From 16c3114790130a61a3e24cdd9b218d88833c096e Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Tue, 25 Nov 2025 16:12:07 +0100
Subject: [PATCH 1/2] chore: remove GH_PAT usage and NPM_TOKEN

All npm publishing must be done through Trusted Publisher. GH_PAT should not be used and a dedicated GitHub app with tightly scoped permissions is to be used instead.

---
 .github/workflows/api-sync.yml | 3 +--
 .github/workflows/automerge.yml | 10 +++++++--
 .github/workflows/release-beta.yml | 17 ++++++++++++---
 .github/workflows/release.yml | 34 ++++++++++++++++++++++++++----
 .github/workflows/tag-npm.yml | 7 +++++-
 5 files changed, 59 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/api-sync.yml b/.github/workflows/api-sync.yml
index 8efeabf14..1d1c8dbdc 100644
--- a/.github/workflows/api-sync.yml
+++ b/.github/workflows/api-sync.yml
@@ -41,7 +41,6 @@ jobs:
 id: cpr
 uses: peter-evans/create-pull-request@v7
 with:
- token: ${{ secrets.GH_PAT }}
 commit-message: "chore: sync API types from infrastructure"
 title: "chore: sync API types from infrastructure"
 body: |
@@ -58,4 +57,4 @@ jobs:
 if: steps.check.outputs.has_changes == 'true'
 run: gh pr merge --auto --squash "${{ steps.cpr.outputs.pull-request-number }}"
 env:
- GH_TOKEN: ${{ secrets.GH_PAT }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index 5cf15ef53..e9242b274 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -22,12 +22,18 @@ jobs:
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
+ - name: Generate token
+ id: app-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 # Here the PR gets approved.
 - name: Approve a PR
 if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
 run: gh pr review --approve "${{ github.event.pull_request.html_url }}"
 env:
- GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 # Finally, this sets the PR to allow auto-merging for patch and minor
 # updates if all checks pass
@@ -35,4 +41,4 @@ jobs:
 if: ${{ steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
 run: gh pr merge --auto --squash "${{ github.event.pull_request.html_url }}"
 env:
- GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/release-beta.yml b/.github/workflows/release-beta.yml
index a74314299..af437211e 100644
--- a/.github/workflows/release-beta.yml
+++ b/.github/workflows/release-beta.yml
@@ -8,6 +8,7 @@ on:
 permissions:
 contents: write
+ id-token: write
 jobs:
 release:
@@ -65,6 +66,13 @@ jobs:
 if: needs.release.outputs.new-release-published == 'true'
 runs-on: ubuntu-latest
 steps:
+ # use GitHub app to create a release token that can publish to homebrew-tap and scoop
+ - name: Generate token
+ id: app-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - uses: actions/checkout@v6
 - uses: actions/setup-go@v6
 with:
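Review bot: The `Generate token` step in automerge.yml passes only `app-id` and `private-key` to `actions/create-github-app-token@v2`, so the resulting token carries every permission the app installation has on the repository, not just the pull-request and contents rights that `gh pr review --approve` and `gh pr merge --auto` need. Add `permission-pull-requests: write` and `permission-contents: write` under `with:` so the token stays capped even if the app's permissions are later widened; the token is minted once for the job, so both gh calls use it. The same unscoped minting appears in every `Generate token` step added to release-beta.yml and release.yml and, in the second patch, api-sync.yml; each should list just the permissions its job's `go run` or `gh` step needs. The second automerge hunk only switches the merge step to the same token and needs no separate change.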
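Review bot: `id-token: write` is added to the workflow-level `permissions:` block of release-beta.yml, so every job in the workflow can request an OIDC token although only the `Publish NPM` job needs one for trusted publishing; the same applies to the corresponding hunks in release.yml and tag-npm.yml. Move it to a job-level block on the publish job instead, e.g. `permissions:` followed by `contents: read` and `id-token: write`, and keep the workflow-level block as it was. A job-level block replaces the inherited workflow permissions, so list there whatever else that job needs (at least `contents: read` for the checkout).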
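Review bot: The comment above the new `Generate token` step says the token must publish to homebrew-tap and scoop, but `actions/create-github-app-token` with neither `owner` nor `repositories` set issues a token scoped to the current repository only, so the `tools/publish` run in the following hunk would be refused on those repositories unless something outside this diff compensates. Set `owner: ${{ github.repository_owner }}` and name the targets explicitly, e.g. `repositories: homebrew-tap,scoop` (substitute the actual repository names), plus `permission-contents: write`; note that setting `owner` while leaving `repositories` empty widens access to every repository in the installation, the opposite of the intent. The identical step and comment in release.yml's release job needs the same change.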
@@ -72,7 +80,7 @@ jobs:
 cache: true
 - run: go run tools/publish/main.go --beta "${{ needs.release.outputs.new-release-version }}"
 env:
- GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 publish:
 name: Publish NPM
@@ -87,7 +95,10 @@ jobs:
 with:
 node-version: "16.x"
 registry-url: "https://registry.npmjs.org"
+
+ # Ensure npm 11.5.1 or later is installed for trusted publishing support
+ - name: Update npm
+ run: npm install -g npm@latest
+
 - run: npm --git-tag-version=false version ${{ needs.release.outputs.new-release-version }}
 - run: npm publish --tag ${{ needs.release.outputs.new-release-channel }}
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9b85ec4a5..472ecde42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,7 @@ on:
 permissions:
 contents: write
 packages: write
+ id-token: write
 jobs:
 settings:
@@ -31,6 +32,13 @@ jobs:
 - settings
 runs-on: ubuntu-latest
 steps:
+ # use GitHub app to create a release token that can publish to homebrew-tap and scoop
+ - name: Generate token
+ id: app-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - uses: actions/checkout@v6
 - uses: actions/setup-go@v6
 with:
@@ -38,7 +46,7 @@ jobs:
 cache: true
 - run: go run tools/publish/main.go ${{ needs.settings.outputs.release_tag }}
 env:
- GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 publish:
 name: Publish NPM
@@ -53,6 +61,12 @@ jobs:
 name: Bump self-hosted versions
 runs-on: ubuntu-latest
 steps:
+ - name: Generate token
+ id: app-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - uses: actions/checkout@v6
 - uses: actions/setup-go@v6
 with:
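Review bot: `run: npm install -g npm@latest` in the `Publish NPM` job fetches an unpinned tool version at release time and runs it on `node-version: "16.x"`, which current npm majors no longer support (npm 11 declares a Node engine range starting at 20.17 as far as I know), so the step may only warn with EBADENGINE or the subsequent `npm publish` may fail outright. Pin the version the comment names, `run: npm install -g npm@11.5.1` (or a later fixed version bumped deliberately), and raise `node-version` to a release that npm 11 supports, so that a broken or compromised npm release cannot silently change what the publish job executes. The same two lines are added in tag-npm.yml and need the same treatment. release.yml's own `Publish NPM` job is not touched by this series; if it still sets `NODE_AUTH_TOKEN` from `NPM_TOKEN`, the commit message's goal is only half met.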
@@ -60,7 +74,7 @@ jobs:
 cache: true
 - run: go run tools/selfhost/main.go
 env:
- GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 changelog:
 name: Publish changelog
@@ -69,6 +83,12 @@ jobs:
 - publish
 runs-on: ubuntu-latest
 steps:
+ - name: Generate token
+ id: app-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - uses: actions/checkout@v6
 - uses: actions/setup-go@v6
 with:
@@ -76,7 +96,7 @@ jobs:
 cache: true
 - run: go run tools/changelog/main.go ${{ secrets.SLACK_CHANNEL }}
 env:
- GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
 docs:
@@ -85,6 +105,12 @@ jobs:
 - settings
 runs-on: ubuntu-latest
 steps:
+ - name: Generate token
+ id: app-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 - uses: actions/checkout@v6
 - uses: actions/setup-go@v6
 with:
@@ -92,4 +118,4 @@ jobs:
 cache: true
 - run: go run docs/main.go ${{ needs.settings.outputs.release_tag }} | go run tools/bumpdoc/main.go apps/docs/spec/cli_v1_commands.yaml
 env:
- GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/tag-npm.yml b/.github/workflows/tag-npm.yml
index fe239608c..aa268989e 100644
--- a/.github/workflows/tag-npm.yml
+++ b/.github/workflows/tag-npm.yml
@@ -15,6 +15,7 @@ on:
 permissions:
 contents: read
+ id-token: write
 jobs:
 tag:
@@ -26,7 +27,11 @@ jobs:
 with:
 node-version: "16.x"
 registry-url: "https://registry.npmjs.org"
+
+ # Ensure npm 11.5.1 or later is installed for trusted publishing support
+ - name: Update npm
+ run: npm install -g npm@latest
+
 - run: npm dist-tag add "supabase@${RELEASE_TAG#v}" latest
 env:
 RELEASE_TAG: ${{ inputs.release }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
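Review bot: Dropping `NODE_AUTH_TOKEN` from the `npm dist-tag add` step in tag-npm.yml assumes trusted publishing authenticates that command, but as far as I know npm's OIDC exchange covers `npm publish` only; if so, this step now runs without a credential and fails with an authentication error, and the `id-token: write` added in the hunk above buys nothing here. Verify with a dry run on a test tag before merging; if dist-tag is not covered, this step still needs a credential, preferably a granular access token restricted to the single package rather than the broad `NPM_TOKEN` that was removed. The pinning concern raised on release-beta.yml's `Update npm` step applies to the copy here as well.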
From 34f5f2f2de236dc4e95b9590aeb21e8c6cb8abc5 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Tue, 25 Nov 2025 17:04:29 +0100
Subject: [PATCH 2/2] chore: token for pr merge

---
 .github/workflows/api-sync.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/api-sync.yml b/.github/workflows/api-sync.yml
index 1d1c8dbdc..0295e028f 100644
--- a/.github/workflows/api-sync.yml
+++ b/.github/workflows/api-sync.yml
@@ -36,11 +36,19 @@ jobs:
 echo "has_changes=true" >> $GITHUB_OUTPUT
 fi
+ - name: Generate token
+ id: app-token
+ uses: actions/create-github-app-token@v2
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
 - name: Create Pull Request
 if: steps.check.outputs.has_changes == 'true'
 id: cpr
 uses: peter-evans/create-pull-request@v7
 with:
+ token: ${{ steps.app-token.outputs.token }}
 commit-message: "chore: sync API types from infrastructure"
 title: "chore: sync API types from infrastructure"
 body: |
@@ -57,4 +65,4 @@ jobs:
 if: steps.check.outputs.has_changes == 'true'
 run: gh pr merge --auto --squash "${{ steps.cpr.outputs.pull-request-number }}"
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
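Review bot: The new `Generate token` step in api-sync.yml has no `if:` guard, unlike the `Create Pull Request` and merge steps that consume its output, so an installation token is minted on every run even when `has_changes` is false; add `if: steps.check.outputs.has_changes == 'true'` to the step. As in the other workflows, cap the token with `permission-contents: write` and `permission-pull-requests: write`, which is all `peter-evans/create-pull-request` and `gh pr merge --auto` require. Passing the app token as `token:` presumably exists so that the created PR triggers its checks, which the default token removed in the first patch cannot do; a one-line comment stating that would keep the next reader from reverting it.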