Prod deploy

.github/dependabot.yml

@@ -3,7 +3,8 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "cron"
+      cronjob: "0 0 * * *"
     groups:
       action-minor:
         update-types:
@@ -14,7 +15,8 @@ updates:
       - "/"
       - "pkg"
     schedule:
-      interval: "daily"
+      interval: "cron"
+      cronjob: "0 0 * * *"
     groups:
       go-minor:
         update-types:
@@ -23,7 +25,8 @@ updates:
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "cron"
+      cronjob: "0 0 * * *"
     groups:
       npm-minor:
         update-types:
@@ -32,7 +35,8 @@ updates:
   - package-ecosystem: "docker"
     directory: "pkg/config/templates"
     schedule:
-      interval: "daily"
+      interval: "cron"
+      cronjob: "0 0 * * *"
     commit-message:
       prefix: "fix(docker): "
     groups:

.github/workflows/api-sync.yml

@@ -15,7 +15,7 @@ jobs:
     name: Sync API Types
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v6
         with:

.github/workflows/ci.yml

@@ -14,7 +14,7 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v6
         with:
@@ -51,23 +51,23 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
           # Linter requires no cache
           cache: false
 
-      - uses: golangci/golangci-lint-action@v8
+      - uses: golangci/golangci-lint-action@v9
         with:
           args: --timeout 3m --verbose
 
   start:
     name: Start
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -83,7 +83,7 @@ jobs:
     name: Codegen
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - uses: actions/setup-go@v6
         with:

.github/workflows/codeql-analysis.yml

@@ -56,7 +56,7 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/deploy.yml

@@ -14,7 +14,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - run: gh pr create -B main -H develop --title 'Prod deploy' --fill

.github/workflows/fast-forward.yml

@@ -16,7 +16,7 @@ jobs:
       github.event.review.state == 'approved'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - run: |

.github/workflows/install.yml

@@ -21,7 +21,7 @@ jobs:
   pack:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - run: |
           jq -c '.version = "1.28.0"' package.json > tmp.$$.json

.github/workflows/mirror-image.yml

@@ -29,7 +29,7 @@ jobs:
           TAG=${{ inputs.image }}
           echo "image=${TAG##*/}" >> $GITHUB_OUTPUT
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v5.1.0
+        uses: aws-actions/configure-aws-credentials@v5.1.1
         with:
           role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
           aws-region: us-east-1

.github/workflows/mirror.yml

@@ -30,7 +30,7 @@ jobs:
       tags: ${{ steps.list.outputs.tags }}
       curr: ${{ steps.curr.outputs.tags }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod

.github/workflows/release-beta.yml

@@ -20,9 +20,9 @@ jobs:
       new-release-version: ${{ steps.semantic-release.outputs.new_release_version }}
       new-release-channel: ${{ steps.semantic-release.outputs.new_release_channel }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: semantic-release
-        uses: cycjimmy/semantic-release-action@v5
+        uses: cycjimmy/semantic-release-action@v6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -35,7 +35,7 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -65,7 +65,7 @@ jobs:
     if: needs.release.outputs.new-release-published == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -82,7 +82,7 @@ jobs:
     if: needs.release.outputs.new-release-published == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
         with:
           node-version: "16.x"

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
     outputs:
       release_tag: ${{ steps.prerelease.outputs.tagName }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - id: prerelease
         run: |
           gh release list --limit 1 --json tagName --jq \
@@ -31,7 +31,7 @@ jobs:
       - settings
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -53,7 +53,7 @@ jobs:
     name: Bump self-hosted versions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -69,7 +69,7 @@ jobs:
       - publish
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod
@@ -85,7 +85,7 @@ jobs:
       - settings
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version-file: go.mod

.github/workflows/tag-npm.yml

@@ -21,7 +21,7 @@ jobs:
     name: Move latest tag
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
         with:
           node-version: "16.x"

cmd/functions.go

@@ -49,7 +49,10 @@ var (
 		Long:  "Download the source code for a Function from the linked Supabase project.",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return download.Run(cmd.Context(), args[0], flags.ProjectRef, useLegacyBundle, afero.NewOsFs())
+			if useApi {
+				useDocker = false
+			}
+			return download.Run(cmd.Context(), args[0], flags.ProjectRef, useLegacyBundle, useDocker, afero.NewOsFs())
 		},
 	}
 
