Native binary self-update

[danepowell]

Motivation

We need self-updates

Proposed changes

• Update consolidation/self-update to support native binaries: Support non-Phar releases (native binaries) consolidation/self-update#38

Alternatives considered

Testing steps

1. Follow the contribution guide to set up your development environment or download a pre-built acli.phar for this PR.
2. If running from source, clear the kernel cache to pick up new and changed commands: ./bin/acli ckc
3. Check for regressions: (add specific steps for this pr)
4. Check new functionality: (add specific steps for this pr)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.05%. Comparing base (7da12e4) to head (97d1f6e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main    #1935   +/-   ##
=========================================
  Coverage     92.05%   92.05%           
  Complexity     1894     1894           
=========================================
  Files           122      122           
  Lines          6958     6959    +1     
=========================================
+ Hits           6405     6406    +1     
  Misses          553      553           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Try the dev build for this PR: https://acquia-cli.s3.amazonaws.com/build/pr/1935/acli.phar

curl -OL https://acquia-cli.s3.amazonaws.com/build/pr/1935/acli.phar
chmod +x acli.phar

[Copilot]

Pull request overview

This PR enables self-updating functionality for native binary builds of Acquia CLI by integrating a custom fork of the consolidation/self-update package and adding support for ZIP-based artifact distribution.

Key Changes:

• Switched to a development fork of consolidation/self-update that supports native binary updates
• Added ZIP extension to the php-micro build configuration to support compressed artifacts
• Updated CI workflow to use ZIP format for php-micro distribution
• Added comprehensive documentation for building native binaries locally

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
var/craft.yml	Added zip extension to the PHP extensions list (alphabetically sorted) to support ZIP archive operations in native binaries
composer.json	Added custom repository for consolidation/self-update fork and updated dependency to use dev-native-binaries branch
composer.lock	Updated consolidation/self-update to development branch, upgraded Symfony packages to 7.4.x, added symfony/polyfill-php85, and updated several other dependencies
CONTRIBUTING.md	Added comprehensive documentation section on building native binaries, including php-micro build process and local compilation steps
.github/workflows/ci.yml	Changed php-micro artifact format from tar.gz to zip and removed chmod +x spc command

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The documentation example uses .tar.gz format for the php-micro download, but the CI workflow was changed to use .zip format. These should be consistent. Either update the documentation to use .zip or clarify why the local build uses a different format than CI.

Suggested change

	1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
	1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.zip" -o tmp.zip && unzip tmp.zip && rm tmp.zip`

[Copilot]

The build instructions download and execute binaries (php-micro and spc) using curl without any signature or checksum verification. An attacker who compromises the S3 bucket or release artifacts could serve a tampered tarball that would be executed during build, leading to supply-chain compromise. Verify artifact integrity before use by enforcing SHA256/SHA512 checksum or GPG signature validation, e.g.,

curl -fsSL "$URL" -o artifact.tar.gz \
  && curl -fsSL "$URL.sha256" -o artifact.tar.gz.sha256 \
  && sha256sum -c artifact.tar.gz.sha256 \
  && tar -xzf artifact.tar.gz

Suggested change

	1. Download php-micro: `curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz && tar -xzf tmp.tar.gz && rm tmp.tar.gz`
	2. Download spc: `curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz && tar -xzf spc.tar.gz && rm spc.tar.gz`
	1. Download php-micro:

curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz" -o tmp.tar.gz
curl -fsSL "https://acquia-cli.s3.us-east-1.amazonaws.com/static-php-cli/php-micro-8.4-macos-aarch64.tar.gz.sha256" -o tmp.tar.gz.sha256
sha256sum -c tmp.tar.gz.sha256
tar -xzf tmp.tar.gz
rm tmp.tar.gz tmp.tar.gz.sha256

2. Download spc:

curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz" -o spc.tar.gz
curl -fsSL "https://github.com/crazywhalecc/static-php-cli/releases/download/2.7.4/spc-macos-aarch64.tar.gz.sha256" -o spc.tar.gz.sha256
sha256sum -c spc.tar.gz.sha256
tar -xzf spc.tar.gz
rm spc.tar.gz spc.tar.gz.sha256

[danepowell]

Still needs work to make sure this doesn't break phar updates (check for both acli and acli.phar)

[danepowell]

We should find a way to do this without adding zip as a dependency for customers (ironically, the whole point of using native binaries in the first place 😂 )