From d204af54e30752e1b6505752017001cf83463579 Mon Sep 17 00:00:00 2001 From: Martin Donadieu Date: Mon, 27 Apr 2026 18:39:28 +0200 Subject: [PATCH 1/5] ci: upgrade GitHub Actions to node24 --- .github/workflows/build_and_deploy.yml | 2 +- .github/workflows/codspeed.yml | 6 +++--- .github/workflows/tests.yml | 18 +++++++++--------- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml index 1445e92928..be83d82d7c 100644 --- a/.github/workflows/build_and_deploy.yml +++ b/.github/workflows/build_and_deploy.yml @@ -50,7 +50,7 @@ jobs: - name: Install dependencies run: bun install - name: Install Supabase CLI - uses: supabase/setup-cli@v1.6.0 + uses: supabase/setup-cli@df56b21da46c98abb12a9804e4fb1f657773e333 # v2.0.0 with: version: latest - name: Show Supabase CLI version diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml index 9dbdc5d1ce..784497aead 100644 --- a/.github/workflows/codspeed.yml +++ b/.github/workflows/codspeed.yml @@ -26,15 +26,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Node.js - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 22 - name: Setup bun - uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: latest diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index b90759b829..ce22c98187 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -24,16 +24,16 @@ jobs: actions: write steps: - name: Cache Deno dependencies - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ${{ env.DENO_DIR }} key: my_cache_key - name: Checkout capgo - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 - name: Setup bun - uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: latest - name: Validate migration timestamps @@ -139,7 +139,7 @@ jobs: # - name: Lint I18n # run: bunx @inlang/cli lint --project project.inlang - name: Install Supabase CLI - uses: supabase/setup-cli@b60b5899c73b63a2d2d651b1e90db8d4c9392f51 # v1.6.0 + uses: supabase/setup-cli@df56b21da46c98abb12a9804e4fb1f657773e333 # v2.0.0 with: # Supabase CLI 2.90.0 regressed our local test-db startup on GitHub # Actions runners; pin to the last known-good version until upstream is @@ -209,16 +209,16 @@ jobs: contents: read steps: - name: Cache Deno dependencies - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ${{ env.DENO_DIR }} key: my_cache_key - name: Checkout capgo - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 2 - name: Setup bun - uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2 + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 with: bun-version: latest - name: Install dependencies 
@@ -226,7 +226,7 @@ jobs: - name: Install Playwright browser run: bunx playwright install --with-deps chromium - name: Install Supabase CLI - uses: supabase/setup-cli@b60b5899c73b63a2d2d651b1e90db8d4c9392f51 # v1.6.0 + uses: supabase/setup-cli@df56b21da46c98abb12a9804e4fb1f657773e333 # v2.0.0 with: version: 2.84.2 - name: Link Supabase templates @@ -235,7 +235,7 @@ jobs: run: bun run test:front - name: Upload Playwright artifacts if: failure() - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 with: name: playwright-artifacts path: | From 6083ba2b4c000ffe99cfa761563b70b732e9e90a Mon Sep 17 00:00:00 2001 From: Martin Donadieu Date: Mon, 27 Apr 2026 19:35:09 +0200 Subject: [PATCH 2/5] ci: use readable action version tags --- .github/workflows/build_and_deploy.yml | 2 +- .github/workflows/codspeed.yml | 8 ++++---- .github/workflows/tests.yml | 24 ++++++++++++------------ 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml index be83d82d7c..e62330c9eb 100644 --- a/.github/workflows/build_and_deploy.yml +++ b/.github/workflows/build_and_deploy.yml @@ -50,7 +50,7 @@ jobs: - name: Install dependencies run: bun install - name: Install Supabase CLI - uses: supabase/setup-cli@df56b21da46c98abb12a9804e4fb1f657773e333 # v2.0.0 + uses: supabase/setup-cli@v2.0.0 with: version: latest - name: Show Supabase CLI version diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml index 784497aead..6158e9933c 100644 --- a/.github/workflows/codspeed.yml +++ b/.github/workflows/codspeed.yml 
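Review bot: Replacing the full-SHA pins with tag refs such as `uses: supabase/setup-cli@v2.0.0` (and `actions/checkout@v6`, `actions/setup-node@v6`, `oven-sh/setup-bun@v2`, `CodSpeedHQ/action@v4`, `actions/cache@v5`, `crate-ci/typos@v1.45.1`, `JarvusInnovations/background-action@v1`, `actions/upload-artifact@v6` in the codspeed.yml and tests.yml hunks that follow) trades an immutable reference for a mutable one: a tag can be moved to a different commit by whoever controls the action's repository, so a later run may execute code that was never reviewed here, with access to this workflow's tokens and secrets. The previous commit in this series already had the readable form that keeps the pin, `uses: supabase/setup-cli@df56b21da46c98abb12a9804e4fb1f657773e333 # v2.0.0`, so readability does not require dropping the SHA. If the tag form is kept on purpose, the reason belongs in a comment next to the first `uses:` line of each workflow rather than only in the Sonar configuration.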
@@ -26,15 +26,15 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@v6 - name: Setup Node.js - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + uses: actions/setup-node@v6 with: node-version: 22 - name: Setup bun - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + uses: oven-sh/setup-bun@v2 with: bun-version: latest @@ -42,7 +42,7 @@ jobs: run: bun install - name: Run benchmarks - uses: CodSpeedHQ/action@1c8ae4843586d3ba879736b7f6b7b0c990757fab # v4 + uses: CodSpeedHQ/action@v4 with: mode: simulation run: npx vitest bench --config vitest.config.bench.ts --run diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index ce22c98187..f440a3bfeb 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -24,16 +24,16 @@ jobs: actions: write steps: - name: Cache Deno dependencies - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@v5 with: path: ${{ env.DENO_DIR }} key: my_cache_key - name: Checkout capgo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@v6 with: fetch-depth: 2 - name: Setup bun - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + uses: oven-sh/setup-bun@v2 with: bun-version: latest - name: Validate migration timestamps @@ -114,7 +114,7 @@ jobs: echo "✅ Migration filename timestamps are unique and strictly newer than main." - name: Check for typos - uses: crate-ci/typos@cf5f1c29a8ac336af8568821ec41919923b05a83 # v1.45.1 + uses: crate-ci/typos@v1.45.1 - name: Show bun version run: bun --version - name: Show capgo version 
@@ -139,7 +139,7 @@ jobs: # - name: Lint I18n # run: bunx @inlang/cli lint --project project.inlang - name: Install Supabase CLI - uses: supabase/setup-cli@df56b21da46c98abb12a9804e4fb1f657773e333 # v2.0.0 + uses: supabase/setup-cli@v2.0.0 with: # Supabase CLI 2.90.0 regressed our local test-db startup on GitHub # Actions runners; pin to the last known-good version until upstream is @@ -157,7 +157,7 @@ jobs: run: supabase test db - name: Lint SQL run: supabase db lint -s public --fail-on warning - - uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 # v1 + - uses: JarvusInnovations/background-action@v1 name: Bootstrap Edge server with: run: supabase functions serve & @@ -182,7 +182,7 @@ jobs: working-directory: . - name: Run all backend and CLI tests run: bun run test:all - - uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 # v1 + - uses: JarvusInnovations/background-action@v1 name: Start Cloudflare Workers for testing with: run: | @@ -209,16 +209,16 @@ jobs: contents: read steps: - name: Cache Deno dependencies - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@v5 with: path: ${{ env.DENO_DIR }} key: my_cache_key - name: Checkout capgo - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@v6 with: fetch-depth: 2 - name: Setup bun - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + uses: oven-sh/setup-bun@v2 with: bun-version: latest - name: Install dependencies @@ -226,7 +226,7 @@ jobs: - name: Install Playwright browser run: bunx playwright install --with-deps chromium - name: Install Supabase CLI - uses: supabase/setup-cli@df56b21da46c98abb12a9804e4fb1f657773e333 # v2.0.0 + uses: supabase/setup-cli@v2.0.0 with: version: 2.84.2 - name: Link Supabase templates 
@@ -235,7 +235,7 @@ jobs: run: bun run test:front - name: Upload Playwright artifacts if: failure() - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@v6 with: name: playwright-artifacts path: | From 30fa9d272897effdcf34f89d10fda6c6f396d3a6 Mon Sep 17 00:00:00 2001 From: Martin Donadieu Date: Mon, 27 Apr 2026 19:45:49 +0200 Subject: [PATCH 3/5] ci: disable Sonar GitHub Actions analysis --- .sonarcloud.properties | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.sonarcloud.properties b/.sonarcloud.properties index 08e3503bf1..02804041c6 100644 --- a/.sonarcloud.properties +++ b/.sonarcloud.properties @@ -1,2 +1,7 @@ +# +# We intentionally keep workflow refs readable with version tags instead of +# full commit SHAs, so disable Sonar's GitHub Actions hotspot analysis. +sonar.githubactions.activate=false + sonar.exclusions=scripts/**,tests/**,scriptable/**,.cursor/**,playwright/**,formkit.theme.ts,sql/**,supabase/seed.sql,supabase/tests/**,src/components/comp_def.ts,supabase/functions/_backend/utils/supabase.types.ts,src/types/supabase.types.ts sonar.cpd.exclusions=scripts/**,tests/**,scriptable/**,.cursor/**,playwright/**,formkit.theme.ts,sql/**,supabase/seed.sql,supabase/migrations/**,supabase/functions/_backend/utils/conversion.ts,supabase/tests/**,supabase/functions/_backend/plugins/updates_lite.ts,supabase/functions/_backend/utils/pg_lite.ts,supabase/functions/_backend/utils/supabase.types.ts,src/types/supabase.types.ts,src/components/comp_def.ts,src/services/conversion.ts From f59e180b8a485271c055f2574b2af9aaf633faa2 Mon Sep 17 00:00:00 2001 From: Martin Donadieu Date: Mon, 27 Apr 2026 22:36:16 +0200 Subject: [PATCH 4/5] test: seed files security apikey directly --- tests/files-security.test.ts | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/tests/files-security.test.ts b/tests/files-security.test.ts index 047d8fa14d..ddda53f481 100644 
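Review bot: `sonar.githubactions.activate=false` switches off Sonar's entire GitHub Actions analysis for this repository, not only the unpinned-reference hotspot the new comment refers to, so any other workflow findings (for example around permissions or untrusted expression input) would also stop being reported; I cannot tell from the hunk whether the analysis mode in use offers a narrower, rule-level exclusion, but that is worth checking before disabling the whole analyzer. The comment should at least state that scope, e.g. `# This disables all GitHub Actions checks, not just the unpinned-ref hotspot;` followed by the existing sentence, so the next reader does not assume the suppression is targeted. The alternative that needs no suppression is to keep the SHA pins with a trailing `# vX.Y.Z` comment, which the first commit of this series already used.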
--- a/tests/files-security.test.ts +++ b/tests/files-security.test.ts @@ -7,6 +7,7 @@ import { getEndpointUrl, getSupabaseClient, headers, + USER_ID, } from './test-utils.ts' const TUS_VERSION = '1.0.0' @@ -20,20 +21,26 @@ function buildAttachmentPath(orgId: string, appId: string, filename: string) { } async function createUploadScopedKey(appId: string, name: string): Promise<{ id: number, key: string }> { - const response = await fetchWithRetry(`${BASE_URL}/apikey`, { - method: 'POST', - headers, - body: JSON.stringify({ - name, + // Seed the scoped key directly so this suite only validates files behavior. + // API key creation behavior is covered in the dedicated apikey suites and can + // otherwise introduce unrelated worker-auth flakiness here. + const { data: created, error } = await getSupabaseClient() + .from('apikeys') + .insert({ + user_id: USER_ID, + key: null, + key_hash: null, mode: 'upload', + name, limited_to_apps: [appId], - }), - }, 5, 750) - if (response.status !== 200) { - throw new Error(`Failed to create upload-scoped key (${response.status}): ${await response.text()}`) + }) + .select('id, key') + .single() + + if (error || !created) { + throw new Error(`Failed to seed upload-scoped key: ${error?.message ?? 'missing key row'}`) } - const created = await response.json() as { id: number, key: string | null } let key = created.key if (!key) { From 621d39e79baf1d5af84eb03036ba05a282abe9bd Mon Sep 17 00:00:00 2001 From: Martin Donadieu Date: Tue, 28 Apr 2026 17:10:52 +0200 Subject: [PATCH 5/5] test: seed files apikey with plain key --- tests/files-security.test.ts | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/tests/files-security.test.ts b/tests/files-security.test.ts index ddda53f481..e44ef5acf2 100644 --- a/tests/files-security.test.ts +++ b/tests/files-security.test.ts 
@@ -24,11 +24,12 @@ async function createUploadScopedKey(appId: string, name: string): Promise<{ id: // Seed the scoped key directly so this suite only validates files behavior. // API key creation behavior is covered in the dedicated apikey suites and can // otherwise introduce unrelated worker-auth flakiness here. + const plainKey = randomUUID() const { data: created, error } = await getSupabaseClient() .from('apikeys') .insert({ user_id: USER_ID, - key: null, + key: plainKey, key_hash: null, mode: 'upload', name, @@ -41,18 +42,7 @@ async function createUploadScopedKey(appId: string, name: string): Promise<{ id: throw new Error(`Failed to seed upload-scoped key: ${error?.message ?? 'missing key row'}`) } - let key = created.key - - if (!key) { - const { data, error } = await getSupabaseClient() - .from('apikeys') - .select('key') - .eq('id', created.id) - .single() - - expect(error).toBeNull() - key = data?.key ?? null - } + const key = created.key expect(key).toBeTruthy() return {
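Review bot: `const plainKey = randomUUID()` introduces a name that nothing in this hunk imports; unless `tests/files-security.test.ts` already imports it from `node:crypto` above the shown lines, the call fails at runtime (the bare name is not a global, only `crypto.randomUUID()` is). Seeding the row with `key: plainKey` and `key_hash: null` also means this suite now authenticates against a key stored in plaintext with no hash, which may be a different storage shape from keys created through the `/apikey` endpoint that the old code used; if the files endpoint's lookup ever drops the plaintext path, this test would break for a reason unrelated to files behavior, and in the meantime it does not prove that an endpoint-created key is accepted. I would document that assumption next to the insert, `// NOTE: stored as plaintext key with key_hash=null; confirm the files endpoint resolves this row the same way as keys created via /apikey`, and pin the expected shape with a `key_hash` check if hashing is what production does. The `createUploadScopedKey` body continues outside the hunk, so cleanup of the seeded row cannot be seen here.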