@@ -133,11 +136,12 @@ func init() {
 	functionsListCmd.Flags().StringVar(&flags.ProjectRef, "project-ref", "", "Project ref of the Supabase project.")
 	functionsDeleteCmd.Flags().StringVar(&flags.ProjectRef, "project-ref", "", "Project ref of the Supabase project.")
 	deployFlags := functionsDeployCmd.Flags()
-	deployFlags.BoolVar(&useApi, "use-api", false, "Use Management API to bundle functions.")
+	deployFlags.BoolVar(&useApi, "use-api", false, "Bundle functions server-side without using Docker.")
 	deployFlags.BoolVar(&useDocker, "use-docker", true, "Use Docker to bundle functions.")
 	deployFlags.BoolVar(&useLegacyBundle, "legacy-bundle", false, "Use legacy bundling mechanism.")
 	functionsDeployCmd.MarkFlagsMutuallyExclusive("use-api", "use-docker", "legacy-bundle")
 	cobra.CheckErr(deployFlags.MarkHidden("legacy-bundle"))
+	cobra.CheckErr(deployFlags.MarkHidden("use-docker"))
 	deployFlags.UintVarP(&maxJobs, "jobs", "j", 1, "Maximum number of parallel jobs.")
 	deployFlags.BoolVar(noVerifyJWT, "no-verify-jwt", false, "Disable JWT verification for the Function.")
 	deployFlags.BoolVar(&prune, "prune", false, "Delete Functions that exist in Supabase project but not locally.")
@@ -152,8 +156,14 @@ func init() {
 	functionsServeCmd.MarkFlagsMutuallyExclusive("inspect", "inspect-mode")
 	functionsServeCmd.Flags().Bool("all", true, "Serve all Functions.")
 	cobra.CheckErr(functionsServeCmd.Flags().MarkHidden("all"))
-	functionsDownloadCmd.Flags().StringVar(&flags.ProjectRef, "project-ref", "", "Project ref of the Supabase project.")
-	functionsDownloadCmd.Flags().BoolVar(&useLegacyBundle, "legacy-bundle", false, "Use legacy bundling mechanism.")
+	downloadFlags := functionsDownloadCmd.Flags()
+	downloadFlags.StringVar(&flags.ProjectRef, "project-ref", "", "Project ref of the Supabase project.")
+	downloadFlags.BoolVar(&useLegacyBundle, "legacy-bundle", false, "Use legacy bundling mechanism.")
+	downloadFlags.BoolVar(&useApi, "use-api", false, "Unbundle functions server-side without using Docker.")
+	downloadFlags.BoolVar(&useDocker, "use-docker", true, "Use Docker to unbundle functions client-side.")
+	functionsDownloadCmd.MarkFlagsMutuallyExclusive("use-api", "use-docker", "legacy-bundle")
+	cobra.CheckErr(downloadFlags.MarkHidden("legacy-bundle"))
+	cobra.CheckErr(downloadFlags.MarkHidden("use-docker"))
 	functionsCmd.AddCommand(functionsListCmd)
 	functionsCmd.AddCommand(functionsDeleteCmd)
 	functionsCmd.AddCommand(functionsDeployCmd)

cmd/projects.go

@@ -75,10 +75,10 @@ var (
 				projectName = args[0]
 			}
 			body := api.V1CreateProjectBody{
-				Name:           projectName,
-				OrganizationId: orgId,
-				DbPass:         dbPassword,
-				Region:         cast.Ptr(api.V1CreateProjectBodyRegion(region.Value)),
+				Name:             projectName,
+				OrganizationSlug: orgId,
+				DbPass:           dbPassword,
+				Region:           cast.Ptr(api.V1CreateProjectBodyRegion(region.Value)),
 			}
 			if cmd.Flags().Changed("size") {
 				body.DesiredInstanceSize = (*api.V1CreateProjectBodyDesiredInstanceSize)(&size.Value)

cmd/restrictions.go

@@ -16,12 +16,13 @@ var (
 
 	dbCidrsToAllow   []string
 	bypassCidrChecks bool
+	appendMode       bool
 
 	restrictionsUpdateCmd = &cobra.Command{
 		Use:   "update",
 		Short: "Update network restrictions",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return update.Run(cmd.Context(), flags.ProjectRef, dbCidrsToAllow, bypassCidrChecks)
+			return update.Run(cmd.Context(), flags.ProjectRef, dbCidrsToAllow, bypassCidrChecks, appendMode)
 		},
 	}
 
