supabase db diff generates perpetual postgres GRANT statements for tables created via local SQL Editor

[oakenai]

Describe the bug
supabase db diff generates perpetual postgres GRANT statements for tables created via local SQL Editor

originally posted in https://github.com/orgs/supabase/discussions/43076 and was recommended to submit the issue here.

Problem:
I just created a new table, then every time I run supabase db diff, it generates a migration file containing GRANT ... TO "postgres" statements for tables I created via the local SQL Editor (Supabase Studio). Even after I include those grants in my migration file and run diff again, it regenerates the same grants in a new file - infinitely.

Root cause investigation:
I ran SELECT current_user, session_user in the SQL Editor and found:
Local SQL Editor: supabase_admin
Production (hosted): postgres

Then I checked ACLs with an older table "products" and the new "test" table

SELECT relname, relacl 
FROM pg_class 
WHERE relname IN ('test', 'products');

test: {postgres=arwdDxt/supabase_admin,supabase_admin=arwdDxt/supabase_admin,anon=arwdDxt/supabase_admin,authenticated=arwdDxt/supabase_admin,service_role=arwdDxt/supabase_admin}

products:
{postgres=arwdDxt/postgres,anon=arwdDxt/postgres,authenticated=arwdDxt/postgres,service_role=arwdDxt/postgres}

To Reproduce

1. supabase start
2. Create any table via the local SQL Editor: CREATE TABLE test (id uuid default gen_random_uuid());
3. supabase db diff -f test - generates migration with GRANT ... TO "postgres":

create table "public"."test" (
    "id" uuid default gen_random_uuid()
      );

grant delete on table "public"."test" to "anon";

grant insert on table "public"."test" to "anon";

grant references on table "public"."test" to "anon";

grant select on table "public"."test" to "anon";

grant trigger on table "public"."test" to "anon";

grant truncate on table "public"."test" to "anon";

grant update on table "public"."test" to "anon";

grant delete on table "public"."test" to "authenticated";

grant insert on table "public"."test" to "authenticated";

grant references on table "public"."test" to "authenticated";

grant select on table "public"."test" to "authenticated";

grant trigger on table "public"."test" to "authenticated";

grant truncate on table "public"."test" to "authenticated";

grant update on table "public"."test" to "authenticated";

grant delete on table "public"."test" to "postgres";

grant insert on table "public"."test" to "postgres";

grant references on table "public"."test" to "postgres";

grant select on table "public"."test" to "postgres";

grant trigger on table "public"."test" to "postgres";

grant truncate on table "public"."test" to "postgres";

grant update on table "public"."test" to "postgres";

grant delete on table "public"."test" to "service_role";

grant insert on table "public"."test" to "service_role";

grant references on table "public"."test" to "service_role";

grant select on table "public"."test" to "service_role";

grant trigger on table "public"."test" to "service_role";

grant truncate on table "public"."test" to "service_role";

grant update on table "public"."test" to "service_role";

4. supabase db diff -f test2 - generates the same postgres grants again:

grant delete on table "public"."test" to "postgres";

grant insert on table "public"."test" to "postgres";

grant references on table "public"."test" to "postgres";

grant select on table "public"."test" to "postgres";

grant trigger on table "public"."test" to "postgres";

grant truncate on table "public"."test" to "postgres";

grant update on table "public"."test" to "postgres";

5. supabase db diff -f test3 will generate the same postgres grants again.

Expected behavior
running supabase db diff -f test2 should not generate the same postgres grants again

Screenshots
no screenshots, see grant outputs above

System information
Rerun the failing command with --create-ticket flag.

• Version of OS: macOS 26.2
• Version of CLI: 2.75.0
• Version of Docker: 4.16.2
• Versions of services:
  SERVICE IMAGE | LOCAL
  ------------------------|------------------------
  supabase/postgres | 15.1.0.136
  supabase/gotrue | v2.178.0
  postgrest/postgrest | v11.2.2
  supabase/realtime | v2.73.2
  supabase/storage-api | v1.35.3
  supabase/edge-runtime | v1.70.0
  supabase/studio | 2026.01.27-sha-2a37755
  supabase/postgres-meta | v0.95.2
  supabase/logflare | 1.30.5
  supabase/supavisor | 2.7.4

[7ttp]

hi @oakenai 💚
thanks for this!

sql editor runs as supabase_admin but migrations run as postgres so the acl grantor differs and db diff keeps detecting it
this probably needs an upstream fix ig

workarounds for now:

use migrations instead of sql editor:

supabase migration new create_table
supabase db reset

or fix ownership after:

ALTER TABLE your_table OWNER TO postgres;

lmk if either of these work for you for now