feat: add portable CLI binaries for multi-platform Supabase CLI distribution

This commit implements portable, self-contained PostgreSQL binaries for the
Supabase CLI across macOS (ARM), Linux (x64), and Linux (ARM64), along with
automated CI/CD workflows for building and releasing these artifacts.

The Supabase CLI needs to ship PostgreSQL binaries that work on user machines
without requiring Nix or other system dependencies. This means extracting the
actual binaries from Nix's wrapper scripts, bundling all necessary shared
libraries, and patching them to use relative paths instead of hardcoded Nix
store paths.

A `variant` parameter was added to the postgres build pipeline to distinguish
between "full" (all extensions) and "cli" (minimal extensions for Supabase CLI).
The `cliExtensions` list contains 6 extensions required for running Supabase
migrations: supautils, pg_graphql, pgsodium, supabase_vault, pg_net, and pg_cron.
Built-in extensions (uuid-ossp, pgcrypto, pg_stat_statements) are included
automatically with PostgreSQL. `makeOurPostgresPkgs`/`makePostgresBin` were
modified to accept this parameter. A new `psql_17_cli` package is created using
`variant = "cli"`, while the full extension set is preserved for base packages
(`psql_15`, `psql_17`, `psql_orioledb-17`).

The portable CLI variant (`psql_17_cli_portable`) includes 6 extensions for
migration support while maintaining a significantly smaller size than the full
build. The implementation in
`nix/packages/postgres-portable.nix` extracts binaries from `psql_17_cli` using
a `resolve_binary()` function that follows wrapper layers to find the actual
ELF/Mach-O binaries behind Nix's environment setup scripts.

All Nix-provided libraries (ICU, readline, zlib, etc.) are bundled while
excluding system libraries (`libc`, `libpthread`, `libm`, `glibc`, `libdl`) that
must come from the host. This distinction is critical: Linux bundles must
exclude glibc due to kernel ABI dependencies, while macOS can include more libs
due to its different linking model. Dependency resolution runs multiple passes
to catch transitive deps (e.g., ICU → charset → etc.).

Platform-specific patching is applied: Linux binaries use the system interpreter
(`/lib64/ld-linux-*.so.2`) and `$ORIGIN`-based RPATHs, while macOS binaries use
`@rpath` with `@executable_path`. Wrapper scripts set `LD_LIBRARY_PATH` (Linux)
or `DYLD_LIBRARY_PATH` (macOS) to find bundled libraries. The bundle includes
PostgreSQL config templates (`postgresql.conf`, `pg_hba.conf`, `pg_ident.conf`)
tailored for CLI usage with minimal local dev settings, plus the complete
Supabase migration script (`migrate.sh`) with all init-scripts and migration
SQL files (55 files, 236KB).

A GitHub Actions workflow builds portable binaries across all three platforms
using a matrix strategy. Each build runs automated portability checks that
verify no `/nix/store` references remain, validate RPATH configuration, confirm
transitive dependencies are bundled, ensure system libraries are NOT bundled,
and check wrapper scripts contain proper library path setup. Post-build testing
validates binaries work without Nix (`postgres --version`, `psql --version`). On
tagged releases (`v*-cli`), the workflow creates GitHub releases with tarball
artifacts and checksums.

The test infrastructure needed significant changes to support variants with
different extension sets. An `isCliVariant` parameter was added to
`makeCheckHarness`, and the hardcoded `shared_preload_libraries` list in
`postgresql.conf.in` was replaced with a `@PRELOAD_LIBRARIES@` placeholder. A
`generatePreloadLibs` script now parses `receipt.json` at test time and
dynamically builds the preload list based on available extensions, removing the
previous timescaledb removal hack for OrioleDB.

For CLI variant tests, `prime.sql` is skipped (supautils is preloaded via
`shared_preload_libraries`), 35 extension-specific tests are filtered out, and
migrations tests are skipped as they may depend on extensions.

