chore: production deploy

.github/CODEOWNERS

@@ -10,3 +10,7 @@
 /apps/cli-go/pkg/config/templates/Dockerfile
 /pnpm-lock.yaml
 /pnpm-workspace.yaml
+
+# Generated code. These ownerless rules override the catch-all above so
+# CI-green sync PRs (e.g. Management API OpenAPI spec) can be auto-merged.
+/packages/api/src/generated/

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -104,8 +104,8 @@ body:
   - type: input
     id: ticket-id
     attributes:
-      label: Debug ticket ID
-      description: If possible, rerun the failing command with `--create-ticket` and paste the ticket ID.
+      label: Crash report ID
+      description: If the CLI printed one after rerunning with `--create-ticket`, paste the crash report ID.
       placeholder: ab1ac733e31e4f928a4d7c8402543712
     validations:
       required: false

.github/actions/setup/action.yml

@@ -2,20 +2,26 @@ name: Setup
 
 description: Perform standard setup and install dependencies using pnpm
 
+inputs:
+  dependency-firewall-token:
+    description: Token used to authenticate the Dependency Firewall registry
+    required: false
+    default: ""
+  dependency-cache:
+    description: >-
+      Whether to enable the pnpm dependency cache. Disable this when the job
+      deletes the pnpm store before exiting, otherwise the post-job cache save
+      fails with a path validation error.
+    required: false
+    default: "true"
+
 runs:
   using: "composite"
   steps:
     - name: Resolve Bun version
       shell: bash
       run: echo "BUN_VERSION=1.3.13" >> "$GITHUB_ENV"
 
-    - name: Restore Bun toolchain cache
-      id: bun-toolchain-cache
-      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-      with:
-        path: /opt/hostedtoolcache/bun
-        key: bun-toolchain-${{ runner.os }}-${{ runner.arch }}-${{ env.BUN_VERSION }}
-
     - name: Install Bun
       id: install-bun
       uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
@@ -49,10 +55,25 @@ runs:
       run: npm install --global --force corepack && corepack enable
 
     - name: Configure dependency cache
+      if: inputs.dependency-cache == 'true'
       uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
       with:
         cache: pnpm
 
     - name: Install dependencies
       shell: bash
-      run: pnpm install --frozen-lockfile
+      env:
+        DEPENDENCY_FIREWALL_TOKEN: ${{ inputs.dependency-firewall-token }}
+      run: |
+        if [ -z "$DEPENDENCY_FIREWALL_TOKEN" ]; then
+          echo "Dependency Firewall token unavailable; using default npm registry."
+          pnpm install --frozen-lockfile
+          exit 0
+        fi
+
+        npmrc="${RUNNER_TEMP}/dependency-firewall.npmrc"
+        {
+          echo "registry=https://firewall.depthfirst.com/npm/"
+          echo "//firewall.depthfirst.com/npm/:_authToken=${DEPENDENCY_FIREWALL_TOKEN}"
+        } > "$npmrc"
+        NPM_CONFIG_USERCONFIG="$npmrc" pnpm install --frozen-lockfile

.github/dependabot.yml

@@ -65,6 +65,12 @@ updates:
       - dependency-name: "axllent/mailpit"
       - dependency-name: "darthsim/imgproxy"
       - dependency-name: "timberio/vector"
+      # Held back: v2.109.0+ adds a setup_supabase_realtime_admin migration
+      # that fails against the CLI's local Postgres and breaks `supabase start`.
+      # Remove once the CLI's local stack is compatible with the new migration.
+      - dependency-name: "supabase/realtime"
+        versions:
+          - ">= 2.109.0"
     cooldown:
       default-days: 7
       exclude:

.github/scripts/sweep-live-projects.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Delete every staging project whose name starts with the given prefix (the live
+# e2e job's per-run prefix). Shared by the in-run retry sweep (called best-effort
+# with `|| true`) and the always() cleanup step (which propagates the exit code).
+#
+# Reads SUPABASE_ACCESS_TOKEN + CLI_E2E_API_URL from the environment. Exits
+# non-zero if any DELETE failed; a failed *listing* also exits non-zero (pipefail).
+set -o pipefail
+
+PREFIX="${1:?usage: sweep-live-projects.sh PREFIX}"
+: "${SUPABASE_ACCESS_TOKEN:?SUPABASE_ACCESS_TOKEN required}"
+: "${CLI_E2E_API_URL:?CLI_E2E_API_URL required}"
+
+# Capture the list in a var (not a pipe-to-while subshell) so a failed delete is
+# recorded in $failed; a failed listing aborts here via pipefail.
+refs=$(curl -fsS -H "Authorization: Bearer ${SUPABASE_ACCESS_TOKEN}" \
+  "${CLI_E2E_API_URL}/v1/projects" \
+  | jq -r --arg p "$PREFIX" '.[] | select(.name|startswith($p)) | .ref // .id')
+
+failed=0
+for ref in $refs; do
+  [ -n "$ref" ] || continue
+  echo "deleting leftover project $ref"
+  if ! curl -fsS -X DELETE -H "Authorization: Bearer ${SUPABASE_ACCESS_TOKEN}" \
+    "${CLI_E2E_API_URL}/v1/projects/${ref}" >/dev/null; then
+    echo "::error::failed to delete leftover project $ref"
+    failed=1
+  fi
+done
+exit "$failed"

