Skip to content

Commit 310e453

Browse files
supabase-cli-releaser[bot]jgouxColy0107ttpdependabot[bot]
authored
chore: production deploy (#5471)
- **chore: sync API types from infrastructure (#5417)** - **fix(cli): read Go Windows credentials in legacy TS (#5418)** - **fix(ci): pass release channel to PR smoke workflow (#5419)** - **fix(cli): enable vector buckets by default (#5421)** - **fix(cli): bind a free port for edge-runtime diff containers (#5424)** - **ci(cli): publish pkg.pr.new previews after preview builds (#5420)** - **feat(ci): notify Slack on release failures regardless of channel (#5425)** - **feat(cli): port telemetry (#5422)** - **docs(cli): modernize README and add installer (#5428)** - **fix(docker): check Supabase image updates hourly (#5429)** - **ci(cli): publish pkg.pr.new previews on pull requests (#5427)** - **fix(docker): restore daily Dependabot schedule (#5430)** - **fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 5 updates (#5431)** - **fix(cli): read Go Windows credentials via findCredentials (#5423)** - **chore: sync API types from infrastructure (#5434)** - **chore(ci): update Dependabot Go module paths (#5435)** - **ci(release): use app token for release tag pushes (#5432)** - **fix(deps): bump the go-minor group across 2 directories with 7 updates (#5437)** - **fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 2 updates (#5436)** - **feat(cli): port link and unlink commands to native TypeScript (#5426)** - **feat(cli): port init (#5433)** - **ci(release): use app token checkout for release pushes (#5439)** - **fix(deps): bump the actions-major group across 1 directory with 14 updates (#5342)** - **fix(docker): bump supabase/studio from 2026.06.01-sha-a4334a2 to 2026.06.03-sha-0bca601 in /apps/cli-go/pkg/config/templates in the docker-minor group (#5441)** - **chore(ci): add CLI preview PR comment (#5440)** - **chore(ci): bump the actions-major group with 2 updates (#5443)** - **chore(ci): use non-releasing actions dependabot prefix (#5442)** - **fix(cli): inject S3 and sb key env variables into Studio (#5438)** - **ci(preview): allow preview package PR comment (#5444)** - **chore(release): add LLM release-notes prompt and approval-based publish pipeline (#5330)** - **chore(ci): fix propose release workflow dispatch (#5447)** - **chore(ci): update workflows to skip CI for release-notes PRs (#5455)** - **feat(cli): port login and logout commands to native TypeScript (#5446)** - **chore(ci): bump aws-actions/configure-aws-credentials from 6.1.2 to 6.1.3 in the actions-major group (#5463)** - **fix(docker): bump supabase/realtime from v2.103.1 to v2.103.2 in /apps/cli-go/pkg/config/templates in the docker-minor group (#5464)** - **fix(cli): persist legacy telemetry opt-out (#5465)** - **fix(cli): restore Go debug output parity (#5467)** --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com> Co-authored-by: Julien Goux <hi@jgoux.dev> Co-authored-by: Colum Ferry <cferry09@gmail.com> Co-authored-by: Vaibhav <117663341+7ttp@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: VERSA SYNC STUDIOS <206948228+Versa-Sync-Studios@users.noreply.github.com> Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>
1 parent 1d1e719 commit 310e453

147 files changed

Lines changed: 9556 additions & 980 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/actionlint.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
self-hosted-runner:
2+
labels:
3+
- blacksmith-32vcpu-ubuntu-2404
4+
- blacksmith-8vcpu-ubuntu-2404
5+
- blacksmith-6vcpu-macos-latest
6+
- blacksmith-8vcpu-windows-2025

