chore(ci): only test permissions

Author: mandarini

.github/workflows/publish.yml

@@ -140,18 +140,6 @@ jobs:
           echo "- **Source commit:** HEAD of the checked-out branch" >> $GITHUB_STEP_SUMMARY
           echo "- **Dist-tag:** \`latest\`" >> $GITHUB_STEP_SUMMARY
 
-  # docs-after-stable-release:
-  #   name: Generate Documentation
-  #   needs: release-stable
-  #   if: ${{
-  #     github.event_name == 'workflow_dispatch' &&
-  #     needs.release-stable.result == 'success'
-  #     }}
-  #   uses: ./.github/workflows/docs.yml
-  #   permissions:
-  #     actions: read
-  #     contents: write
-
   trigger-update-js-libs:
     name: Trigger Update JS Libs
     runs-on: ubuntu-latest
@@ -213,104 +201,4 @@ jobs:
                 version: '2.74.0',
                 source: 'supabase-js-stable-release'
               }
-            });
-
-  # preview jobs
-  # ci-core:
-  #   if: ${{ github.event_name == 'push' }}
-  #   name: Core Packages CI
-  #   uses: ./.github/workflows/ci-core.yml
-  #   permissions:
-  #     actions: read
-  #     contents: read
-
-  # ci-supabase-js:
-  #   if: ${{ github.event_name == 'push' }}
-  #   name: Supabase-JS Integration CI
-  #   uses: ./.github/workflows/ci-supabase-js.yml
-  #   permissions:
-  #     actions: read
-  #     contents: read
-
-  # ci-auth-js-node18:
-  #   if: ${{ github.event_name == 'push' }}
-  #   name: Auth-JS Node.js 18 Compatibility
-  #   uses: ./.github/workflows/ci-auth-js-node18.yml
-  #   permissions:
-  #     actions: read
-  #     contents: read
-
-  # ==========================================
-  # CANARY RELEASE (only on master, after all CI passes)
-  # ==========================================
-
-  # release-canary:
-  #   name: Release Canary
-  #   runs-on: ubuntu-latest
-  #   needs: [ci-core, ci-supabase-js, ci-auth-js-node18]
-  #   permissions:
-  #     contents: read
-  #     id-token: write
-  #   # Only run on master branch pushes, and only if all CI jobs succeeded
-  #   if: |
-  #     github.ref == 'refs/heads/master' &&
-  #     github.event_name == 'push' &&
-  #     needs.ci-core.result == 'success' &&
-  #     needs.ci-supabase-js.result == 'success' &&
-  #     needs.ci-auth-js-node18.result == 'success'
-  #   steps:
-  #     - name: Generate token
-  #       id: app-token
-  #       uses: actions/create-github-app-token@v2
-  #       with:
-  #         app-id: ${{ secrets.APP_ID }}
-  #         private-key: ${{ secrets.PRIVATE_KEY }}
-
-  #     - name: Checkout code
-  #       uses: actions/checkout@v5
-  #       with:
-  #         fetch-depth: 0
-
-  #     - name: Setup Node.js
-  #       uses: actions/setup-node@v4
-  #       with:
-  #         node-version: ${{ env.NODE_VERSION }}
-  #         cache: 'npm'
-  #         registry-url: 'https://registry.npmjs.org'
-
-  #     # Ensure npm 11.5.1 or later is installed for trusted publishing support
-  #     - name: Update npm
-  #       run: npm install -g npm@latest
-  #     - name: Install dependencies
-  #       run: npm ci --legacy-peer-deps
-  #     - name: Configure git
-  #       run: |
-  #         git config --global user.name "supabase-releaser[bot]"
-  #         git config --global user.email "supabase-releaser[bot]@users.noreply.github.com"
-
-  #     - name: Release canary version
-  #       id: release
-  #       run: |
-  #         echo "Running nx release..."
-  #         npm run release-canary
-  #       env:
-  #         NPM_CONFIG_PROVENANCE: true
-  #         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  #         RELEASE_GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} # used for tags
-  # notify-stable-failure:
-  #   name: Notify Slack for Stable failure
-  #   needs: release-stable
-  #   if: ${{ always() && github.event_name == 'workflow_dispatch' && needs.release-stable.result == 'failure' }}
-  #   uses: ./.github/workflows/slack-notify.yml
-  #   secrets: inherit
-  #   with:
-  #     subject: 'Stable Release'
-
-  # notify-canary-failure:
-  #   name: Notify Slack for Canary failure
-  #   needs: release-canary
-  #   if: ${{ always() && github.event_name == 'push' && needs.release-canary.result == 'failure' }}
-  #   uses: ./.github/workflows/slack-notify.yml
-  #   secrets: inherit
-  #   with:
-  #     subject: 'Canary Release'
+            });

scripts/release-stable.ts

@@ -40,28 +40,11 @@ if (!validSpecifiers.includes(versionSpecifier) && !isValidVersion) {
 }
 