.github/workflows/api-package-sync.yml

@@ -9,71 +9,18 @@ permissions:
   contents: read
 
 jobs:
-  detect:
-    name: Detect OpenAPI changes
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    outputs:
-      has_changes: ${{ steps.compare.outputs.has_changes }}
-    steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
-        with:
-          persist-credentials: false
-
-      - name: Compare upstream OpenAPI spec
-        id: compare
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          remote_spec="$RUNNER_TEMP/openapi.remote.json"
-          remote_normalized="$RUNNER_TEMP/openapi.remote.normalized.json"
-          tracked_normalized="$RUNNER_TEMP/openapi.tracked.normalized.json"
-          normalize_filter="$RUNNER_TEMP/normalize-openapi.jq"
-
-          curl -fsS https://api.supabase.com/api/v1-json -o "$remote_spec"
-
-          cat > "$normalize_filter" <<'JQ'
-          def pointer_path($p): $p | split("/")[1:] | map(gsub("~1"; "/") | gsub("~0"; "~"));
-          reduce ($overrides[0] // [])[] as $op (.;
-            if $op.op == "test" then
-              if getpath(pointer_path($op.path)) == $op.value then
-                .
-              else
-                error("OpenAPI override test failed at \($op.path)")
-              end
-            elif $op.op == "replace" then
-              setpath(pointer_path($op.path); $op.value)
-            else
-              error("Unsupported OpenAPI override op \($op.op)")
-            end
-          )
-          JQ
-
-          jq -S --slurpfile overrides packages/api/scripts/openapi-overrides.json \
-            -f "$normalize_filter" "$remote_spec" > "$remote_normalized"
-          jq -S . packages/api/src/generated/openapi.json > "$tracked_normalized"
-
-          if cmp -s "$remote_normalized" "$tracked_normalized"; then
-            echo "No upstream OpenAPI changes detected."
-            echo "has_changes=false" >> "$GITHUB_OUTPUT"
-          else
-            echo "Upstream OpenAPI changes detected."
-            echo "has_changes=true" >> "$GITHUB_OUTPUT"
-            diff -u "$tracked_normalized" "$remote_normalized" | sed -n '1,160p' || true
-          fi
-
   sync:
     name: Sync API package
-    needs: detect
-    if: needs.detect.outputs.has_changes == 'true'
     runs-on: blacksmith-8vcpu-ubuntu-2404
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
 
       - name: Setup
         uses: ./.github/actions/setup
+        with:
+          dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
 
       - name: Regenerate API package
         run: pnpm generate
@@ -105,6 +52,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.check.outputs.has_changes == 'true'
+        id: cpr
         uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           token: ${{ steps.app-token.outputs.token }}
@@ -116,3 +64,18 @@ jobs:
             Changes were detected in the upstream OpenAPI document exposed by `https://api.supabase.com/api/v1-json`.
           branch: sync/api-package
           base: develop
+
+      - name: Approve a PR
+        if: steps.check.outputs.has_changes == 'true' && steps.cpr.outputs.pull-request-operation == 'created'
+        continue-on-error: true
+        run: gh pr review --approve --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
+
+      - name: Enable Pull Request Automerge
+        if: steps.check.outputs.has_changes == 'true'
+        run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/apply-release-notes.yml

@@ -89,6 +89,8 @@ jobs:
           persist-credentials: false
 
       - uses: ./.github/actions/setup
+        with:
+          dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
 
       - name: Apply notes, comment, and close
         env:

.github/workflows/backfill-release-notes.yml

@@ -17,6 +17,9 @@ on:
         required: false
         type: boolean
         default: false
+    secrets:
+      DF_FIREWALL_TOKEN:
+        required: false
   workflow_dispatch:
     inputs:
       tag:
@@ -48,6 +51,8 @@ jobs:
           persist-credentials: false
 
       - uses: ./.github/actions/setup
+        with:
+          dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
 
       - name: Backfill release notes
         run: |

.github/workflows/build-cli-artifacts.yml

@@ -33,6 +33,8 @@ on:
         required: false
       POSTHOG_ENDPOINT:
         required: false
+      DF_FIREWALL_TOKEN:
+        required: false
 
 permissions:
   contents: read
@@ -47,15 +49,25 @@ jobs:
       SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
       POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
       POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
+      # Fail the build if the macOS signing tool is missing — release artifacts
+      # must be signed (CLI-1621). Local builds without rcodesign degrade to a
+      # warning instead.
+      SUPABASE_CLI_REQUIRE_SIGNING: "1"
     steps:
       - name: Checkout
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           ref: ${{ inputs.ref }}
           persist-credentials: false
 