.github/dependabot.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,16 +5,22 @@ updates:
55
schedule:
66
interval: "cron"
77
cronjob: "0 0 * * *"
8+
commit-message:
9+
prefix: "chore(ci): "
810
groups:
911
actions-major:
1012
patterns:
1113
- "*"
14+
ignore:
15+
- dependency-name: "supabase/setup-cli"
16+
update-types:
17+
- "version-update:semver-major"
1218
cooldown:
1319
default-days: 7
1420
- package-ecosystem: "gomod"
1521
directories:
16-
- "/"
17-
- "pkg"
22+
- "/apps/cli-go"
23+
- "/apps/cli-go/pkg"
1824
schedule:
1925
interval: "cron"
2026
cronjob: "0 0 * * *"
@@ -57,3 +63,5 @@ updates:
5763
- dependency-name: "timberio/vector"
5864
cooldown:
5965
default-days: 7
66+
exclude:
67+
- "supabase/*"
Lines changed: 113 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,113 @@
1+
name: Apply release notes
2+
3+
# Approval-based publish. When a member of the supabase/cli team approves a
4+
# release-notes PR (head ref `release-notes/v<VERSION>`), this workflow pushes
5+
# the proposed notes to the GitHub Release body for the corresponding tag,
6+
# comments the release URL on the PR, and closes the PR without merging. The
7+
# release-notes PR targets `develop` (not `main`) so an accidental merge can
8+
# never rewrite `main`'s history; the file is not meant to land on any branch.
9+
#
10+
# Mirrors the fast-forward job in release.yml, which already gates on a
11+
# `pull_request_review` + `approved` event.
12+
13+
on:
14+
pull_request_review:
15+
types: [submitted]
16+
17+
permissions:
18+
contents: read
19+
20+
jobs:
21+
authorize:
22+
# `state == 'open'` makes re-approvals on an already-closed PR a no-op
23+
# (a reviewer can re-approve from the GitHub UI even after close).
24+
if: |
25+
github.event.review.state == 'approved' &&
26+
startsWith(github.event.pull_request.head.ref, 'release-notes/') &&
27+
github.event.pull_request.base.ref == 'develop' &&
28+
github.event.pull_request.state == 'open'
29+
runs-on: ubuntu-latest
30+
permissions:
31+
pull-requests: write
32+
outputs:
33+
authorized: ${{ steps.check.outputs.authorized }}
34+
steps:
35+
# App token: needs `orgs/.../teams/.../memberships` read (the org-installed
36+
# App has it), repo write to edit the release, and PR write to comment
37+
# and close. Matches release.yml's fast-forward step.
38+
- id: app-token
39+
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
40+
with:
41+
client-id: ${{ vars.GH_APP_CLIENT_ID }}
42+
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
43+
44+
- name: Authorize approver against supabase/cli team
45+
id: check
46+
env:
47+
GH_TOKEN: ${{ steps.app-token.outputs.token }}
48+
APPROVER: ${{ github.event.review.user.login }}
49+
PR_NUMBER: ${{ github.event.pull_request.number }}
50+
# Fail closed: any response other than an active membership means the
51+
# approval is ignored. We post a comment so the reviewer sees why their
52+
# approval didn't apply, then exit 0 so the workflow isn't flagged red.
53+
run: |
54+
set -euo pipefail
55+
status=$(gh api \
56+
-H "Accept: application/vnd.github+json" \
57+
"orgs/supabase/teams/cli/memberships/${APPROVER}" \
58+
--jq '.state' 2>/dev/null || true)
59+
if [ "$status" != "active" ]; then
60+
echo "Approver @${APPROVER} is not an active supabase/cli team member (state='${status:-none}'); ignoring approval." >&2
61+
gh pr comment "$PR_NUMBER" --repo "${{ github.repository }}" --body \
62+
"@${APPROVER} is not an active \`supabase/cli\` team member, so this approval was ignored. Ask a team member to approve to publish the notes."
63+
echo "authorized=false" >> "$GITHUB_OUTPUT"
64+
exit 0
65+
fi
66+
echo "authorized=true" >> "$GITHUB_OUTPUT"
67+
68+
apply:
69+
needs: authorize
70+
if: needs.authorize.outputs.authorized == 'true'
71+
runs-on: ubuntu-latest
72+
permissions:
73+
contents: write
74+
pull-requests: write
75+
steps:
76+
- id: app-token
77+
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
78+
with:
79+
client-id: ${{ vars.GH_APP_CLIENT_ID }}
80+
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
81+
82+
# Checkout the PR head so any reviewer edits made in the GitHub UI before
83+
# approval are captured. apply-release-notes.ts reads from the working
84+
# tree.
85+
- uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
86+
with:
87+
ref: ${{ github.event.pull_request.head.sha }}
88+
fetch-depth: 1
89+
persist-credentials: false
90+
91+
- uses: ./.github/actions/setup
92+
93+
- name: Apply notes, comment, and close
94+
env:
95+
GH_TOKEN: ${{ steps.app-token.outputs.token }}
96+
HEAD_REF: ${{ github.event.pull_request.head.ref }}
97+
PR_NUMBER: ${{ github.event.pull_request.number }}
98+
APPROVER: ${{ github.event.review.user.login }}
99+
# The branch is named `release-notes/v<VERSION>`, so the tag is just
100+
# the basename. apply-release-notes.ts validates the file's existence.
101+
run: |
102+
set -euo pipefail
103+
tag="${HEAD_REF##release-notes/}"
104+
if [[ ! "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-(beta|alpha)\.[0-9]+)?$ ]]; then
105+
echo "Unexpected head ref '$HEAD_REF'; cannot derive tag." >&2
106+
exit 1
107+
fi
108+
echo "==> Applying notes for $tag"
109+
pnpm exec bun apps/cli/scripts/apply-release-notes.ts --tag "$tag"
110+
release_url="https://github.com/${{ github.repository }}/releases/tag/${tag}"
111+
gh pr comment "$PR_NUMBER" --repo "${{ github.repository }}" --body \
112+
"Applied to [${tag}](${release_url}) after approval by @${APPROVER}."
113+
gh pr close "$PR_NUMBER" --repo "${{ github.repository }}" --delete-branch

