fix(cli): retry + cache prebuild downloads in build-dist; add docker test

[saddlepaddle]

Why

After landing #4049, cli-v0.2.4 was re-tagged. Linux now passes (run) — but darwin-arm64 just failed inside build-dist.ts:

[build-dist] fetching Node-ABI better-sqlite3: https://github.com/WiseLibs/better-sqlite3/releases/download/v12.6.2/better-sqlite3-v12.6.2-node-v127-darwin-arm64.tar.gz
curl: (56) The requested URL returned error: 502
error: curl ... exited with 56

A single transient GitHub Releases 502 → full matrix is dead. Same single-shot curl was used for the Node download too, so this is a strictly weaker sibling of the same failure mode.

What changes

1. Resilient prebuild downloads (packages/cli/scripts/build-dist.ts)

• Route all curl through curlDownload(url, dest) with:
  • --retry 6 --retry-delay 2 --retry-all-errors — --retry-all-errors is required for curl to retry on 5xx (default retry only covers transport errors).
  • --connect-timeout 15 --max-time 180
  • Atomic write: download to ${dest}.partial, then renameSync — a half-finished file can't masquerade as a cache hit on the next run.
• Cache the better-sqlite3 prebuild on disk like the Node tarball already is, keyed by version + ABI + target. Re-running build-dist after a transient failure is now free.

2. Local Docker harness (packages/cli/scripts/build-dist-linux-docker.sh)

Reproduces the GH Actions Linux flow exactly (matches .github/workflows/build-cli.yml) inside the oven/bun:<.bun-version> image, for either linux-x64 or linux-arm64. Runs the same bun install --frozen --ignore-scripts → npm rebuild → build-dist → require() smoke test the CI workflow runs.

Usage:

packages/cli/scripts/build-dist-linux-docker.sh linux-x64
packages/cli/scripts/build-dist-linux-docker.sh linux-arm64

We can now validate build-cli.yml / build-dist.ts changes locally without burning release tag pushes.

Verification

• ✅ bun run build:dist --target=darwin-arm64 runs locally end-to-end against the patched build-dist.ts; smoke test (require('better-sqlite3'), node-pty, @parcel/watcher, libsql from the bundled Node) all OK.
• ✅ Cache path verified — second run prints [build-dist] using cached better-sqlite3: ... instead of re-fetching.
• ✅ Typecheck + lint clean.
• 🟡 Docker harness was running for linux-arm64 while writing this PR; will note the result in a follow-up comment.

Test plan

• CI green on this PR
• After merge, re-cut cli-v0.2.4 (delete + re-push the tag at the new main HEAD) to verify all three matrix targets land artifacts and the draft release + cli-latest pointer are created
• Optional: packages/cli/scripts/build-dist-linux-docker.sh linux-arm64 from a contributor's machine runs cleanly end-to-end

---

Summary by cubic

Make build-dist downloads resilient with retries, timeouts, and atomic writes, and cache the better-sqlite3 prebuild to prevent flaky 5xx failures. Add a Docker harness to reproduce the Linux CI build locally for linux-x64 and linux-arm64.

• Bug Fixes

  • Route all downloads through curlDownload() with --retry 6 --retry-delay 2 --retry-all-errors, tight timeouts, and atomic .partial → rename writes.
  • Cache the better-sqlite3 tarball by version/ABI/target in ~/.superset-build-cache; applies the retry wrapper to Node and better-sqlite3 downloads.

• New Features

  • Add packages/cli/scripts/build-dist-linux-docker.sh to mirror the GitHub Actions Linux flow in oven/bun:<.bun-version>.
  • Supports linux-x64 and linux-arm64; runs install, rebuilds node-pty and @parcel/watcher, builds, and smoke-tests (require('better-sqlite3'), node-pty, @parcel/watcher, libsql).

^{Written for commit 2217de4. Summary will update on new commits.}

Summary by CodeRabbit

• Chores
  • Improved Linux CLI build process with Docker support for reproducible builds across architectures
  • Enhanced build caching for native dependencies to accelerate compilation times
  • Added automatic retry mechanism for more reliable downloads during the build process

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Docker-based Linux CLI build automation and improves download/caching infrastructure in the TypeScript build script. The Docker script reproduces Linux builds (linux-x64, linux-arm64) in isolated containers with Node 22.22.2, validating native modules. TypeScript updates introduce atomic downloads and cache better-sqlite3 ABI tarballs.

