supabase
diff --git a/‎.github/workflows/publish.yml‎
Lines changed: 248 additions & 7 deletions b/‎.github/workflows/publish.yml‎
Lines changed: 248 additions & 7 deletions
@@ -1,13 +1,63 @@
-name: Minimal App Token Release & PR Test
+name: Publish releases
+# Consolidates canary and stable releases into single workflow
+# Trusted workflow for publishing to npm
 
 on:
+  push:
+    branches: [master]
   workflow_dispatch:
+    inputs:
+      version_specifier:
+        description: 'Semver bump (patch|minor|major|pre*) or exact version (v1.2.3)'
+        required: true
+        type: string
+
+env:
+  NODE_VERSION: '20'
 
 jobs:
-  release-stable-pr:
+  release-stable:
+    if: ${{ github.event_name == 'workflow_dispatch' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
-      - name: Generate App token
+      - name: Check if actor is member of admin or client-libs team
+        id: team-check
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const org = 'supabase'
+            const { actor } = context
+
+            async function isTeamMember(team_slug) {
+              try {
+                const res = await github.rest.teams.getMembershipForUserInOrg({
+                  org,
+                  team_slug,
+                  username: actor,
+                })
+                return res && res.status === 200
+              } catch (_) {
+                return false
+              }
+            }
+
+            const isAdmin = await isTeamMember('admin')
+            const isClientLibs = await isTeamMember('client-libs')
+            const isMember = isAdmin || isClientLibs
+            core.setOutput('is_team_member', isMember ? 'true' : 'false')
+
+      - name: Fail if not authorized
+        if: ${{ steps.team-check.outputs.is_team_member != 'true' }}
+        run: |
+          echo "You must be a member of @supabase/admin or @supabase/client-libs."
+          exit 1
+
+      - name: Generate token
         id: app-token
         uses: actions/create-github-app-token@v2
         with:
@@ -20,19 +70,210 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: ${{ env.NODE_VERSION }}
           cache: 'npm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Update npm
+        run: npm install -g npm@latest
 
       - name: Install dependencies
         run: npm ci --legacy-peer-deps
 
-      - name: Configure git user
+      - name: Configure git
         run: |
           git config --global user.name "supabase-releaser[bot]"
           git config --global user.email "supabase-releaser[bot]@users.noreply.github.com"
 
-      - name: Run release-stable script
+      - name: Validate input
+        run: |
+          VS="${{ github.event.inputs.version_specifier }}"
+          echo "Validating: $VS"
+
+          if [[ "$VS" =~ ^(patch|minor|major|prepatch|preminor|premajor|prerelease)$ ]]; then
+            echo "✔ bump keyword"
+          elif [[ "$VS" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$ ]]; then
+            echo "✔ explicit version"
+          else
+            echo "❌ Invalid version_specifier: '$VS'"
+            echo "   Use: patch|minor|major|pre*, or v1.2.3"
+            exit 1
+          fi
+
+      - name: Release & create PR
         env:
+          NPM_CONFIG_PROVENANCE: true
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RELEASE_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: npm run release-stable
+        run: |
+          npm run release-stable -- --versionSpecifier "${{ github.event.inputs.version_specifier }}"
+
+      - name: Summary
+        if: ${{ success() }}
+        run: |
+          echo "## ✅ Stable Release" >> $GITHUB_STEP_SUMMARY
+          echo "- **Version specifier:** \`${{ github.event.inputs.version_specifier }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Source commit:** HEAD of the checked-out branch" >> $GITHUB_STEP_SUMMARY
+          echo "- **Dist-tag:** \`latest\`" >> $GITHUB_STEP_SUMMARY
+
+  docs-after-stable-release:
+    name: Generate Documentation
+    needs: release-stable
+    if: ${{ github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'success' }}
+    uses: ./.github/workflows/docs.yml
+    permissions:
+      actions: read
+      contents: write
+
+  trigger-update-js-libs:
+    name: Trigger Update JS Libs
+    runs-on: ubuntu-latest
+    needs: release-stable
+    if: ${{ github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'success' }}
+    steps:
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+      - name: Trigger supabase/supabase update-js-libs workflow
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.app-token.outputs.token }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: 'supabase',
+              repo: 'supabase',
+              workflow_id: 'update-js-libs.yml',
+              ref: 'master',
+              inputs: {
+                version: '${{ github.event.inputs.version_specifier }}',
+                source: 'supabase-js-stable-release'
+              }
+            });
+
+  trigger-supabase-docs-update:
+    name: Trigger Supabase Docs Update
+    runs-on: ubuntu-latest
+    needs: [release-stable, docs-after-stable-release]
+    if: ${{ github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'success' && needs.docs-after-stable-release.result == 'success' }}
+    steps:
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Trigger supabase/supabase docs workflow
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ steps.app-token.outputs.token }}
+          script: |
+            await github.rest.actions.createWorkflowDispatch({
+              owner: 'supabase',
+              repo: 'supabase',
+              workflow_id: 'docs-js-libs-update.yml',
+              ref: 'master',
+              inputs: {
+                version: '${{ github.event.inputs.version_specifier }}',
+                source: 'supabase-js-stable-release'
+              }
+            });
+
+  # preview jobs
+  ci-core:
+    if: ${{ github.event_name == 'push' }}
+    name: Core Packages CI
+    uses: ./.github/workflows/ci-core.yml
+    permissions:
+      actions: read
+      contents: read
+
+  ci-supabase-js:
+    if: ${{ github.event_name == 'push' }}
+    name: Supabase-JS Integration CI
+    uses: ./.github/workflows/ci-supabase-js.yml
+    permissions:
+      actions: read
+      contents: read
+
+  ci-auth-js-node18:
+    if: ${{ github.event_name == 'push' }}
+    name: Auth-JS Node.js 18 Compatibility
+    uses: ./.github/workflows/ci-auth-js-node18.yml
+    permissions:
+      actions: read
+      contents: read
+
+  release-canary:
+    name: Release Canary
+    runs-on: ubuntu-latest
+    needs: [ci-core, ci-supabase-js, ci-auth-js-node18]
+    permissions:
+      contents: read
+      id-token: write
+    if: |
+      github.ref == 'refs/heads/master' &&
+      github.event_name == 'push' &&
+      needs.ci-core.result == 'success' &&
+      needs.ci-supabase-js.result == 'success' &&
+      needs.ci-auth-js-node18.result == 'success'
+    steps:
+      - name: Generate token
+        id: app-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Update npm
+        run: npm install -g npm@latest
+      - name: Install dependencies
+        run: npm ci --legacy-peer-deps
+      - name: Configure git
+        run: |
+          git config --global user.name "supabase-releaser[bot]"
+          git config --global user.email "supabase-releaser[bot]@users.noreply.github.com"
+
+      - name: Release canary version
+        id: release
+        run: |
+          echo "Running nx release..."
+          npm run release-canary
+        env:
+          NPM_CONFIG_PROVENANCE: true
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
+
+  notify-stable-failure:
+    name: Notify Slack for Stable failure
+    needs: release-stable
+    if: ${{ always() && github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'failure' }}
+    uses: ./.github/workflows/slack-notify.yml
+    secrets: inherit
+    with:
+      subject: 'Stable Release'
+
+  notify-canary-failure:
+    name: Notify Slack for Canary failure
+    needs: release-canary
+    if: ${{ always() && github.event_name == 'push' && needs.release-canary.result == 'failure' }}
+    uses: ./.github/workflows/slack-notify.yml
+    secrets: inherit
+    with:
+      subject: 'Canary Release'