.github/workflows/automerge.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ jobs:
2424
- name: Generate token
2525
id: app-token
2626
if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
27-
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
27+
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
2828
with:
2929
client-id: ${{ vars.GH_APP_CLIENT_ID }}
3030
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
Lines changed: 88 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,88 @@
1+
name: Build CLI Artifacts
2+
3+
on:
4+
workflow_call:
5+
inputs:
6+
version:
7+
description: CLI package version to build
8+
required: true
9+
type: string
10+
shell:
11+
description: CLI shell to package as the shipped supabase binary
12+
required: true
13+
type: string
14+
ref:
15+
description: Optional git ref or SHA to check out before building
16+
required: false
17+
type: string
18+
default: ""
19+
secrets:
20+
SENTRY_DSN:
21+
required: false
22+
POSTHOG_API_KEY:
23+
required: false
24+
POSTHOG_ENDPOINT:
25+
required: false
26+
27+
permissions:
28+
contents: read
29+
30+
jobs:
31+
build:
32+
name: Build CLI artifacts
33+
runs-on: blacksmith-32vcpu-ubuntu-2404
34+
env:
35+
BUN_SHELL: ${{ inputs.shell }}
36+
VERSION: ${{ inputs.version }}
37+
SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
38+
POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
39+
POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
40+
steps:
41+
- name: Checkout
42+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
43+
with:
44+
ref: ${{ inputs.ref }}
45+
persist-credentials: false
46+
47+
- name: Setup
48+
uses: ./.github/actions/setup
49+
50+
- name: Setup Go
51+
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
52+
with:
53+
go-version-file: apps/cli-go/go.mod
54+
cache: true
55+
cache-dependency-path: apps/cli-go/go.sum
56+
57+
- name: Pre-download Go modules
58+
working-directory: apps/cli-go
59+
run: go mod download -x
60+
61+
- name: Install nfpm
62+
run: |
63+
echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
64+
sudo apt-get update
65+
sudo apt-get install -y nfpm
66+
67+
- name: Sync versions
68+
run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"
69+
70+
- name: Build selected shell
71+
run: pnpm exec bun apps/cli/scripts/build.ts --version "${VERSION}" --shell "${BUN_SHELL}"
72+
73+
- name: Verify build artifacts
74+
run: |
75+
for pkg in cli-darwin-arm64 cli-darwin-x64 cli-linux-arm64 cli-linux-arm64-musl cli-linux-x64 cli-linux-x64-musl cli-windows-arm64 cli-windows-x64; do
76+
echo "Checking packages/$pkg/bin/..."
77+
ls -la "packages/$pkg/bin/"
78+
done
79+
echo "Checking dist/..."
80+
ls -la dist/
81+
82+
- name: Upload build artifacts
83+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
84+
with:
85+
name: cli-build-${{ inputs.shell }}-${{ inputs.version }}
86+
path: |
87+
packages/cli-*/bin/
88+
dist/

