fix: enforce email confirmation requirement for sign-ins with unverified emails

.gitattributes

@@ -0,0 +1,41 @@
+# Set the default behavior
+* text=auto
+
+# Go files
+*.mod text eol=lf
+*.sum text eol=lf
+*.go text eol=lf
+
+# Serialization
+*.yml eol=lf
+*.yaml eol=lf
+*.toml eol=lf
+*.json eol=lf
+
+# Scripts
+*.sh eol=lf
+
+# DB files
+*.sql eol=lf
+
+# Html
+*.html eol=lf
+
+# Text and markdown files
+*.txt text eol=lf
+*.md text eol=lf
+
+# Environment files/examples
+*.env text eol=lf
+
+# Docker files
+.dockerignore text eol=lf
+Dockerfile* text eol=lf
+
+# Makefile
+Makefile text eol=lf
+
+# Git files
+.gitignore text eol=lf
+.gitattributes text eol=lf
+.gitkeep text eol=lf

.github/CODEOWNERS

@@ -1 +1 @@
-*   @netlify/opensource @netlify/backend
+*   @supabase/auth

.github/workflows/conventional-commits-lint.js

@@ -0,0 +1,109 @@
+"use strict";
+
+const fs = require("fs");
+
+const TITLE_PATTERN =
+  /^(?<prefix>[^:!(]+)(?<package>\([^)]+\))?(?<breaking>[!])?:.+$/;
+const RELEASE_AS_DIRECTIVE = /^\s*Release-As:/im;
+const BREAKING_CHANGE_DIRECTIVE = /^\s*BREAKING[ \t]+CHANGE:/im;
+
+const ALLOWED_CONVENTIONAL_COMMIT_PREFIXES = [
+  "revert",
+  "feat",
+  "fix",
+  "ci",
+  "docs",
+  "chore",
+];
+
+const object = process.argv[2];
+const payload = JSON.parse(fs.readFileSync(process.argv[3], "utf-8"));
+
+let validate = [];
+
+if (object === "pr") {
+  validate.push({
+    title: payload.pull_request.title,
+    content: payload.pull_request.body,
+  });
+} else if (object === "push") {
+  validate.push(
+    ...payload.commits
+      .map((commit) => ({
+        title: commit.message.split("\n")[0],
+        content: commit.message,
+      }))
+      .filter(({ title }) => !title.startsWith("Merge branch ") && !title.startsWith("Revert ")),
+  );
+} else {
+  console.error(
+    `Unknown object for first argument "${object}", use 'pr' or 'push'.`,
+  );
+  process.exit(0);
+}
+
+let failed = false;
+
+validate.forEach((payload) => {
+  if (payload.title) {
+    const match = payload.title.match(TITLE_PATTERN);
+    if (!match) {
+      return
+    }
+
+    const { groups } = match
+
+    if (groups) {
+      if (groups.breaking) {
+        console.error(
+          `PRs are not allowed to declare breaking changes at this stage of the project. Please remove the ! in your PR title or commit message and adjust the functionality to be backward compatible.`,
+        );
+        failed = true;
+      }
+
+      if (
+        !ALLOWED_CONVENTIONAL_COMMIT_PREFIXES.find(
+          (prefix) => prefix === groups.prefix,
+        )
+      ) {
+        console.error(
+          `PR (or a commit in it) is using a disallowed conventional commit prefix ("${groups.prefix}"). Only ${ALLOWED_CONVENTIONAL_COMMIT_PREFIXES.join(", ")} are allowed. Make sure the prefix is lowercase!`,
+        );
+        failed = true;
+      }
+
+      if (groups.package && groups.prefix !== "chore") {
+        console.warn(
+          "Avoid using package specifications in PR titles or commits except for the `chore` prefix.",
+        );
+      }
+    } else {
+      console.error(
+        "PR or commit title must match conventional commit structure.",
+      );
+      failed = true;
+    }
+  }
+
+  if (payload.content) {
+    if (payload.content.match(RELEASE_AS_DIRECTIVE)) {
+      console.error(
+        "PR descriptions or commit messages must not contain Release-As conventional commit directives.",
+      );
+      failed = true;
+    }
+
+    if (payload.content.match(BREAKING_CHANGE_DIRECTIVE)) {
+      console.error(
+        "PR descriptions or commit messages must not contain a BREAKING CHANGE conventional commit directive. Please adjust the functionality to be backward compatible.",
+      );
+      failed = true;
+    }
+  }
+});
+
+if (failed) {
+  process.exit(1);
+}
+
+process.exit(0);

