diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml
index 1445e92928..e62330c9eb 100644
--- a/.github/workflows/build_and_deploy.yml
+++ b/.github/workflows/build_and_deploy.yml
@@ -50,7 +50,7 @@ jobs:
 - name: Install dependencies
 run: bun install
 - name: Install Supabase CLI
- uses: supabase/setup-cli@v1.6.0
+ uses: supabase/setup-cli@v2.0.0
 with:
 version: latest
 - name: Show Supabase CLI version
diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml
index 9dbdc5d1ce..6158e9933c 100644
--- a/.github/workflows/codspeed.yml
+++ b/.github/workflows/codspeed.yml
@@ -26,15 +26,15 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@v6
 - name: Setup Node.js
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+ uses: actions/setup-node@v6
 with:
 node-version: 22
 - name: Setup bun
- uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2
+ uses: oven-sh/setup-bun@v2
 with:
 bun-version: latest
@@ -42,7 +42,7 @@ jobs:
 run: bun install
 - name: Run benchmarks
- uses: CodSpeedHQ/action@1c8ae4843586d3ba879736b7f6b7b0c990757fab # v4
+ uses: CodSpeedHQ/action@v4
 with:
 mode: simulation
 run: npx vitest bench --config vitest.config.bench.ts --run
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b90759b829..f440a3bfeb 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
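Review bot: The four `uses:` lines in codspeed.yml (hunks `-26,15` and `-42,7`) now resolve `actions/checkout@v6`, `actions/setup-node@v6`, `oven-sh/setup-bun@v2` and `CodSpeedHQ/action@v4` through mutable tags, so each run executes whatever commit the tag points to at that moment rather than the commit that was reviewed. A tag can be moved by anyone with push access to the action's repository, which for the third-party actions is outside this project's control. Readable versions and pinning are compatible: keep the new version in the trailing comment and the ref as a SHA, as in `uses: actions/checkout@<full-commit-sha> # v6` (placeholder; resolve it from the release), and let Dependabot or Renovate bump both together. The same applies to every `uses:` change in tests.yml and to `supabase/setup-cli@v2.0.0` in build_and_deploy.yml, where the step also installs the CLI with `version: latest`.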
@@ -24,16 +24,16 @@ jobs:
 actions: write
 steps:
 - name: Cache Deno dependencies
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+ uses: actions/cache@v5
 with:
 path: ${{ env.DENO_DIR }}
 key: my_cache_key
 - name: Checkout capgo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@v6
 with:
 fetch-depth: 2
 - name: Setup bun
- uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2
+ uses: oven-sh/setup-bun@v2
 with:
 bun-version: latest
 - name: Validate migration timestamps
@@ -114,7 +114,7 @@ jobs:
 echo "✅ Migration filename timestamps are unique and strictly newer than main."
 - name: Check for typos
- uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1
+ uses: crate-ci/typos@v1.45.1
 - name: Show bun version
 run: bun --version
 - name: Show capgo version
@@ -139,7 +139,7 @@ jobs:
 # - name: Lint I18n
 # run: bunx @inlang/cli lint --project project.inlang
 - name: Install Supabase CLI
- uses: supabase/setup-cli@b60b5899c73b63a2d2d651b1e90db8d4c9392f51 # v1.6.0
+ uses: supabase/setup-cli@v2.0.0
 with:
 # Supabase CLI 2.90.0 regressed our local test-db startup on GitHub
 # Actions runners; pin to the last known-good version until upstream is
@@ -157,7 +157,7 @@ jobs:
 run: supabase test db
 - name: Lint SQL
 run: supabase db lint -s public --fail-on warning
- - uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 # v1
+ - uses: JarvusInnovations/background-action@v1
 name: Bootstrap Edge server
 with:
 run: supabase functions serve &
@@ -182,7 +182,7 @@ jobs:
 working-directory: .
 - name: Run all backend and CLI tests
 run: bun run test:all
- - uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 # v1
+ - uses: JarvusInnovations/background-action@v1
 name: Start Cloudflare Workers for testing
 with:
 run: |
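Review bot: With `actions: write` granted to this job (first context line of the `-24,16` hunk), the third-party actions now resolved by tag run with a token that can write to Actions resources: `oven-sh/setup-bun@v2`, `crate-ci/typos@v1.45.1`, and `JarvusInnovations/background-action@v1` in the `-157,7` and `-182,7` hunks. The permissions block starts outside the hunk, so other scopes may be granted too. It is worth confirming which step needs `actions: write`, then either recording that next to the permission (`# actions: write is required by <step-name> only`) or moving that step into its own job so the remaining steps run read-only. Separately, `actions/checkout@v6` is called with only `fetch-depth: 2`; unless a later step needs git credentials, which is not visible here, adding `persist-credentials: false` under `with:` stops the token from being persisted for the steps that follow.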
@@ -209,16 +209,16 @@ jobs:
 contents: read
 steps:
 - name: Cache Deno dependencies
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+ uses: actions/cache@v5
 with:
 path: ${{ env.DENO_DIR }}
 key: my_cache_key
 - name: Checkout capgo
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ uses: actions/checkout@v6
 with:
 fetch-depth: 2
 - name: Setup bun
- uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2
+ uses: oven-sh/setup-bun@v2
 with:
 bun-version: latest
 - name: Install dependencies
@@ -226,7 +226,7 @@ jobs:
 - name: Install Playwright browser
 run: bunx playwright install --with-deps chromium
 - name: Install Supabase CLI
- uses: supabase/setup-cli@b60b5899c73b63a2d2d651b1e90db8d4c9392f51 # v1.6.0
+ uses: supabase/setup-cli@v2.0.0
 with:
 version: 2.84.2
 - name: Link Supabase templates
@@ -235,7 +235,7 @@ jobs:
 run: bun run test:front
 - name: Upload Playwright artifacts
 if: failure()
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ uses: actions/upload-artifact@v6
 with:
 name: playwright-artifacts
 path: |
diff --git a/.sonarcloud.properties b/.sonarcloud.properties
index 08e3503bf1..02804041c6 100644
--- a/.sonarcloud.properties
+++ b/.sonarcloud.properties
@@ -1,2 +1,7 @@
+#
+# We intentionally keep workflow refs readable with version tags instead of
+# full commit SHAs, so disable Sonar's GitHub Actions hotspot analysis.
+sonar.githubactions.activate=false
+
 sonar.exclusions=scripts/**,tests/**,scriptable/**,.cursor/**,playwright/**,formkit.theme.ts,sql/**,supabase/seed.sql,supabase/tests/**,src/components/comp_def.ts,supabase/functions/_backend/utils/supabase.types.ts,src/types/supabase.types.ts
 sonar.cpd.exclusions=scripts/**,tests/**,scriptable/**,.cursor/**,playwright/**,formkit.theme.ts,sql/**,supabase/seed.sql,supabase/migrations/**,supabase/functions/_backend/utils/conversion.ts,supabase/tests/**,supabase/functions/_backend/plugins/updates_lite.ts,supabase/functions/_backend/utils/pg_lite.ts,supabase/functions/_backend/utils/supabase.types.ts,src/types/supabase.types.ts,src/components/comp_def.ts,src/services/conversion.ts
diff --git a/tests/files-security.test.ts b/tests/files-security.test.ts
index 047d8fa14d..e44ef5acf2 100644
--- a/tests/files-security.test.ts
+++ b/tests/files-security.test.ts
@@ -7,6 +7,7 @@ import {
 getEndpointUrl,
 getSupabaseClient,
 headers,
+ USER_ID,
 } from './test-utils.ts'
 const TUS_VERSION = '1.0.0'
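Review bot: `sonar.githubactions.activate=false` in the .sonarcloud.properties hunk silences more than the pinning finding. Going by the property name and the added comment, it turns off Sonar's GitHub Actions analysis as a whole, so any other workflow finding would stop being reported for every file under .github/workflows. If the decision to use tags stands, a narrower route is to mark that one hotspot as reviewed in Sonar, or suppress only that rule, and leave the analyzer on. At minimum the comment should state the cost, for example `# Disables ALL Sonar GitHub Actions analysis, not only the unpinned-action hotspot.`; the leading bare `#` line can be dropped.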
@@ -20,33 +21,29 @@ function buildAttachmentPath(orgId: string, appId: string, filename: string) {
 }
 async function createUploadScopedKey(appId: string, name: string): Promise<{ id: number, key: string }> {
- const response = await fetchWithRetry(`${BASE_URL}/apikey`, {
- method: 'POST',
- headers,
- body: JSON.stringify({
- name,
+ // Seed the scoped key directly so this suite only validates files behavior.
+ // API key creation behavior is covered in the dedicated apikey suites and can
+ // otherwise introduce unrelated worker-auth flakiness here.
+ const plainKey = randomUUID()
+ const { data: created, error } = await getSupabaseClient()
+ .from('apikeys')
+ .insert({
+ user_id: USER_ID,
+ key: plainKey,
+ key_hash: null,
 mode: 'upload',
+ name,
 limited_to_apps: [appId],
- }),
- }, 5, 750)
- if (response.status !== 200) {
- throw new Error(`Failed to create upload-scoped key (${response.status}): ${await response.text()}`)
- }
-
- const created = await response.json() as { id: number, key: string | null }
- let key = created.key
-
- if (!key) {
- const { data, error } = await getSupabaseClient()
- .from('apikeys')
- .select('key')
- .eq('id', created.id)
- .single()
+ })
+ .select('id, key')
+ .single()
- expect(error).toBeNull()
- key = data?.key ?? null
+ if (error || !created) {
+ throw new Error(`Failed to seed upload-scoped key: ${error?.message ?? 'missing key row'}`)
 }
+ const key = created.key
+ expect(key).toBeTruthy()
 return {
 id: created.id,