.github/workflows/cli-go-api-sync.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ jobs:
3939
4040
- name: Generate token
4141
id: app-token
42-
uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
42+
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
4343
with:
4444
client-id: ${{ vars.GH_APP_CLIENT_ID }}
4545
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/cli-go-ci.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,7 @@ jobs:
7070
# Linter requires no cache
7171
cache: false
7272

73-
- uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
73+
- uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
7474
with:
7575
args: --timeout 5m --verbose
7676
version: latest

.github/workflows/cli-go-codeql.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,7 @@ jobs:
6969

7070
# Initializes the CodeQL tools for scanning.
7171
- name: Initialize CodeQL
72-
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
72+
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
7373
with:
7474
languages: ${{ matrix.language }}
7575
build-mode: ${{ matrix.build-mode }}
@@ -97,7 +97,7 @@ jobs:
9797
exit 1
9898
9999
- name: Perform CodeQL Analysis
100-
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
100+
uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
101101
with:
102102
category: "/language:${{matrix.language}}"
103103
defaults:

.github/workflows/cli-go-mirror-image.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -34,14 +34,14 @@ jobs:
3434
run: |
3535
echo "image=${TAG##*/}" >> $GITHUB_OUTPUT
3636
- name: configure aws credentials
37-
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
37+
uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
3838
with:
3939
role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
4040
aws-region: us-east-1
41-
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
41+
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
4242
with:
4343
registry: public.ecr.aws
44-
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
44+
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
4545
with:
4646
registry: ghcr.io
4747
username: ${{ github.actor }}

.github/workflows/cli-go-pg-prove.yml

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -13,8 +13,8 @@ jobs:
1313
outputs:
1414
image_tag: supabase/pg_prove:${{ steps.version.outputs.pg_prove }}
1515
steps:
16-
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
17-
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
16+
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
17+
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
1818
with:
1919
load: true
2020
context: https://github.com/horrendo/pg_prove.git
@@ -44,15 +44,15 @@ jobs:
4444
image_digest: ${{ steps.build.outputs.digest }}
4545
steps:
4646
- run: docker context create builders
47-
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
47+
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
4848
with:
4949
endpoint: builders
50-
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
50+
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
5151
with:
5252
username: ${{ secrets.DOCKER_USERNAME }}
5353
password: ${{ secrets.DOCKER_PASSWORD }}
5454
- id: build
55-
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
55+
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
5656
with:
5757
push: true
5858
context: https://github.com/horrendo/pg_prove.git
@@ -68,8 +68,8 @@ jobs:
6868
- build_image
6969
runs-on: ubuntu-latest
7070
steps:
71-
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
72-
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
71+
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
72+
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
7373
with:
7474
username: ${{ secrets.DOCKER_USERNAME }}
7575
password: ${{ secrets.DOCKER_PASSWORD }}

0 commit comments

Comments
 (0)