Conversation


@danepowell danepowell commented Dec 1, 2025

Motivation

We need self-updates

Proposed changes

Alternatives considered

Testing steps

  1. Follow the contribution guide to set up your development environment or download a pre-built acli.phar for this PR.
  2. If running from source, clear the kernel cache to pick up new and changed commands: ./bin/acli ckc
  3. Check for regressions: (add specific steps for this PR)
  4. Check new functionality: (add specific steps for this PR)


codecov bot commented Dec 1, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.04%. Comparing base (b3eef81) to head (59c93d2).

Additional details and impacted files
@@            Coverage Diff            @@
##               main    #1935   +/-   ##
=========================================
  Coverage     92.04%   92.04%           
  Complexity     1888     1888           
=========================================
  Files           122      122           
  Lines          6948     6948           
=========================================
  Hits           6395     6395           
  Misses          553      553           



github-actions bot commented Dec 1, 2025

Try the dev build for this PR: https://acquia-cli.s3.amazonaws.com/build/pr/1935/acli.phar

curl -OL https://acquia-cli.s3.amazonaws.com/build/pr/1935/acli.phar
chmod +x acli.phar

@danepowell danepowell marked this pull request as ready for review December 2, 2025 19:22
Copilot AI review requested due to automatic review settings December 2, 2025 19:22
Copilot finished reviewing on behalf of danepowell December 2, 2025 19:24
Copilot AI left a comment


Pull request overview

This PR enables self-updating functionality for native binary builds of Acquia CLI by integrating a custom fork of the consolidation/self-update package and adding support for ZIP-based artifact distribution.

Key Changes:

  • Switched to a development fork of consolidation/self-update that supports native binary updates
  • Added ZIP extension to the php-micro build configuration to support compressed artifacts
  • Updated CI workflow to use ZIP format for php-micro distribution
  • Added comprehensive documentation for building native binaries locally

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

Summary per file:

  • var/craft.yml: Added zip extension to the PHP extensions list (alphabetically sorted) to support ZIP archive operations in native binaries
  • composer.json: Added custom repository for consolidation/self-update fork and updated dependency to use dev-native-binaries branch
  • composer.lock: Updated consolidation/self-update to development branch, upgraded Symfony packages to 7.4.x, added symfony/polyfill-php85, and updated several other dependencies
  • CONTRIBUTING.md: Added comprehensive documentation section on building native binaries, including php-micro build process and local compilation steps
  • .github/workflows/ci.yml: Changed php-micro artifact format from tar.gz to zip and removed chmod +x spc command



To build a native binary locally, after building `acli.phar` and `php-micro` as described above, follow these steps (examples are for macOS aarch64; adjust as necessary for other platforms):

1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
Copilot AI Dec 2, 2025


The documentation example uses .tar.gz format for the php-micro download, but the CI workflow was changed to use .zip format. These should be consistent. Either update the documentation to use .zip or clarify why the local build uses a different format than CI.

Suggested change
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.zip" -o tmp.zip && unzip tmp.zip && rm tmp.zip`

curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-${{ matrix.platform }}.zip" -o tmp.zip
unzip tmp.zip
curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-${{ matrix.platform }}.tar.gz" -o spc.tar.gz
tar -xzf spc.tar.gz
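Review bot: the php-micro fetch on the first curl line has no integrity check and its object key carries only the PHP minor (8.4), whereas spc on the third curl line is pinned to release 2.7.4; anything able to rewrite that S3 object changes every CI build silently. Publish a .sha256 file beside the zip and run `sha256sum -c` (or `shasum -a 256 -c` on macOS runners) before `unzip tmp.zip`, and consider an exact build identifier in the php-micro key so that picking up a new build is an explicit change in this workflow rather than a side effect of the object being replaced.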
Copilot AI Dec 2, 2025


The removal of chmod +x spc may cause the workflow to fail if the extracted spc binary doesn't have execute permissions. The spc binary is invoked on line 151 with ./spc, which requires execute permissions. Verify that the extracted spc binary from the tar.gz archive has execute permissions by default, or restore this line.

Suggested change
tar -xzf spc.tar.gz
tar -xzf spc.tar.gz
chmod +x spc

curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-${{ matrix.platform }}.tar.gz" -o tmp.tar.gz
tar -xzf tmp.tar.gz
curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-${{ matrix.platform }}.zip" -o tmp.zip
unzip tmp.zip
Copilot AI Dec 2, 2025


[nitpick] The temporary zip file tmp.zip is not being cleaned up after extraction, while the previous implementation removed tmp.tar.gz. Consider adding rm tmp.zip after the unzip command for consistency and to avoid leaving temporary files in the workspace.

Suggested change
unzip tmp.zip
unzip tmp.zip
rm tmp.zip

Comment on lines +37 to +38
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
2. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
Copilot AI Dec 2, 2025


The build instructions download and execute binaries (php-micro and spc) using curl without any signature or checksum verification. An attacker who compromises the S3 bucket or release artifacts could serve a tampered tarball that would be executed during build, leading to supply-chain compromise. Verify artifact integrity before use by enforcing SHA256/SHA512 checksum or GPG signature validation, e.g.,

curl -fsSL "$URL" -o artifact.tar.gz \
  && curl -fsSL "$URL.sha256" -o artifact.tar.gz.sha256 \
  && sha256sum -c artifact.tar.gz.sha256 \
  && tar -xzf artifact.tar.gz
Suggested change
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
2. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
1. Download php-micro:

curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz
curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz.sha256" -o tmp.tar.gz.sha256
sha256sum -c tmp.tar.gz.sha256
tar -xzf tmp.tar.gz
rm tmp.tar.gz tmp.tar.gz.sha256

2. Download spc:

curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz
curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz.sha256" -o spc.tar.gz.sha256
sha256sum -c spc.tar.gz.sha256
tar -xzf spc.tar.gz
rm spc.tar.gz spc.tar.gz.sha256

Comment on lines +35 to +39
To build a native binary locally, after building `acli.phar` and `php-micro` as described above, follow these steps (examples are for macOS aarch64; adjust as necessary for other platforms):

1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
2. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
3. Compile the binary: `./spc micro:combine var/acli.phar -M micro.sfx -O acli -I "memory_limit=2G"`
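Review bot: step 3 passes `-M micro.sfx`, but none of the three steps says where that file comes from or where it ends up; state in step 1 that extracting the php-micro archive produces `micro.sfx` in the current directory (or give the path it lands in), so a reader following the steps literally can tell the `-M` argument is correct before running `./spc micro:combine`.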
Copilot AI Dec 2, 2025


The documentation advises pulling php-micro artifacts from s3://acquia-cli/static-php-cli/ and subsequently using them for builds without any integrity checks. If the S3 bucket or its contents are tampered with, build participants will incorporate malicious binaries, enabling a supply-chain attack. Require checksum/GPG verification and restrict access (e.g., signed URLs, versioned objects) in the documented process before consuming artifacts.

Suggested change
To build a native binary locally, after building `acli.phar` and `php-micro` as described above, follow these steps (examples are for macOS aarch64; adjust as necessary for other platforms):
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
2. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
3. Compile the binary: `./spc micro:combine var/acli.phar -M micro.sfx -O acli -I "memory_limit=2G"`
**Security Note:** To prevent supply-chain attacks, always verify the integrity of downloaded `php-micro` artifacts before using them in builds. Obtain the SHA256 checksum (or GPG signature) for the artifact from a trusted source (e.g., `s3://acquia-cli/static-php-cli/checksums.txt` or a signed file), and verify it after download. Also, restrict access to the S3 bucket using signed URLs or versioned objects to prevent unauthorized modifications.
To build a native binary locally, after building `acli.phar` and `php-micro` as described above, follow these steps (examples are for macOS aarch64; adjust as necessary for other platforms):
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz`
2. Download the corresponding checksum: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz.sha256" -o tmp.tar.gz.sha256`
3. Verify the checksum: `sha256sum -c tmp.tar.gz.sha256`
- If verification fails, **do not use the artifact** and report the issue.
4. Extract and clean up: `tar -xzf tmp.tar.gz && rm tmp.tar.gz tmp.tar.gz.sha256`
5. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
6. Compile the binary: `./spc micro:combine var/acli.phar -M micro.sfx -O acli -I "memory_limit=2G"`

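Both Copilot comments above ask for checksum verification before the downloaded php-micro and spc archives are unpacked. As an added example, not code from the PR or from the Copilot suggestions, here is a POSIX shell helper that checks an artifact against a detached SHA-256 list in `sha256sum -c` format and extracts it only when the digest matches; the checksum file name and layout are assumptions, since the PR publishes no such file.

```shell
#!/bin/sh
# Added example (not part of the PR or the Copilot suggestions): verify a downloaded
# build artifact against a detached SHA-256 list before extracting it, and refuse to
# extract on mismatch. The checksum-file layout ("<hex>  <filename>") is an assumption.
set -eu

# Use whichever SHA-256 tool the host provides (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact ARTIFACT CHECKSUM_FILE
# CHECKSUM_FILE holds one "<hex>  <filename>" line per artifact (a leading "*" for
# binary mode is tolerated). Succeeds only when the artifact's digest matches its
# recorded entry; a missing entry is treated as a failure, not as "nothing to check".
verify_artifact() {
  artifact=$1
  sums=$2
  name=$(basename "$artifact")
  expected=$(awk -v f="$name" '{ sub(/^\*/, "", $2) } $2 == f { print tolower($1); exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 1
  fi
  actual=$(sha256_of "$artifact")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
}

# verify_then_extract ARTIFACT CHECKSUM_FILE DEST_DIR
# Unpacks a .tar.gz or .zip only after verification succeeds; nothing is written otherwise.
verify_then_extract() {
  verify_artifact "$1" "$2" || return 1
  mkdir -p "$3"
  case "$1" in
    *.tar.gz) tar -xzf "$1" -C "$3" ;;
    *.zip)    unzip -oq "$1" -d "$3" ;;
    *) echo "unsupported archive: $1" >&2; return 1 ;;
  esac
}
```

The checksum list must come over a path the attacker of the artifact bucket cannot also rewrite (a release page, a signed file, or the repository itself), otherwise the check only detects transfer corruption.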
@danepowell danepowell marked this pull request as draft December 2, 2025 19:27
@danepowell danepowell (Contributor, Author) commented

Still needs work to make sure this doesn't break phar updates (check for both acli and acli.phar)