 ;(async () => {
-  // const { workspaceVersion, projectsVersionData } = await releaseVersion({
-  //   verbose: true,
-  //   gitCommit: false,
-  //   stageChanges: false,
-  //   specifier: versionSpecifier,
-  // })
-
   if (process.env.RELEASE_GITHUB_TOKEN) {
     const remoteUrl = `https://x-access-token:${process.env.RELEASE_GITHUB_TOKEN}@github.com/supabase/supabase-js.git`
     execSync(`git remote set-url origin "${remoteUrl}"`)
-    console.log('Set origin to:', remoteUrl)
   }
 
-  // Update version.ts files with the new versions
-  console.log('\n📦 Updating version.ts files...')
-  // execSync('npx tsx scripts/update-version-files.ts', { stdio: 'inherit' })
-
-  // Rebuild packages with correct versions
-  console.log('\n🔨 Rebuilding packages with new versions...')
-  // execSync('npx nx run-many --target=build --all', { stdio: 'inherit' })
-  console.log('✅ Build complete\n')
-
   // releaseChangelog should use the GitHub token with permission for tagging
   // before switching the token, backup the GITHUB_TOKEN so that it
   // can be restored afterwards and used by releasePublish. We can't use the same
@@ -77,53 +60,15 @@ if (!validSpecifiers.includes(versionSpecifier) && !isValidVersion) {
   const authHeader = `AUTHORIZATION: basic ${Buffer.from(`x-access-token:${process.env.RELEASE_GITHUB_TOKEN}`).toString('base64')}`
   execSync(`git config --local http.https://github.com/.extraheader "${authHeader}"`)
 
-  // const result = await releaseChangelog({
-  //   versionData: projectsVersionData,
-  //   version: workspaceVersion,
-  //   verbose: true,
-  //   gitCommit: false,
-  //   stageChanges: false,
-  // })
-
   // npm publish with OIDC
   // not strictly necessary to restore the header but do it incase  we require it later
   execSync(`git config --local http.https://github.com/.extraheader "${originalAuth}"`)
   // restore the GH token
   process.env.GITHUB_TOKEN = gh_token_bak
 
-  // const publishResult = await releasePublish({
-  //   registry: 'https://registry.npmjs.org/',
-  //   access: 'public',
-  //   tag: 'latest',
-  //   verbose: true,
-  // })
-
-  // Publish gotrue-js as legacy mirror of auth-js
-  // console.log('\n📦 Publishing @supabase/gotrue-js (legacy mirror)...')
-  // try {
-  //   execSync('npx tsx scripts/publish-gotrue-legacy.ts --tag=latest', { stdio: 'inherit' })
-  // } catch (error) {
-  //   console.error('❌ Failed to publish gotrue-js legacy package:', error)
-  //   // Don't fail the entire release if gotrue-js fails
-  //   console.log('⚠️  Continuing with release despite gotrue-js publish failure')
-  // }
-
   // ---- Create release branch + PR ----
   // switch back to the releaser GitHub token
   process.env.GITHUB_TOKEN = process.env.RELEASE_GITHUB_TOKEN
-  // const version = result.workspaceChangelog?.releaseVersion.rawVersion || workspaceVersion
-
-  // Validate version to prevent command injection
-  // Version should match semver pattern or be a valid npm version specifier
-  // if (
-  //   !version ||
-  //   !/^(v?\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?|patch|minor|major|prepatch|preminor|premajor|prerelease)$/.test(
-  //     version
-  //   )
-  // ) {
-  //   console.error(`❌ Invalid version format: ${version}`)
-  //   process.exit(1)
-  // }
 
   const branchName = `release-test}`
 
@@ -145,8 +90,6 @@ if (!validSpecifiers.includes(versionSpecifier) && !isValidVersion) {
       execSync(`git remote set-url origin "${remoteUrl}"`)
     }
 
-    console.log('Remote config before push:')
-    console.log(execSync('git remote -v').toString())
     execSync(`git push origin ${branchName}`)
 
     // Open PR using GitHub CLI
@@ -157,12 +100,7 @@ if (!validSpecifiers.includes(versionSpecifier) && !isValidVersion) {
 
     // Enable auto-merge
     execSync(`gh pr merge --auto --squash`, { stdio: 'inherit' })
-
-    // execSync('git stash')
-    // console.log('✅ Stashed package.json changes')
   } catch (err) {
     console.error('❌ Failed to push release branch or open PR', err)
   }
-
-  // process.exit(Object.values(publishResult).every((r) => r.code === 0) ? 0 : 1)
 })()