.github/workflows/conventional-commits.yml

@@ -0,0 +1,48 @@
+name: Check pull requests
+
+on:
+  push:
+    branches-ignore: # Run the checks on all branches but the protected ones
+      - master
+      - release/*
+
+  pull_request:
+    branches:
+      - master
+      - release/*
+    types:
+      - opened
+      - edited
+      - reopened
+      - ready_for_review
+
+permissions:
+  contents: read
+
+jobs:
+  check-conventional-commits:
+    runs-on: ubuntu-latest
+    if: github.actor != 'dependabot[bot]' # skip for dependabot PRs
+    env:
+      EVENT: ${{ toJSON(github.event) }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            .github
+
+      - if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          set -ex
+
+          TMP_FILE=$(mktemp)
+          echo "${EVENT}" > "$TMP_FILE"
+          node .github/workflows/conventional-commits-lint.js pr "${TMP_FILE}"
+
+      - if: ${{ github.event_name == 'push' }}
+        run: |
+          set -ex
+
+          TMP_FILE=$(mktemp)
+          echo "${EVENT}" > "$TMP_FILE"
+          node .github/workflows/conventional-commits-lint.js push "${TMP_FILE}"

.github/workflows/dogfooding.yml

@@ -0,0 +1,60 @@
+name: Dogfooding Check
+
+on:
+  pull_request_review:
+    types: [submitted, edited]
+
+  pull_request:
+    types:
+      - opened
+    branches:
+      - '*'
+
+permissions:
+  contents: read
+
+jobs:
+  check_dogfooding:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        if: github.event.pull_request.base.ref == 'master' && github.event.pull_request.head.ref == 'release-please--branches--master'
+        with:
+          ref: master # used to identify the latest RC version via git describe --tags --match rc*
+          fetch-depth: 0
+
+      - if: github.event.pull_request.base.ref == 'master' && github.event.pull_request.head.ref == 'release-please--branches--master'
+        run: |
+          set -ex
+
+          # finds the latest RC version on master
+          RELEASE_VERSION=$(node -e "const a = '$(git describe --tags --match rc*)'.replace(/^rc/, 'v').split('-'); console.log(a[0] + '-' + a[1]);")
+
+          PROD_VERSION=$(curl 'https://auth.supabase.io/auth/v1/health' | jq -r .version)
+          STAGING_VERSION=$(curl 'https://alt.supabase.green/auth/v1/health' | jq -r .version)
+
+          echo "Expecting RC version $RELEASE_VERSION to be up on prod and staging."
+
+          if [ "$PROD_VERSION" != "$STAGING_VERSION" ]
+          then
+            echo "Versions on prod and staging don't match!"
+
+            exit 1
+          fi
+
+          if [ "$PROD_VERSION" != "$RELEASE_VERSION" ]
+          then
+            echo "Version on prod $PROD_VERSION is not the latest release candidate. Please release this RC first to proof the release before merging this PR."
+            exit 1
+          fi
+
+          echo "Release away!"
+          exit 0
+
+      - if: github.event.pull_request.base.ref != 'master' || github.event.pull_request.head.ref != 'release-please--branches--master'
+        run: |
+          set -ex
+
+          echo "This PR is not subject to dogfooding checks."
+          exit 0
+

.github/workflows/publish.yml

@@ -0,0 +1,100 @@
+name: Publish to Image Registry
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: |
+            supabase/gotrue
+            public.ecr.aws/supabase/gotrue
+            ghcr.io/supabase/gotrue
+            ghcr.io/supabase/auth
+            436098097459.dkr.ecr.us-east-1.amazonaws.com/gotrue
+            646182064048.dkr.ecr.us-east-1.amazonaws.com/gotrue
+            supabase/auth
+            public.ecr.aws/supabase/auth
+            436098097459.dkr.ecr.us-east-1.amazonaws.com/auth
+            646182064048.dkr.ecr.us-east-1.amazonaws.com/auth
+          flavor: |
+            latest=false
+          tags: |
+            type=raw,value=v${{ inputs.version }},enable=true
+
+      - uses: docker/setup-qemu-action@v2
+        with:
+          platforms: amd64,arm64
+
+      - run: |
+          set -ex
+
+          echo "Adding explicit release version to Dockerfile..."
+
+          sed -i 's/RELEASE_VERSION=unspecified/RELEASE_VERSION=${{ inputs.version }}/' Dockerfile
+
+      - uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: configure aws credentials - prod
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: us-east-1
+      - name: Login to ECR
+        uses: docker/login-action@v2
+        with:
+          registry: public.ecr.aws
+      - name: Login to ECR account - prod
+        uses: docker/login-action@v2
+        with:
+          registry: 646182064048.dkr.ecr.us-east-1.amazonaws.com
+
+      - name: configure aws credentials - staging
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+          aws-region: us-east-1
+      - name: Login to ECR account - staging
+        uses: docker/login-action@v2
+        with:
+          registry: 436098097459.dkr.ecr.us-east-1.amazonaws.com
+
+      - name: Login to GHCR
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v3
+        with:
+          context: . # IMPORTANT: Dockerfile is modified above to include the release version. Don't remove this line: https://github.com/docker/build-push-action?tab=readme-ov-file#git-context
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max