chore: production deploy #5657
supabase-cli-releaser (Bot) commented Jun 23, 2026
- feat(cli): add issue form command (#5459)
- ci: setup dependency firewall (#5581)
- ci: add stale issue and PR cleanup workflow (#5456)
- feat(cli): port functions deploy (#5561)
- ci: read stale cleanup dispatch inputs (#5600)
- chore: sync API types from infrastructure (#5599)
- ci: derive brew/scoop checksums from the published build (#5604)
- ci: enable scheduled stale cleanup (#5606)
- fix(cli): reconcile hybrid stitch+stamp identity with shared LegacyIdentityStitch service (#5607)
- ci: silence stale reopen confirmation (#5608)
- chore(cli-go): unblock OpenAPI codegen for upgrade warnings (#5609)
- chore(ci): bump actions/github-script from 7.1.0 to 9.0.0 in the actions-major group (#5613)
- fix(docker): bump supabase/realtime from v2.107.5 to v2.108.0 in /apps/cli-go/pkg/config/templates in the docker-minor group (#5611)
- fix(deps): bump the npm-major group with 6 updates (#5612)
- ci(release): free space before artifact cache save (#5610)
- ci: add post-publish install channel verification workflow (#5605)
- feat(cli): port db dump, query, and schema declarative to native TypeScript (#5586)
- ci(release): tolerate read-only Go cache cleanup (#5617)
- fix(cli): merge matching [remotes.*] block on config push (#5618)
- fix(cli): mount test file's directory so \ir includes resolve (#5619)
- chore(api): simplify OpenAPI sync workflow (#5602)
- test(cli-e2e): add live e2e suite covering the CLI command matrix (#5588)
- fix(deps): bump undici from 8.4.1 to 8.5.0 (#5623)
- fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates (#5625)
- fix(deps): bump the npm-major group with 11 updates (#5626)
- ci: add dependency-cache input to setup action (#5627)
- fix(cli): improve local start diagnostics (#5616)
- chore(cli): downgrade realtime image to v2.108.0 (#5628)
- fix(docker): bump supabase/storage-api from v1.60.21 to v1.60.22 in /apps/cli-go/pkg/config/templates in the docker-minor group (#5630)
- fix(deps): bump the npm-major group with 2 updates (#5631)
- fix(docker): bump supabase/postgres from 17.6.1.136 to 17.6.1.138 in /apps/cli-go/pkg/config/templates (#5636)
- feat(cli): add --reveal flag to projects api-keys (#5633)
- ci(release): register QEMU before containerd restart for arm64 smoke tests (#5639)
- fix(deps): bump github.com/containerd/containerd/v2 from 2.2.4 to 2.2.5 in /apps/cli-go (#5640)
- ci(release): mount binfmt_misc on the host for arm64 smoke tests on cold runners (#5641)
- fix(docker): bump supabase/storage-api from v1.60.22 to v1.60.26 in /apps/cli-go/pkg/config/templates in the docker-minor group across 1 directory (#5635)
- fix(deps): bump the npm-major group across 1 directory with 11 updates (#5642)
- chore(ci): use app token for API sync automerge (#5603)
- fix(functions): forward npm auth token to Docker bundler (#5645)
- fix(cli): chunk storage delete requests to respect API cap (#1814) (#5629)
- fix(cli): keep test db local connections plaintext (#5644)
- chore(stack): bump mailpit to v1.30.2 (#5647)
- chore(cli): read Postgres image from Dockerfile manifest (#5649)
- refactor(cli-go): extract envOrDefault helper and make Kong workers configurable (#5648)
- chore(api): sync Management API OpenAPI spec (#5621)
- feat: clean up report table output and add rules (#5253)
- fix(docker): bump the docker-minor group in /apps/cli-go/pkg/config/templates with 4 updates (#5656)
Depends on #5458. Adds `supabase issue bug|feature|docs` for opening the repository issue forms with useful fields prefilled from CLI flags and runtime context. Adds a shared issue-template contract test so command field IDs, option values, and required-field policy stay aligned with the YAML issue forms.
## What kind of change does this PR introduce?

CI update

## What is the new behavior?

Uses Dependency Firewall from DepthFirst: https://depthfirst.com/dependency-firewall

---------

Co-authored-by: Julien Goux <hi@jgoux.dev>
## What changed

Adds a GitHub Actions workflow for stale issue and pull request cleanup. The workflow runs daily as a dry run so maintainers can see what would be closed, and it can also be run manually. Manual runs stay in dry-run mode unless `execute` is set to `true`. Execute runs comment on and close matching items, skip protected labels, and default to a 25-item batch cap so cleanup can happen gradually. The default stale window is 45 days for issues and 60 days for pull requests.

## Why

The CLI repo has a large stale backlog. The workflow gives maintainers a repeatable way to review the next stale batch, close old inactive items with a clear comment, and let users reopen or ask maintainers to reopen anything that is still relevant.
## TL;DR

ports `functions deploy` to native ts

## What’s introduced

adds the native ts implementation for `supabase functions deploy`, keeping the existing command surface for API deploys, Docker bundling, import maps, static files, pruning, disabled functions, and output & includes coverage around all this!

> ~~Behavior change: the default deploy path is now api based / dockerless. but users can still opt back into the previous local Docker bundling path with `--use-docker` if needed~~ (will address as a followup)

## ref:

- Closes CLI-1319

---------

Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com>
## What changed

Updates the stale cleanup workflow to read manual `workflow_dispatch` inputs from the workflow event payload instead of action inputs. This makes the `execute` checkbox and manual overrides for stale windows, batch size, and excluded labels take effect when maintainers run the workflow manually.

## Why

`actions/github-script`'s `core.getInput()` reads inputs passed to the action itself. The stale cleanup workflow needs the values submitted through GitHub's manual workflow form.
This PR was automatically created to sync API types from the infrastructure repository. Changes were detected in the generated API code after syncing with the latest spec from infrastructure.

Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>
Co-authored-by: Andrew Valleteau <avallete@users.noreply.github.com>
publish-homebrew and publish-scoop restored the blacksmith build cache (-v1) and computed formula/manifest checksums from its dist/checksums.txt, but the GitHub Release and npm ship the github-hosted build (-github-v1). Bun-compiled binaries are not byte-for-byte reproducible across the two builds, so every sha256 in the published Homebrew formula referenced a tarball that was never released and `brew install supabase/tap/supabase` failed with "Formula reports different checksum". The Scoop manifest had the same latent defect.

Restore the -github-v1 cache in both jobs and run them on github-hosted runners so they share a cache store with the publish job whose artifacts they describe.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Y23nV6fJ78f6RKJHjMNZau
Co-authored-by: Claude <noreply@anthropic.com>
Updates the stale cleanup workflow so the daily scheduled run performs the same closing behavior as an executed manual run. The per-run item cap has also been removed, so every currently eligible issue or pull request is processed in one run. Issues closed by stale cleanup now receive a stale-closed marker, and a separate issue-comment workflow lets users reopen those issues by commenting with /reopen as the first non-empty line. Manual dispatches can still be used as a dry run unless execute is enabled.
…entityStitch service (#5607)

## Problem

The #5366 gate stopped the ephemeral-env `$identify` spike, but at the cost of attribution: in CI, Docker, and `npx supabase`, `cli_*` events stay orphaned on throwaway device IDs and never link to the authenticated user. GROWTH-891 (#5559) fixes that with a hybrid stitch+stamp model.

While #5559 was in review, #5579 (db lint/advisors port) landed on develop and independently extracted the legacy identity stitch into a shared `LegacyIdentityStitch` service — one per-command `stitchAttempted` guard so the advisor transports alias at most once. That's the architecture we want, but it's a port of the pre-891 behavior: it only stamps when it aliases (persistent, first login), so it doesn't restore CI/Docker/npx attribution; it sets `stitchAttempted` after the file-read yield; and it reads the `runtime.distinctId` field that 891 replaced with a mutable identity slot. Merging #5559 on top as-is would silently drop the attribution feature and reintroduce the race.

This PR reconciles the two: keep #5579's shared-service architecture, fold the hybrid stitch+stamp behavior into it. Supersedes #5559.

## Changes

- **The shared `LegacyIdentityStitch` now stamps everywhere.** On the first authenticated response the user UUID is stamped into `runtime.identity` in every runtime, so captures in CI/Docker/npx carry the real user. The `$create_alias` (pre-login history merge) and the `telemetry.json` write still only happen on a persistent machine.
- **Hardening preserved:** `stitchAttempted` is set before the first yield (no double-stitch race); when an identity already exists we stamp without aliasing (never merge two person graphs); alias fires at most once across all transports sharing the service.
- **`stitchedDistinctId()` returns `runtime.identity.current()`** so the post-run `cli_command_executed` is attributed to the real user in every runtime, including steady state.
- `legacy-analytics.layer.ts` resolves `distinctId` from the identity slot while keeping develop's already-keyed `groups` map.
- Stitch behavior tests live in `legacy-identity-stitch.integration.test.ts` (CI-stamp-no-alias, stale-identity-stamp-no-alias, concurrent-alias-once); the platform-api layer test keeps develop's service-mocked wiring. A few command test runtimes still using the removed `distinctId` field were updated to `makeTelemetryIdentity`.
- Brings the Go + next-TS 891 changes (logout identity reset + device-id rotation, the redundant `$identify` removal, ADR 0013) along through the merge.

## Testing

Typecheck clean, full unit suite (1318) green, and the affected integration suites (identity-stitch, platform-api, login, logout, advisors, lint, services, gen/types, issue, linked-project-cache) pass under bun. Also ran an independent Codex review focused on the spike-regression risk — it confirmed no alias in ephemeral runtimes, alias-at-most-once across transports, the pre-yield race guard, and the no-cross-graph-merge invariant, with no findings.

GROWTH-891

---------

Co-authored-by: Julien Goux <hi@jgoux.dev>
Removes the extra success comment posted after the stale issue reopen workflow reopens an issue. The workflow still reopens stale-closed issues, removes the marker label, and logs the action in the workflow run.
## What changed

- Removes the unsupported inline discriminator from `ProjectUpgradeEligibilityResponse.warnings` in the OpenAPI overlay.
- Regenerates the Go API types so the newly added upgrade warning variants are represented.

## Context

The remote API spec now exposes inline `oneOf` warning variants under `ProjectUpgradeEligibilityResponse.warnings` with a discriminator. The current generator fails with `discriminator: not all schemas were mapped` before it can write updated types. I also checked `oapi-codegen` v2.7.1, and it fails with the same error, so a version bump alone does not unblock the sync.
…ons-major group (#5613)

Bumps the actions-major group with 1 update: [actions/github-script](https://github.com/actions/github-script).

Updates `actions/github-script` from 7.1.0 to 9.0.0

**Release notes**

*Sourced from [actions/github-script's releases](https://github.com/actions/github-script/releases).*

> ## v9.0.0
>
> **New features:**
>
> - **`getOctokit` factory function** — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See [Creating additional clients with `getOctokit`](https://github.com/actions/github-script#creating-additional-clients-with-getoctokit) for details and examples.
> - **Orchestration ID in user-agent** — The `ACTIONS_ORCHESTRATION_ID` environment variable is automatically appended to the user-agent string for request tracing.
>
> **Breaking changes:**
>
> - **`require('@actions/github')` no longer works in scripts.** The upgrade to `@actions/github` v9 (ESM-only) means `require('@actions/github')` will fail at runtime. If you previously used patterns like `const { getOctokit } = require('@actions/github')` to create secondary clients, use the new injected `getOctokit` function instead — it's available directly in the script context with no imports needed.
> - `getOctokit` is now an injected function parameter. Scripts that declare `const getOctokit = ...` or `let getOctokit = ...` will get a `SyntaxError` because JavaScript does not allow `const`/`let` redeclaration of function parameters. Use the injected `getOctokit` directly, or use `var getOctokit = ...` if you need to redeclare it.
> - If your script accesses other `@actions/github` internals beyond the standard `github`/`octokit` client, you may need to update those references for v9 compatibility.
>
> ## What's Changed
>
> - Add ACTIONS_ORCHESTRATION_ID to user-agent string by [@Copilot](https://github.com/Copilot) in [actions/github-script#695](https://redirect.github.com/actions/github-script/pull/695)
> - ci: use deployment: false for integration test environments by [@salmanmkc](https://github.com/salmanmkc) in [actions/github-script#712](https://redirect.github.com/actions/github-script/pull/712)
> - feat!: add getOctokit to script context, upgrade `@actions/github` v9, `@octokit/core` v7, and related packages by [@salmanmkc](https://github.com/salmanmkc) in [actions/github-script#700](https://redirect.github.com/actions/github-script/pull/700)
>
> ## New Contributors
>
> - [@Copilot](https://github.com/Copilot) made their first contribution in [actions/github-script#695](https://redirect.github.com/actions/github-script/pull/695)
>
> **Full Changelog**: https://github.com/actions/github-script/compare/v8.0.0...v9.0.0
>
> ## v8.0.0
>
> ## What's Changed
>
> - Update Node.js version support to 24.x by [@salmanmkc](https://github.com/salmanmkc) in [actions/github-script#637](https://redirect.github.com/actions/github-script/pull/637)
> - README for updating actions/github-script from v7 to v8 by [@sneha-krip](https://github.com/sneha-krip) in [actions/github-script#653](https://redirect.github.com/actions/github-script/pull/653)
>
> ## ⚠️ Minimum Compatible Runner Version
>
> **v2.327.1**
> [Release Notes](https://github.com/actions/runner/releases/tag/v2.327.1)
>
> Make sure your runner is updated to this version or newer to use this release.
>
> ## New Contributors
>
> - [@salmanmkc](https://github.com/salmanmkc) made their first contribution in [actions/github-script#637](https://redirect.github.com/actions/github-script/pull/637)
> - [@sneha-krip](https://github.com/sneha-krip) made their first contribution in [actions/github-script#653](https://redirect.github.com/actions/github-script/pull/653)
>
> **Full Changelog**: https://github.com/actions/github-script/compare/v7.1.0...v8.0.0

**Commits**

- [`3a2844b`](https://github.com/actions/github-script/commit/3a2844b7e9c422d3c10d287c895573f7108da1b3) Merge pull request [#700](https://redirect.github.com/actions/github-script/issues/700) from actions/salmanmkc/expose-getoctokit + prepare re...
- [`ca10bbd`](https://github.com/actions/github-script/commit/ca10bbdd1a7739de09e99a200c7a59f5d73a4079) fix: use `@octokit/core/types` import for v7 compatibility
- [`86e48e2`](https://github.com/actions/github-script/commit/86e48e20ac85c970ed1f96e718fd068173948b7b) merge: incorporate main branch changes
- [`c108472`](https://github.com/actions/github-script/commit/c1084728b5b935ec4ddc1e4cee877b01797b3ff9) chore: rebuild dist for v9 upgrade and getOctokit factory
- [`afff112`](https://github.com/actions/github-script/commit/afff112e4f8b57c718168af75b89ce00bc8d091d) Merge pull request [#712](https://redirect.github.com/actions/github-script/issues/712) from actions/salmanmkc/deployment-false + fix user-ag...
- [`ff8117e`](https://github.com/actions/github-script/commit/ff8117e5b78c415f814f39ad6998f424fee7b817) ci: fix user-agent test to handle orchestration ID
- [`81c6b78`](https://github.com/actions/github-script/commit/81c6b7876079abe10ff715951c9fc7b3e1ab389d) ci: use deployment: false to suppress deployment noise from integration tests
- [`3953caf`](https://github.com/actions/github-script/commit/3953caf8858d318f37b6cc53a9f5708859b5a7b7) docs: update README examples from `@v8` to `@v9`, add getOctokit docs and v9 brea...
- [`c17d55b`](https://github.com/actions/github-script/commit/c17d55b90dcdb3d554d0027a6c180a7adc2daf78) ci: add getOctokit integration test job
- [`a047196`](https://github.com/actions/github-script/commit/a047196d9a02fe92098771cafbb98c2f1814e408) test: add getOctokit integration tests via callAsyncFunction
- Additional commits viewable in [compare view](https://github.com/actions/github-script/compare/f28e40c7f34bde8b3046d885e986cb6290c5673b...3a2844b7e9c422d3c10d287c895573f7108da1b3)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…s/cli-go/pkg/config/templates in the docker-minor group (#5611)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1 update: supabase/realtime.

Updates `supabase/realtime` from v2.107.5 to v2.108.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) | `0.3.170` | `0.3.172` |
| [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.36.8` | `5.36.15` |
| [fumadocs-core](https://github.com/fuma-nama/fumadocs) | `16.9.3` | `16.10.0` |
| [fumadocs-mdx](https://github.com/fuma-nama/fumadocs) | `15.0.11` | `15.0.12` |
| [fumadocs-ui](https://github.com/fuma-nama/fumadocs) | `16.9.3` | `16.10.0` |
| [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260609.1` | `7.0.0-dev.20260610.1` |

Updates `@anthropic-ai/claude-agent-sdk` from 0.3.170 to 0.3.172

**Release notes**

*Sourced from [@anthropic-ai/claude-agent-sdk's releases](https://github.com/anthropics/claude-agent-sdk-typescript/releases).*

> ## v0.3.172
>
> ## What's changed
>
> - SDK `plugins` option now accepts `skipMcpDiscovery: true` per plugin, so a host that manages a plugin's MCP connections itself can load skills/hooks from the plugin path without the engine re-reading its `.mcp.json`
> - Fixed slash-followed-by-whitespace input (e.g. `/ add tests`) being silently dropped instead of treated as a plain prompt
>
> ## Update
>
> ```sh
> npm install @anthropic-ai/claude-agent-sdk@0.3.172
> # or
> yarn add @anthropic-ai/claude-agent-sdk@0.3.172
> # or
> pnpm add @anthropic-ai/claude-agent-sdk@0.3.172
> # or
> bun add @anthropic-ai/claude-agent-sdk@0.3.172
> ```

**Changelog**

*Sourced from [@anthropic-ai/claude-agent-sdk's changelog](https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md).*

> ## 0.3.172
>
> - SDK `plugins` option now accepts `skipMcpDiscovery: true` per plugin, so a host that manages a plugin's MCP connections itself can load skills/hooks from the plugin path without the engine re-reading its `.mcp.json`
> - Fixed slash-followed-by-whitespace input (e.g. `/ add tests`) being silently dropped instead of treated as a plain prompt
>
> ## 0.3.171
>
> - Updated to parity with Claude Code v2.1.171

**Commits**

- [`2cfb79c`](https://github.com/anthropics/claude-agent-sdk-typescript/commit/2cfb79cb3556c965c3ec19f1119f87a95b02dacb) chore: Update CHANGELOG.md
- See full diff in [compare view](https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.170...v0.3.172)

Updates `posthog-node` from 5.36.8 to 5.36.15

**Release notes**

*Sourced from [posthog-node's releases](https://github.com/PostHog/posthog-js/releases).*

> ## posthog-node@5.36.15
>
> ## 5.36.15
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.32.1`
>
> ## posthog-node@5.36.14
>
> ## 5.36.14
>
> ### Patch Changes
>
> - Updated dependencies [[`612f97a`](https://github.com/PostHog/posthog-js/commit/612f97adebd3d863602533180ac4bee3f3ed731d)]:
>   - `@posthog/core@1.32.0`
>
> ## posthog-node@5.36.13
>
> ## 5.36.13
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.31.4`
>
> ## posthog-node@5.36.12
>
> ## 5.36.12
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.31.3`
>
> ## posthog-node@5.36.11
>
> ## 5.36.11
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.31.2`
>
> ## posthog-node@5.36.10
>
> ## 5.36.10
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.31.1`
>
> ## posthog-node@5.36.9
>
> ## 5.36.9

... (truncated)

**Changelog**

*Sourced from [posthog-node's changelog](https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md).*

> ## 5.36.15
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.32.1`
>
> ## 5.36.14
>
> ### Patch Changes
>
> - Updated dependencies [[`612f97a`](https://github.com/PostHog/posthog-js/commit/612f97adebd3d863602533180ac4bee3f3ed731d)]:
>   - `@posthog/core@1.32.0`
>
> ## 5.36.13
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.31.4`
>
> ## 5.36.12
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.31.3`
>
> ## 5.36.11
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.31.2`
>
> ## 5.36.10
>
> ### Patch Changes
>
> - Updated dependencies []:
>   - `@posthog/core@1.31.1`
>
> ## 5.36.9
>
> ### Patch Changes
>
> - Updated dependencies [[`0c2acb9`](https://github.com/PostHog/posthog-js/commit/0c2acb9f30d545bb89d1f950ba8f840c76e47dc2)]:
>   - `@posthog/core@1.31.0`

**Commits**

- [`defbc62`](https://github.com/PostHog/posthog-js/commit/defbc62fc22d64fe57ee22e0ade43d1758866a76) chore: update versions and lockfile [version bump]
- [`50a666f`](https://github.com/PostHog/posthog-js/commit/50a666fe03ce61b889c335593cade36dacb74270) chore: update versions and lockfile [version bump]
- [`f4d4c8b`](https://github.com/PostHog/posthog-js/commit/f4d4c8b84663c983d67fffe02e284d9496cff5f1) chore: update versions and lockfile [version bump]
- [`8b8b196`](https://github.com/PostHog/posthog-js/commit/8b8b196a19bc32e91970212c26a41119c84c2f32) chore: update versions and lockfile [version bump]
- [`a88dfa1`](https://github.com/PostHog/posthog-js/commit/a88dfa10e46e797889bb27a4183f5e44f5327bc1) chore: update versions and lockfile [version bump]
- [`a116ad3`](https://github.com/PostHog/posthog-js/commit/a116ad3c2079570b77c39bacda5750996a12b005) chore: update versions and lockfile [version bump]
- [`e93fcb1`](https://github.com/PostHog/posthog-js/commit/e93fcb168f0dfc546385a2633aaf968b6724f480) chore: update versions and lockfile [version bump]
- See full diff in [compare view](https://github.com/PostHog/posthog-js/commits/posthog-node@5.36.15/packages/node)

Updates `fumadocs-core` from 16.9.3 to 16.10.0

**Release notes**

*Sourced from [fumadocs-core's releases](https://github.com/fuma-nama/fumadocs/releases).*

> ## fumadocs-core@16.10.0
>
> ### Patch Changes
>
> - 9b9545f: Add package issue tracker metadata.

<details> <summary>Commits</summary> <ul> <li><a href="https://github.com/fuma-nama/fumadocs/commit/7974b8655bdb14d91792b9382186afbabe37a00b"><code>7974b86</code></a> Version Packages</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/5d981ab5400c6c7979f41cb005ea065696d70466"><code>5d981ab</code></a> docs: migration guide for OpenAPI v11</li> <li><a 
href="https://github.com/fuma-nama/fumadocs/commit/0415b4ad6a41d67c43e7d9a979accce58cad84dc"><code>0415b4a</code></a> breaking(openapi): drop other deprecated APIs</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/9b9545fd82994ac34b896a2395b80529a63754b5"><code>9b9545f</code></a> Add Fumadocs package bugs metadata (<a href="https://redirect.github.com/fuma-nama/fumadocs/issues/3347">#3347</a>)</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/55c5fdbf8a9e8544960a97c227b020a1f0c87f86"><code>55c5fdb</code></a> feat(core): allow legacy usage of translations API</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/7285343f9068b093120b9db0d503bc54c5ede569"><code>7285343</code></a> feat(openapi): keep more legacy options</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/e8d6cc3048eafba38951e0ae39f772627ae8096c"><code>e8d6cc3</code></a> feat(openapi): backward compat with <code>\<APIPage /></code></li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/2642fa69eb703f4b01cb2ac3ee552cdc11d7832d"><code>2642fa6</code></a> feat(asyncapi): better message example selector</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/c524740641b7f630661c550624fb4fc620e7cd83"><code>c524740</code></a> fix(asyncapi): padding of extension bindings</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/f0e7738d4f03c01722154fd4ab0fbf3ec9efd4aa"><code>f0e7738</code></a> feat(asyncapi): support server bindings UI</li> <li>Additional commits viewable in <a href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-core@16.9.3...fumadocs-core@16.10.0">compare view</a></li> </ul> </details> <br /> Updates `fumadocs-mdx` from 15.0.11 to 15.0.12 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-mdx's releases</a>.</em></p> <blockquote> <h2>fumadocs-mdx@15.0.12</h2> <h3>Patch Changes</h3> <ul> <li>9b9545f: Add package issue tracker metadata.</li> 
<li>Updated dependencies [9b9545f] <ul> <li>fumadocs-core@16.10.0</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/fuma-nama/fumadocs/commit/7974b8655bdb14d91792b9382186afbabe37a00b"><code>7974b86</code></a> Version Packages</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/5d981ab5400c6c7979f41cb005ea065696d70466"><code>5d981ab</code></a> docs: migration guide for OpenAPI v11</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/0415b4ad6a41d67c43e7d9a979accce58cad84dc"><code>0415b4a</code></a> breaking(openapi): drop other deprecated APIs</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/9b9545fd82994ac34b896a2395b80529a63754b5"><code>9b9545f</code></a> Add Fumadocs package bugs metadata (<a href="https://redirect.github.com/fuma-nama/fumadocs/issues/3347">#3347</a>)</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/55c5fdbf8a9e8544960a97c227b020a1f0c87f86"><code>55c5fdb</code></a> feat(core): allow legacy usage of translations API</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/7285343f9068b093120b9db0d503bc54c5ede569"><code>7285343</code></a> feat(openapi): keep more legacy options</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/e8d6cc3048eafba38951e0ae39f772627ae8096c"><code>e8d6cc3</code></a> feat(openapi): backward compat with <code>\<APIPage /></code></li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/2642fa69eb703f4b01cb2ac3ee552cdc11d7832d"><code>2642fa6</code></a> feat(asyncapi): better message example selector</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/c524740641b7f630661c550624fb4fc620e7cd83"><code>c524740</code></a> fix(asyncapi): padding of extension bindings</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/f0e7738d4f03c01722154fd4ab0fbf3ec9efd4aa"><code>f0e7738</code></a> feat(asyncapi): support server bindings UI</li> <li>Additional commits viewable in <a 
href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-mdx@15.0.11...fumadocs-mdx@15.0.12">compare view</a></li> </ul> </details> <br /> Updates `fumadocs-ui` from 16.9.3 to 16.10.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-ui's releases</a>.</em></p> <blockquote> <h2>fumadocs-ui@16.10.0</h2> <h3>Minor Changes</h3> <ul> <li> <p>779efff: <strong>Introduce new translations API</strong></p> <p>It is now powered by <code>fuma-translate</code>. Be careful: while the API surface is same, some translation keys are changed, unused labels will be ignored.</p> </li> </ul> <h3>Patch Changes</h3> <ul> <li>0cc1fac: Make <code>uiTranslations()</code> optional for translations API</li> <li>Updated dependencies [9b9545f] <ul> <li>fumadocs-core@16.10.0</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/fuma-nama/fumadocs/commit/7974b8655bdb14d91792b9382186afbabe37a00b"><code>7974b86</code></a> Version Packages</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/5d981ab5400c6c7979f41cb005ea065696d70466"><code>5d981ab</code></a> docs: migration guide for OpenAPI v11</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/0415b4ad6a41d67c43e7d9a979accce58cad84dc"><code>0415b4a</code></a> breaking(openapi): drop other deprecated APIs</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/9b9545fd82994ac34b896a2395b80529a63754b5"><code>9b9545f</code></a> Add Fumadocs package bugs metadata (<a href="https://redirect.github.com/fuma-nama/fumadocs/issues/3347">#3347</a>)</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/55c5fdbf8a9e8544960a97c227b020a1f0c87f86"><code>55c5fdb</code></a> feat(core): allow legacy usage of translations API</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/7285343f9068b093120b9db0d503bc54c5ede569"><code>7285343</code></a> feat(openapi): keep more 
legacy options</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/e8d6cc3048eafba38951e0ae39f772627ae8096c"><code>e8d6cc3</code></a> feat(openapi): backward compat with <code>\<APIPage /></code></li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/2642fa69eb703f4b01cb2ac3ee552cdc11d7832d"><code>2642fa6</code></a> feat(asyncapi): better message example selector</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/c524740641b7f630661c550624fb4fc620e7cd83"><code>c524740</code></a> fix(asyncapi): padding of extension bindings</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/f0e7738d4f03c01722154fd4ab0fbf3ec9efd4aa"><code>f0e7738</code></a> feat(asyncapi): support server bindings UI</li> <li>Additional commits viewable in <a href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-ui@16.9.3...fumadocs-ui@16.10.0">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260609.1 to 7.0.0-dev.20260610.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary
- Free disk space before saving the GitHub-hosted release artifact cache.
- Keep the cleanup scoped to the `-github` cache producer so the Blacksmith artifact cache path is unchanged.
## Context
The release run built the correct `-github-v1` artifacts, but `actions/cache/save` failed while writing `cache.tzst` with `No space left on device`. The downstream macOS smoke test then missed the same `-github-v1` key. This keeps the published/checksum-sensitive path on GitHub-hosted artifacts while reducing disk pressure before the cache archive is created.
Add automated end-to-end verification that published install channels (Homebrew, Scoop, and curl|bash install script) successfully install the released CLI and serve artifacts with matching checksums.
## Summary
This adds a new `verify-install-channels.yml` workflow that runs real `brew install`, `scoop install`, and install-script installs against the just-published channels, then verifies the installed version matches. The workflow is triggered automatically after successful Homebrew and Scoop publishes, and can also be manually dispatched for debugging install regressions.
## Key Changes
- **New workflow**: `.github/workflows/verify-install-channels.yml`
  - Homebrew job: installs from the supabase/tap on macOS, verifies version
  - Scoop job: installs from the supabase/scoop-bucket on Windows, verifies version
  - Install script job: runs `./install` on Linux and macOS, verifies version
  - Each job verifies the installed `supabase --version` matches the released version
  - Accepts `version`, `brew_name`, and `scoop_name` as workflow inputs
- **Integration into release pipeline**: Modified `.github/workflows/release-shared.yml`
  - Added `verify-install-channels` job that runs after successful `publish-homebrew` and `publish-scoop`
  - Non-gating: runs last so failures surface as post-release signals rather than blocking distribution
  - Only runs for beta/stable channels (skipped for alpha and dry-run releases)
- **Documentation**: Updated `apps/cli/docs/release-process.md`
  - Added `verify-install-channels` to the release flowchart
  - Documented the post-publish verification step and its purpose
  - Explained that it catches regressions like v2.107.0 where brew/scoop checksums mismatched the release tarballs
## Implementation Details
The workflow catches checksum mismatches that would cause real user installs to fail, since brew, scoop, and the install script all verify published checksums against downloaded tarballs before installation.
By running actual installs against the live channels immediately after publish, this provides the signal that would have caught the v2.107.0 regression where every `brew install` / `scoop install` failed with "Formula reports different checksum".
Closes: CLI-1642
https://claude.ai/code/session_01RNp9yTyRoDYJTs5xsWRbAr
---------
Co-authored-by: Claude <noreply@anthropic.com>
…Script (#5586)
## What changed
Replaces the Go-proxy stubs for `db dump`, `db query`, and `db schema declarative generate`/`sync` with native Effect handlers in the legacy shell, along with the shared infrastructure they need:
- **Connection layer** (`legacy-db-connection.sql-pg.layer.ts`): raw `pg` client for the COPY protocol and full-metadata `queryRaw` (command tag via the `commandComplete` protocol message), reusing the winning dial target so TLS/fallback/DoH parity holds.
- **Docker run-capture**, db/edge-runtime image resolution, pg-delta SSL + Postgres-URL helpers, edge-runtime script layer, SQL splitter, migration-apply helper.
- **Declarative orchestration**: catalog cache, debug bundles, deno templates, the gate/flow logic, and the `__catalog` Go seam (`apps/cli-go/...`) the TS port delegates to for shadow-database provisioning.
## Why / reviewer context
- **Strict Go parity** is the contract for the legacy shell. Behaviors that look improvable but match Go are intentional and documented in each `SIDE_EFFECTS.md` (e.g. `db dump --dry-run` prints the resolved `PGPASSWORD` in cleartext like Go's `noExec`; `db query --linked` non-2xx maps to a uniform `unexpected status` message; failed declarative `sync --apply` leaves the migration file on disk).
- **`-o`/`--output` parity.** Go registers `--output` per command (`db query` → `json|table|csv`; resource commands → `env|pretty|json|toml|yaml`). The Effect CLI hoists global flags into a single tree-wide registry, so a command cannot redeclare an `output` global to vary its enum. The shared `LegacyOutputFlag` choice is therefore the *union* of all commands' values, and each command re-validates against its own Go enum in `withLegacyCommandInstrumentation` (`outputFormats`), rejecting out-of-enum values with Go's byte-exact pflag message (`invalid argument "x" for "-o, --output" flag: must be one of [ … ]`) before the handler runs and before any telemetry event fires. The validation reads the flag via `Effect.serviceOption`, so it adds no requirement to the wrapper. Net result: `db query -o csv/table` works; resource commands still reject `table`/`csv` exactly as Go does. This change is fully legacy-scoped — `next/` uses its own `--output-format` flag and is untouched.
- **Connection error typing.** Establishing the shared raw client now raises `LegacyDbConnectError` (surfaced verbatim by both `copyToCsv` and `queryRaw`) rather than a misleading "failed to copy output" / "failed to execute query".
## Follow-ups (tracked, not in scope)
- `db dump --linked` IPv6 suggestion uses the generic `ipv6Suggestion()` text on the no-fallback / failed-retry path rather than Go's `SuggestIPv6Pooler`, which prefills the project's specific pooler connection string. Surfacing that exact URL needs the pooler string exposed at this seam — noted in `dump/SIDE_EFFECTS.md`. (The container-level pooler fallback retry itself is ported, and dump output streams to `--file`.)
CLOSES CLI-1315
## Summary
- Allow the GitHub-hosted release artifact cleanup to remove read-only Go cache files.
- Keep the cleanup scoped to the GitHub-hosted artifact cache producer.
## Context
The release workflow failed after building artifacts because the free-space cleanup step tried to remove Go module cache files that were not writable. The chmod guard makes those cache directories writable before deletion so the cleanup can finish and the artifact cache save can continue.
## What changed
`config push` regressed in v2.106.0 (the native-TS port): when a
`[remotes.<name>]` block in `config.toml` targeted the project ref, the
command aborted with
> cannot push config: a [remotes.*] block targets project ***, which
config push does not yet support.
The Go CLI (v2.105.0) instead merges that remote's subtree over the base
config and pushes it. The port had punted on Go's `mergeRemoteConfig`.
This ports the merge faithfully and removes the abort.
## Why this location
The merge is owned by `@supabase/config`, mirroring Go doing it in
`pkg/config`. `loadProjectConfig` / `loadProjectConfigFile` now accept
an optional `{ projectRef }`. When set, after `env()` interpolation and
**before** schema decode, the matching `[remotes.<name>]` raw subtree is
deep-merged over the base document (objects recurse; arrays and scalars
replace wholesale — viper's `v.Set` semantics), `db.seed.enabled` is
forced `false` when the remote omits it, the `remotes` key is stripped,
and the merged document is decoded. Doing it on the raw document (not
the decoded config) is essential: the decoded remote section carries
full schema defaults that would otherwise clobber every field the block
doesn't override.
The merge is gated on `projectRef`, so every other `loadProjectConfig`
caller is unaffected.
## Notable details for reviewers
- New `DuplicateRemoteProjectIdError` (exported from `@supabase/config`)
raised when two remotes share the target `project_id`, carrying Go's
verbatim message `duplicate project_id for [remotes.<b>] and
[remotes.<a>]`.
- `LoadedProjectConfig` gains optional `document` (merged,
post-interpolation raw doc) and `appliedRemote` fields.
- The push handler prints `Loading config override: [remotes.<name>]` to
stderr (Go parity) when a remote applies, and now derives optional
pointer-section presence (`db.ssl_enforcement`,
`storage.image_transformation`, `storage.s3_protocol`, auth subsections)
from the merged document instead of re-reading the file — so sections
introduced by the remote are detected. Dead code removed
(`matchesRemoteProjectRef`, `resolveRemoteByProjectRef`,
`LegacyConfigPushUnsupportedRemoteError`).
- `functions deploy` is consolidated onto the same shared merge,
deleting its divergent partial copy (`configForProjectRef` /
`mergeFunctionConfigByPresence`, which only handled `functions.*` and
`edge_runtime.deno_version`). Verified behavior-preserving since deploy
reads only those fields. This also corrects deploy's
duplicate-`project_id` message to match Go (both remote names
bracketed).
Closes CLI-1808
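The merge rules described in the commit message above (objects recurse, arrays and scalars replace, `db.seed.enabled` forced off, `remotes` stripped, duplicate targets rejected), as an added example that is not code from `@supabase/config`. It works on an already-parsed document; the function names, the sample document, the stand-in defaults, the no-match behaviour, and the order of names in the duplicate message are assumptions.

```javascript
// Added example: not code from @supabase/config. It works on an already-parsed,
// already-interpolated config.toml document (plain objects). Names are hypothetical.

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Objects recurse; arrays and scalars in `override` replace the base value wholesale.
// Object.fromEntries defines own properties, so a "__proto__" key stays inert data.
function deepMerge(base, override) {
  const merged = new Map(Object.entries(base));
  for (const [key, value] of Object.entries(override)) {
    const current = merged.get(key);
    merged.set(
      key,
      isPlainObject(value) && isPlainObject(current)
        ? deepMerge(current, value)
        : value,
    );
  }
  return Object.fromEntries(merged);
}

function applyRemoteOverride(document, projectRef) {
  const remotes = isPlainObject(document.remotes) ? document.remotes : {};
  const matches = Object.keys(remotes).filter(
    (name) => isPlainObject(remotes[name]) && remotes[name].project_id === projectRef,
  );
  if (matches.length > 1) {
    // Message shape from the page; which name comes first is an assumption here.
    throw new Error(
      `duplicate project_id for [remotes.${matches[1]}] and [remotes.${matches[0]}]`,
    );
  }
  // Assumption: with no matching remote the document is returned unchanged.
  if (matches.length === 0) return { document, appliedRemote: undefined };

  const [name] = matches;
  const { remotes: _stripped, ...base } = document;
  let merged = deepMerge(base, remotes[name]);
  // Seeding stays off for a remote unless the block sets db.seed.enabled itself.
  if (remotes[name].db?.seed?.enabled === undefined) {
    merged = deepMerge(merged, { db: { seed: { enabled: false } } });
  }
  return { document: merged, appliedRemote: name };
}

// For contrast: merging a remote block that was first filled with schema defaults
// (what a decoded section would carry) overwrites base values the block never set.
function mergeDecodedRemote(document, name, defaults) {
  const { remotes, ...base } = document;
  return deepMerge(base, deepMerge(defaults, remotes[name]));
}

// Constructed sample document and defaults (placeholder refs, not real projects).
const SAMPLE = {
  project_id: "local-placeholder",
  api: { schemas: ["public", "graphql_public"], max_rows: 250 },
  db: { major_version: 17, seed: { enabled: true, sql_paths: ["./seed.sql"] } },
  remotes: {
    staging: { project_id: "staging-ref-placeholder", api: { schemas: ["public"] } },
    production: { project_id: "prod-ref-placeholder", db: { seed: { enabled: true } } },
  },
};
const ASSUMED_DEFAULTS = { api: { schemas: ["public"], max_rows: 1000 } };
```

Merging the raw `staging` block keeps the base `max_rows` of 250, while `mergeDecodedRemote` with the stand-in defaults replaces it with 1000, which is the clobbering the commit message warns about.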
## What kind of change does this PR introduce?
Bug fix.
## What is the current behavior?
Running `supabase db test <single_file.sql>` fails when that file pulls in a sibling via psql's `\ir ./other.sql` include:
```
psql:.../storage_object_operations.sql:5: error: .../testing_constants.sql: No such file or directory
```
Running the whole suite (`supabase db test`) works, and so does running a file with no includes.
**Root cause:** `buildLegacyPgProveArgs` bind-mounted each test path exactly as given. For a single **file** that mounts only that one file into the pg_prove container. psql's `\ir` (include-relative) resolves relative to the test file's *own directory*, so it looks for `<dir>/sibling.sql` inside the container — which was never mounted. The whole-suite run works because the entire `tests` **directory** is mounted, so all siblings are present.
Closes #4850
Fixes CLI-1139
## What is the new behavior?
When a test path is a file, its **containing directory** is bind-mounted read-only instead of the lone file, so `\ir`/`\i` siblings resolve. Directories are still mounted as-is. Binds are deduped by container target so multiple files in the same directory don't emit duplicate `-v` mounts (which Docker rejects). The full file path is still passed to `pg_prove`, so only the requested file runs and the TAP output is byte-identical.
Scope is the TS legacy port only (the stable channel). The Go reference has the same latent bug; this is a deliberate, output-preserving divergence noted in the code.
The scheduled API package sync workflow was failing because its inline OpenAPI comparison logic drifted from the package generator. In particular, the workflow reimplemented override handling in jq, so adding new override operations could break the detector before the real generator ever ran.
This removes the custom detector job and makes the workflow use `pnpm generate` as the source of truth on every scheduled run. The workflow now regenerates the API package, formats it, checks for changes under `packages/api/src/generated`, and only creates a sync PR when generated output actually changes.
This also removes the stale `high_availability` add override now that the upstream spec includes that field directly, and refreshes the generated API files for the current upstream spec.
Reviewer context: future OpenAPI override operation support only needs to be implemented in the generator path; the workflow no longer has a second override interpreter to keep in sync.
)
## What
Adds a **live** e2e mode to `apps/cli-e2e` and a real-staging command matrix on top of it, per [CLI-1630](https://linear.app/supabase/issue/CLI-1630/set-up-proper-live-e2e-tests-for-the-cli) and [ADR-0013](https://github.com/supabase/cli/blob/develop/docs/adr/0013-live-e2e-bypasses-replay-server.md).
Live mode is a third mode (`CLI_E2E_MODE=live`) that, unlike replay/record, **does not use the replay server**. The harness points the CLI straight at the real Management API (`CLI_E2E_API_URL`) and the real Docker socket; tests assert on **real outcomes** — process exit codes, the HTTP responses of deployed functions (status + JSON body), and real DB/Storage state. This is ID-agnostic, so there are no snapshots/normalization by default.
## Changes
- **`env.ts`** — `CLI_E2E_MODE` (`replay`/`record`/`live`), `isLive`, `TARGET_API_URL`, `CLI_E2E_PROJECT_HOST`; back-compat `RECORD=true` → `record`.
- **`tests/staging-project.ts`** — project-lifecycle helpers extracted from `setup.ts`: create/delete an ephemeral project, resolve the anon JWT, the IPv4 **session-pooler `dbUrl`**, the service-role key, and seed a Storage bucket. Record behavior is unchanged.
- **`tests/live-setup.ts`** — global setup that provisions **one ephemeral project per run** (`cli-e2e-live-{target}-{runId}-{short}`), waits `ACTIVE_HEALTHY`, and exposes `projectRef`/`anonKey`/`functionsUrl`/`dbUrl`/`storageBucket` via `inject()`; deletes the project on teardown (even on failure). Intentionally dumb — no in-setup retry.
- **`src/tests/live/`** — `testLive` context (direct-wired `run`, HTTP `invoke` sending the anon JWT, a `supabase init`-generated `workspace`, `seedFunctions` to layer the `deploy-e2e-*` fixtures + their `[functions.*]` config) plus live coverage for: functions deploy (the three bundler modes + deploy-all), functions lifecycle (re-deploy + delete), database (`inspect`/`migration list`/`db dump`), db push→pull, `link`, `projects`, `gen types`, `branches`, `storage`, `secrets`.
- **`vitest.live.config.ts`** + `test:e2e:live`; the default config excludes `*.live.e2e.test.ts`.
- **`harness.ts`** — `projectHost` option so host-derived commands (`storage --linked` → `<ref>.<host>`, `db.<ref>.<host>`) reach the real endpoint instead of `localhost`.
- **`.github/workflows/live-e2e.yml`** — `workflow_dispatch` + an hourly `@beta` `schedule`; `go` + `ts-legacy` matrix (`fail-fast: false`); `docker info` preflight; 3× retry; project cleanup scoped to the job's own prefix.
- **`apps/cli/.../functions/deploy/deploy.e2e.test.ts`** — collocated integration coverage for the negative/arg-validation cases that don't belong in the live suite.
- **`docs/adr/0013-…`** + README index row; `fixtures/live/functions-project/` `deploy-e2e-*` functions.
## Reviewer notes
- **Why bypass the replay server.** Live mode is a deliberately different signal from the replay suite: it exercises the real subprocess, real runtime wiring, and real cross-boundary behavior (API + Docker + DB + Storage) that fixtures can't represent. The replay suite stays the fast, deterministic default.
- **IPv6 → IPv4 pooler.** Staging's direct DB host (`db.<ref>.supabase.red`) is **IPv6-only by design**, and the CI runners have **no IPv6 egress** — so DB-touching commands connect through the project's **IPv4 session-mode Supavisor pooler** via `--db-url` (the CLI's own blessed fallback). Session mode (not transaction `6543`) is required for `pg_dump`.
- **Authoring target is `go`** (source of truth for the port); `ts-legacy` runs the same tests to prove the shim matches. Both run as separate CI jobs (independent green/red signals).
- **Trigger model.** There is **no `pull_request` trigger** — run the workflow manually on a branch for pre-merge coverage. `workflow_dispatch` (Actions branch picker; no free-form `ref` input, so the staging token never reaches arbitrary code) and `schedule` only become active once this file is on the default branch (`develop`) — classic GitHub bootstrap. The hourly run exercises the `@beta` channel: `develop` is the default branch and the beta release source, so it builds `develop` from source and runs the same matrix. A `gate` job skips the run unless the published `supabase@beta` version changed since the last green run (an `actions/cache` marker keyed on the version, written by `finalize` only after **both** legs pass).
- **Secret / fork safety.** Uses `SUPABASE_E2E_CLI_LIVE_STAGING_ACCESS_TOKEN`; never `pull_request_target`, so the token is never exposed to fork code.
- **Out of scope:** `config push` surfaced a TS↔remote config-schema parity bug on `ts-legacy`, tracked separately in [CLI-1810](https://linear.app/supabase/issue/CLI-1810/config-push-fails-on-ts-legacy-ts-config-schema-rejects-remote-storage); it is intentionally not covered here.
Refs: CLI-1630
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Bumps [undici](https://github.com/nodejs/undici) from 8.4.1 to 8.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v8.5.0</h2> <h1>⚠️ Security Release</h1> <p>This release line addresses <strong>8 security advisories</strong>. Most are fixed in <strong>v8.5.0</strong>; the SOCKS5 pool-reuse issue was fixed earlier in <strong>v8.2.0</strong>.</p> <blockquote> <p><strong>Action required:</strong> Upgrade to <strong>undici 8.5.0</strong> or later.</p> <pre lang="sh"><code>npm install undici@^8.5.0 </code></pre> </blockquote> <h2>Summary</h2> <table> <thead> <tr> <th>Advisory</th> <th>CVE</th> <th>Severity (CVSS)</th> <th>Fixed in</th> <th>Fix commit</th> </tr> </thead> <tbody> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></td> <td>CVE-2026-12151</td> <td>High (7.5)</td> <td>8.5.0</td> <td><a href="https://github.com/nodejs/undici/commit/32dbf0b3"><code>32dbf0b3</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq">GHSA-38rv-x7px-6hhq</a></td> <td>CVE-2026-9675</td> <td>High (7.5)</td> <td>8.5.0</td> <td><a href="https://github.com/nodejs/undici/commit/b4c287b3"><code>b4c287b3</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vmh5-mc38-953g">GHSA-vmh5-mc38-953g</a></td> <td>CVE-2026-9697</td> <td>High (7.4)</td> <td>8.5.0</td> <td><a href="https://github.com/nodejs/undici/commit/42d49559"><code>42d49559</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-hm92-r4w5-c3mj">GHSA-hm92-r4w5-c3mj</a></td> <td>CVE-2026-6734</td> <td>High (7.5)</td> <td>8.2.0</td> <td><a href="https://github.com/nodejs/undici/commit/a516f870"><code>a516f870</code></a></td> </tr> <tr> <td><a 
href="https://github.com/nodejs/undici/security/advisories/GHSA-pr7r-676h-xcf6">GHSA-pr7r-676h-xcf6</a></td> <td>CVE-2026-9678</td> <td>Moderate (5.9)</td> <td>8.5.0</td> <td><a href="https://github.com/nodejs/undici/commit/cb105d7c"><code>cb105d7c</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-p88m-4jfj-68fv">GHSA-p88m-4jfj-68fv</a></td> <td>CVE-2026-9679</td> <td>Moderate (5.9)</td> <td>8.5.0</td> <td><a href="https://github.com/nodejs/undici/commit/5655ea43"><code>5655ea43</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-g8m3-5g58-fq7m">GHSA-g8m3-5g58-fq7m</a></td> <td>CVE-2026-11525</td> <td>Low (3.7)</td> <td>8.5.0</td> <td><a href="https://github.com/nodejs/undici/commit/5655ea43"><code>5655ea43</code></a></td> </tr> <tr> <td><a href="https://github.com/nodejs/undici/security/advisories/GHSA-35p6-xmwp-9g52">GHSA-35p6-xmwp-9g52</a></td> <td>CVE-2026-6733</td> <td>Low (3.7)</td> <td>8.5.0</td> <td><a href="https://github.com/nodejs/undici/commit/6ea54ef8"><code>6ea54ef8</code></a></td> </tr> </tbody> </table> <hr /> <h2>High severity</h2> <h3>WebSocket DoS via fragment count bypass — CVE-2026-12151</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q">GHSA-vxpw-j846-p89q</a></strong> · CWE-400, CWE-770 <strong>Fix:</strong> <a href="https://github.com/nodejs/undici/commit/32dbf0b3"><code>32dbf0b3</code></a> <em>websocket: limit the number of fragments in a message</em> (also <a href="https://github.com/nodejs/undici/commit/c5ed7875"><code>c5ed7875</code></a> <em>handle empty fragments and stream limits</em>)</p> <p>A malicious WebSocket server can stream a large number of small or empty continuation frames. 
Undici enforced a limit on cumulative payload size but did not limit the <em>number</em> of fragments per message, leading to unbounded memory growth and denial of service.</p> <ul> <li><strong>Affected:</strong> applications using <code>new WebSocket(...)</code> or <code>WebSocketStream</code> against untrusted endpoints.</li> <li><strong>Workaround:</strong> none — upgrade is required.</li> </ul> <h3>WebSocket DoS via cumulative fragment bypass — CVE-2026-9675</h3> <p><strong><a href="https://github.com/nodejs/undici/security/advisories/GHSA-38rv-x7px-6hhq">GHSA-38rv-x7px-6hhq</a></strong> · CWE-400, CWE-770 <strong>Fix:</strong> <a href="https://github.com/nodejs/undici/commit/b4c287b3"><code>b4c287b3</code></a> <em>fix(websocket): enforce max payload size across fragments</em></p> <p>Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. <strong>This is a regression introduced in 8.1.0</strong> (the</p> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/a0806e1f66a83db0a792b8407c2e97fcf8ed58af"><code>a0806e1</code></a> Bumped v8.5.0 (<a href="https://redirect.github.com/nodejs/undici/issues/5429">#5429</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/8a0392cf0d0148c86ece7dc50c1bf6819f7110eb"><code>8a0392c</code></a> test: detect available python command in wpt runner (<a href="https://redirect.github.com/nodejs/undici/issues/5427">#5427</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/f4045b9d440e4ebfde4bbcc9f530ab042a1c5100"><code>f4045b9</code></a> ci: increase Node.js workflow timeout (<a href="https://redirect.github.com/nodejs/undici/issues/5426">#5426</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/363e44fe4add1528fb3529cde5d71ddc978c8338"><code>363e44f</code></a> chore: removed repro-h2-pipelining-default.mjs and lint (<a href="https://redirect.github.com/nodejs/undici/issues/5420">#5420</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/c5ed78756914b17501223dcc345b3a966351604a"><code>c5ed787</code></a> websocket: handle empty fragments and stream limits</li> <li><a href="https://github.com/nodejs/undici/commit/e114e778de1476172a1a9a0d4668af8cf2c25cac"><code>e114e77</code></a> align EventSource with spec (<a href="https://redirect.github.com/nodejs/undici/issues/5418">#5418</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/6df53c50daf252c2e7a3d8cb631c94b7fb0e3817"><code>6df53c5</code></a> fix: preserve h2 queue on out-of-order completion (<a href="https://redirect.github.com/nodejs/undici/issues/5410">#5410</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/32dbf0b3dd93daf6d87badf506d52e89f2e20e78"><code>32dbf0b</code></a> websocket: limit the number of fragments in a message</li> <li><a href="https://github.com/nodejs/undici/commit/0d6ecc571095a6bff1c2ad4ee43dd6ae4e97411c"><code>0d6ecc5</code></a> add 
bodymixin.textStream() (<a href="https://redirect.github.com/nodejs/undici/issues/5416">#5416</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/42d4955987a136ab29beff6c4ed424c9209b2600"><code>42d4955</code></a> fix: honor requestTls when proxy is SOCKS5</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v8.4.1...v8.5.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/supabase/cli/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
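The two WebSocket advisories quoted in the undici 8.5.0 notes above each describe a receiver that bounds one dimension of a fragmented message but not the other. The sketch below is an added example (not undici's code and not part of this PR) of a reassembler that enforces both a fragment-count limit and a cumulative-size limit. `MessageAssembler`, `FragmentLimitError`, `runScenario`, the frame shape and the limit values are assumptions made for illustration.

```javascript
'use strict'

// Added illustration, not undici's implementation. The frame shape
// { fin, opcode, payload } and the default limits are assumptions.
const OPCODE_CONTINUATION = 0x0
const OPCODE_TEXT = 0x1

class FragmentLimitError extends Error {
  constructor (reason, detail) {
    super(`${reason}: ${detail}`)
    this.name = 'FragmentLimitError'
    this.reason = reason // 'fragment-count' | 'payload-size' | 'protocol'
  }
}

class MessageAssembler {
  constructor ({ maxPayloadBytes = 1024 * 1024, maxFragments = 1024 } = {}) {
    this.maxPayloadBytes = maxPayloadBytes
    this.maxFragments = maxFragments
    this.reset()
  }

  reset () {
    this.chunks = []
    this.bytes = 0
    this.count = 0
  }

  // Feed one frame. Returns the complete message Buffer on FIN, else null.
  push ({ fin, opcode, payload }) {
    if (opcode >= 0x8) return null // control frames are not part of the message
    const inMessage = this.count > 0
    if (opcode === OPCODE_CONTINUATION && !inMessage) {
      throw new FragmentLimitError('protocol', 'continuation frame without a start frame')
    }
    if (opcode !== OPCODE_CONTINUATION && inMessage) {
      this.reset()
      throw new FragmentLimitError('protocol', 'new data frame before FIN')
    }
    // Limit 1: count every fragment, empty ones included, so zero-length
    // frames cannot grow per-message state without ever touching the byte limit.
    const count = this.count + 1
    if (count > this.maxFragments) {
      this.reset()
      throw new FragmentLimitError('fragment-count', `more than ${this.maxFragments} fragments`)
    }
    // Limit 2: track the running total, so fragments that are each small
    // cannot add up to more than the configured message size.
    const bytes = this.bytes + payload.length
    if (bytes > this.maxPayloadBytes) {
      this.reset()
      throw new FragmentLimitError('payload-size', `more than ${this.maxPayloadBytes} bytes`)
    }
    this.count = count
    this.bytes = bytes
    if (payload.length > 0) this.chunks.push(payload)
    if (!fin) return null
    const message = Buffer.concat(this.chunks, this.bytes)
    this.reset()
    return message
  }
}

// Constructed input: n fragments of `size` bytes each, none carrying FIN.
function unfinishedFragments (n, size) {
  const frames = []
  for (let i = 0; i < n; i++) {
    const opcode = i === 0 ? OPCODE_TEXT : OPCODE_CONTINUATION
    frames.push({ opcode, fin: false, payload: Buffer.alloc(size, 0x61) })
  }
  return frames
}

// Runs frames through a fresh assembler and reports where it stopped.
function runScenario (frames, limits) {
  const assembler = new MessageAssembler(limits)
  const messages = []
  let accepted = 0
  try {
    for (const frame of frames) {
      const message = assembler.push(frame)
      if (message !== null) messages.push(message.toString('utf8'))
      accepted += 1
    }
    return { messages, accepted, reason: null }
  } catch (err) {
    if (!(err instanceof FragmentLimitError)) throw err
    return { messages, accepted, reason: err.reason }
  }
}

// Empty fragments never reach the byte limit; only the count limit stops them.
console.log(runScenario(unfinishedFragments(5000, 0), { maxFragments: 1024 }))
// 1 KiB fragments each look harmless; the running total stops them.
console.log(runScenario(unfinishedFragments(100, 1024), { maxPayloadBytes: 4096 }))
```
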
…emplates with 3 updates (#5625) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 3 updates: supabase/realtime, supabase/storage-api and supabase/logflare. Updates `supabase/realtime` from v2.108.0 to v2.109.1 Updates `supabase/storage-api` from v1.60.20 to v1.60.21 Updates `supabase/logflare` from 1.44.3 to 1.45.0 Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] 
<support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 11 updates: | Package | From | To | | --- | --- | --- | | [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) | `0.3.172` | `0.3.174` | | [posthog-node](https://github.com/PostHog/posthog-js/tree/HEAD/packages/node) | `5.36.15` | `5.36.17` | | [fumadocs-core](https://github.com/fuma-nama/fumadocs) | `16.10.0` | `16.10.1` | | [fumadocs-ui](https://github.com/fuma-nama/fumadocs) | `16.10.0` | `16.10.1` | | [@effect/atom-react](https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react) | `4.0.0-beta.78` | `4.0.0-beta.80` | | [@effect/platform-bun](https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-bun) | `4.0.0-beta.78` | `4.0.0-beta.80` | | [@effect/platform-node](https://github.com/Effect-TS/effect/tree/HEAD/packages/platform-node) | `4.0.0-beta.78` | `4.0.0-beta.80` | | [@effect/sql-pg](https://github.com/Effect-TS/effect/tree/HEAD/packages/sql-pg) | `4.0.0-beta.78` | `4.0.0-beta.80` | | [@effect/vitest](https://github.com/Effect-TS/effect/tree/HEAD/packages/vitest) | `4.0.0-beta.78` | `4.0.0-beta.80` | | [@typescript/native-preview](https://github.com/microsoft/typescript-go) | `7.0.0-dev.20260610.1` | `7.0.0-dev.20260611.2` | | [effect](https://github.com/Effect-TS/effect/tree/HEAD/packages/effect) | `4.0.0-beta.78` | `4.0.0-beta.80` | Updates `@anthropic-ai/claude-agent-sdk` from 0.3.172 to 0.3.174 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.174</h2> <h2>What's changed</h2> <ul> <li>SDK consumers now receive the <code>system/model_fallback</code> message for all fallback triggers — <code>overloaded</code>, <code>server_error</code>, and <code>last_resort</code> in addition to <code>model_not_found</code> and <code>permission_denied</code> — and the message's <code>trigger</code> field gained the 
<code>server_error</code> and <code>last_resort</code> values</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.174 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.174 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.174 # or bun add @anthropic-ai/claude-agent-sdk@0.3.174 </code></pre> <h2>v0.3.173</h2> <h2>What's changed</h2> <ul> <li>Updated to parity with Claude Code v2.1.173</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.173 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.173 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.173 # or bun add @anthropic-ai/claude-agent-sdk@0.3.173 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.174</h2> <ul> <li>SDK consumers now receive the <code>system/model_fallback</code> message for all fallback triggers — <code>overloaded</code>, <code>server_error</code>, and <code>last_resort</code> in addition to <code>model_not_found</code> and <code>permission_denied</code> — and the message's <code>trigger</code> field gained the <code>server_error</code> and <code>last_resort</code> values</li> </ul> <h2>0.3.173</h2> <ul> <li>Updated to parity with Claude Code v2.1.173</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/8ef4c3fe8e1b263cd4e8aef8bf352c0367d53a29"><code>8ef4c3f</code></a> chore: Update CHANGELOG.md</li> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/944ab13cf2d82768ceabb018bfdeb5bbd79cedf2"><code>944ab13</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.172...v0.3.174">compare 
view</a></li> </ul> </details> <br /> Updates `posthog-node` from 5.36.15 to 5.36.17 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/releases">posthog-node's releases</a>.</em></p> <blockquote> <h2>posthog-node@5.36.17</h2> <h2>5.36.17</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.3</li> </ul> </li> </ul> <h2>posthog-node@5.36.16</h2> <h2>5.36.16</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/25822acc0d16f9f1d6fbbd65da57b3e060c6c558"><code>25822ac</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.2</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/PostHog/posthog-js/blob/main/packages/node/CHANGELOG.md">posthog-node's changelog</a>.</em></p> <blockquote> <h2>5.36.17</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies []: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.3</li> </ul> </li> </ul> <h2>5.36.16</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/PostHog/posthog-js/commit/25822acc0d16f9f1d6fbbd65da57b3e060c6c558"><code>25822ac</code></a>]: <ul> <li><code>@posthog/core</code><a href="https://github.com/1"><code>@1</code></a>.32.2</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PostHog/posthog-js/commit/c7abf85f7af52b8b01fbd61b5749eb7649360287"><code>c7abf85</code></a> chore: update versions and lockfile [version bump]</li> <li><a href="https://github.com/PostHog/posthog-js/commit/5fe3bd488c9809d7ef84e365a2435664ff7fa91d"><code>5fe3bd4</code></a> chore: update versions and lockfile [version bump]</li> <li>See full diff in <a 
href="https://github.com/PostHog/posthog-js/commits/posthog-node@5.36.17/packages/node">compare view</a></li> </ul> </details> <br /> Updates `fumadocs-core` from 16.10.0 to 16.10.1 <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/fuma-nama/fumadocs/commit/d1c19de6a1a3c3126efccb13c5ac5737c420f6d4"><code>d1c19de</code></a> Merge pull request <a href="https://redirect.github.com/fuma-nama/fumadocs/issues/3351">#3351</a> from fuma-nama/changeset-release/dev</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/86083078b774fa2ce9944eed828507e688b8ee0a"><code>8608307</code></a> fix radix-ui types</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/501728965f78e65bafff04f36f2438be8429b5bd"><code>5017289</code></a> chore: bump deps</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/7a777226f1886235a7ca8f349e20055bac1b6398"><code>7a77722</code></a> fix(ui): language display name</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/fc1beed2b5f8a72819a3f17ce582e5ee7ef36ae0"><code>fc1beed</code></a> docs: add demo for AsyncAPI</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/970ec3c917a8c6bbb4ffbe1997d7409594aecb6e"><code>970ec3c</code></a> fix format</li> <li>See full diff in <a href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-core@16.10.0...fumadocs-core@16.10.1">compare view</a></li> </ul> </details> <br /> Updates `fumadocs-ui` from 16.10.0 to 16.10.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/fuma-nama/fumadocs/releases">fumadocs-ui's releases</a>.</em></p> <blockquote> <h2>fumadocs-ui@16.10.1</h2> <h3>Patch Changes</h3> <ul> <li>5017289: Use stable <code>fuma-translate</code></li> <li>7a77722: fix display name of languages <ul> <li>fumadocs-core@16.10.1</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a 
href="https://github.com/fuma-nama/fumadocs/commit/d1c19de6a1a3c3126efccb13c5ac5737c420f6d4"><code>d1c19de</code></a> Merge pull request <a href="https://redirect.github.com/fuma-nama/fumadocs/issues/3351">#3351</a> from fuma-nama/changeset-release/dev</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/86083078b774fa2ce9944eed828507e688b8ee0a"><code>8608307</code></a> fix radix-ui types</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/501728965f78e65bafff04f36f2438be8429b5bd"><code>5017289</code></a> chore: bump deps</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/7a777226f1886235a7ca8f349e20055bac1b6398"><code>7a77722</code></a> fix(ui): language display name</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/fc1beed2b5f8a72819a3f17ce582e5ee7ef36ae0"><code>fc1beed</code></a> docs: add demo for AsyncAPI</li> <li><a href="https://github.com/fuma-nama/fumadocs/commit/970ec3c917a8c6bbb4ffbe1997d7409594aecb6e"><code>970ec3c</code></a> fix format</li> <li>See full diff in <a href="https://github.com/fuma-nama/fumadocs/compare/fumadocs-ui@16.10.0...fumadocs-ui@16.10.1">compare view</a></li> </ul> </details> <br /> Updates `@effect/atom-react` from 4.0.0-beta.78 to 4.0.0-beta.80 <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Effect-TS/effect-smol/blob/main/packages/atom/react/CHANGELOG.md">@effect/atom-react's changelog</a>.</em></p> <blockquote> <h2>4.0.0-beta.80</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/Effect-TS/effect-smol/commit/d94433090ee03f426d43e13b883abae4494e55e6"><code>d944330</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/f48659fdcc84930ebc1e5b45b540c0f973389182"><code>f48659f</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/7652aaa3bdbc39f241fe58b54b9a43b713e22e12"><code>7652aaa</code></a>, <a 
href="https://github.com/Effect-TS/effect-smol/commit/98630b7c8f679c352ba6796636c85688fa009d8d"><code>98630b7</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/90ae23cf07284da5e1bcd9dffa882e85df7e617b"><code>90ae23c</code></a>]: <ul> <li>effect@4.0.0-beta.80</li> </ul> </li> </ul> <h2>4.0.0-beta.79</h2> <h3>Patch Changes</h3> <ul> <li>Updated dependencies [<a href="https://github.com/Effect-TS/effect-smol/commit/b9704dc9de9f1649ad502371014fe869b69a49a3"><code>b9704dc</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/a207113f66837bb54416926718a9a7d66774d079"><code>a207113</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/5e9b9e217b164ebfd4a002dd4380b3b1563200c3"><code>5e9b9e2</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/7c128aef458a1e2d224712e51c483c9badad1d44"><code>7c128ae</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/0ada457c0513d8d908254ab77ebb7d29d2b523d6"><code>0ada457</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/d7cc5a2bede3de10943aa0c6bdb4f26836a91efd"><code>d7cc5a2</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/aad63becf65e0a6b076e94f8973be7bbe7fbd46f"><code>aad63be</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/09809f60f19ec98232f98b33e33e02ecb7e4fbd6"><code>09809f6</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/2fddda5311929f46b61e503f0ade4fc749e8c77d"><code>2fddda5</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/5f2176833399757c4500d8875b7f2fba0393de75"><code>5f21768</code></a>, <a href="https://github.com/Effect-TS/effect-smol/commit/f27003e00524ff83f20dd9909f62b2f8795efe03"><code>f27003e</code></a>]: <ul> <li>effect@4.0.0-beta.79</li> </ul> </li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a 
href="https://github.com/Effect-TS/effect-smol/commit/6ca5b218f6587e6736829e08778fdc007bcfa4fe"><code>6ca5b21</code></a> Version Packages (beta) (<a href="https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react/issues/2370">#2370</a>)</li> <li><a href="https://github.com/Effect-TS/effect-smol/commit/c4b58818ac61bc862567666f1235e49406e97700"><code>c4b5881</code></a> Version Packages (beta) (<a href="https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react/issues/2340">#2340</a>)</li> <li><a href="https://github.com/Effect-TS/effect-smol/commit/9de58cc0bb4b45d8a30f77abc75071ca5f2e74ea"><code>9de58cc</code></a> Refactor module jsdocs (<a href="https://github.com/Effect-TS/effect-smol/tree/HEAD/packages/atom/react/issues/2330">#2330</a>)</li> <li>See full diff in <a href="https://github.com/Effect-TS/effect-smol/commits/@effect/atom-react@4.0.0-beta.80/packages/atom/react">compare view</a></li> </ul> </details> <br /> Updates `@effect/platform-bun` from 4.0.0-beta.78 to 4.0.0-beta.80 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Effect-TS/effect/commits/HEAD/packages/platform-bun">compare view</a></li> </ul> </details> <br /> Updates `@effect/platform-node` from 4.0.0-beta.78 to 4.0.0-beta.80 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Effect-TS/effect/commits/HEAD/packages/platform-node">compare view</a></li> </ul> </details> <br /> Updates `@effect/sql-pg` from 4.0.0-beta.78 to 4.0.0-beta.80 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Effect-TS/effect/commits/HEAD/packages/sql-pg">compare view</a></li> </ul> </details> <br /> Updates `@effect/vitest` from 4.0.0-beta.78 to 4.0.0-beta.80 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Effect-TS/effect/commits/HEAD/packages/vitest">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` 
from 7.0.0-dev.20260610.1 to 7.0.0-dev.20260611.2 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Updates `effect` from 4.0.0-beta.78 to 4.0.0-beta.80 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/Effect-TS/effect/commits/HEAD/packages/effect">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Add a configurable `dependency-cache` input to the setup action to allow workflows to disable pnpm dependency caching when needed.

## Changes

- Added `dependency-cache` input to `.github/actions/setup/action.yml` with a default value of `"true"`
- Made the "Configure dependency cache" step conditional based on the new input
- Updated `build-cli-artifacts.yml` to disable dependency caching for GitHub-hosted runners, which delete the pnpm store before exiting and would cause the post-job cache save to fail with a path validation error

## Context

GitHub-hosted producers in the build workflow free disk space by deleting the pnpm store before exiting. This causes the post-job pnpm cache save step to fail with a path validation error. The new input allows workflows to skip dependency caching in these scenarios while keeping it enabled by default for other use cases.

https://claude.ai/code/session_01DDTzGPYndWYVXaqm3mMGXy

---------

Co-authored-by: Claude <noreply@anthropic.com>
## What changed

This improves local stack startup behavior in the Go CLI path used by the TypeScript legacy wrappers.

When a local API request fails because the configured API port returns a malformed HTTP response, the CLI now adds a targeted hint that another process may be listening on that port. The hint includes the configured port, an `lsof` command to identify the listener, and the `api.port` config field to change when the port is intentionally occupied.

Startup also now waits for all started services to pass health checks before seeding storage buckets declared in `[storage.buckets]`. This keeps bucket creation from appearing to be the failing step when another service, especially edge runtime, has not become healthy yet.

The edge-runtime main service keeps its regular remote module imports. This PR does not change the edge-runtime module graph; it focuses on making local-start failures easier to diagnose and preserving clearer startup ordering.

## Why

Issue #3265 has shown two recurring local-start failure patterns: a misleading malformed `/storage/v1/bucket` response when another process owns the API port, and bucket seeding logs appearing before edge runtime health failures. These changes make the port-conflict case self-diagnosing and ensure storage bucket seeding only runs after the local stack is healthy.
Downgrades the Supabase Realtime Docker image from v2.109.1 to v2.108.0 in the generated Dockerfile template. This change updates the base image version used in the CLI's Docker configuration for local development environments. https://claude.ai/code/session_01RLY7KJJ6So673p6ung8yFV --------- Co-authored-by: Claude <noreply@anthropic.com>
…apps/cli-go/pkg/config/templates in the docker-minor group (#5630) Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1 update: supabase/storage-api. Updates `supabase/storage-api` from v1.60.21 to v1.60.22 Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the npm-major group with 2 updates: [@anthropic-ai/claude-agent-sdk](https://github.com/anthropics/claude-agent-sdk-typescript) and [@typescript/native-preview](https://github.com/microsoft/typescript-go). Updates `@anthropic-ai/claude-agent-sdk` from 0.3.174 to 0.3.175 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/releases">@anthropic-ai/claude-agent-sdk's releases</a>.</em></p> <blockquote> <h2>v0.3.175</h2> <h2>What's changed</h2> <ul> <li>Updated to parity with Claude Code v2.1.175</li> </ul> <h2>Update</h2> <pre lang="sh"><code>npm install @anthropic-ai/claude-agent-sdk@0.3.175 # or yarn add @anthropic-ai/claude-agent-sdk@0.3.175 # or pnpm add @anthropic-ai/claude-agent-sdk@0.3.175 # or bun add @anthropic-ai/claude-agent-sdk@0.3.175 </code></pre> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/anthropics/claude-agent-sdk-typescript/blob/main/CHANGELOG.md">@anthropic-ai/claude-agent-sdk's changelog</a>.</em></p> <blockquote> <h2>0.3.175</h2> <ul> <li>Updated to parity with Claude Code v2.1.175</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/anthropics/claude-agent-sdk-typescript/commit/e05f10c790c8e230293c5aae9156d1c28bfd352b"><code>e05f10c</code></a> chore: Update CHANGELOG.md</li> <li>See full diff in <a href="https://github.com/anthropics/claude-agent-sdk-typescript/compare/v0.3.174...v0.3.175">compare view</a></li> </ul> </details> <br /> Updates `@typescript/native-preview` from 7.0.0-dev.20260611.2 to 7.0.0-dev.20260612.1 <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/microsoft/typescript-go/commits">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 39c21c0540
| reveal: Flag.boolean("reveal").pipe( | ||
| Flag.withDescription("Reveal the secret API keys in full (e.g. sb_secret_...)."), | ||
| ), |
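Review bot: The text passed to `Flag.withDescription` for `--reveal` says the flag shows secret keys in full but not what is shown when the flag is absent, so a reader of `--help` cannot tell what the safe default looks like. Consider stating the default output in the description and noting that with `--reveal` the full `sb_secret_...` value is printed, where it can end up in terminal scrollback or captured CI logs.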
Add --reveal to the Go api-keys path
Adding --reveal only to the TS legacy command leaves the Go target unable to use the new feature: apps/cli-go/cmd/projects.go still registers only --project-ref, so supabase projects api-keys --reveal exits with an unknown flag when the Go binary is used (including the live go harness target). The generated Go client in this same change already exposes V1GetProjectApiKeysParams.Reveal, so the Go command can pass the same query param instead of making the release's api-keys behavior shell-dependent.
| ): Promise<void> { | ||
| const res = await fetch(`https://${projectRef}.${projectHost}/storage/v1/bucket`, { | ||
| method: "POST", | ||
| headers: { Authorization: `Bearer ${serviceRoleKey}`, "Content-Type": "application/json" }, |
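Review bot: In the `fetch` call, `projectRef` and `projectHost` are interpolated directly into the URL's hostname while the same request carries `Authorization: Bearer ${serviceRoleKey}`, so a malformed value in either variable would send the service role key to a different host. If neither value is validated before this function is called, check `projectRef` against the expected ref format here, build the target with `new URL(...)`, and compare the resulting hostname with the intended one before attaching the key.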
Authenticate storage seeding with sb_ keys
When getServiceRoleKey selects a new-style sb_secret_ key, this request sends it only as a bearer token. The tenant helpers in this repo authenticate sb_ keys through the apikey header and only add Authorization for legacy JWT keys, so live projects that return only secret keys still fail bucket creation after the reveal query is fixed. Include apikey: serviceRoleKey here and only use bearer auth for non-sb_ JWTs before posting to /storage/v1/bucket.
Useful? React with 👍 / 👎.
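The header rule this review comment describes, as an added example in plain JavaScript (not code from the repository): the key always goes in `apikey`, and `Authorization: Bearer` is added only for legacy JWT keys. The function names, the JWT shape test, the request body and the sample keys are assumptions constructed for illustration.

```javascript
// Added example: header selection for Storage requests, per the review comment.
// Function names and sample values are hypothetical / constructed.

const BASE64URL_SEGMENT = /^[A-Za-z0-9_-]+$/;

// Returns "sb" for new-style sb_ keys, "legacy-jwt" for three-segment JWTs,
// and "invalid" for anything else. The JWT shape test is an assumption.
function classifyApiKey(key) {
  if (typeof key !== "string" || key.length === 0) return "invalid";
  if (key.startsWith("sb_")) return "sb";
  const segments = key.split(".");
  const looksLikeJwt =
    segments.length === 3 && segments.every((s) => BASE64URL_SEGMENT.test(s));
  return looksLikeJwt ? "legacy-jwt" : "invalid";
}

// Always send the key in `apikey`; add `Authorization: Bearer` only for
// legacy JWT keys. The error text never includes the key itself, so a
// rejected value cannot leak into logs through the exception message.
function storageAuthHeaders(key) {
  const kind = classifyApiKey(key);
  if (kind === "invalid") {
    throw new Error("unrecognised API key format (value withheld)");
  }
  const headers = { apikey: key, "Content-Type": "application/json" };
  if (kind === "legacy-jwt") {
    headers.Authorization = `Bearer ${key}`;
  }
  return headers;
}

// Build (but do not send) the bucket-creation request shown in the hunk.
function buildCreateBucketRequest(projectRef, projectHost, key, bucketName) {
  return {
    url: `https://${projectRef}.${projectHost}/storage/v1/bucket`,
    init: {
      method: "POST",
      headers: storageAuthHeaders(key),
      body: JSON.stringify({ name: bucketName }), // constructed sample body
    },
  };
}

// Constructed sample values, not real credentials.
const SAMPLE_SB_KEY = "sb_secret_constructed_example_value";
const SAMPLE_JWT_KEY = "aGVhZGVy.cGF5bG9hZA.c2lnbmF0dXJl";
```
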
This PR was automatically created to sync API types from the infrastructure repository. Changes were detected in the generated API code after syncing with the latest spec from infrastructure. Co-authored-by: supabase-cli-releaser[bot] <246109035+supabase-cli-releaser[bot]@users.noreply.github.com>
## TL;DR

ports functions list to native ts

## what's introduced?

ports supabase functions list on the legacy cli path replacing the go backed behavior with a fully ts implementation....

## ref:

- towards CLI-1319
Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
## Changes

Changes the `function.VerifyJWT` field from `bool` to `*bool` across the codebase to distinguish between "not configured" and "explicitly set to false".

### Files modified

- **pkg/config/config.go**: Changed VerifyJWT type from `bool` to `*bool`
- **internal/functions/deploy/deploy.go**: Removed hardcoded VerifyJWT = true for functions not in config.toml; flag override now sets pointer properly
- **pkg/function/deploy.go**: Updated reference to match new pointer type
- **pkg/function/batch.go**: Updated comparison and assignment for `*bool`
- **internal/functions/serve/serve.go**: Defaults to `true` when `*bool` is nil for local serve
- **pkg/function/batch_test.go**: Updated test to use cast.Ptr(true)

## Rationale

Previously, the CLI always sent `verify_jwt: true` in deploy metadata for functions not listed in config.toml, overwriting the dashboard setting. With this fix, when `verify_jwt` is not specified in config.toml, the field is omitted from the deploy payload (`nil`), allowing the API to preserve the existing server-side value.

Fixes #43608

---------

Co-authored-by: deepshekhardas <deepshekharadas1234@gmail.com>
Co-authored-by: Julien Goux <hi@jgoux.dev>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Ports `supabase seed buckets` (CLI-1322) from the Go binary proxy to a native TypeScript implementation in the legacy shell.

## What

`seed buckets` seeds the **local** Storage stack from `supabase/config.toml`: it upserts `[storage.buckets]` (create/update with an overwrite prompt) and `[storage.vector]` buckets (create/prune with graceful "feature unavailable" skips), then uploads each bucket's `objects_path` file tree.

## Why local-only

Go's `seed` command is in the `local-dev` group, so the root pre-run never resolves a project ref (`cmd/root.go:108-116`) and `buckets.Run` always receives an empty `projectRef`. `--linked`/`--local` are therefore accepted for surface parity (and their mutual exclusivity is enforced), but seeding always targets the local Storage service gateway. The remote/analytics code paths Go gates on a project ref are unreachable here and are omitted.

## Structure

- `seed/buckets/` — `handler`, `gateway` (Storage service-gateway client: bucket/vector/object endpoints, `apikey` + `Bearer` auth), `classify` (vector graceful-skip detectors), `upload` (path/content-type helpers), `flags` (`--local`/`--linked` mutual-exclusivity), `errors`.
- `seed/seed.layers.ts` — lean runtime (no Management API stack; local-only).
- Local credentials mirror Go's runtime config derivation (`@supabase/config` decodes the file but doesn't reproduce it): API URL from `api.external_url` else `<scheme>://<SUPABASE_SERVICES_HOSTNAME|127.0.0.1>:<port>` (`config.go` + `misc.go:302`); service-role key from `auth.service_role_key` else a JWT signed with `auth.jwt_secret` (`apikeys.go`).
- `legacy-size-units.ts` hoisted to `legacy/shared/` (used by `config push` and `seed buckets`).

## Parity notes for reviewers

- stderr progress strings, prompt wording (`[Y/n]`/`[y/N]`, overwrite default yes / prune default no), `--yes` echo, and the two yellow vector `WARNING:` fall-throughs match Go.
- Object walk mirrors Go's `isUploadableEntry` (`batch.go:65`): symlinks detected no-follow; dangling symlinks / symlinks-to-dirs / other non-regular entries are skipped with `Skipping non-regular file:` (not fatal); symlinked dirs are not descended.
- Request bodies follow Go's `omitempty` (`public` `*bool`, `file_size_limit`, `allowed_mime_types`).
- Documented divergence: object Content-Type is extension-based (Go's `http.DetectContentType` + `mime.TypeByExtension` is OS-mime-table dependent, so byte-parity isn't achievable). See `SIDE_EFFECTS.md`.
- `--output-format json`/`stream-json` emit a structured run summary; text mode emits nothing extra (Go has no machine output).

---------

Co-authored-by: Claude <noreply@anthropic.com>
## TL;DR

ports functions serve to ts

## what’s introduced

ports functions serve to native ts and wires it through the shared runtime for config resolution, function discovery, local runtime startup, restart handling, and log streaming (for next, intentionally not wiring serve yet so we do not route it through the legacy docker path) which aligns with the existing go behaviour... & adds coverage across all of this!

## ref

- closes CLI-1320

---------

Co-authored-by: Colum Ferry <cferry09@gmail.com>
| } | ||
| } | ||
|
|
||
| return new Response(body, { status, headers }); |
…5620)

Ports `supabase db diff` and `supabase db pull` from the Go CLI to native Effect handlers in the legacy shell, replacing their Phase-0 proxy stubs. Linear: CLI-1313. Builds on the pg-delta infrastructure merged in #5586.

## What changed

**Shared engine (promotion + new modules)**
- Promotes the pg-delta engine — adapter, seam, cache, deno-templates, declarative write, and its errors — out of `db/schema/declarative/` into `db/shared/legacy-pgdelta.*`, so `diff`, `pull`, and `declarative` import one copy. The `generate`/`sync` call sites are updated in the same change; `findDropStatements` is hoisted to `legacy-sql-split.ts`.
- New shared modules: `legacy-diff-engine.ts` (pure `resolveDiffEngine` / `resolvePullDiffEngine` / `shouldUsePgDelta`), `legacy-migra.*` (byte-exact Go templates + a `legacyDiffMigra` free function over the pg-delta context with the OOM→`supabase/migra` bash fallback), and migration-file helpers.

**Live-shadow Go seam**
- Adds a hidden `db __shadow` command (with `PrepareShadowSource` / `PrepareRawShadow`, refactored out of `DiffDatabase` / `pullDeclarativePgDelta`). It provisions the shadow Postgres, prints its connection URL + container id, and leaves it running so the native TS handler runs migra/pg-delta against it and tears it down — mirroring Go's `differ(shadowConfig, config)` for both engines (migra needs a live source, which the catalog-file `__catalog` seam couldn't provide). `start.SetupDatabase` stays unported, which is why provisioning remains in Go.

**db diff**
- Native pg-delta / migra diff via edge-runtime; explicit `--from`/`--to` mode (always pg-delta). `--use-pgadmin` / `--use-pg-schema` rebuild the argv and delegate to the bundled Go binary (telemetry disabled on the child so the single `cli_command_executed` event comes from the TS command).

**db pull**
- Native pg-delta / migra migration pull + `--declarative` pg-delta export; reconciles `supabase_migrations.schema_migrations` and updates remote history on confirmation. `--use-pg-delta` is hidden + emits the cobra deprecation line. The `--experimental` structured dump and initial-pull `pg_dump` (migra) sub-branches delegate to the Go binary (unported `pg_dump`).

**Cross-cutting**
- Adds `--output-format json`/`stream-json` envelopes (text reproduces Go bytes); unit + integration + e2e tests; `SIDE_EFFECTS.md` for both; flips both commands to `ported` in `go-cli-porting-status.md`.

## Reviewer notes

- **Architecture decision (vs the stale CLI-1313 issue text):** pg-delta/migra run via the edge-runtime Deno container, not a library import — Docker is intentionally retained for byte-exact Go parity and zero new published deps, following #5586.
- **Parity gap to flag:** an empty `db pull` exits **non-zero** (`No schema changes found`), matching Go's `errInSync`; `db diff` exits 0. Documented in `pull/SIDE_EFFECTS.md`.
- **Deliberately preserved Go behaviors:** the migra bash-fallback shell construction and `--file`/`--output`/migration-name path handling reproduce pre-existing Go behavior rather than diverging from the strict 1:1 port.
- The migra OOM bash fallback and the linked-pull IPv4 pooler fallback for declarative export are the thinnest-tested paths.
## Summary

- When no registry override is set, image pulls now try **ECR → GHCR → Docker Hub** in sequence instead of failing on the first error
- Rate-limit errors (429, `toomanyrequests`) from one registry automatically fall through to the next candidate rather than bubbling to the user
- An explicit `SUPABASE_INTERNAL_IMAGE_REGISTRY` override still restricts pulls to the single configured registry, preserving existing mirror behaviour

## Changes

**Go (`apps/cli-go`)**
- `GetRegistryImageUrls(imageName)` — returns the ordered fallback candidate list
- `GetRegistryAuthForImage(imageTag)` — per-registry auth lookup backed by a `sync.Map` (replaces the single `sync.Once` that only cached one registry's credentials)
- `DockerResolveImageIfNotCached` — tries each candidate for a local inspect hit, then for a pull, and returns the resolved URL; callers use it to set `config.Image` directly
- `HasRegistryOverride()` helper for branching between single-registry and multi-fallback paths

**TypeScript (`apps/cli`)**
- `legacyGetRegistryImageUrlCandidates(imageName)` — mirrors the same ECR/GHCR/Docker Hub logic in `legacy-docker-registry.ts`
- `legacy-docker-run.layer.ts` — `resolveImage` tries candidates with per-attempt retries on transient patterns; `withResolvedImage` injects the result into `LegacyDockerRunOpts` before `runCapture`, `runStream`, and `runInteractive`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
## TL;DR

adds `local_smtp` as the new preferred config key, keeps `inbucket` valid with a deprecation warning and updates the default template to use `local_smtp`

## what's introduced:

`local_smtp` is now the preferred config/schema key, while existing `inbucket` configs continue to work for now....

## why

basically this moves the config away from an implementation specific name without breaking existing setups in phase 1 :)

## ref

- closes #5222

---------

Co-authored-by: Julien Goux <hi@jgoux.dev>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This PR was automatically created to sync the generated `@supabase/api` package with the latest Management API OpenAPI document. Changes were detected in the upstream OpenAPI document exposed by `https://api.supabase.com/api/v1-json`. Co-authored-by: jgoux <1443499+jgoux@users.noreply.github.com>
Adds an ownerless rule for `/packages/api/src/generated/` to `.github/CODEOWNERS`.

The catch-all `* @supabase/cli` requires CLI-team code-owner review on every PR. A later, more-specific rule with no owner removes that required reviewer for matching paths — the same mechanism already used for the Dependabot dependency surfaces.

This unblocks the recurring Management API OpenAPI spec sync PRs (e.g. #5662), whose entire diff lives under `packages/api/src/generated/`, so they no longer wait on code-owner review and can be auto-merged once CI is green.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Brings the `@supabase/api` package sync workflow in line with the Go CLI API sync workflow ([cli-go-api-sync.yml](.github/workflows/cli-go-api-sync.yml)), which already auto-approves and auto-merges its generated PRs.

Previously [api-package-sync.yml](.github/workflows/api-package-sync.yml) created a PR on its hourly cron but stopped there — every sync PR waited on a human even when all checks were green.

Changes:
- Add `id: cpr` to the Create Pull Request step so its outputs can be referenced.
- Add an Approve step that runs only when a PR was actually created (`pull-request-operation == 'created'`), with `continue-on-error: true` so re-runs against an existing PR don't fail the job.
- Add an Enable Pull Request Automerge step (`gh pr merge --auto --squash`) so the PR merges once required checks pass.

Note: relies on the repo's "Allow auto-merge" setting and branch protection on `develop` requiring checks — the same prerequisites the Go sync workflow already depends on.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
## Summary

- Bump the local stack logflare image from `1.44.3` to `1.45.3` in the CLI Dockerfile manifest.
- Remove the stale Dependabot ignore for `supabase/logflare` versions `>= 1.45.0` — those tags are now mirrored to GHCR and ECR.

Co-authored-by: Cursor <cursoragent@cursor.com>
…pps/cli-go/pkg/config/templates in the docker-minor group (#5668)

Bumps the docker-minor group in /apps/cli-go/pkg/config/templates with 1 update: supabase/storage-api.

Updates `supabase/storage-api` from v1.60.29 to v1.61.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…in /apps/cli-go in the go-minor group across 1 directory (#5669)

Bumps the go-minor group with 1 update in the /apps/cli-go directory: [github.com/getsentry/sentry-go](https://github.com/getsentry/sentry-go).

Updates `github.com/getsentry/sentry-go` from 0.46.2 to 0.47.0

**Release notes**

*Sourced from [github.com/getsentry/sentry-go's releases](https://github.com/getsentry/sentry-go/releases).*

## 0.47.0

### Breaking Changes 🛠

- Fix `transaction_info` source getting set incorrectly across HTTP middleware integrations (http, fasthttp, fiber). Users should now expect traces to properly get grouped with their parameterized path. Transactions in affected integrations may regroup after upgrading. by [`@giortzisg`](https://github.com/giortzisg) in [#1325](https://redirect.github.com/getsentry/sentry-go/pull/1325)
- remove deprecated `otel.NewSentrySpanProcessor`. Users should now use the `sentryotlp.NewTraceExporter` instead by [`@giortzisg`](https://github.com/giortzisg) in [#1307](https://redirect.github.com/getsentry/sentry-go/pull/1307)

```go
// Before
sentry.Init(sentry.ClientOptions{Dsn: dsn, EnableTracing: true, TracesSampleRate: 1.0})

tp := sdktrace.NewTracerProvider(
	sdktrace.WithSpanProcessor(sentryotel.NewSentrySpanProcessor()),
)
otel.SetTextMapPropagator(sentryotel.NewSentryPropagator())
otel.SetTracerProvider(tp)

// After:
sentry.Init(sentry.ClientOptions{
	Dsn:              dsn,
	EnableTracing:    true,
	TracesSampleRate: 1.0,
	Integrations: func(i []sentry.Integration) []sentry.Integration {
		return append(i, sentryotel.NewOtelIntegration())
	},
})

exporter, _ := sentryotlp.NewTraceExporter(ctx, dsn)
tp := sdktrace.NewTracerProvider(sdktrace.WithBatcher(exporter))
otel.SetTracerProvider(tp)
```

- Enable logs by default to skip double allow behavior. Enabling logs now happens once when setting up either `sentry.NewLogger` or any supported integration. Also the EnableLogs flag changes to DisableLogs for a global override switch by [`@giortzisg`](https://github.com/giortzisg) in [#1306](https://redirect.github.com/getsentry/sentry-go/pull/1306)
- Remove the `ContextifyFrames` integration. The recommended way to add source context is [SCM](https://docs.sentry.io/integrations/source-code-mgmt/source-context/) by [`@giortzisg`](https://github.com/giortzisg) in [#1302](https://redirect.github.com/getsentry/sentry-go/pull/1302)

### New Features ✨

- Add fiber v3 integration by [`@giortzisg`](https://github.com/giortzisg) in [#1324](https://redirect.github.com/getsentry/sentry-go/pull/1324)
- Bump fasthttp from 1.51.0 to 1.71.0 by [`@giortzisg`](https://github.com/giortzisg) in [#1324](https://redirect.github.com/getsentry/sentry-go/pull/1324)
- Add sentrysql SQL tracing integration by [`@giortzisg`](https://github.com/giortzisg) in [#1305](https://redirect.github.com/getsentry/sentry-go/pull/1305)
  - Supports multiple integration paths depending on how your app opens database connections: `sentrysql.Open(...)`, `sentrysql.OpenDB(...)`, and wrapped drivers/connectors for custom setups.
  - Database metadata is not inferred in every setup. If the database name is not discoverable automatically, pass `sentrysql.WithDatabaseName(...)` so spans are populated correctly.
  - Example:

```go
// Simple driver-based setup
db, err := sentrysql.Open("sqlite", ":memory:",
	sentrysql.WithDatabaseSystem(sentrysql.SystemSQLite),
	sentrysql.WithDatabaseName("main"),
)
```

### Internal Changes 🔧

#### Deps

... (truncated)

**Commits**

- [`9b7a562`](https://github.com/getsentry/sentry-go/commit/9b7a5624089638c2ba32feb0f19ada8d43a6cc45) release: 0.47.0
- [`320597c`](https://github.com/getsentry/sentry-go/commit/320597ca56231b04d8cbecd7fb1638022a5f0f31) chore: update bump-version script to also bump crosstest ([#1327](https://redirect.github.com/getsentry/sentry-go/issues/1327))
- [`02a836d`](https://github.com/getsentry/sentry-go/commit/02a836d7aa0d9714e7b043165aa8f576e051278c) build(deps): sync go.work ([#1326](https://redirect.github.com/getsentry/sentry-go/issues/1326))
- [`dc18868`](https://github.com/getsentry/sentry-go/commit/dc18868e4665622e8754b14693dfe74a03a0353d) feat: add fiberv3 integration ([#1324](https://redirect.github.com/getsentry/sentry-go/issues/1324))
- [`f970fb5`](https://github.com/getsentry/sentry-go/commit/f970fb569e96394f1bee44e24cdbcdb8c03f3b5e) feat: add sql transaction instrumentation ([#1305](https://redirect.github.com/getsentry/sentry-go/issues/1305))
- [`1010c03`](https://github.com/getsentry/sentry-go/commit/1010c034417791bc4e8863f8d350684e64557a7b) fix!: transaction source for integrations ([#1325](https://redirect.github.com/getsentry/sentry-go/issues/1325))
- [`97b9ddf`](https://github.com/getsentry/sentry-go/commit/97b9ddf7adee2af74ce3b129d4eef204de7cb307) build(deps): bump getsentry/github-workflows from 71588ddf95134f804e82c5970a8...
- [`9cce79e`](https://github.com/getsentry/sentry-go/commit/9cce79eaf28fec76f526628878f0819330bd85c0) feat(sql): add lexer and obfuscator ([#1299](https://redirect.github.com/getsentry/sentry-go/issues/1299))
- [`063a573`](https://github.com/getsentry/sentry-go/commit/063a5730fdb192c7fe3330f67a7e433841d8aeb9) feat(sql): add span instrumentation ([#1286](https://redirect.github.com/getsentry/sentry-go/issues/1286))
- [`34d7db0`](https://github.com/getsentry/sentry-go/commit/34d7db0afca784b8a73bc1b336ffa04163733c0d) chore(otel): remove unused semconv helpers ([#1321](https://redirect.github.com/getsentry/sentry-go/issues/1321))
- Additional commits viewable in [compare view](https://github.com/getsentry/sentry-go/compare/v0.46.2...v0.47.0)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
|
||
| - name: Enable Pull Request Automerge | ||
| if: steps.check.outputs.has_changes == 'true' | ||
| run: gh pr merge --auto --squash --repo "${{ github.repository }}" "${STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER}" |
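Review bot: the automerge step is gated only on `steps.check.outputs.has_changes`, not on the create-PR step having produced a PR, so `STEPS_CPR_OUTPUTS_PULL_REQUEST_NUMBER` can be empty when `gh pr merge` runs. Gate it on the PR number being set (for example `steps.cpr.outputs.pull-request-number != ''`), and read the repository from `$GITHUB_REPOSITORY` rather than expanding `${{ github.repository }}` inside the `run:` script, matching how the PR number is already handed over through the environment.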
🟡 Severity: MEDIUM
This new auto-approve + auto-merge pipeline, combined with the CODEOWNERS change making /packages/api/src/generated/ ownerless, means code generated from an external HTTP endpoint (https://api.supabase.com/api/v1-json via pnpm generate) is now merged into the repository with no human review. A supply-chain compromise of that API endpoint would result in attacker-controlled code being automatically merged.
Helpful? Add 👍 / 👎
💡 Fix Suggestion
Suggestion: This supply-chain risk requires a coordinated set of changes across multiple files to ensure generated code cannot be merged without human review:
1. Remove the 'Approve a PR' step (lines 68–74 in the workflow): The workflow should not self-approve its own PR. Self-approval using the same app token eliminates any meaningful review gate.
2. Remove the 'Enable Pull Request Automerge' step (lines 76–81 in the workflow, including line 78): Disabling auto-merge forces a human to explicitly trigger the merge, providing a last line of defense even if the auto-approval gate were left in place.
3. Re-add a code owner for `/packages/api/src/generated/` in `.github/CODEOWNERS`: The line `/packages/api/src/generated/` currently has no owner, which bypasses the default `@supabase/cli` team requirement. Change it to `/packages/api/src/generated/ @supabase/cli` (or a dedicated review team) so that GitHub's branch-protection rules enforce at least one human approval before any generated code can be merged.
4. (Optional but recommended) Add integrity verification before code generation: Before running `pnpm generate`, download the OpenAPI spec, verify it against a known checksum or a pinned digest, and abort if it does not match. This reduces the blast radius of a compromised upstream endpoint.

Implementing steps 1–3 together ensures that auto-created sync PRs require a genuine human review and approval from a codeowner before they can be merged into the develop branch.
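The interaction this review flags between the ownerless CODEOWNERS rule and the auto-merge step, as an added example in plain JavaScript (not code from the repository): a simplified last-match-wins resolver that a workflow could run over a sync PR's changed files, refusing auto-merge when any file still has an owner. The matcher supports only `*` and root-anchored paths, and the CODEOWNERS text, function names and file names are constructed for illustration.

```javascript
// Added example: which changed files still require code-owner review?
// Simplified subset of CODEOWNERS matching; all names here are hypothetical.

// Constructed CODEOWNERS content modelled on the two rules the page describes.
const CODEOWNERS_SAMPLE = [
  "# catch-all: the CLI team owns everything",
  "* @supabase/cli",
  "# ownerless rule: no owner listed, so no code-owner review is required",
  "/packages/api/src/generated/",
].join("\n");

// Parse CODEOWNERS text into ordered rules, skipping blanks and full-line comments.
function parseCodeowners(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0 && !line.startsWith("#"))
    .map((line) => {
      const [pattern, ...owners] = line.split(/\s+/);
      return { pattern, owners };
    });
}

// Supported patterns: "*" (everything), "/dir/" (everything under a
// root-anchored directory) and "/path/to/file" (one exact file).
// Anything else is rejected rather than silently mis-matched.
function matches(pattern, path) {
  if (pattern === "*") return true;
  if (!pattern.startsWith("/")) {
    throw new Error(`unsupported pattern in this simplified matcher: ${pattern}`);
  }
  const anchored = pattern.slice(1);
  return anchored.endsWith("/") ? path.startsWith(anchored) : path === anchored;
}

// The last matching rule wins; a matching rule with no owners clears ownership.
function ownersFor(rules, path) {
  let owners = [];
  for (const rule of rules) {
    if (matches(rule.pattern, path)) owners = rule.owners;
  }
  return owners;
}

// Allow auto-merge only when the PR changes at least one file and every
// changed file resolves to "no owner". Owned files are reported for review.
function automergeDecision(rules, changedFiles) {
  const needsOwnerReview = changedFiles.filter(
    (file) => ownersFor(rules, file).length > 0,
  );
  return {
    allow: changedFiles.length > 0 && needsOwnerReview.length === 0,
    needsOwnerReview,
  };
}
```
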