Merge branch 'develop' into fix/ltree-extension-search-path

Author: 7ttp

.github/dependabot.yml

@@ -6,10 +6,9 @@ updates:
       interval: "cron"
       cronjob: "0 0 * * *"
     groups:
-      action-minor:
-        update-types:
-          - minor
-          - patch
+      actions-major:
+        patterns:
+          - "*"
   - package-ecosystem: "gomod"
     directories:
       - "/"
@@ -28,10 +27,9 @@ updates:
       interval: "cron"
       cronjob: "0 0 * * *"
     groups:
-      npm-minor:
-        update-types:
-          - minor
-          - patch
+      npm-major:
+        patterns:
+          - "*"
   - package-ecosystem: "docker"
     directory: "pkg/config/templates"
     schedule:

.github/workflows/api-sync.yml

@@ -2,7 +2,8 @@ name: API Sync
 
 on:
   repository_dispatch:
-    types: [api-sync]
+    types:
+      - api-sync
   workflow_dispatch: # allow manual triggering
 
 # Add explicit permissions
@@ -57,12 +58,15 @@ jobs:
             Changes were detected in the generated API code after syncing with the latest spec from infrastructure.
           branch: sync/api-types
           base: develop
-          labels: |
-            automated pr
-            api-sync
+
+      - name: Approve a PR
+        if: steps.check.outputs.has_changes == 'true'
+        run: gh pr review --approve "${{ steps.cpr.outputs.pull-request-number }}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Enable Pull Request Automerge
         if: steps.check.outputs.has_changes == 'true'
         run: gh pr merge --auto --squash "${{ steps.cpr.outputs.pull-request-number }}"
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/automerge.yml

@@ -22,24 +22,17 @@ jobs:
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
-      - name: Generate token
-        id: app-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-
       # Here the PR gets approved.
       - name: Approve a PR
         if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
         run: gh pr review --approve "${{ github.event.pull_request.html_url }}"
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       # Finally, this sets the PR to allow auto-merging for patch and minor
       # updates if all checks pass
       - name: Enable auto-merge for Dependabot PRs
         if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
         run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/mirror-image.yml

@@ -1,6 +1,9 @@
 name: Mirror Image
 
 on:
+  repository_dispatch:
+    types:
+      - mirror-image
   workflow_call:
     inputs:
       image:
@@ -15,18 +18,16 @@ on:
 
 permissions:
   contents: read
+  packages: write
+  id-token: write
 
 jobs:
   mirror:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
     steps:
       - id: strip
         run: |
-          TAG=${{ inputs.image }}
+          TAG=${{ github.event.client_payload.image || inputs.image }}
           echo "image=${TAG##*/}" >> $GITHUB_OUTPUT
       - name: configure aws credentials
         uses: aws-actions/[email protected]
@@ -43,7 +44,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - uses: akhilerm/[email protected]
         with:
-          src: docker.io/${{ inputs.image }}
+          src: docker.io/${{ github.event.client_payload.image || inputs.image }}
           dst: |
             public.ecr.aws/supabase/${{ steps.strip.outputs.image }}
             ghcr.io/supabase/${{ steps.strip.outputs.image }}

.github/workflows/mirror.yml

@@ -14,9 +14,6 @@ on:
   # mirrored yet. It's a catch-22!
   #
   # TODO: Make the cli start test run *after* we mirror images (if needed).
-  pull_request_review:
-    types:
-      - submitted
   workflow_dispatch:
 
 permissions:
@@ -25,7 +22,6 @@ permissions:
 jobs:
   setup:
     runs-on: ubuntu-latest
-    if: ${{ github.event_name == 'workflow_dispatch' || github.event.review.state == 'approved' }}
     outputs:
       tags: ${{ steps.list.outputs.tags }}
       curr: ${{ steps.curr.outputs.tags }}

.github/workflows/release-beta.yml

@@ -1,9 +1,6 @@
 name: Release (Beta)
 
 on:
-  pull_request_review:
-    types:
-      - submitted
   push:
     branches:
       - develop
@@ -13,66 +10,8 @@ permissions:
   contents: read
 
 jobs:
-  approved:
-    name: fast-forward
-    if: |
-      github.event.pull_request.head.ref == 'develop' &&
-      github.event.pull_request.base.ref == 'main' &&
-      github.event.review.state == 'approved'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      packages: write
-    outputs:
-      release_tag: ${{ steps.latest-release.outputs.tagName }}
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - run: |
-          git checkout main
-          git merge --ff-only "${{ github.event.pull_request.head.sha }}"
-          git push origin main
-      - id: latest-release
-        run: |
-          latest=$(gh release list --limit 1 --json tagName --jq '.[].tagName')
-          gh release edit $latest --latest --prerelease=false
-          echo "tagName=$latest" >> $GITHUB_OUTPUT
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  tag:
-    name: Move latest tag
-    needs:
-      - approved
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      # Required for npm OIDC
-      id-token: write
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
-        with:
-          node-version: latest
-          registry-url: https://registry.npmjs.org
-      - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest
-        env:
-          RELEASE_TAG: ${{ needs.approved.outputs.release_tag }}
-
-  deploy:
-    needs:
-      - approved
-      - tag
-    # Call workflow explicitly because events from actions cannot trigger more actions
-    uses: ./.github/workflows/release.yml
-    with:
-      release: ${{ needs.approved.outputs.release_tag }}
-    secrets: inherit
-
   release:
     name: semantic-release
-    if: ${{ github.event_name != 'pull_request_review' }}
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/release.yml

