5 changes: 2 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -142,11 +142,10 @@ jobs:
name: acli.phar
- name: "Download SPC and phpmicro"
run: |
curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-${{ matrix.platform }}.tar.gz" -o tmp.tar.gz
tar -xzf tmp.tar.gz
curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-${{ matrix.platform }}.zip" -o tmp.zip
unzip tmp.zip
Copilot AI Dec 2, 2025

[nitpick] The temporary zip file tmp.zip is not being cleaned up after extraction, while the previous implementation removed tmp.tar.gz. Consider adding rm tmp.zip after the unzip command for consistency and to avoid leaving temporary files in the workspace.

Suggested change
unzip tmp.zip
unzip tmp.zip
rm tmp.zip

curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-${{ matrix.platform }}.tar.gz" -o spc.tar.gz
tar -xzf spc.tar.gz
Copilot AI Dec 2, 2025

The removal of chmod +x spc may cause the workflow to fail if the extracted spc binary doesn't have execute permissions. The spc binary is invoked on line 151 with ./spc, which requires execute permissions. Verify that the extracted spc binary from the tar.gz archive has execute permissions by default, or restore this line.

Suggested change
tar -xzf spc.tar.gz
tar -xzf spc.tar.gz
chmod +x spc

chmod +x spc
- name: "Generate Executable"
run: |
./spc micro:combine acli.phar -M micro.sfx -O acli -I "memory_limit=2G"
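Review bot: the new `unzip tmp.zip` drops the cleanup the old `rm tmp.tar.gz` provided and, together with the removed `chmod +x spc`, makes this step depend on the permission bits stored in the archive; more importantly, neither download in this hunk is integrity-checked before it is executed. The php-micro URL (`php-micro-8.4-${{ matrix.platform }}.zip`) carries no version, so every CI run executes whatever object currently sits in the bucket, and the spc release is pinned by version (2.7.4) but not by digest. Suggest committing the expected SHA-256 for each artifact next to the workflow and verifying before extraction, e.g. `echo "<expected-sha256>  tmp.zip" | sha256sum -c -`, and either restoring `chmod +x spc` or adding `test -x spc` so a permission change in the archive fails at this step rather than at `./spc micro:combine`.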
16 changes: 16 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -22,6 +22,22 @@ To test changes in production mode, build and run `acli.phar` using this process
4. Install Box (only need to do this once): `composer box-install`
5. Compile phar: `composer box-compile`

### Building native binaries

We use [static-php-cli](https://github.com/crazywhalecc/static-php-cli) (spc) to compile native binaries for various platforms. Static-php-cli works by combining acli.phar and the php-micro runtime into a single executable, thereby removing any dependence on the system PHP version. We use a custom-built version of php-micro in order to provide only the extensions necessary to run Acquia CLI (and thereby minimize binary size).

To build a new version of php-micro (in order to update PHP versions or extensions):
1. Use the GitHub Actions workflow here: https://github.com/danepowell/static-php-cli/actions/workflows/build-unix.yml
2. Upload the resulting artifacts to this S3 bucket: `s3://acquia-cli/static-php-cli/`

Subsequent builds of Acquia CLI native binaries will automatically pull the latest version of php-micro from that bucket.

To build a native binary locally, after building `acli.phar` and `php-micro` as described above, follow these steps (examples are for macOS aarch64; adjust as necessary for other platforms):

1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
Copilot AI Dec 2, 2025

The documentation example uses .tar.gz format for the php-micro download, but the CI workflow was changed to use .zip format. These should be consistent. Either update the documentation to use .zip or clarify why the local build uses a different format than CI.

Suggested change
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.zip" -o tmp.zip && unzip tmp.zip && rm tmp.zip`

2. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
Comment on lines +37 to +38
Copilot AI Dec 2, 2025

The build instructions download and execute binaries (php-micro and spc) using curl without any signature or checksum verification. An attacker who compromises the S3 bucket or release artifacts could serve a tampered tarball that would be executed during build, leading to supply-chain compromise. Verify artifact integrity before use by enforcing SHA256/SHA512 checksum or GPG signature validation, e.g.,

curl -fsSL "$URL" -o artifact.tar.gz \
  && curl -fsSL "$URL.sha256" -o artifact.tar.gz.sha256 \
  && sha256sum -c artifact.tar.gz.sha256 \
  && tar -xzf artifact.tar.gz
Suggested change
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
2. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
1. Download php-micro:

curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz
curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz.sha256" -o tmp.tar.gz.sha256
sha256sum -c tmp.tar.gz.sha256
tar -xzf tmp.tar.gz
rm tmp.tar.gz tmp.tar.gz.sha256

2. Download spc:

curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz
curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz.sha256" -o spc.tar.gz.sha256
sha256sum -c spc.tar.gz.sha256
tar -xzf spc.tar.gz
rm spc.tar.gz spc.tar.gz.sha256

3. Compile the binary: `./spc micro:combine var/acli.phar -M micro.sfx -O acli -I "memory_limit=2G"`
Comment on lines +35 to +39
Copilot AI Dec 2, 2025

The documentation advises pulling php-micro artifacts from s3://acquia-cli/static-php-cli/ and subsequently using them for builds without any integrity checks. If the S3 bucket or its contents are tampered with, build participants will incorporate malicious binaries, enabling a supply-chain attack. Require checksum/GPG verification and restrict access (e.g., signed URLs, versioned objects) in the documented process before consuming artifacts.

Suggested change
To build a native binary locally, after building `acli.phar` and `php-micro` as described above, follow these steps (examples are for macOS aarch64; adjust as necessary for other platforms):
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
2. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
3. Compile the binary: `./spc micro:combine var/acli.phar -M micro.sfx -O acli -I "memory_limit=2G"`
**Security Note:** To prevent supply-chain attacks, always verify the integrity of downloaded `php-micro` artifacts before using them in builds. Obtain the SHA256 checksum (or GPG signature) for the artifact from a trusted source (e.g., `s3://acquia-cli/static-php-cli/checksums.txt` or a signed file), and verify it after download. Also, restrict access to the S3 bucket using signed URLs or versioned objects to prevent unauthorized modifications.
To build a native binary locally, after building `acli.phar` and `php-micro` as described above, follow these steps (examples are for macOS aarch64; adjust as necessary for other platforms):
1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz`
2. Download the corresponding checksum: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz.sha256" -o tmp.tar.gz.sha256`
3. Verify the checksum: `sha256sum -c tmp.tar.gz.sha256`
- If verification fails, **do not use the artifact** and report the issue.
4. Extract and clean up: `tar -xzf tmp.tar.gz && rm tmp.tar.gz tmp.tar.gz.sha256`
5. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
6. Compile the binary: `./spc micro:combine var/acli.phar -M micro.sfx -O acli -I "memory_limit=2G"`


### Writing tests

New code should be covered at 100% (or as close to it as reasonably possible) by PHPUnit tests. It should also minimize the number of escaped mutants (as close to 0% as reasonably possible), which will appear as annotations on your PR after unit tests run.
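Review bot: the sentence "Subsequent builds of Acquia CLI native binaries will automatically pull the latest version of php-micro from that bucket" documents an unversioned, mutable object in `s3://acquia-cli/static-php-cli/` as the trust root for every shipped binary, and the local steps (1 and 2) extract and run the downloaded archives with no integrity check. Suggest documenting versioned object names (or a recorded SHA-256 per php-micro build) and a verification step before `tar -xzf` and `./spc`, and aligning the archive format with CI: the workflow in this PR now downloads `php-micro-8.4-<platform>.zip` while step 1 here uses `.tar.gz`, so a contributor following this section exercises a different artifact than the release pipeline. The php-micro build link also points at a personal fork (`danepowell/static-php-cli`); recording the branch or commit used there would make the runtime build reproducible.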
6 changes: 5 additions & 1 deletion composer.json
Expand Up @@ -15,6 +15,10 @@
{
"type": "github",
"url": "https://github.com/danepowell/amplitude-php"
},
{
"type": "github",
"url": "https://github.com/danepowell/self-update"
}
],
"require": {
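Review bot: the added repository entry points Composer at a personal fork (`danepowell/self-update`) instead of the upstream `consolidation/self-update` project, so anyone with push access to that fork controls what `composer update` installs into the tool's self-update path. Suggest recording in CONTRIBUTING.md why the fork is needed (the upstream change it carries) and the condition for removing this entry once a tagged upstream release includes it.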
Expand All @@ -23,7 +27,7 @@
"acquia/drupal-environment-detector": "^1.7.0",
"bugsnag/bugsnag": "^3.29",
"composer/semver": "^3.3",
"consolidation/self-update": "^3.1.0",
"consolidation/self-update": "dev-native-binaries as 3.1.0",
"dflydev/dot-access-data": "^3",
"grasmash/expander": "^3.0.1",
"guzzlehttp/guzzle": "^7.4",
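Review bot: `"consolidation/self-update": "dev-native-binaries as 3.1.0"` replaces a tagged constraint with a mutable branch; composer.lock pins the current commit, but every `composer update` follows the branch head, and the inline alias lets any package requiring `^3.1` accept the fork without surfacing the substitution. Suggest pinning to a commit (`dev-native-binaries#<commit-sha> as 3.1.0`) until upstream tags a release, and confirming that release builds run `composer install` from the lock file so CI and local builds cannot drift to a different revision.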