);
- const goLdflags = `-s -w -X github.com/supabase/cli/internal/utils.Version=${version}`;
+ const ldflagParts = ["-s", "-w", `-X github.com/supabase/cli/internal/utils.Version=${version}`];
+ const { SENTRY_DSN, POSTHOG_API_KEY, POSTHOG_ENDPOINT } = process.env;
+ if (SENTRY_DSN) {
+ ldflagParts.push(`-X github.com/supabase/cli/internal/utils.SentryDsn=${SENTRY_DSN}`);
+ }
+ if (POSTHOG_API_KEY) {
+ ldflagParts.push(`-X github.com/supabase/cli/internal/utils.PostHogAPIKey=${POSTHOG_API_KEY}`);
+ }
+ if (POSTHOG_ENDPOINT) {
+ ldflagParts.push(
+ `-X github.com/supabase/cli/internal/utils.PostHogEndpoint=${POSTHOG_ENDPOINT}`,
+ );
+ }
+ const goLdflags = ldflagParts.join(" ");
 await $`go build -trimpath -ldflags=${goLdflags} -o ${outfile} .`.cwd(goSource).env({
 ...process.env,
 GOOS: goos,
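Review bot: The three environment values are spliced unquoted into the space-joined `-ldflags` string, and the Go toolchain splits that string into fields again before invoking the linker, so a value containing whitespace or a quote character would be broken into additional linker arguments instead of being stored in the variable. The values come from CI secrets, so this is more likely a misconfiguration than hostile input, but a check before each `push` would make it fail with a clear message, e.g. `if (/[\s'"]/.test(value)) throw new Error(name + " must not contain whitespace or quotes");`. Separately, the `if` guards mean an unset secret in the release workflow still yields an empty-credential binary with no signal, so logging which of the three names were injected (names only, never the values) would make that visible in the build log. `buildGoTarget` begins before this hunk and continues past it.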