Prod deploy

.github/workflows/api-sync.yml

@@ -39,15 +39,15 @@ jobs:
 
       - name: Generate token
         id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
       - name: Create Pull Request
         if: steps.check.outputs.has_changes == 'true'
         id: cpr
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           token: ${{ steps.app-token.outputs.token }}
           commit-message: "chore: sync API types from infrastructure"

.github/workflows/automerge.yml

@@ -18,14 +18,14 @@ jobs:
       # will not occur.
       - name: Dependabot metadata
         id: meta
-        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0
+        uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Generate token
         id: app-token
         if: ${{ steps.meta.outputs.update-type == null || steps.meta.outputs.update-type == 'version-update:semver-patch' || (!startsWith(steps.meta.outputs.previous-version, '0.') && steps.meta.outputs.update-type == 'version-update:semver-minor') }}
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/ci.yml

@@ -23,13 +23,13 @@ jobs:
           cache: true
 
       # Required by: internal/utils/credentials/keyring_test.go
-      - uses: t1m0thyj/unlock-keyring@728cc718a07b5e7b62c269fc89295e248b24cba7 # v1.1.0
+      - uses: t1m0thyj/unlock-keyring@cbcf205c879ebd86add70bab3a6abfcce59a5cae # v1.2.0
       - run: |
           pkgs=$(go list ./pkg/... | grep -Ev 'pkg/api' | paste -sd ',' -)
           go tool gotestsum -- -race -v -count=1 ./... \
           -coverpkg="./cmd/...,./internal/...,${pkgs}" -coverprofile=coverage.out
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: code-coverage-report
           path: coverage.out

.github/workflows/codeql-analysis.yml

@@ -61,7 +61,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -89,6 +89,6 @@ jobs:
           exit 1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/deploy.yml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
       - id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/install.yml

@@ -30,7 +30,7 @@ jobs:
           mv tmp.$$.json package.json
           npm pack
 
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: installer
           path: supabase-1.28.0.tgz
@@ -82,7 +82,13 @@ jobs:
       - run: yarn set version berry
       # - run: yarn config set nodeLinker node-modules
       - run: yarn init -y
+      # Yarn Berry 4.14+ disables install scripts by default (yarnpkg/berry#7089).
+      # The supabase package relies on a postinstall script to fetch its binary,
+      # so we opt in via YARN_ENABLE_SCRIPTS just for this install step (the
+      # Yarn analog to pnpm's --allow-build=supabase).
       - run: yarn add -D ./supabase-1.28.0.tgz
+        env:
+          YARN_ENABLE_SCRIPTS: "true"
       - if: ${{ matrix.os != 'windows-latest' }}
         run: yarn supabase --version
       # Workaround for running extensionless executable on windows

.github/workflows/pg-prove.yml

@@ -13,7 +13,7 @@ jobs:
       image_tag: supabase/pg_prove:${{ steps.version.outputs.pg_prove }}
     steps:
       - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+      - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           load: true
           context: https://github.com/horrendo/pg_prove.git
@@ -51,7 +51,7 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           push: true
           context: https://github.com/horrendo/pg_prove.git

.github/workflows/publish-migra.yml

@@ -13,7 +13,7 @@ jobs:
       image_tag: supabase/migra:${{ steps.version.outputs.migra }}
     steps:
       - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+      - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           load: true
           context: https://github.com/djrobstep/migra.git
@@ -51,7 +51,7 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       - id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           push: true
           context: https://github.com/djrobstep/migra.git

.github/workflows/release-beta.yml

@@ -44,7 +44,7 @@ jobs:
           go-version-file: go.mod
           cache: true
 
-      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+      - uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
         with:
           distribution: goreleaser
           version: ~> v2
@@ -75,7 +75,7 @@ jobs:
       # use GitHub app to create a release token that can publish to homebrew-tap and scoop
       - name: Generate token
         id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -99,7 +99,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: latest
           registry-url: https://registry.npmjs.org