@@ -1,24 +1,45 @@
 name: Release
 
 on:
-  workflow_call:
-    inputs:
-      release:
-        required: true
-        type: string
-  workflow_dispatch:
-    inputs:
-      release:
-        description: "v1.0.0"
-        required: true
-        type: string
+  pull_request_review:
+    types:
+      - submitted
 
 permissions:
   contents: read
 
 jobs:
+  fast-forward:
+    if: |
+      github.event.pull_request.head.ref == 'develop' &&
+      github.event.pull_request.base.ref == 'main' &&
+      github.event.review.state == 'approved'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    outputs:
+      release_tag: ${{ steps.latest-release.outputs.tagName }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - run: |
+          git checkout main
+          git merge --ff-only "${{ github.event.pull_request.head.sha }}"
+          git push origin main
+      - id: latest-release
+        run: |
+          latest=$(gh release list --limit 1 --json tagName --jq '.[].tagName')
+          gh release edit $latest --latest --prerelease=false
+          echo "tagName=$latest" >> $GITHUB_OUTPUT
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   commit:
     name: Publish Brew and Scoop
+    needs:
+      - fast-forward
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -35,12 +56,14 @@ jobs:
           repositories: |
             homebrew-tap
             scoop-bucket
-      - run: go run tools/publish/main.go ${{ inputs.release }}
+      - run: go run tools/publish/main.go ${{ needs.fast-forward.outputs.release_tag }}
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
   compose:
     name: Bump self-hosted versions
+    needs:
+      - fast-forward
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -63,6 +86,7 @@ jobs:
   changelog:
     name: Publish changelog
     needs:
+      - fast-forward
       - commit
     runs-on: ubuntu-latest
     steps:
@@ -86,6 +110,8 @@ jobs:
 
   docs:
     name: Publish reference docs
+    needs:
+      - fast-forward
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -101,6 +127,6 @@ jobs:
           owner: ${{ github.repository_owner }}
           repositories: |
             supabase
-      - run: go run docs/main.go ${{ inputs.release }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
+      - run: go run docs/main.go ${{ needs.fast-forward.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/tag-npm.yml

@@ -0,0 +1,35 @@
+name: Tag NPM
+
+on:
+  workflow_call:
+    inputs:
+      release:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      release:
+        description: "v1.0.0"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  tag:
+    name: Move latest tag
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: latest
+          registry-url: https://registry.npmjs.org
+
+      - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest
+        env:
+          RELEASE_TAG: ${{ inputs.release }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

go.mod

@@ -39,6 +39,7 @@ require (
 	github.com/mithrandie/csvq-driver v1.7.0
 	github.com/muesli/reflow v0.3.0
 	github.com/oapi-codegen/nullable v1.1.0
+	github.com/olekukonko/tablewriter v1.1.0
 	github.com/slack-go/slack v0.17.3
 	github.com/spf13/afero v1.15.0
 	github.com/spf13/cobra v1.10.1
@@ -315,7 +316,8 @@ require (
 	github.com/oapi-codegen/runtime v1.1.2 // indirect
 	github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 // indirect
 	github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/olekukonko/errors v1.1.0 // indirect
+	github.com/olekukonko/ll v0.0.9 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect

go.sum

@@ -719,7 +719,6 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
-github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
@@ -829,8 +828,12 @@ github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//J
 github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c=
 github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90/go.mod h1:y5+oSEHCPT/DGrS++Wc/479ERge0zTFxaF8PbGKcg2o=
-github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
-github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
+github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
+github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
+github.com/olekukonko/ll v0.0.9 h1:Y+1YqDfVkqMWuEQMclsF9HUR5+a82+dxJuL1HHSRpxI=
+github.com/olekukonko/ll v0.0.9/go.mod h1:En+sEW0JNETl26+K8eZ6/W4UQ7CYSrrgg/EdIYT2H8g=
+github.com/olekukonko/tablewriter v1.1.0 h1:N0LHrshF4T39KvI96fn6GT8HEjXRXYNDrDjKFDB7RIY=
+github.com/olekukonko/tablewriter v1.1.0/go.mod h1:5c+EBPeSqvXnLLgkm9isDdzR3wjfBkHR9Nhfp3NWrzo=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg=