Prod deploy

.github/workflows/api-sync.yml

@@ -36,12 +36,19 @@ jobs:
             echo "has_changes=true" >> $GITHUB_OUTPUT
           fi
 
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       - name: Create Pull Request
         if: steps.check.outputs.has_changes == 'true'
         id: cpr
         uses: peter-evans/create-pull-request@v7
         with:
-          token: ${{ secrets.GH_PAT }}
+          token: ${{ steps.app-token.outputs.token }}
           commit-message: "chore: sync API types from infrastructure"
           title: "chore: sync API types from infrastructure"
           body: |
@@ -58,4 +65,4 @@ jobs:
         if: steps.check.outputs.has_changes == 'true'
         run: gh pr merge --auto --squash "${{ steps.cpr.outputs.pull-request-number }}"
         env:
-          GH_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/automerge.yml

@@ -22,17 +22,24 @@ jobs:
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
       # Here the PR gets approved.
       - name: Approve a PR
         if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
         run: gh pr review --approve "${{ github.event.pull_request.html_url }}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
       # Finally, this sets the PR to allow auto-merging for patch and minor
       # updates if all checks pass
       - name: Enable auto-merge for Dependabot PRs
         if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
         run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/deploy.yml

@@ -17,6 +17,6 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-      - run: gh pr create -B main -H develop --title 'Prod deploy' --fill
+      - run: gh pr create -B main -H develop --title 'Prod deploy' --label 'do not merge' --fill
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/fast-forward.yml

@@ -30,6 +30,8 @@ jobs:
     permissions:
       contents: write
       packages: write
+      # Required for npm OIDC
+      id-token: write
     # Call workflow explicitly because events from actions cannot trigger more actions
     uses: ./.github/workflows/release.yml
     secrets: inherit

.github/workflows/release-beta.yml

@@ -70,24 +70,37 @@ jobs:
         with:
           go-version-file: go.mod
           cache: true
+      # use GitHub app to create a release token that can publish to homebrew-tap and scoop
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: |
+            cli
+            homebrew-tap
+            scoop-bucket
       - run: go run tools/publish/main.go --beta "${{ needs.release.outputs.new-release-version }}"
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 
   publish:
     name: Publish NPM
     needs:
       - release
       - goreleaser
     if: needs.release.outputs.new-release-published == 'true'
+    permissions:
+      contents: read
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
         with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
+          node-version: latest
+          registry-url: https://registry.npmjs.org
       - run: npm --git-tag-version=false version ${{ needs.release.outputs.new-release-version }}
       - run: npm publish --tag ${{ needs.release.outputs.new-release-channel }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/release.yml

@@ -9,6 +9,8 @@ on:
 permissions:
   contents: write
   packages: write
+  # Required for npm OIDC
+  id-token: write
 
 jobs:
   settings:
@@ -17,13 +19,25 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     outputs:
       release_tag: ${{ steps.prerelease.outputs.tagName }}
+      app_token: ${{ steps.app-token.outputs.token }}
     steps:
       - uses: actions/checkout@v6
       - id: prerelease
         run: |
           gh release list --limit 1 --json tagName --jq \
           '.[]|to_entries|map("\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_OUTPUT
       - run: gh release edit ${{ steps.prerelease.outputs.tagName }} --latest --prerelease=false
+      - id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
+          repositories: |
+            cli
+            homebrew-tap
+            scoop-bucket
+            supabase
 
   commit:
     name: Publish Brew and Scoop
@@ -38,19 +52,24 @@ jobs:
           cache: true
       - run: go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
 
   publish:
     name: Publish NPM
     needs:
       - settings
+    permissions:
+      contents: read
+      id-token: write
     uses: ./.github/workflows/tag-npm.yml
     with:
       release: ${{ needs.settings.outputs.release_tag }}
     secrets: inherit
 
   compose:
     name: Bump self-hosted versions
+    needs:
+      - settings
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
@@ -60,11 +79,12 @@ jobs:
           cache: true
       - run: go run tools/selfhost/main.go
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
 
   changelog:
     name: Publish changelog
     needs:
+      - settings
       - commit
       - publish
     runs-on: ubuntu-latest
@@ -76,7 +96,7 @@ jobs:
           cache: true
       - run: go run tools/changelog/main.go ${{ secrets.SLACK_CHANNEL }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}
           SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
 
   docs:
@@ -92,4 +112,4 @@ jobs:
           cache: true
       - run: go run docs/main.go ${{ needs.settings.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+          GITHUB_TOKEN: ${{ needs.settings.outputs.app_token }}

.github/workflows/tag-npm.yml

@@ -15,18 +15,20 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   tag:
     name: Move latest tag
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
+
       - uses: actions/setup-node@v6
         with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
+          node-version: latest
+          registry-url: https://registry.npmjs.org
+
       - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest
         env:
           RELEASE_TAG: ${{ inputs.release }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

internal/utils/flags/db_url.go

@@ -133,7 +133,8 @@ func NewDbConfigWithPassword(ctx context.Context, projectRef string) (pgconn.Con
 	logger := utils.GetDebugLogger()
 	// Use pooler if host is not reachable directly
 	d := net.Dialer{Timeout: 5 * time.Second}
-	if conn, err := d.DialContext(ctx, "udp", config.Host+":53"); err == nil {
+	addr := fmt.Sprintf("%s:%d", config.Host, config.Port)
+	if conn, err := d.DialContext(ctx, "tcp", addr); err == nil {
 		if err := conn.Close(); err != nil {
 			fmt.Fprintln(logger, err)
 		}