chore(ci): show perms

Author: mandarini

.github/workflows/publish.yml

@@ -1,135 +1,15 @@
 name: Publish releases
-# Consolidates canary and stable releases into single workflow
-# Trusted workflow for publishing to npm
 
 on:
-  push:
-    branches: [master]
   workflow_dispatch:
-    inputs:
-      version_specifier:
-        description: 'Semver bump (patch|minor|major|pre*) or exact version (v1.2.3)'
-        required: true
-        type: string
 
 env:
   NODE_VERSION: '20'
 
 jobs:
-  # release-stable: # stable releases can only be manually triggered
-  #   if: ${{ github.event_name == 'workflow_dispatch' }}
-  #   runs-on: ubuntu-latest
-  #   permissions:
-  #     contents: read
-  #     id-token: write
-
-  #   steps:
-  #     - name: Generate token
-  #       id: app-token
-  #       uses: actions/create-github-app-token@v2
-  #       with:
-  #         app-id: ${{ secrets.APP_ID }}
-  #         private-key: ${{ secrets.PRIVATE_KEY }}
-  #     - name: Check if actor is member of admin or client-libs team
-  #       id: team-check
-  #       uses: actions/github-script@v7
-  #       with:
-  #         github-token: ${{ steps.app-token.outputs.token }}
-  #         script: |
-  #           const org = 'supabase'
-  #           const { actor } = context
-
-  #           async function isTeamMember(team_slug) {
-  #             try {
-  #               const res = await github.rest.teams.getMembershipForUserInOrg({
-  #                 org,
-  #                 team_slug,
-  #                 username: actor,
-  #               })
-  #               return res && res.status === 200
-  #             } catch (_) {
-  #               return false
-  #             }
-  #           }
-  #           const isAdmin = await isTeamMember('admin')
-  #           const isClientLibs = await isTeamMember('client-libs')
-  #           const isMember = isAdmin || isClientLibs
-  #           core.setOutput('is_team_member', isMember ? 'true' : 'false')
-
-  #     - name: Fail if not authorized
-  #       if: ${{ steps.team-check.outputs.is_team_member != 'true' }}
-  #       run: |
-  #         echo "You must be a member of @supabase/admin or @supabase/client-libs."
-  #         exit 1
-
-  #     - uses: actions/checkout@v5
-  #       with:
-  #         fetch-depth: 0
-
-  #     - uses: actions/setup-node@v4
-  #       with:
-  #         node-version: ${{ env.NODE_VERSION }}
-  #         cache: 'npm'
-  #         registry-url: 'https://registry.npmjs.org'
-
-  #     # Ensure npm 11.5.1 or later is installed for trusted publishing support
-  #     - name: Update npm
-  #       run: npm install -g npm@latest
-
-  #     - name: Install dependencies
-  #       run: npm ci --legacy-peer-deps
-
-  #     - name: Configure git
-  #       run: |
-  #         git config --global user.name "supabase-releaser[bot]"
-  #         git config --global user.email "supabase-releaser[bot]@users.noreply.github.com"
-
-  #     - name: Validate input
-  #       run: |
-  #         VS="${{ github.event.inputs.version_specifier }}"
-  #         echo "Validating: $VS"
-
-  #         if [[ "$VS" =~ ^(patch|minor|major|prepatch|preminor|premajor|prerelease)$ ]]; then
-  #           echo "✔ bump keyword"
-  #         elif [[ "$VS" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$ ]]; then
-  #           echo "✔ explicit version"
-  #         else
-  #           echo "❌ Invalid version_specifier: '$VS'"
-  #           echo "   Use: patch|minor|major|pre*, or v1.2.3"
-  #           exit 1
-  #         fi
-
-  #     - name: Release & create PR
-  #       env:
-  #         NPM_CONFIG_PROVENANCE: true
-  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  #         RELEASE_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-  #         GH_TOKEN: ${{ steps.app-token.outputs.token }}
-  #       run: |
-  #         npm run release-stable -- --versionSpecifier "${{ github.event.inputs.version_specifier }}"
-
-  #     - name: Summary
-  #       if: ${{ success() }}
-  #       run: |
-  #         echo "## ✅ Stable Release" >> $GITHUB_STEP_SUMMARY
-  #         echo "- **Version specifier:** \`${{ github.event.inputs.version_specifier }}\`" >> $GITHUB_STEP_SUMMARY
-  #         echo "- **Source commit:** HEAD of the checked-out branch" >> $GITHUB_STEP_SUMMARY
-  #         echo "- **Dist-tag:** \`latest\`" >> $GITHUB_STEP_SUMMARY
-
-  # docs-after-stable-release:
-  #   name: Generate Documentation
-  #   needs: release-stable
-  #   if: ${{ github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'success' }}
-  #   uses: ./.github/workflows/docs.yml
-  #   permissions:
-  #     actions: read
-  #     contents: write
-
   trigger-update-js-libs:
     name: Trigger Update JS Libs
     runs-on: ubuntu-latest
-    # needs: release-stable
-    # if: ${{ github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'success' }}
     steps:
       - name: Generate token
         id: app-token
@@ -139,6 +19,10 @@ jobs:
           private-key: ${{ secrets.PRIVATE_KEY }}
           owner: supabase
           repositories: supabase, supabase-js
+
+      - name: Show token permissions
+        run: |
+          curl -H "Authorization: token ${{ steps.app-token.outputs.token }}" https://api.github.com/
       - name: Trigger supabase/supabase update-js-libs workflow
         uses: actions/github-script@v7
         with:
@@ -150,16 +34,14 @@ jobs:
               workflow_id: 'update-js-libs.yml',
               ref: 'master',
               inputs: {
-                version: '${{ github.event.inputs.version_specifier }}',
+                version: '2.74.0',
                 source: 'supabase-js-stable-release'
               }
             });
 
