ci(release): harden release publishing workflow#5536
Merged
Conversation
avallete
approved these changes
Jun 10, 2026
Supabase CLI previewnpx --yes https://pkg.pr.new/supabase@5536Preview package for commit |
mxcl
pushed a commit
to automic-vault/supabase-cli
that referenced
this pull request
Jun 11, 2026
## Summary - Serialize the release workflow per ref so duplicate release runs cannot publish the same computed version concurrently. - Make Homebrew and Scoop updaters use direct git clones with the GitHub App token available to both `gh` and git, and skip no-op downstream commits when the generated file is already current. - Harden the local npm smoke registry publish path by publishing platform packages deterministically and accepting a local conflict only when Verdaccio has already stored the package tarball. - Update the release process docs to match the current downstream updater behavior and GitHub App variable names. ## Context The release failures on June 10 exposed two repo-side release issues: the Homebrew updater depended on `gh repo clone`, which failed during GitHub GraphQL authentication, and duplicate release runs could race the same prerelease version through downstream publish/smoke-test jobs. The npm smoke-test change hardens the local Verdaccio path that surfaced during the duplicate release window. The Alpine setup-cli failure from the same day was a Docker Hub image pull timeout during GitHub Actions container initialization, before any repository step ran.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ghand git, and skip no-op downstream commits when the generated file is already current.Context
The release failures on June 10 exposed two repo-side release issues: the Homebrew updater depended on
gh repo clone, which failed during GitHub GraphQL authentication, and duplicate release runs could race the same prerelease version through downstream publish/smoke-test jobs. The npm smoke-test change hardens the local Verdaccio path that surfaced during the duplicate release window.The Alpine setup-cli failure from the same day was a Docker Hub image pull timeout during GitHub Actions container initialization, before any repository step ran.