.github/workflows/release.yml

@@ -48,7 +48,7 @@ jobs:
           go-version-file: go.mod
           cache: true
       - id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -72,7 +72,7 @@ jobs:
           go-version-file: go.mod
           cache: true
       - id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -96,7 +96,7 @@ jobs:
           go-version-file: go.mod
           cache: true
       - id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -121,7 +121,7 @@ jobs:
           go-version-file: go.mod
           cache: true
       - id: app-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

.github/workflows/tag-npm.yml

@@ -24,7 +24,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: latest
           registry-url: https://registry.npmjs.org

cmd/db.go

@@ -80,15 +80,19 @@ var (
 		},
 	}
 
-	useMigra    bool
-	usePgAdmin  bool
-	usePgSchema bool
-	usePgDelta  bool
-	diffFrom    string
-	diffTo      string
-	outputPath  string
-	schema      []string
-	file        string
+	useMigra       bool
+	usePgAdmin     bool
+	usePgSchema    bool
+	usePgDelta     bool
+	pullDiffEngine = utils.EnumFlag{
+		Allowed: []string{"migra", "pg-delta"},
+		Value:   "migra",
+	}
+	diffFrom   string
+	diffTo     string
+	outputPath string
+	schema     []string
+	file       string
 
 	dbDiffCmd = &cobra.Command{
 		Use:   "diff",
@@ -172,8 +176,13 @@ var (
 			if len(args) > 0 {
 				name = args[0]
 			}
-			useDelta := shouldUsePgDelta()
-			return pull.Run(cmd.Context(), schema, flags.DbConfig, name, useDelta, afero.NewOsFs())
+			pullDiffer := diff.DiffSchemaMigra
+			usePgDeltaDiff := pullDiffEngine.Value == "pg-delta"
+			if usePgDeltaDiff {
+				pullDiffer = diff.DiffPgDelta
+			}
+			useDeclarativePgDelta := shouldUsePgDelta()
+			return pull.Run(cmd.Context(), schema, flags.DbConfig, name, useDeclarativePgDelta, usePgDeltaDiff, pullDiffer, afero.NewOsFs())
 		},
 		PostRun: func(cmd *cobra.Command, args []string) {
 			fmt.Println("Finished " + utils.Aqua("supabase db pull") + ".")
@@ -202,7 +211,7 @@ var (
 		Short:      "Commit remote changes as a new migration",
 		RunE: func(cmd *cobra.Command, args []string) error {
 			useDelta := shouldUsePgDelta()
-			return pull.Run(cmd.Context(), schema, flags.DbConfig, "remote_commit", useDelta, afero.NewOsFs())
+			return pull.Run(cmd.Context(), schema, flags.DbConfig, "remote_commit", useDelta, false, diff.DiffSchemaMigra, afero.NewOsFs())
 		},
 	}
 
@@ -411,11 +420,13 @@ func init() {
 	// This flag activates declarative pull output through pg-delta instead of the
 	// legacy migration SQL pull path.
 	pullFlags.BoolVar(&usePgDelta, "use-pg-delta", false, "Use pg-delta to pull declarative schema.")
+	pullFlags.Var(&pullDiffEngine, "diff-engine", "Diff engine to use for migration-style db pull.")
 	pullFlags.StringSliceVarP(&schema, "schema", "s", []string{}, "Comma separated list of schema to include.")
 	pullFlags.String("db-url", "", "Pulls from the database specified by the connection string (must be percent-encoded).")
 	pullFlags.Bool("linked", true, "Pulls from the linked project.")
 	pullFlags.Bool("local", false, "Pulls from the local database.")
 	dbPullCmd.MarkFlagsMutuallyExclusive("db-url", "linked", "local")
+	dbPullCmd.MarkFlagsMutuallyExclusive("use-pg-delta", "diff-engine")
 	pullFlags.StringVarP(&dbPassword, "password", "p", "", "Password to your remote Postgres database.")
 	cobra.CheckErr(viper.BindPFlag("DB_PASSWORD", pullFlags.Lookup("password")))
 	dbCmd.AddCommand(dbPullCmd)

cmd/db_schema_declarative.go

@@ -321,7 +321,10 @@ func runDeclarativeSync(cmd *cobra.Command, args []string) error {
 		return nil
 	}
 	fmt.Fprintln(os.Stderr, "Generated migration SQL:")
-	fmt.Fprintln(os.Stderr, utils.Bold(result.DiffSQL))
+	// Don't wrap with utils.Bold: lipgloss renders multi-line input as a block
+	// and pads every line with trailing spaces to match the widest line, which
+	// produces a wall of whitespace for long CREATE FUNCTION bodies.
+	fmt.Fprintln(os.Stderr, result.DiffSQL)
 