@@ -38,6 +39,7 @@ func init() {
 	restrictionsCmd.PersistentFlags().StringVar(&flags.ProjectRef, "project-ref", "", "Project ref of the Supabase project.")
 	restrictionsUpdateCmd.Flags().StringSliceVar(&dbCidrsToAllow, "db-allow-cidr", []string{}, "CIDR to allow DB connections from.")
 	restrictionsUpdateCmd.Flags().BoolVar(&bypassCidrChecks, "bypass-cidr-checks", false, "Bypass some of the CIDR validation checks.")
+	restrictionsUpdateCmd.Flags().BoolVar(&appendMode, "append", false, "Append to existing restrictions instead of replacing them.")
 	restrictionsCmd.AddCommand(restrictionsGetCmd)
 	restrictionsCmd.AddCommand(restrictionsUpdateCmd)
 	rootCmd.AddCommand(restrictionsCmd)

cmd/sso.go

@@ -12,6 +12,7 @@ import (
 	"github.com/supabase/cli/internal/sso/update"
 	"github.com/supabase/cli/internal/utils"
 	"github.com/supabase/cli/internal/utils/flags"
+	"github.com/supabase/cli/pkg/api"
 )
 
 var (
@@ -25,6 +26,16 @@ var (
 		Allowed: []string{"saml"},
 		// intentionally no default value so users have to specify --type saml explicitly
 	}
+
+	ssoNameIDFormat = utils.EnumFlag{
+		Allowed: []string{
+			string(api.CreateProviderBodyNameIdFormatUrnOasisNamesTcSAML11NameidFormatEmailAddress),
+			string(api.CreateProviderBodyNameIdFormatUrnOasisNamesTcSAML11NameidFormatUnspecified),
+			string(api.CreateProviderBodyNameIdFormatUrnOasisNamesTcSAML20NameidFormatPersistent),
+			string(api.CreateProviderBodyNameIdFormatUrnOasisNamesTcSAML20NameidFormatTransient),
+		},
+	}
+
 	ssoMetadataFile         string
 	ssoMetadataURL          string
 	ssoSkipURLValidation    bool
@@ -48,6 +59,7 @@ var (
 				MetadataURL:       ssoMetadataURL,
 				SkipURLValidation: ssoSkipURLValidation,
 				AttributeMapping:  ssoAttributeMappingFile,
+				NameIDFormat:      ssoNameIDFormat.String(),
 				Domains:           ssoDomains,
 			})
 		},
@@ -88,6 +100,7 @@ var (
 				MetadataURL:       ssoMetadataURL,
 				SkipURLValidation: ssoSkipURLValidation,
 				AttributeMapping:  ssoAttributeMappingFile,
+				NameIDFormat:      ssoNameIDFormat.String(),
 				Domains:           ssoDomains,
 				AddDomains:        ssoAddDomains,
 				RemoveDomains:     ssoRemoveDomains,
@@ -146,6 +159,7 @@ func init() {
 	ssoAddFlags.StringVar(&ssoMetadataURL, "metadata-url", "", "URL pointing to a SAML 2.0 Metadata XML document describing the identity provider.")
 	ssoAddFlags.BoolVar(&ssoSkipURLValidation, "skip-url-validation", false, "Whether local validation of the SAML 2.0 Metadata URL should not be performed.")
 	ssoAddFlags.StringVar(&ssoAttributeMappingFile, "attribute-mapping-file", "", "File containing a JSON mapping between SAML attributes to custom JWT claims.")
+	ssoAddFlags.Var(&ssoNameIDFormat, "name-id-format", "URI reference representing the classification of string-based identifier information.")
 	ssoAddCmd.MarkFlagsMutuallyExclusive("metadata-file", "metadata-url")
 	cobra.CheckErr(ssoAddCmd.MarkFlagRequired("type"))
 	cobra.CheckErr(ssoAddCmd.MarkFlagFilename("metadata-file", "xml"))
@@ -159,6 +173,7 @@ func init() {
 	ssoUpdateFlags.StringVar(&ssoMetadataURL, "metadata-url", "", "URL pointing to a SAML 2.0 Metadata XML document describing the identity provider.")
 	ssoUpdateFlags.BoolVar(&ssoSkipURLValidation, "skip-url-validation", false, "Whether local validation of the SAML 2.0 Metadata URL should not be performed.")
 	ssoUpdateFlags.StringVar(&ssoAttributeMappingFile, "attribute-mapping-file", "", "File containing a JSON mapping between SAML attributes to custom JWT claims.")
+	ssoUpdateFlags.Var(&ssoNameIDFormat, "name-id-format", "URI reference representing the classification of string-based identifier information.")
 	ssoUpdateCmd.MarkFlagsMutuallyExclusive("metadata-file", "metadata-url")
 	ssoUpdateCmd.MarkFlagsMutuallyExclusive("domains", "add-domains")
 	ssoUpdateCmd.MarkFlagsMutuallyExclusive("domains", "remove-domains")