Add Ota readiness contract and cross-OS matrix for www/docs workflows #46269

Open
bobaikato wants to merge 34 commits into supabase:master from bobaikato:bobai/supabase-ota-readiness

@bobaikato bobaikato commented May 22, 2026

I have read the CONTRIBUTING.md file.

YES

What kind of change does this PR introduce?

Developer experience and CI/docs update: add an optional Ota readiness contract and a cross-OS contract validation matrix for the scoped www/docs workflows.

What is the current behavior?

This repository has strong setup docs, but no machine-readable readiness contract for the www/docs slice and no dedicated cross-OS readiness matrix around that contract.

What is the new behavior?

  • Adds ota.yaml (Ota readiness contract: https://ota.run) with a scoped readiness model for www/docs workflows (native + container paths).
  • Adds .github/workflows/test-ota-contract-matrix.yml to pressure-test validate/doctor/up/proof surfaces across Ubuntu, macOS, and Windows (including shell variants), with strict E2E parity checks.
  • Adds Ota local artifact ignores to .gitignore.
  • Adds an optional Ota section in CONTRIBUTING.md with concrete commands.

Matrix run on this branch (rebased head) passed:

Additional context

  • Scope is intentionally explicit: this is a www/docs readiness slice, not full monorepo coverage.
  • Container jobs on unsupported hosted runners are classified/skipped with annotations rather than reported as false failures.
  • Ota setup in matrix is pinned to released 1.6.15.

Summary by CodeRabbit

  • New Features

    • Added an end-to-end OTA validation workflow that runs native, container-gated, and strict Ubuntu E2E checks with artifact/log capture, failure classification, and summary reporting.
    • Added an OTA contract defining development workflows, toolchain/container hints, HTTP readiness checks, and ready-to-run tasks for app/docs.
  • Documentation

    • Added OTA setup/readiness guidance to the contributor guide.
  • Chores

    • Updated ignore rules to exclude local OTA runtime artifacts.

@github-actions
Contributor

Thanks for contributing to Supabase! ❤️ Our team will review your PR.

A few tips for a smoother review process:

  • If you have a local version of the repo, run pnpm run format to make sure formatting checks pass.
  • Once we've reviewed your PR, please don't trivially merge master (don't click Update branch if there are no merge conflicts to be fixed). This invalidates any pre-merge checks we've run.

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| design-system | Ready | Preview, Comment | May 22, 2026 5:47pm |

vercel Bot commented May 22, 2026

@bobaikato is attempting to deploy a commit to the Supabase Team on Vercel.

A member of the Team first needs to authorize it.

bobaikato added 25 commits May 22, 2026 11:25
@bobaikato bobaikato force-pushed the bobai/supabase-ota-readiness branch from 0339232 to fa3d422 Compare May 22, 2026 10:25

coderabbitai Bot commented May 22, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds an OTA contract (ota.yaml), tasks and workflows for www/docs, a GitHub Actions validation matrix (native, container, strict Ubuntu E2E), ignores .ota artifacts in .gitignore, and documents Ota setup/readiness in CONTRIBUTING.md.

Changes

OTA Integration & Testing

| Layer | File(s) | Summary |
|---|---|---|
| CI workflow metadata & triggers | .github/workflows/test-ota-contract-matrix.yml | Workflow metadata: name, dispatch/push/PR filters limited to ota.yaml and the workflow, concurrency group, minimal repo read permission, and global OTA env. |
| Native platform testing & failure handling | .github/workflows/test-ota-contract-matrix.yml | Native job matrix across shells/OSes: installs pinned ota, validates contract, lists tasks, exports topology, runs ota doctor, executes ota proof (instant ± app), classifies failures (bash/pwsh, timeout/install regex), emits annotations, and stores artifacts. |
| Container platform testing with Docker detection | .github/workflows/test-ota-contract-matrix.yml | Container job gates on Docker capability, runs validate/list/topology, container dry-run previews for app:container/docs:container/instant:container, treats a specific host-only-readiness message as non-blocking, and uploads artifacts on failure. |
| Strict E2E parity testing & process supervision | .github/workflows/test-ota-contract-matrix.yml | Ubuntu-only strict-e2e job performing warmup installs, orchestrated native/container runs and ota up variants, HTTP readiness polling, timeout/enforced cleanup, log capture (strict-*.log), and artifact upload on failure. |
| OTA contract foundation & surfaces | ota.yaml | Defines contract header, Node/pnpm toolchain, host/container defaults, and HTTP surfaces (www, docs) with probe configs. |
| OTA tasks & workflow definitions | ota.yaml | Adds setup/install/build/typecheck/format tasks, dev:www/dev:docs with host and container modes, and maps app/docs/instant workflows plus container variants. |
| OTA agent defaults & repository policy | ota.yaml | Adds workspace-dependencies check, verification-after-changes, writable/protected paths, and bootstrap commands to install ota. |
| Project configuration & contributor guidance | .gitignore, CONTRIBUTING.md | Adds .ota/state/, .ota/receipts/, .ota/proof/ to .gitignore and documents optional Ota setup/readiness commands in CONTRIBUTING.md. |

Sequence Diagram

sequenceDiagram
  participant GitHubActions as GitHub Actions
  participant Runner as Runner (ubuntu/macos/windows)
  participant ota as ota CLI
  participant Docker as Docker (when gated)
  participant Artifacts as Artifacts (.ota, JSON, logs)
  GitHubActions->>Runner: dispatch job (native/container/strict)
  Runner->>ota: ota validate -> ota tasks -> ota doctor -> ota proof
  Runner->>Docker: probe & run container dry-runs (container job)
  ota->>Artifacts: write proof/validation JSON and .ota/ state
  Runner->>GitHubActions: upload artifacts on failure

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 I hopped through YAML, tests, and ports so wide,
I planted tasks where dev servers hide,
Native proofs and containers in line,
Strict Ubuntu checks to make things fine,
.ota tucked safe, and docs to guide the stride.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main changes: adding an Ota readiness contract (ota.yaml) and a cross-OS validation matrix for www/docs workflows, matching the core objectives of the PR. |
| Description check | ✅ Passed | The description follows the template structure with all required sections completed: confirms reading CONTRIBUTING.md, specifies the change type (DX and CI/docs update), explains current behavior and gaps, describes new behavior with specific file additions, and includes relevant context (scope, matrix run verification link). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/test-ota-contract-matrix.yml (1)

51-52: 💤 Low value

Consider adding persist-credentials: false to checkout actions.

Static analysis flags that Git credentials persist after checkout. While this workflow has read-only contents: read permissions reducing the risk, adding persist-credentials: false is a defense-in-depth measure that prevents credentials from being accessible to subsequent steps running external tools.

Suggested change
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+       with:
+         persist-credentials: false

Also applies to: 399-400, 569-570

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/test-ota-contract-matrix.yml around lines 51 - 52, The
checkout steps using the actions/checkout action (e.g., the step with "uses:
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" and the other two
occurrences flagged) are currently leaving Git credentials persisted; update
each checkout step to include the input persist-credentials: false so
credentials are not made available to subsequent steps, keeping the rest of the
step config unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-ota-contract-matrix.yml:
- Around line 76-78: Replace the mutable tag reference to the ota-run/setup
action with a specific commit hash; locate each occurrence of "uses:
ota-run/setup@v1" (appearing around the three workflow steps that currently use
ota-run/setup@v1) and update them to use the immutable pinned form "uses:
ota-run/setup@<commit-sha>" where <commit-sha> is the full commit hash for the
v1 tag (obtain it via git ls-remote --tags https://github.com/ota-run/setup.git
v1) so all three occurrences match the pinned commit.

In `@ota.yaml`:
- Around line 377-380: The ota installer lines (ota -> sh and ota -> powershell)
currently pipe remote scripts directly into shells; change both to download a
pinned release artifact to a temporary file, verify its SHA256 (or signature)
matches the expected value, and only execute if verification succeeds.
Concretely, update the sh entry to use a pinned URL (include the release
tag/version), curl -fsSLo to save to a file, compute sha256sum and compare
against the hard-coded expected checksum, then run sh <file> on success;
likewise update the powershell entry to use a versioned URL, Invoke-WebRequest
to save to a file, compute and compare the file hash (Get-FileHash -Algorithm
SHA256) against the expected value, and only call iex if the hash matches.
Ensure the expected checksum/signature value is stored alongside these entries
and that failures exit non-zero.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 8b2a9baa-8755-4703-9053-0476a8467ce6

📥 Commits

Reviewing files that changed from the base of the PR and between c895a8e and fa3d422.

📒 Files selected for processing (4)
  • .github/workflows/test-ota-contract-matrix.yml
  • .gitignore
  • CONTRIBUTING.md
  • ota.yaml

Comment thread .github/workflows/test-ota-contract-matrix.yml Outdated
Comment thread ota.yaml Outdated
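
The download, verify, then execute sequence that the inline comment on ota.yaml asks for, as an added shell example that is not code from the PR or from the Ota project. The installer is a constructed local file and its checksum is computed on the spot; `sha256_of` and `run_if_verified` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the PR). A constructed local file stands in for the
# downloaded installer, and its digest stands in for the published checksum.

sha256_of() {
  # sha256sum on Linux, shasum on macOS; prints only the hex digest.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# run_if_verified FILE EXPECTED_SHA256
# Executes FILE with sh only when its digest matches; otherwise returns 1
# without running any of it.
run_if_verified() {
  actual=$(sha256_of "$1") || return 1
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
  sh "$1"
}

demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' 'echo "installer ran"' > "$dir/install.sh"
  # In real use this value is hard-coded next to the command, as the review
  # asks; here it is computed because the file is constructed.
  expected=$(sha256_of "$dir/install.sh")

  run_if_verified "$dir/install.sh" "$expected" || echo "unexpected refusal"

  # Simulate a modified download: one appended line changes the digest.
  printf '%s\n' 'echo "injected line ran"' >> "$dir/install.sh"
  if run_if_verified "$dir/install.sh" "$expected"; then
    echo "tampered file was executed"
  else
    echo "tampered file refused"
  fi
  rm -rf "$dir"
}
demo
```

Because the file is saved before it is hashed, the bytes that were verified are the same bytes that `sh` executes, which a `curl | sh` pipeline cannot guarantee.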
@bobaikato
Author

Follow-up: I switched the bootstrap commands back to the canonical Ota installer endpoint () and pinned install target via for both shell paths. This keeps the contributor path aligned with official Ota install guidance while still avoiding floating target version installs.

@bobaikato
Author

Correction to previous note (formatting):

Follow-up: I switched the ota.yaml bootstrap commands back to the canonical Ota installer endpoint (https://dist.ota.run/install.sh and https://dist.ota.run/install.ps1) and pinned install target via OTA_VERSION=v1.6.15 for both shell paths. This keeps the contributor path aligned with official Ota install guidance while still avoiding floating target version installs.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ota.yaml`:
- Line 379: The OTA_VERSION environment variable is only applied to curl and not
to the installer shell; change the pipeline so the downloaded script runs with
OTA_VERSION in its environment (for example replace `sh: OTA_VERSION=v1.6.15
curl -fsSL https://dist.ota.run/install.sh | sh` with a form that exports
OTA_VERSION to the shell executing the script, e.g. `curl -fsSL
https://dist.ota.run/install.sh | OTA_VERSION=v1.6.15 sh -s --` or invoke the
script via `sh -c` with the variable set); ensure the unique symbols
OTA_VERSION, curl and sh in that line are updated so the installer receives the
pinned version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 8ce9d9ab-4a63-4eed-b7b6-0cea319c1b74

📥 Commits

Reviewing files that changed from the base of the PR and between 5599fe6 and db83908.

📒 Files selected for processing (1)
  • ota.yaml

Comment thread ota.yaml Outdated
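
Why the pinned version never reaches the installer in `OTA_VERSION=v1.6.15 curl ... | sh`, as an added shell example that is not code from the PR or from the Ota project. A constructed stand-in script replaces the real installer and `cat` plays the role of `curl -fsSL`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR). A constructed stand-in script replaces the
# real installer so this runs offline; `cat` plays the role of `curl -fsSL`.

make_fake_installer() {
  # Writes a script that only reports the OTA_VERSION it was started with.
  f=$(mktemp) || return 1
  printf '%s\n' 'echo "${OTA_VERSION:-unset}"' > "$f"
  printf '%s\n' "$f"
}

# Form flagged in review: the prefix applies to the left-hand command only,
# so the shell on the right of the pipe starts without the variable.
prefix_on_downloader() {
  ( unset OTA_VERSION; OTA_VERSION=v1.6.15 cat "$1" | sh )
}

# Suggested form: the prefix applies to the shell that runs the script.
prefix_on_shell() {
  ( unset OTA_VERSION; cat "$1" | OTA_VERSION=v1.6.15 sh -s -- )
}

# Alternative from the review: a wrapper shell exports the variable, so every
# stage of the pipeline inherits it.
exported_in_wrapper() {
  ( unset OTA_VERSION
    sh -c 'export OTA_VERSION=v1.6.15; cat "$1" | sh' _ "$1" )
}

installer=$(make_fake_installer)
echo "prefix on downloader: $(prefix_on_downloader "$installer")"
echo "prefix on shell:      $(prefix_on_shell "$installer")"
echo "export in wrapper:    $(exported_in_wrapper "$installer")"
rm -f "$installer"
```

The first form fails silently: the install still succeeds, only with whatever default version the script picks, so a pin written this way needs a check of the installed version to be trusted.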