   trigger-supabase-docs-update:
     name: Trigger Supabase Docs Update
     runs-on: ubuntu-latest
-    # needs: [release-stable, docs-after-stable-release]
-    # if: ${{ github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'success' && needs.docs-after-stable-release.result == 'success' }}
     steps:
       - name: Generate token
         id: app-token
@@ -181,108 +63,9 @@ jobs:
               workflow_id: 'docs-js-libs-update.yml',
               ref: 'master',
               inputs: {
-                version: '${{ github.event.inputs.version_specifier }}',
+                version: '2.74.0',
                 source: 'supabase-js-stable-release'
               }
             });
 
-  # preview jobs
-  # ci-core:
-  #   if: ${{ github.event_name == 'push' }}
-  #   name: Core Packages CI
-  #   uses: ./.github/workflows/ci-core.yml
-  #   permissions:
-  #     actions: read
-  #     contents: read
-
-  # ci-supabase-js:
-  #   if: ${{ github.event_name == 'push' }}
-  #   name: Supabase-JS Integration CI
-  #   uses: ./.github/workflows/ci-supabase-js.yml
-  #   permissions:
-  #     actions: read
-  #     contents: read
-
-  # ci-auth-js-node18:
-  #   if: ${{ github.event_name == 'push' }}
-  #   name: Auth-JS Node.js 18 Compatibility
-  #   uses: ./.github/workflows/ci-auth-js-node18.yml
-  #   permissions:
-  #     actions: read
-  #     contents: read
-
-  # ==========================================
-  # CANARY RELEASE (only on master, after all CI passes)
-  # ==========================================
-
-  # release-canary:
-  #   name: Release Canary
-  #   runs-on: ubuntu-latest
-  #   needs: [ci-core, ci-supabase-js, ci-auth-js-node18]
-  #   permissions:
-  #     contents: read
-  #     id-token: write
-  #   # Only run on master branch pushes, and only if all CI jobs succeeded
-  #   if: |
-  #     github.ref == 'refs/heads/master' &&
-  #     github.event_name == 'push' &&
-  #     needs.ci-core.result == 'success' &&
-  #     needs.ci-supabase-js.result == 'success' &&
-  #     needs.ci-auth-js-node18.result == 'success'
-  #   steps:
-  #     - name: Generate token
-  #       id: app-token
-  #       uses: actions/create-github-app-token@v2
-  #       with:
-  #         app-id: ${{ secrets.APP_ID }}
-  #         private-key: ${{ secrets.PRIVATE_KEY }}
-
-  #     - name: Checkout code
-  #       uses: actions/checkout@v5
-  #       with:
-  #         fetch-depth: 0
-
-  #     - name: Setup Node.js
-  #       uses: actions/setup-node@v4
-  #       with:
-  #         node-version: ${{ env.NODE_VERSION }}
-  #         cache: 'npm'
-  #         registry-url: 'https://registry.npmjs.org'
-
-  #     # Ensure npm 11.5.1 or later is installed for trusted publishing support
-  #     - name: Update npm
-  #       run: npm install -g npm@latest
-  #     - name: Install dependencies
-  #       run: npm ci --legacy-peer-deps
-  #     - name: Configure git
-  #       run: |
-  #         git config --global user.name "supabase-releaser[bot]"
-  #         git config --global user.email "supabase-releaser[bot]@users.noreply.github.com"
-
-  #     - name: Release canary version
-  #       id: release
-  #       run: |
-  #         echo "Running nx release..."
-  #         npm run release-canary
-  #       env:
-  #         NPM_CONFIG_PROVENANCE: true
-  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  #         RELEASE_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-
-  # notify-stable-failure:
-  #   name: Notify Slack for Stable failure
-  #   # needs: release-stable
-  #   # if: ${{ always() && github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'failure' }}
-  #   uses: ./.github/workflows/slack-notify.yml
-  #   secrets: inherit
-  #   with:
-  #     subject: 'Stable Release'
-
-  # notify-canary-failure:
-  #   name: Notify Slack for Canary failure
-  #   needs: release-canary
-  #   if: ${{ always() && github.event_name == 'push' && needs.release-canary.result == 'failure' }}
-  #   uses: ./.github/workflows/slack-notify.yml
-  #   secrets: inherit
-  #   with:
-  #     subject: 'Canary Release'
+