From bf3b86055713915a9e3ecd6a8eefe5ab565fadf7 Mon Sep 17 00:00:00 2001 From: Qiao Han Date: Thu, 27 Nov 2025 00:49:46 +0800 Subject: [PATCH 1/3] Revert "chore: move all npm ops to beta workflow" This reverts commit eae61bfad77f3cf8329cef9b3557fc58edab9cb9. --- .github/workflows/release-beta.yml | 35 ++----------------- .github/workflows/release.yml | 54 +++++++++++++++++++++++------- .github/workflows/tag-npm.yml | 34 +++++++++++++++++++ 3 files changed, 79 insertions(+), 44 deletions(-) create mode 100644 .github/workflows/tag-npm.yml diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml index 794f0d802..89645566d 100644 --- a/.github/workflows/release-beta.yml +++ b/.github/workflows/release-beta.yml @@ -14,7 +14,6 @@ permissions: jobs: approved: - name: fast-forward if: | github.event.pull_request.head.ref == 'develop' && github.event.pull_request.base.ref == 'main' && @@ -22,9 +21,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: write - packages: write - outputs: - release_tag: ${{ steps.latest-release.outputs.tagName }} steps: - uses: actions/checkout@v6 with: 
@@ -33,46 +29,21 @@ jobs: git checkout main git merge --ff-only "${{ github.event.pull_request.head.sha }}" git push origin main - - id: latest-release - run: | - latest=$(gh release list --limit 1 --json tagName --jq '.[].tagName') - gh release edit $latest --latest --prerelease=false - echo "tagName=$latest" >> $GITHUB_OUTPUT - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - tag: - name: Move latest tag + deploy: needs: - approved - runs-on: ubuntu-latest permissions: - contents: read + contents: write + packages: write # Required for npm OIDC id-token: write - steps: - - uses: actions/checkout@v6 - - uses: actions/setup-node@v6 - with: - node-version: latest - registry-url: https://registry.npmjs.org - - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest - env: - RELEASE_TAG: ${{ needs.approved.outputs.release_tag }} - - deploy: - needs: - - approved - - tag # Call workflow explicitly because events from actions cannot trigger more actions uses: ./.github/workflows/release.yml - with: - release: ${{ needs.approved.outputs.release_tag }} secrets: inherit release: name: semantic-release - if: ${{ github.event_name != 'pull_request_review' }} runs-on: ubuntu-latest permissions: contents: write diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6ad527336..9cce7cc90 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
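Review bot: `secrets: inherit` on the new `deploy` job forwards every secret this repository can read to release.yml, and the `contents: write`, `packages: write` and `id-token: write` grants above it become the permission ceiling for every job in the called workflow. Which secrets release.yml actually reads is not visible in this hunk, so the exact list has to be confirmed there; the tighter form is to declare them under `on.workflow_call.secrets` in the callee and pass an explicit `secrets:` map from the caller. The same `secrets: inherit` appears on the `publish` job that calls tag-npm.yml in release.yml (patches 1/3 and 3/3) and on the `publish` job in fast-forward.yml (patch 2/3).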
@@ -1,24 +1,36 @@ name: Release on: + push: + branches: + - main workflow_call: - inputs: - release: - required: true - type: string - workflow_dispatch: - inputs: - release: - description: "v1.0.0" - required: true - type: string permissions: contents: read jobs: + settings: + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + outputs: + release_tag: ${{ steps.prerelease.outputs.tagName }} + steps: + - uses: actions/checkout@v6 + - id: prerelease + run: | + gh release list --limit 1 --json tagName --jq \ + '.[]|to_entries|map("\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_OUTPUT + - run: gh release edit ${{ steps.prerelease.outputs.tagName }} --latest --prerelease=false + commit: name: Publish Brew and Scoop + needs: + - settings runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -35,12 +47,26 @@ jobs: repositories: | homebrew-tap scoop-bucket - - run: go run tools/publish/main.go ${{ inputs.release }} + - run: go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }} env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + publish: + name: Publish NPM + needs: + - settings + permissions: + contents: read + id-token: write + uses: ./.github/workflows/tag-npm.yml + with: + release: ${{ needs.settings.outputs.release_tag }} + secrets: inherit + compose: name: Bump self-hosted versions + needs: + - settings runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -63,7 +89,9 @@ jobs: changelog: name: Publish changelog needs: + - settings - commit + - publish runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -86,6 +114,8 @@ jobs: docs: name: Publish reference docs + needs: + - settings runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 
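Review bot: In the new `settings` job, `gh release edit ${{ steps.prerelease.outputs.tagName }} --latest --prerelease=false` pastes the tag name into the script text before bash parses it, so the value is treated as shell source rather than as one argument. Passing it through the environment keeps it data: add `env:` with `RELEASE_TAG: ${{ steps.prerelease.outputs.tagName }}` on that step and run `gh release edit "$RELEASE_TAG" --latest --prerelease=false`, which is the pattern tag-npm.yml already uses. The same inline expansion is in `go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }}` in the next hunk and in the `go run docs/main.go …` line of the last release.yml hunk, and patch 3/3 keeps both under `needs.fast-forward`. Quoting `"$GITHUB_OUTPUT"` in the `prerelease` step is also worth doing while the step is being touched.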
@@ -101,6 +131,6 @@ jobs: owner: ${{ github.repository_owner }} repositories: | supabase - - run: go run docs/main.go ${{ inputs.release }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml + - run: go run docs/main.go ${{ needs.settings.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/tag-npm.yml b/.github/workflows/tag-npm.yml new file mode 100644 index 000000000..53a7c9a31 --- /dev/null +++ b/.github/workflows/tag-npm.yml @@ -0,0 +1,34 @@ +name: Tag NPM + +on: + workflow_call: + inputs: + release: + required: true + type: string + workflow_dispatch: + inputs: + release: + description: "v1.0.0" + required: true + type: string + +permissions: + contents: read + id-token: write + +jobs: + tag: + name: Move latest tag + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + + - uses: actions/setup-node@v6 + with: + node-version: latest + registry-url: https://registry.npmjs.org + + - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest + env: + RELEASE_TAG: ${{ inputs.release }} From 33fd875364cbb0469a9aff805102d8ecc7405d93 Mon Sep 17 00:00:00 2001 From: Qiao Han Date: Thu, 27 Nov 2025 00:49:57 +0800 Subject: [PATCH 2/3] Revert "chore: merge fast forward workflow to beta release" This reverts commit 356b2aa5ba03843ac35a480f361371626fa0b892. --- .github/workflows/fast-forward.yml | 37 ++++++++++++++++++++++++++++++ .github/workflows/release-beta.yml | 32 -------------------------- 2 files changed, 37 insertions(+), 32 deletions(-) create mode 100644 .github/workflows/fast-forward.yml diff --git a/.github/workflows/fast-forward.yml b/.github/workflows/fast-forward.yml new file mode 100644 index 000000000..c2c289c04 --- /dev/null +++ b/.github/workflows/fast-forward.yml 
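Review bot: The new tag-npm.yml job resolves `actions/checkout@v6`, `actions/setup-node@v6` and `node-version: latest` at run time, so code that can change without a commit here runs in a job holding `id-token: write` and moving the package's `latest` dist-tag. Pinning each action to a full commit SHA, e.g. `uses: actions/setup-node@<full-commit-sha> # v6`, and naming a fixed Node major would make the job reproducible and reviewable. The `release` input is correctly passed through `env:` and quoted, but nothing checks its shape before the dist-tag moves; a guard such as `[[ "$RELEASE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]] || exit 1` ahead of the `npm dist-tag add` line would reject a mistyped `workflow_dispatch` value.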
@@ -0,0 +1,37 @@ +name: Fast-forward + +on: + pull_request_review: + types: + - submitted + +permissions: + contents: write + +jobs: + approved: + if: | + github.event.pull_request.head.ref == 'develop' && + github.event.pull_request.base.ref == 'main' && + github.event.review.state == 'approved' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + with: + fetch-depth: 0 + - run: | + git checkout main + git merge --ff-only "${{ github.event.pull_request.head.sha }}" + git push origin main + + publish: + needs: + - approved + permissions: + contents: write + packages: write + # Required for npm OIDC + id-token: write + # Call workflow explicitly because events from actions cannot trigger more actions + uses: ./.github/workflows/release.yml + secrets: inherit diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml index 89645566d..fca87826e 100644 --- a/.github/workflows/release-beta.yml +++ b/.github/workflows/release-beta.yml @@ -1,9 +1,6 @@ name: Release (Beta) on: - pull_request_review: - types: - - submitted push: branches: - develop @@ -13,35 +10,6 @@ permissions: contents: read jobs: - approved: - if: | - github.event.pull_request.head.ref == 'develop' && - github.event.pull_request.base.ref == 'main' && - github.event.review.state == 'approved' - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - run: | - git checkout main - git merge --ff-only "${{ github.event.pull_request.head.sha }}" - git push origin main - - deploy: - needs: - - approved - permissions: - contents: write - packages: write - # Required for npm OIDC - id-token: write - # Call workflow explicitly because events from actions cannot trigger more actions - uses: ./.github/workflows/release.yml - secrets: inherit - release: name: semantic-release runs-on: ubuntu-latest From c21560637910eadfd4b15b7d6e5eba6380071231 Mon Sep 17 00:00:00 2001 
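Review bot: The `approved` job's `if:` accepts any review whose state is `approved` on a develop → main pull request; it checks neither who submitted the review nor that the head branch belongs to this repository, yet the job pushes to `main` and the `publish` job then calls release.yml with inherited secrets. Unless branch protection or an environment gate outside this diff enforces reviewer rights, the condition should carry that check itself, for example `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.review.author_association) &&` and `github.event.pull_request.head.repo.full_name == github.repository &&` ahead of the existing three lines. Patch 3/3 moves the same unchanged condition onto the `fast-forward` job in release.yml, where it gates the Brew/Scoop and npm publishing jobs as well.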
From: Qiao Han Date: Thu, 27 Nov 2025 00:57:12 +0800 Subject: [PATCH 3/3] chore: merge fast forward and release workflow --- .github/workflows/fast-forward.yml | 37 ---------------------- .github/workflows/release.yml | 49 ++++++++++++++++++------------ .github/workflows/tag-npm.yml | 1 + 3 files changed, 30 insertions(+), 57 deletions(-) delete mode 100644 .github/workflows/fast-forward.yml diff --git a/.github/workflows/fast-forward.yml b/.github/workflows/fast-forward.yml deleted file mode 100644 index c2c289c04..000000000 --- a/.github/workflows/fast-forward.yml +++ /dev/null @@ -1,37 +0,0 @@ -name: Fast-forward - -on: - pull_request_review: - types: - - submitted - -permissions: - contents: write - -jobs: - approved: - if: | - github.event.pull_request.head.ref == 'develop' && - github.event.pull_request.base.ref == 'main' && - github.event.review.state == 'approved' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - run: | - git checkout main - git merge --ff-only "${{ github.event.pull_request.head.sha }}" - git push origin main - - publish: - needs: - - approved - permissions: - contents: write - packages: write - # Required for npm OIDC - id-token: write - # Call workflow explicitly because events from actions cannot trigger more actions - uses: ./.github/workflows/release.yml - secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9cce7cc90..80c496f64 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -1,36 +1,45 @@ name: Release on: - push: - branches: - - main - workflow_call: + pull_request_review: + types: + - submitted permissions: contents: read jobs: - settings: + fast-forward: + if: | + github.event.pull_request.head.ref == 'develop' && + github.event.pull_request.base.ref == 'main' && + github.event.review.state == 'approved' runs-on: ubuntu-latest permissions: contents: write packages: write - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} outputs: - release_tag: ${{ steps.prerelease.outputs.tagName }} + release_tag: ${{ steps.latest-release.outputs.tagName }} steps: - uses: actions/checkout@v6 - - id: prerelease + with: + fetch-depth: 0 + - run: | + git checkout main + git merge --ff-only "${{ github.event.pull_request.head.sha }}" + git push origin main + - id: latest-release run: | - gh release list --limit 1 --json tagName --jq \ - '.[]|to_entries|map("\(.key)=\(.value|tostring)")|.[]' >> $GITHUB_OUTPUT - - run: gh release edit ${{ steps.prerelease.outputs.tagName }} --latest --prerelease=false + latest=$(gh release list --limit 1 --json tagName --jq '.[].tagName') + gh release edit $latest --latest --prerelease=false + echo "tagName=$latest" >> $GITHUB_OUTPUT + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} commit: name: Publish Brew and Scoop needs: - - settings + - fast-forward runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 
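Review bot: The `latest-release` step promotes the first entry of `gh release list --limit 1` without tying it to the commit that was just fast-forwarded, and that tag name then drives the Brew/Scoop publish, the docs bump and the npm `latest` dist-tag. A check before `gh release edit` that the tag is contained in the updated branch, e.g. `git merge-base --is-ancestor "$latest" main`, would stop an unrelated or newer release from being promoted; whether prerelease tags always sit on develop's history is inferred, not visible here. `$latest` and `$GITHUB_OUTPUT` should be quoted, and `packages: write` on this job is not used by any step shown in the hunk, so it can probably be dropped.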
@@ -47,26 +56,26 @@ jobs: repositories: | homebrew-tap scoop-bucket - - run: go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }} + - run: go run tools/publish/main.go ${{ needs.fast-forward.outputs.release_tag }} env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} publish: name: Publish NPM needs: - - settings + - fast-forward permissions: contents: read id-token: write uses: ./.github/workflows/tag-npm.yml with: - release: ${{ needs.settings.outputs.release_tag }} + release: ${{ needs.fast-forward.outputs.release_tag }} secrets: inherit compose: name: Bump self-hosted versions needs: - - settings + - fast-forward runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -89,7 +98,7 @@ jobs: changelog: name: Publish changelog needs: - - settings + - fast-forward - commit - publish runs-on: ubuntu-latest @@ -115,7 +124,7 @@ jobs: docs: name: Publish reference docs needs: - - settings + - fast-forward runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 @@ -131,6 +140,6 @@ jobs: owner: ${{ github.repository_owner }} repositories: | supabase - - run: go run docs/main.go ${{ needs.settings.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml + - run: go run docs/main.go ${{ needs.fast-forward.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/tag-npm.yml b/.github/workflows/tag-npm.yml index 53a7c9a31..934d42370 100644 --- a/.github/workflows/tag-npm.yml +++ b/.github/workflows/tag-npm.yml @@ -32,3 +32,4 @@ jobs: - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest env: RELEASE_TAG: ${{ inputs.release }} + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
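Review bot: The added `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` puts a long-lived registry credential into a workflow that still requests `id-token: write` and can also be started by `workflow_dispatch`; the `tag` job begins outside this hunk. `workflow_call` in this file declares no `secrets:`, so the value only arrives because the caller uses `secrets: inherit`; declaring `NPM_TOKEN` with `required: true` under `on.workflow_call.secrets` and passing just that one secret from release.yml narrows what the job can see. The token should be a granular one limited to the `supabase` package, and if `npm dist-tag` cannot authenticate through OIDC, `id-token: write` can be removed from this workflow.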