Changes

Build Infrastructure: Download Helpers & Caching

Layer / File(s)	Summary
Download Utility packages/cli/scripts/build-dist.ts (lines 27–33, 141–168)	New curlDownload() helper atomically downloads files via curl with retry flags, writing to a .partial temp file before renaming.
Node Runtime Installation packages/cli/scripts/build-dist.ts (lines 170–184)	Node.js download in downloadAndExtractNode() replaced with curlDownload() for consistent, atomic retrieval.
Native Dependency Caching packages/cli/scripts/build-dist.ts (lines 315–330)	fixNativeBinariesForNode() caches better-sqlite3 ABI tarballs in ~/.superset-build-cache keyed by version/ABI/target, reusing cached tarballs on subsequent builds.
Docker Linux Build Automation packages/cli/scripts/build-dist-linux-docker.sh (lines 1–75)	New Bash script orchestrates reproducible Linux CLI builds in Docker; parses target (linux-x64 / linux-arm64), reads Bun version, installs OS dependencies, extracts Node 22.22.2, syncs repo, installs dependencies, rebuilds native modules, builds CLI distribution, and validates output with smoke tests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

In Docker's nest, the builder hops,
Caching tarballs, building blocks,
Linux x64 and arm64 aligned,
Atomic downloads, reproducible and kind,
Smoke tests run with hopeful cheer,
Build infrastructure crystal clear! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main changes: adding retry logic and caching to prebuild downloads, plus a new Docker test harness for local Linux builds.
Description check	✅ Passed	The description includes most required sections with clear explanations of the problem, changes, and verification steps, though some template sections (Screenshots, Related Issues link format) are not applicable or present.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cli-build-dist-curl-retries-and-local-test

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds retry + atomic-write logic to curlDownload() in build-dist.ts so a single transient GitHub Releases 5xx no longer kills the matrix, and caches the better-sqlite3 prebuild tarball the same way Node tarballs already are. A new local Docker harness (build-dist-linux-docker.sh) lets contributors reproduce the Linux CI build without cutting a release tag.

Confidence Score: 4/5

Safe to merge; changes are well-contained build-script improvements with no product-code impact.

Only P2 findings present. The core retry + caching logic in build-dist.ts is correct — atomic partial write, cache-key includes version + ABI + target, and --retry-all-errors is the right flag for 5xx coverage. The Docker script has minor inconsistencies (hardcoded Node version, unretried curl) but neither blocks the intended goal.

No files require special attention.

Important Files Changed

Filename	Overview
packages/cli/scripts/build-dist.ts	Adds curlDownload() helper with 6-retry logic, atomic .partial → rename writes, and disk-caching for the better-sqlite3 prebuild tarball. Both changes are well-scoped and correct.
packages/cli/scripts/build-dist-linux-docker.sh	New local Docker harness that mirrors CI. NODE_VERSION for the build-tool container (22.22.2) is intentionally different from the bundled runtime (22.13.0); ABI compatibility is maintained within Node 22.x, but the lack of a comment explaining this and the unretried curl

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[build-dist.ts starts] --> B{Node tarball cached?}
    B -- No --> C[curlDownload to archivePath.partial\nretry 6, delay 2s, --retry-all-errors]
    C --> D[renameSync .partial → archivePath]
    D --> E[tar -xzf archivePath]
    B -- Yes --> E
    E --> F[Copy node binary to dist]
    F --> G{better-sqlite3 tarball cached?}
    G -- No --> H[curlDownload to cachedTarball.partial\nretry 6, delay 2s, --retry-all-errors]
    H --> I[renameSync .partial → cachedTarball]
    I --> J[tar -xzf cachedTarball to tmp dir]
    G -- Yes --> J
    J --> K[cpSync .node binary to dist]
    K --> L[Build complete]

Loading

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
packages/cli/scripts/build-dist-linux-docker.sh:26
**`NODE_VERSION` differs from the bundled runtime**

The Docker script hardcodes `NODE_VERSION="22.22.2"` for the container's build tooling, while `build-dist.ts` defines `NODE_VERSION = "22.13.0"` as the Node runtime bundled into the distribution. These intentionally serve different roles, but they're both Node 22.x (ABI 127) so native modules compiled against 22.22.2 in the container will still be compatible with the bundled 22.13.0. However, if the CI workflow's *build tool* Node version ever diverges from 22.x (e.g., bumped to v24), the ABI assumption breaks and the smoke test would pass locally while CI fails. Consider extracting the build-tool Node version from `.nvmrc` / `build-cli.yml` or at least adding a comment linking the two constants.