 	// Step 4: Resolve migration name
 	migrationName := resolveDeclarativeMigrationName(declarativeName, declarativeFile)

cmd/root.go

@@ -173,6 +173,7 @@ func Execute() {
 	executedCmd, err := rootCmd.ExecuteC()
 	if executedCmd != nil {
 		if service := telemetry.FromContext(executedCmd.Context()); service != nil {
+			ensureProjectGroupsCached(executedCmd.Context(), service)
 			_ = service.Capture(executedCmd.Context(), telemetry.EventCommandExecuted, map[string]any{
 				telemetry.PropExitCode:   exitCode(err),
 				telemetry.PropDurationMs: time.Since(startedAt).Milliseconds(),
@@ -200,6 +201,35 @@ func Execute() {
 	}
 }
 
+// ensureProjectGroupsCached populates the telemetry linked-project cache when
+// a project ref is available but no cache exists. This ensures org/project
+// PostHog groups are attached to all CLI events, not just those after `supabase link`.
+//
+// Does not overwrite an existing cache — `supabase link` is the authoritative source.
+// Checks auth before calling the API to avoid the log.Fatalln in GetSupabase().
+func ensureProjectGroupsCached(ctx context.Context, service *telemetry.Service) {
+	ref := flags.ProjectRef
+	if ref == "" {
+		return
+	}
+	fsys := afero.NewOsFs()
+	if telemetry.HasLinkedProject(fsys) {
+		return
+	}
+	if _, err := utils.LoadAccessTokenFS(fsys); err != nil {
+		return
+	}
+	resp, err := utils.GetSupabase().V1GetProjectWithResponse(ctx, ref)
+	if err != nil {
+		fmt.Fprintln(utils.GetDebugLogger(), err)
+		return
+	}
+	if resp.JSON200 == nil {
+		return
+	}
+	telemetry.CacheProjectAndIdentifyGroups(*resp.JSON200, service, fsys)
+}
+
 func exitCode(err error) int {
 	if err != nil {
 		return 1

docs/supabase/db/pull.md

@@ -9,3 +9,5 @@ Requires your local project to be linked to a remote database by running `supaba
 Optionally, a new row can be inserted into the migration history table to reflect the current state of the remote database.
 
 If no entries exist in the migration history table, `pg_dump` will be used to capture all contents of the remote schemas you have created. Otherwise, this command will only diff schema changes against the remote database, similar to running `db diff --linked`.
+
+Pass `--diff-engine pg-delta` to keep the migration-file `db pull` workflow while using pg-delta for the shadow diff step. Pass `--use-pg-delta` to switch to the declarative pg-delta export workflow instead.

internal/db/declarative/declarative.go

@@ -235,10 +235,9 @@ func WriteDeclarativeSchemas(output diff.DeclarativeOutput, fsys afero.Fs) error
 			return err
 		}
 	}
-	// When pg-delta has its own config section, the declarative path is the single
-	// source of truth there; do not overwrite [db.migrations] schema_paths.
-	if utils.IsPgDeltaEnabled() && utils.Config.Experimental.PgDelta != nil &&
-		len(utils.Config.Experimental.PgDelta.DeclarativeSchemaPath) > 0 {
+	// When pg-delta is enabled, the declarative directory (default or configured)
+	// is the source of truth; do not overwrite [db.migrations] schema_paths.
+	if utils.IsPgDeltaEnabled() {
 		return nil
 	}
 	utils.Config.Db.Migrations.SchemaPaths = []string{