
chore: add workflow to update supabase-js#80

Merged
mandarini merged 2 commits into main from chore/update-supabase-workflow
Mar 5, 2026

Conversation

@mandarini
Contributor

Workflow to update supabase-js

@mandarini mandarini requested a review from a team as a code owner March 4, 2026 11:30
@coderabbitai

coderabbitai bot commented Mar 4, 2026

Warning

Rate limit exceeded

@mandarini has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 24 minutes and 26 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b5e4d10c-684b-46a5-80c2-d0edd8101dfe

📥 Commits

Reviewing files that changed from the base of the PR and between 07ff862 and 3780586.

📒 Files selected for processing (1)
  • .github/workflows/update-supabase-js.yml
📝 Walkthrough

A new GitHub Actions workflow file is introduced at .github/workflows/update-supabase-js.yml that automates dependency updates for the @supabase/supabase-js package. The workflow is manually triggered via workflow_dispatch with two inputs: a required version parameter and an optional source parameter (defaults to "manual"). When executed, it checks out the repository, sets up Node.js 20, installs the specified version of the package, generates a GitHub App token using credentials from secrets, and creates a pull request with the updated dependency on a feature branch.



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/update-supabase-js.yml (1)

21-22: Add concurrency control to avoid duplicate-run branch collisions.

Because Line 58 uses a deterministic branch name per version, rerunning for the same version can cause branch/update conflicts.

♻️ Suggested change
 jobs:
   update-supabase-js:
     runs-on: ubuntu-latest
+    concurrency:
+      group: update-supabase-js-${{ inputs.version }}
+      cancel-in-progress: false
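Review bot: the suggested block sets `cancel-in-progress: false`, but the AI-agent prompt generated for this same finding says `cancel-in-progress: true`; the two should agree before anyone applies either. `false` is the safer of the two for this job: a run pushes a branch and opens a PR, so cancelling an in-progress run for the same version can leave a half-updated branch behind, whereas queuing the second run only makes it update the PR that already exists. Keying the group on `${{ inputs.version }}` is fine here because a concurrency group is an expression value, not a shell command.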

Also applies to: 58-59

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/update-supabase-js.yml around lines 21 - 22, Add
concurrency control to the GitHub Actions job named update-supabase-js to
prevent duplicate-run branch collisions: under the job definition for
update-supabase-js add a concurrency block that uses a stable group key tied to
the version/branch identifier used to create the deterministic branch name
(e.g., include the version or the same expression used when generating the
branch name) and set cancel-in-progress: true so concurrent runs for the same
version are serialized and earlier in-progress runs are cancelled.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/update-supabase-js.yml:
- Around line 36-37: The workflow currently interpolates raw inputs.version into
shell commands and a branch name (e.g., npm i `@supabase/supabase-js`@${{
inputs.version }} and the branch/ref creation), which allows shell injection and
invalid ref names; add validation and sanitization: define a step that validates
inputs.version against a strict pattern (e.g., a semver regex like
^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$) and fail the job if it doesn't match, then
assign a sanitized environment variable (e.g., SANITIZED_VERSION) and use that
env var for npm install and branch naming instead of raw inputs.version; also
strip/escape any unsafe characters before using it in shell/refs to ensure the
branch name construction is safe.
- Around line 36-37: The "Update `@supabase/supabase-js`" workflow step installs
the new dependency but does not rebuild the tracked compiled artifacts
(dist/index.js referenced by action.yml); modify the workflow so that
immediately after the run step that executes "npm i `@supabase/supabase-js`@${{
inputs.version }}" you run the build command to regenerate dist (e.g., run "npm
run package") — alternatively run "npm run all" if you also want formatting and
other prep — ensure this new run step is added in the same job after the install
to commit updated built artifacts.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 1a61c2a2-c789-4254-8e7b-402d6eadb742

📥 Commits

Reviewing files that changed from the base of the PR and between 23d1d8f and 07ff862.

📒 Files selected for processing (1)
  • .github/workflows/update-supabase-js.yml

Comment on lines +36 to +37
- name: Update @supabase/supabase-js
run: npm i @supabase/supabase-js@${{ inputs.version }}

⚠️ Potential issue | 🔴 Critical

Validate and sanitize inputs.version before use.

On Line 37, raw inputs.version is executed in a shell context; on Line 58, the same unsanitized value is used in a branch name. This can allow shell injection and invalid ref names.

🔧 Proposed fix
 jobs:
   update-supabase-js:
     runs-on: ubuntu-latest

     steps:
+      - name: Validate version input
+        id: version
+        shell: bash
+        run: |
+          set -euo pipefail
+          VERSION="${{ inputs.version }}"
+          if [[ ! "$VERSION" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$ ]]; then
+            echo "Invalid version: $VERSION" >&2
+            exit 1
+          fi
+          VERSION="${VERSION#v}"
+          SAFE_VERSION="${VERSION//[^0-9A-Za-z._-]/-}"
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "safe_version=$SAFE_VERSION" >> "$GITHUB_OUTPUT"
+
       - name: Update `@supabase/supabase-js`
-        run: npm i `@supabase/supabase-js`@${{ inputs.version }}
+        run: npm i "@supabase/supabase-js@${{ steps.version.outputs.version }}"
@@
-          commit-message: "feat: update `@supabase/supabase-js` to v${{ inputs.version }}"
-          title: "feat: update `@supabase/supabase-js` to v${{ inputs.version }}"
+          commit-message: "feat: update `@supabase/supabase-js` to v${{ steps.version.outputs.version }}"
+          title: "feat: update `@supabase/supabase-js` to v${{ steps.version.outputs.version }}"
@@
-            This PR updates `@supabase/supabase-js` to v${{ inputs.version }}.
+            This PR updates `@supabase/supabase-js` to v${{ steps.version.outputs.version }}.
@@
-          branch: "gha/auto-update-supabase-js-v${{ inputs.version }}"
+          branch: "gha/auto-update-supabase-js-v${{ steps.version.outputs.safe_version }}"
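Review bot: the new "Validate version input" step still writes `VERSION="${{ inputs.version }}"` into the `run:` script, so the expression is substituted into the script text before bash parses it; a value containing a closing double quote and a command separator runs before the regex check is reached, which is the same weakness the finding is about. Pass the input through the environment instead, e.g.
env:
  VERSION: ${{ inputs.version }}
and reference `"$VERSION"` in the script; the regex, `${VERSION#v}` and the `safe_version` derivation then operate on a value the shell never interprets. The later hunks that switch to `steps.version.outputs.version` and `steps.version.outputs.safe_version` are fine, since those outputs exist only after validation succeeded.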

Also applies to: 50-51, 58-58

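The validate-then-sanitize step the comment above asks for, as an added example that is not part of this PR or of supabase/embeddings-generator; it assumes the untrusted input reaches the shell through an environment variable named VERSION_INPUT (a name chosen here, set from an `env:` mapping in the workflow) and reuses the branch prefix from the proposed fix:

```shell
#!/bin/sh
# Added example (not code from the PR or from supabase/embeddings-generator):
# the validate-then-sanitize step the review proposes, as a stand-alone POSIX
# shell script. The untrusted value is read from the environment (VERSION_INPUT,
# an assumed name), which is how a workflow input should reach the shell: via an
# `env:` mapping, not by expanding ${{ inputs.version }} inside the script text,
# where the expansion happens before the shell parses the script.
set -eu

# Strict semver: optional leading v, three numeric parts, optional
# pre-release (-rc.1) and optional build metadata (+build.5).
SEMVER_RE='^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'

# Prints the normalized version (leading v stripped) and returns 0 when the
# input matches SEMVER_RE; returns 1 otherwise. The input is only compared,
# never evaluated, so shell metacharacters in it cannot run anything.
validate_version() {
  printf '%s' "$1" | grep -Eq "$SEMVER_RE" || return 1
  printf '%s\n' "${1#v}"
}

# Maps a validated version to a string safe for a git ref: every character
# outside [0-9A-Za-z._-] (for example the '+' of build metadata) becomes '-'.
safe_ref_component() {
  printf '%s\n' "$1" | sed 's/[^0-9A-Za-z._-]/-/g'
}

# Validates VERSION_INPUT and prints the key=value lines a workflow step would
# append to "$GITHUB_OUTPUT"; fails (return 1) on anything that is not a version.
emit_outputs() {
  raw="${VERSION_INPUT:-}"
  if ! version="$(validate_version "$raw")"; then
    echo "Invalid version: $raw" >&2
    return 1
  fi
  safe="$(safe_ref_component "$version")"
  echo "version=$version"
  echo "safe_version=$safe"
  echo "branch=gha/auto-update-supabase-js-v$safe"
}

# Runs only when a value was supplied, e.g.: VERSION_INPUT=v2.49.1 sh validate.sh
if [ -n "${VERSION_INPUT:-}" ]; then
  emit_outputs
fi
```

In the workflow the three `echo` lines would instead be redirected to `"$GITHUB_OUTPUT"` so later steps can read `steps.<id>.outputs.version` and `steps.<id>.outputs.safe_version`.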

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Action metadata (check main entrypoint) =="
fd -HI 'action.y*ml' --exec sh -c 'echo "--- $1 ---"; sed -n "1,140p" "$1"' sh {}

echo
echo "== Tracked dist artifacts =="
git ls-files | rg -n '^dist/' || true

echo
echo "== package.json scripts =="
fd -HI '^package\.json$' --exec sh -c 'echo "--- $1 ---"; jq ".scripts" "$1"' sh {}

Repository: supabase/embeddings-generator


Add a build step after updating the dependency.

The workflow updates @supabase/supabase-js in line 37, but this action uses compiled artifacts (dist/index.js as configured in action.yml). Since dist/ is tracked in git, the PR will include stale compiled code unless the build step is regenerated.

Add npm run package after line 37 to rebuild the artifacts with the updated dependency, or use npm run all to include formatting as well.


@mandarini mandarini force-pushed the chore/update-supabase-workflow branch 2 times, most recently from f53e9f4 to 438c3eb on March 4, 2026 12:12
@mandarini mandarini force-pushed the chore/update-supabase-workflow branch from 438c3eb to 3780586 on March 4, 2026 13:37
@mandarini mandarini merged commit 8a0e8ea into main Mar 5, 2026
4 checks passed
@mandarini mandarini deleted the chore/update-supabase-workflow branch March 5, 2026 11:33