### Issue 2 of 2
packages/cli/scripts/build-dist-linux-docker.sh:48-49
**Single-shot `curl | tar` in the container setup**

The whole motivation for this PR is that a transient 502 from GitHub/nodejs.org kills the pipeline. The Node.js installation step inside the container (`curl -fsSL … | tar -xJ`) uses bare curl with no retry flags, so a transient failure here still kills the docker run. Since this is a developer-local script (not CI), the impact is low, but it's inconsistent with the fix being applied to `build-dist.ts`. Adding `--retry 3 --retry-delay 2 --retry-all-errors` to this curl call would make it consistent.

_{Reviews (1): Last reviewed commit: "fix(cli): retry + cache prebuild downloa..." | Re-trigger Greptile}

[greptile-apps]

NODE_VERSION differs from the bundled runtime

The Docker script hardcodes NODE_VERSION="22.22.2" for the container's build tooling, while build-dist.ts defines NODE_VERSION = "22.13.0" as the Node runtime bundled into the distribution. These intentionally serve different roles, but they're both Node 22.x (ABI 127) so native modules compiled against 22.22.2 in the container will still be compatible with the bundled 22.13.0. However, if the CI workflow's build tool Node version ever diverges from 22.x (e.g., bumped to v24), the ABI assumption breaks and the smoke test would pass locally while CI fails. Consider extracting the build-tool Node version from .nvmrc / build-cli.yml or at least adding a comment linking the two constants.

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/cli/scripts/build-dist-linux-docker.sh
Line: 26

Comment:
**`NODE_VERSION` differs from the bundled runtime**

The Docker script hardcodes `NODE_VERSION="22.22.2"` for the container's build tooling, while `build-dist.ts` defines `NODE_VERSION = "22.13.0"` as the Node runtime bundled into the distribution. These intentionally serve different roles, but they're both Node 22.x (ABI 127) so native modules compiled against 22.22.2 in the container will still be compatible with the bundled 22.13.0. However, if the CI workflow's *build tool* Node version ever diverges from 22.x (e.g., bumped to v24), the ABI assumption breaks and the smoke test would pass locally while CI fails. Consider extracting the build-tool Node version from `.nvmrc` / `build-cli.yml` or at least adding a comment linking the two constants.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Single-shot curl | tar in the container setup

The whole motivation for this PR is that a transient 502 from GitHub/nodejs.org kills the pipeline. The Node.js installation step inside the container (curl -fsSL … | tar -xJ) uses bare curl with no retry flags, so a transient failure here still kills the docker run. Since this is a developer-local script (not CI), the impact is low, but it's inconsistent with the fix being applied to build-dist.ts. Adding --retry 3 --retry-delay 2 --retry-all-errors to this curl call would make it consistent.

Prompt To Fix With AI

This is a comment left during a code review.
Path: packages/cli/scripts/build-dist-linux-docker.sh
Line: 48-49

Comment:
**Single-shot `curl | tar` in the container setup**

The whole motivation for this PR is that a transient 502 from GitHub/nodejs.org kills the pipeline. The Node.js installation step inside the container (`curl -fsSL … | tar -xJ`) uses bare curl with no retry flags, so a transient failure here still kills the docker run. Since this is a developer-local script (not CI), the impact is low, but it's inconsistent with the fix being applied to `build-dist.ts`. Adding `--retry 3 --retry-delay 2 --retry-all-errors` to this curl call would make it consistent.

How can I resolve this? If you propose a fix, please make it concise.

[github-actions]

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

• ✅ Neon database branch

Thank you for your contribution! 🎉

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/cli/scripts/build-dist-linux-docker.sh (1)

45-46: ⚡ Quick win

Node.js download inside the container is a single-shot curl with no retry flags.

The whole motivation of this PR is resilient downloads, but the container's Node tarball fetch is a plain pipe without --retry, --connect-timeout, or --max-time. A transient 5xx or connection reset here fails the entire Docker run.

♻️ Proposed fix

-    curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
-      | tar -xJ -C /usr/local --strip-components=1
+    curl -fsSL --retry 6 --retry-delay 2 --retry-all-errors \
+         --connect-timeout 15 --max-time 180 \
+         -o /tmp/node.tar.xz \
+         "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz"
+    tar -xJ -C /usr/local --strip-components=1 -f /tmp/node.tar.xz
+    rm /tmp/node.tar.xz

