mirror of
https://github.com/supabase/supabase.git
synced 2026-05-31 01:42:45 +08:00
## I have read the [CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md) file.

YES

## What kind of change does this PR introduce?

Chore, CI hardening

## Additional context

Hardens all GitHub actions to recommendations of [zizmor](https://docs.zizmor.sh/audits/)

## Summary by CodeRabbit

* **Chores**
  * Disabled persistence of checkout credentials across many CI workflows to reduce credential exposure.
  * Upgraded GitHub App token tooling and tightened generated token permissions for automation.
  * Added cooldown/rate-limiting to dependency update automation to reduce update churn.
  * Adjusted workflow-level permissions, required secret inputs for workflow callers, and refactored some job step logic.

---------

Co-authored-by: Ali Waseem <waseema393@gmail.com>
30 lines
639 B
YAML
```yaml
name: Deploy Function

on:
  push:
    branches:
      - main
  workflow_dispatch:

permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest

    env:
      SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
      SUPABASE_PROJECT_ID: ${{ secrets.SUPABASE_PROJECT_ID }}

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - uses: supabase/setup-cli@3c2f5e2ae34c34e428e8e206e2c4d21fa2d20fbf # v2.1.1
        with:
          version: latest

      - run: supabase functions deploy --project-ref $SUPABASE_PROJECT_ID
```
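To check other workflows for the two properties the workflow above shows (actions pinned to a full commit SHA, and `actions/checkout` run with `persist-credentials: false`), here is a small line-based checker, added as an example and not part of the Supabase repository or of zizmor. The function name, the finding labels and the `WEAK` sample are constructed for illustration, and the check assumes `with:` follows `uses:` within a step.

```python
import re

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
PINNED = re.compile(r"@[0-9a-f]{40}$")  # full commit SHA, as in the workflow above
NO_PERSIST = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def audit_workflow(text):
    """Return (line, finding, ref) tuples; finding labels are this example's own."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        # Local (./) and docker:// references are outside this check.
        if not ref.startswith(("./", "docker://")) and not PINNED.search(ref):
            findings.append((i + 1, "unpinned-uses", ref))
        if ref.split("@")[0] == "actions/checkout":
            key_col = line.index("uses:")
            # The step's remaining keys are the lines indented at least as far as `uses:`.
            step = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_col:
                    break
                step.append(nxt)
            if not any(NO_PERSIST.match(s) for s in step):
                findings.append((i + 1, "persisted-credentials", ref))
    return findings

# Steps copied from the workflow on this page.
HARDENED = """\
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: supabase/setup-cli@3c2f5e2ae34c34e428e8e206e2c4d21fa2d20fbf # v2.1.1
        with:
          version: latest
"""

# Constructed counter-example: tag-pinned actions, checkout with default settings.
WEAK = """\
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - uses: supabase/setup-cli@v1
"""

if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_workflow(doc))
```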