supabase · supabase-cli-releaser · Jun 4, 2026 · Jun 2, 2026 · Jun 2, 2026 · Jun 2, 2026
@@ -0,0 +1,6 @@
+self-hosted-runner:
+  labels:
+    - blacksmith-32vcpu-ubuntu-2404
+    - blacksmith-8vcpu-ubuntu-2404
+    - blacksmith-6vcpu-macos-latest
+    - blacksmith-8vcpu-windows-2025
@@ -5,16 +5,22 @@ updates:
     schedule:
       interval: "cron"
       cronjob: "0 0 * * *"
+    commit-message:
+      prefix: "chore(ci): "
     groups:
       actions-major:
         patterns:
           - "*"
+    ignore:
+      - dependency-name: "supabase/setup-cli"
+        update-types:
+          - "version-update:semver-major"
     cooldown:
       default-days: 7
   - package-ecosystem: "gomod"
     directories:
-      - "/"
-      - "pkg"
+      - "/apps/cli-go"
+      - "/apps/cli-go/pkg"
     schedule:
       interval: "cron"
       cronjob: "0 0 * * *"
@@ -57,3 +63,5 @@ updates:
       - dependency-name: "timberio/vector"
     cooldown:
       default-days: 7
+      exclude:
+        - "supabase/*"
diff --git a/.github/workflows/apply-release-notes.yml b/.github/workflows/apply-release-notes.yml
@@ -0,0 +1,113 @@
+name: Apply release notes
+
+# Approval-based publish. When a member of the supabase/cli team approves a
+# release-notes PR (head ref `release-notes/v<VERSION>`), this workflow pushes
+# the proposed notes to the GitHub Release body for the corresponding tag,
+# comments the release URL on the PR, and closes the PR without merging. The
+# release-notes PR targets `develop` (not `main`) so an accidental merge can
+# never rewrite `main`'s history; the file is not meant to land on any branch.
+#
+# Mirrors the fast-forward job in release.yml, which already gates on a
+# `pull_request_review` + `approved` event.
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+permissions:
+  contents: read
+
+jobs:
+  authorize:
+    # `state == 'open'` makes re-approvals on an already-closed PR a no-op
+    # (a reviewer can re-approve from the GitHub UI even after close).
+    if: |
+      github.event.review.state == 'approved' &&
+      startsWith(github.event.pull_request.head.ref, 'release-notes/') &&
+      github.event.pull_request.base.ref == 'develop' &&
+      github.event.pull_request.state == 'open'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    outputs:
+      authorized: ${{ steps.check.outputs.authorized }}
+    steps:
+      # App token: needs `orgs/.../teams/.../memberships` read (the org-installed
+      # App has it), repo write to edit the release, and PR write to comment
+      # and close. Matches release.yml's fast-forward step.
+      - id: app-token
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        with:
+          client-id: ${{ vars.GH_APP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Authorize approver against supabase/cli team
+        id: check
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          APPROVER: ${{ github.event.review.user.login }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        # Fail closed: any response other than an active membership means the
+        # approval is ignored. We post a comment so the reviewer sees why their
+        # approval didn't apply, then exit 0 so the workflow isn't flagged red.
+        run: |
+          set -euo pipefail
+          status=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            "orgs/supabase/teams/cli/memberships/${APPROVER}" \
+            --jq '.state' 2>/dev/null || true)
+          if [ "$status" != "active" ]; then
+            echo "Approver @${APPROVER} is not an active supabase/cli team member (state='${status:-none}'); ignoring approval." >&2
+            gh pr comment "$PR_NUMBER" --repo "${{ github.repository }}" --body \
+              "@${APPROVER} is not an active \`supabase/cli\` team member, so this approval was ignored. Ask a team member to approve to publish the notes."
+            echo "authorized=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "authorized=true" >> "$GITHUB_OUTPUT"
+
+  apply:
+    needs: authorize
+    if: needs.authorize.outputs.authorized == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - id: app-token
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+        with:
+          client-id: ${{ vars.GH_APP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      # Checkout the PR head so any reviewer edits made in the GitHub UI before
+      # approval are captured. apply-release-notes.ts reads from the working
+      # tree.
+      - uses: useblacksmith/checkout@41cdeedae8edb2e684ba22896a5fd2a3cb85db6b # v1
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 1
+          persist-credentials: false
+
+      - uses: ./.github/actions/setup
+
+      - name: Apply notes, comment, and close
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          APPROVER: ${{ github.event.review.user.login }}
+        # The branch is named `release-notes/v<VERSION>`, so the tag is just
+        # the basename. apply-release-notes.ts validates the file's existence.
+        run: |
+          set -euo pipefail
+          tag="${HEAD_REF##release-notes/}"
+          if [[ ! "$tag" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-(beta|alpha)\.[0-9]+)?$ ]]; then
+            echo "Unexpected head ref '$HEAD_REF'; cannot derive tag." >&2
+            exit 1
+          fi
+          echo "==> Applying notes for $tag"
+          pnpm exec bun apps/cli/scripts/apply-release-notes.ts --tag "$tag"
+          release_url="https://github.com/${{ github.repository }}/releases/tag/${tag}"
+          gh pr comment "$PR_NUMBER" --repo "${{ github.repository }}" --body \
+            "Applied to [${tag}](${release_url}) after approval by @${APPROVER}."
+          gh pr close "$PR_NUMBER" --repo "${{ github.repository }}" --delete-branch
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Generate token
         id: app-token
         if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           client-id: ${{ vars.GH_APP_CLIENT_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