Splitting the download and extract also means a partial download is never fed to tar.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/scripts/build-dist-linux-docker.sh` around lines 45 - 46,
Replace the one-shot piped curl+tar with a resilient two-step download and
extract: use curl with --fail plus retry flags (e.g., --retry,
--retry-connrefused, --retry-delay), connection and overall timeouts (e.g.,
--connect-timeout, --max-time) to download the Node tarball to a temporary file
(referencing NODE_VERSION and NODE_ARCH from the script), verify the download
succeeded (non-empty and curl exit code), then run tar -xJ -C /usr/local
--strip-components=1 against that temp file, and finally remove the temp file;
update the block that currently contains the piped curl/tar so it uses the temp
file approach and cleans up on error.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/cli/scripts/build-dist-linux-docker.sh`:
- Around line 58-59: The PTY_DIR assignment uses `ls -d` which can produce
multiple matches and break `cd "$PTY_DIR"`; replace that with shell glob
expansion into an array (matching
node_modules/.bun/node-pty@*/node_modules/node-pty), validate the array
cardinality (if zero -> exit with a clear error, if >1 -> exit with a clear
error instructing to clean the Bun store), then set PTY_DIR to the single
matched path and run the `(cd "$PTY_DIR" && npx --yes node-gyp rebuild)` step;
reference the PTY_DIR variable, the node-pty glob, and the node-gyp rebuild
invocation so reviewers can find and apply the change.

---

Nitpick comments:
In `@packages/cli/scripts/build-dist-linux-docker.sh`:
- Around line 45-46: Replace the one-shot piped curl+tar with a resilient
two-step download and extract: use curl with --fail plus retry flags (e.g.,
--retry, --retry-connrefused, --retry-delay), connection and overall timeouts
(e.g., --connect-timeout, --max-time) to download the Node tarball to a
temporary file (referencing NODE_VERSION and NODE_ARCH from the script), verify
the download succeeded (non-empty and curl exit code), then run tar -xJ -C
/usr/local --strip-components=1 against that temp file, and finally remove the
temp file; update the block that currently contains the piped curl/tar so it
uses the temp file approach and cleans up on error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 45918a7f-ff95-4e62-87d1-50bdcc50f8f6

📥 Commits

Reviewing files that changed from the base of the PR and between 4673929 and 2217de4.

📒 Files selected for processing (2)

• packages/cli/scripts/build-dist-linux-docker.sh
• packages/cli/scripts/build-dist.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

ls -d glob for node-pty directory is fragile with multiple-match results.

If the Bun store contains more than one node-pty@* entry (e.g., after a version bump without a clean install), ls returns multiple lines, PTY_DIR becomes a multi-line string, and cd "$PTY_DIR" fails with "too many arguments" — a confusing error that doesn't point back to this line. Use a glob with explicit cardinality validation instead.

♻️ Proposed fix

-    PTY_DIR=$(ls -d node_modules/.bun/node-pty@*/node_modules/node-pty)
-    (cd "$PTY_DIR" && npx --yes node-gyp rebuild)
+    mapfile -t PTY_DIRS < <(ls -d node_modules/.bun/node-pty@*/node_modules/node-pty 2>/dev/null || true)
+    if [[ ${`#PTY_DIRS`[@]} -ne 1 ]]; then
+      echo "Expected exactly 1 node-pty in Bun store, found ${`#PTY_DIRS`[@]}" >&2; exit 1
+    fi
+    (cd "${PTY_DIRS[0]}" && npx --yes node-gyp rebuild)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	PTY_DIR=$(ls -d node_modules/.bun/node-pty@*/node_modules/node-pty)
	(cd "$PTY_DIR" && npx --yes node-gyp rebuild)
	mapfile -t PTY_DIRS < <(ls -d node_modules/.bun/node-pty@*/node_modules/node-pty 2>/dev/null || true)
	if [[ ${`#PTY_DIRS`[@]} -ne 1 ]]; then
	echo "Expected exactly 1 node-pty in Bun store, found ${`#PTY_DIRS`[@]}" >&2; exit 1
	fi
	(cd "${PTY_DIRS[0]}" && npx --yes node-gyp rebuild)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/scripts/build-dist-linux-docker.sh` around lines 58 - 59, The
PTY_DIR assignment uses `ls -d` which can produce multiple matches and break `cd
"$PTY_DIR"`; replace that with shell glob expansion into an array (matching
node_modules/.bun/node-pty@*/node_modules/node-pty), validate the array
cardinality (if zero -> exit with a clear error, if >1 -> exit with a clear
error instructing to clean the Bun store), then set PTY_DIR to the single
matched path and run the `(cd "$PTY_DIR" && npx --yes node-gyp rebuild)` step;
reference the PTY_DIR variable, the node-pty glob, and the node-gyp rebuild
invocation so reviewers can find and apply the change.