Fix Supabase config security for release builds: prevent asset fallback and config leaks#1
Merged
TNT-Likely merged 2 commits intoSep 9, 2025
Conversation
- Modified lib/config.dart to use kReleaseMode and only load assets in non-release builds - Removed assets/config.json from pubspec.yaml to prevent bundling in release - Added CI secret validation and debug steps to GitHub workflow Co-authored-by: TNT-Likely <9278923+TNT-Likely@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Release: use dart-define-only Supabase config; stop bundling assets/config.json; add CI secrets checks
Fix Supabase config security for release builds: prevent asset fallback and config leaks
Sep 9, 2025
TNT-Likely
approved these changes
Sep 9, 2025
3 tasks
Robs87
pushed a commit
to Robs87/BeeCount
that referenced
this pull request
Jun 29, 2026
…ent/persistent error, tests) Address all 4 review items from TNT-Likely#368: - TNT-Likely#1 (blocking): Fix compile error - logger.warning() takes 3 params, not 4. Changed to logger.error() which accepts (tag, message, error, stackTrace). - TNT-Likely#2 (blocking): Fix silent data loss in downgrade path. Added failedChangeIds to _PullPageOutcome. _runPullLoop now filters markResolved() to exclude failed changeIds, so UI can still see them. - TNT-Likely#3: Distinguish transient vs persistent errors in downgrade path. Added _isTransientError() static method, reused by both _applyOneWithBusyRetry and downgrade path. Transient errors abort the page (blocked=true, cursor not advanced). Persistent errors are isolated and skipped. - TNT-Likely#4: Added tests for downgrade path behavior, markResolved filtering, and _isTransientError logic. Also: unified _isTransientError() usage in _applyOneWithBusyRetry.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Release APK/AAB builds could not register or download because Supabase configuration was not being applied correctly at runtime. The code was designed to read from
assets/config.jsonfirst, then apply compile-time defines (--dart-define) as overrides. This created two critical security issues:assets/config.jsonSolution
This PR implements a secure configuration strategy that ensures release builds only use CI-provided secrets while maintaining developer convenience for local builds.
Key Changes
🔒 Release Build Security (
lib/config.dart)kReleaseModecheck to completely skip asset loading in release builds--dart-definevalues from CI secretsassets/config.jsonfor local development📦 Asset Bundling Prevention (
pubspec.yaml)assets/config.jsonfrom the assets list to prevent bundling in release builds🛡️ CI Safeguards (
.github/workflows/release.yml)SUPABASE_URLandSUPABASE_ANON_KEYsecrets exist before buildingBehavior Matrix
API Compatibility
✅ All existing APIs remain unchanged:
AppConfig.supabaseUrlAppConfig.supabaseAnonKeyAppConfig.hasSupabaseAppConfig.init()Testing
The changes maintain backward compatibility while fixing the security issues. Release builds will now:
assets/config.json--dart-defineThis ensures that release artifacts can only connect to production Supabase instances with proper authentication, resolving the registration and download issues.
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
canonical-lgw01.cdn.snapcraftcontent.comhttps://storage.googleapis.com/flutter_infra_release/flutter/ddf47dd3ff96dbde6d9c614db0d7f019d7c7a2b7/dart-sdk-linux-x64.zipcurl --retry 3 --continue-at - --location --output /tmp/flutter/bin/cache/dart-sdk-linux-x64.zip REDACTED(http block)https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_3.27.3-stable.tar.xzcurl -fsSL REDACTED(http block)If you need me to access, download, or install something from one of these locations, you can either:
This pull request was created as a result of the following prompt from Copilot chat.
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.