Author: LGUG2Z

.github/workflows/cli-release.yml

@@ -0,0 +1,243 @@
+name: CLI Release
+
+on:
+  push:
+    tags:
+      - "v*-cli"
+  pull_request:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version tag (e.g., v1.0.0-cli)"
+        required: true
+        type: string
+
+jobs:
+  build-native:
+    name: Build ${{ matrix.arch }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - system: aarch64-darwin
+            runner: macos-14
+            arch: darwin-arm64
+          - system: x86_64-linux
+            runner: ubuntu-latest
+            arch: linux-x64
+          - system: aarch64-linux
+            runner: ubuntu-24.04-arm
+            arch: linux-arm64
+    steps:
+      - name: Checkout repository
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
+      - name: Install Nix
+        uses: ./.github/actions/nix-install-ephemeral
+
+      - name: Run portability check
+        run: |
+          nix build .#checks.${{ matrix.system }}.psql_17_cli_portable --system ${{ matrix.system }} -L --accept-flake-config
+
+      - name: Build portable CLI bundle
+        run: |
+          nix build .#psql_17_cli_portable --system ${{ matrix.system }} -L --accept-flake-config
+
+      - name: Determine version
+        id: version
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            VERSION="${{ github.event.inputs.version }}"
+          else
+            VERSION="${{ github.ref_name }}"
+          fi
+          # Sanitize version by replacing slashes with dashes
+          VERSION="${VERSION//\//-}"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
+      - name: Prepare build directory
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          ARCH="${{ matrix.arch }}"
+          BUILD_DIR="supabase-postgres-${VERSION}-${ARCH}"
+
+          mkdir -p "${BUILD_DIR}"
+          shopt -s dotglob
+          cp -rL result/* "${BUILD_DIR}/"
+          shopt -u dotglob
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: supabase-postgres-${{ matrix.arch }}
+          path: supabase-postgres-${{ steps.version.outputs.version }}-${{ matrix.arch }}
+          retention-days: 90
+          include-hidden-files: true
+
+  test-portability:
+    name: ${{ matrix.arch }} without Nix
+    needs: [build-native]
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: macos-14
+            arch: darwin-arm64
+          - runner: ubuntu-latest
+            arch: linux-x64
+          - runner: ubuntu-24.04-arm
+            arch: linux-arm64
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: supabase-postgres-${{ matrix.arch }}
+          path: .
+
+      - name: Test binaries work without Nix
+        run: |
+          cd bin
+          find . -maxdepth 1 -type f -exec chmod +x {} +
+          ls -la
+
+          echo "Testing postgres --version..."
+          ./postgres --version
+
+          echo "Testing pg_config --version..."
+          ./pg_config --version
+
+          echo "Testing psql --version..."
+          ./psql --version
+
+          echo "Testing initdb --version..."
+          ./initdb --version
+
+      - name: Test migrations with CLI variant
+        run: |
+          set -e
+
+          # Create getkey script for pgsodium and vault
+          cat > pgsodium_getkey.sh << 'EOF'
+          #!/bin/bash
+          echo "0000000000000000000000000000000000000000000000000000000000000000"
+          EOF
+          chmod +x pgsodium_getkey.sh
+          GETKEY_SCRIPT="$(pwd)/pgsodium_getkey.sh"
+
+          # Initialize test database
+          PGDATA="$(pwd)/pgdata-test"
+          ./bin/initdb -D "$PGDATA" -U supabase_admin --no-instructions
+
+          # Copy CLI config and add pgsodium/vault getkey scripts
+          cp share/supabase-cli/config/postgresql.conf.template "$PGDATA/postgresql.conf"
+          cat >> "$PGDATA/postgresql.conf" << EOF
+
+          # pgsodium and vault configuration for testing
+          pgsodium.getkey_script = '$GETKEY_SCRIPT'
+          vault.getkey_script = '$GETKEY_SCRIPT'
+          EOF
+
+          # Start PostgreSQL
+          ./bin/postgres -D "$PGDATA" -p 54322 > postgres.log 2>&1 &
+          PG_PID=$!
+
+          # Wait for PostgreSQL to be ready
+          for i in {1..30}; do
+            if ./bin/pg_isready -p 54322 -h 127.0.0.1 -U supabase_admin > /dev/null 2>&1; then
+              echo "PostgreSQL is ready"
+              break
+            fi
+            if [ $i -eq 30 ]; then
+              echo "PostgreSQL failed to start"
+              cat postgres.log
+              exit 1
+            fi
+            sleep 1
+          done
+
+          # Run migrations
+          cd share/supabase-cli/migrations
+          chmod +x migrate.sh
+          echo "=========================================="
+          echo "Running migrations..."
+          echo "=========================================="
+          PATH="$(pwd)/../../../bin:$PATH" \
+          POSTGRES_PASSWORD=postgres \
+          POSTGRES_PORT=54322 \
+          POSTGRES_DB=postgres \
+          POSTGRES_USER=supabase_admin \
+          ./migrate.sh 2>&1 | tee migration.log
+          MIGRATION_STATUS=${PIPESTATUS[0]}
+
+          echo ""
+          echo "=========================================="
+          echo "Migration output complete"
+          echo "=========================================="
+
+          # Check migration results (allow pgbouncer migration to fail as it's not in CLI variant)
+          if [ $MIGRATION_STATUS -ne 0 ]; then
+            if grep -q "pgbouncer" migration.log; then
+              echo "Migration failed on expected pgbouncer error (not in CLI variant) - continuing"
+            else
+              echo "Migrations failed with unexpected errors"
+              exit 1
+            fi
+          fi
+
+          # Verify extensions are installed
+          cd ../../..
+          ./bin/psql -p 54322 -h 127.0.0.1 -U supabase_admin -d postgres -c "\dx" | tee extensions.log
+
+          # Check for required extensions
+          for ext in pg_graphql pgcrypto uuid-ossp supabase_vault; do
+            if ! grep -q "$ext" extensions.log; then
+              echo "Required extension $ext not found"
+              exit 1
+            fi
+          done
+
+          # Stop PostgreSQL
+          ./bin/pg_ctl -D "$PGDATA" stop -m fast
+
+          echo "Migration test completed successfully"
+
+  release:
+    name: Create GitHub Release
+    needs: [build-native, test-portability]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: write
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Prepare release assets
+        run: |
+          mkdir -p release
+
+          # Create tarballs from each artifact directory
+          for dir in artifacts/*/supabase-postgres-*; do
+            if [ -d "$dir" ]; then
+              basename=$(basename "$dir")
+              tarball="release/${basename}.tar.gz"
+
+              echo "Creating tarball: ${tarball}"
+              tar -czhf "${tarball}" -C "$(dirname "$dir")" "$(basename "$dir")"
+
+              # Generate checksum
+              sha256sum "${tarball}" > "${tarball}.sha256"
+            fi
+          done
+
+          ls -lh release/
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: release/*
+          generate_release_notes: true