diff --git a/.github/workflows/build-cli-artifacts.yml b/.github/workflows/build-cli-artifacts.yml
@@ -0,0 +1,88 @@
+name: Build CLI Artifacts
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: CLI package version to build
+        required: true
+        type: string
+      shell:
+        description: CLI shell to package as the shipped supabase binary
+        required: true
+        type: string
+      ref:
+        description: Optional git ref or SHA to check out before building
+        required: false
+        type: string
+        default: ""
+    secrets:
+      SENTRY_DSN:
+        required: false
+      POSTHOG_API_KEY:
+        required: false
+      POSTHOG_ENDPOINT:
+        required: false
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build CLI artifacts
+    runs-on: blacksmith-32vcpu-ubuntu-2404
+    env:
+      BUN_SHELL: ${{ inputs.shell }}
+      VERSION: ${{ inputs.version }}
+      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+      POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
+      POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.ref }}
+          persist-credentials: false
+
+      - name: Setup
+        uses: ./.github/actions/setup
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version-file: apps/cli-go/go.mod
+          cache: true
+          cache-dependency-path: apps/cli-go/go.sum
+
+      - name: Pre-download Go modules
+        working-directory: apps/cli-go
+        run: go mod download -x
+
+      - name: Install nfpm
+        run: |
+          echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
+          sudo apt-get update
+          sudo apt-get install -y nfpm
+
+      - name: Sync versions
+        run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"
+
+      - name: Build selected shell
+        run: pnpm exec bun apps/cli/scripts/build.ts --version "${VERSION}" --shell "${BUN_SHELL}"
+
+      - name: Verify build artifacts
+        run: |
+          for pkg in cli-darwin-arm64 cli-darwin-x64 cli-linux-arm64 cli-linux-arm64-musl cli-linux-x64 cli-linux-x64-musl cli-windows-arm64 cli-windows-x64; do
+            echo "Checking packages/$pkg/bin/..."
+            ls -la "packages/$pkg/bin/"
+          done
+          echo "Checking dist/..."
+          ls -la dist/
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: cli-build-${{ inputs.shell }}-${{ inputs.version }}
+          path: |
+            packages/cli-*/bin/
+            dist/
diff --git a/.github/workflows/cli-go-api-sync.yml b/.github/workflows/cli-go-api-sync.yml
@@ -39,7 +39,7 @@ jobs:
 
       - name: Generate token
         id: app-token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           client-id: ${{ vars.GH_APP_CLIENT_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

diff --git a/.github/workflows/cli-go-ci.yml b/.github/workflows/cli-go-ci.yml
@@ -70,7 +70,7 @@ jobs:
           # Linter requires no cache
           cache: false
 
-      - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+      - uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
         with:
           args: --timeout 5m --verbose
           version: latest

diff --git a/.github/workflows/cli-go-codeql.yml b/.github/workflows/cli-go-codeql.yml
@@ -69,7 +69,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -97,7 +97,7 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: "/language:${{matrix.language}}"
 defaults:

diff --git a/.github/workflows/cli-go-mirror-image.yml b/.github/workflows/cli-go-mirror-image.yml
@@ -34,14 +34,14 @@ jobs:
         run: |
           echo "image=${TAG##*/}" >> $GITHUB_OUTPUT
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+        uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
         with:
           role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
           aws-region: us-east-1
-      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: public.ecr.aws
-      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

diff --git a/.github/workflows/cli-go-pg-prove.yml b/.github/workflows/cli-go-pg-prove.yml
@@ -13,8 +13,8 @@ jobs:
     outputs:
       image_tag: supabase/pg_prove:${{ steps.version.outputs.pg_prove }}
     steps:
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           load: true
           context: https://github.com/horrendo/pg_prove.git
@@ -44,15 +44,15 @@ jobs:
       image_digest: ${{ steps.build.outputs.digest }}
     steps:
       - run: docker context create builders
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           endpoint: builders
-      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - id: build
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           push: true
           context: https://github.com/horrendo/pg_prove.git
@@ -68,8 +68,8 @@ jobs:
       - build_image
     runs-on: ubuntu-latest
     steps:
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}

diff --git a/.github/workflows/cli-go-publish-migra.yml b/.github/workflows/cli-go-publish-migra.yml
@@ -13,8 +13,8 @@ jobs:
     outputs:
       image_tag: supabase/migra:${{ steps.version.outputs.migra }}
     steps:
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+      - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           load: true
           context: https://github.com/djrobstep/migra.git
@@ -44,15 +44,15 @@ jobs:
       image_digest: ${{ steps.build.outputs.digest }}
     steps:
       - run: docker context create builders
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
         with:
           endpoint: builders
-      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - id: build
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           push: true
           context: https://github.com/djrobstep/migra.git
@@ -68,8 +68,8 @@ jobs:
       - build_image
     runs-on: ubuntu-latest
     steps:
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+      - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+      - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -18,7 +18,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
       - id: app-token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         with:
           client-id: ${{ vars.GH_APP_CLIENT_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}