       - name: Setup
         uses: ./.github/actions/setup
+        with:
+          dependency-firewall-token: ${{ secrets.DF_FIREWALL_TOKEN }}
+          # The GitHub-hosted producer frees disk space by deleting the pnpm
+          # store before exiting, which would make the post-job pnpm cache save
+          # fail with a path validation error. Skip the dependency cache there.
+          dependency-cache: ${{ inputs.cache_key_suffix != '-github' }}
 
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -74,9 +86,41 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y nfpm
 
+      - name: Install rcodesign
+        env:
+          RCODESIGN_VERSION: "0.29.0"
+          RCODESIGN_SHA256: "dbe85cedd8ee4217b64e9a0e4c2aef92ab8bcaaa41f20bde99781ff02e600002"
+        run: |
+          set -euo pipefail
+          asset="apple-codesign-${RCODESIGN_VERSION}-x86_64-unknown-linux-musl.tar.gz"
+          curl -fsSL -o /tmp/rcodesign.tar.gz \
+            "https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/${asset}"
+          echo "${RCODESIGN_SHA256}  /tmp/rcodesign.tar.gz" | sha256sum -c
+          tar -xzf /tmp/rcodesign.tar.gz -C /tmp
+          sudo install -m 0755 "/tmp/apple-codesign-${RCODESIGN_VERSION}-x86_64-unknown-linux-musl/rcodesign" /usr/local/bin/rcodesign
+          rcodesign --version
+
       - name: Sync versions
         run: pnpm exec bun apps/cli/scripts/sync-versions.ts --version "${VERSION}"
 
+      # The GitHub-hosted ubuntu-latest runner ships only ~14 GB free on /, and
+      # build.ts cross-compiles 8 Bun binaries (each embeds the full Bun runtime)
+      # plus 6 Go binaries in parallel, then writes archives + Linux packages —
+      # which tips over "no space left on device" non-deterministically depending
+      # on the runner the attempt lands on. Reclaim the preinstalled toolchains we
+      # don't use (~25 GB) before building. Blacksmith runners have ample disk so
+      # this is gated to the github-hosted producer.
+      #   - tool-cache stays false: setup-go installed Go into
+      #     /opt/hostedtoolcache above, so removing it would break the Go build.
+      #   - swap-storage stays (false = keep): the parallel bun --compile fan-out
+      #     is memory-heavy and the swapfile guards against OOM kills.
+      - name: Free disk space before building
+        if: inputs.cache_key_suffix == '-github'
+        uses: supabase/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # supabase fork of jlumbroso/free-disk-space
+        with:
+          tool-cache: false
+          swap-storage: false
+
       - name: Build selected shell
         run: pnpm exec bun apps/cli/scripts/build.ts --version "${VERSION}" --shell "${BUN_SHELL}"
 
@@ -89,6 +133,27 @@ jobs:
           echo "Checking dist/..."
           ls -la dist/
 
+      - name: Verify macOS signatures
+        run: |
+          set -euo pipefail
+          for bin in packages/cli-darwin-*/bin/supabase packages/cli-darwin-*/bin/supabase-go; do
+            [ -f "$bin" ] || continue
+            echo "::group::$bin"
+            info="$(rcodesign print-signature-info "$bin")"
+            echo "$info" | grep -E 'identifier:|flags:'
+            echo "$info" | grep -q 'identifier: com.supabase.cli' || { echo "::error::$bin missing supabase identifier"; exit 1; }
+            if echo "$info" | grep -q 'LINKER_SIGNED'; then echo "::error::$bin still linker-signed"; exit 1; fi
+            echo "::endgroup::"
+          done
+
+      - name: Free space before saving GitHub-hosted artifacts cache
+        if: inputs.cache_key_suffix == '-github'
+        run: |
+          rm -rf node_modules apps/*/node_modules packages/*/node_modules
+          chmod -R u+w "$HOME/.cache/go-build" "$HOME/go/pkg/mod" 2>/dev/null || true
+          rm -rf "$(pnpm store path --silent)" "$HOME/.cache/go-build" "$HOME/go/pkg/mod"
+          df -h
+
       - name: Check existing build artifacts cache
         id: build-artifacts-cache
         uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5

.github/workflows/cli-go-api-sync.yml

@@ -14,7 +14,7 @@ jobs:
     name: Sync API Types
     runs-on: blacksmith-2vcpu-ubuntu-2404
     steps:
-      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
         with:
           persist-credentials: false
 
@@ -73,7 +73,7 @@ jobs:
         if: steps.check.outputs.has_changes == 'true'
         run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}"
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
 defaults:
   run: