Purpose: Tracks manual GitHub and Supabase configuration steps that cannot be done through code and must be completed by a repository administrator.
1. Supabase Remote Migration Repair (URGENT)
The Dev Supabase project has 9 remote migrations that are not present in the local repository. Thesupabase-ci dryrun-push job will continue to fail until this is resolved.
Symptoms: supabase db push --dry-run reports:
Option A: Mark remote migrations as reverted (if they are genuinely not needed)
Option B: Pull the remote migrations into the repo (if they contain real schema changes)
Option C: Manually trigger supabase-sync-from-dev workflow
Go to Actions → Supabase sync from Dev → Run workflow to capture any real drift as a proper migration PR.
Reference: docs/development/supabase/SUPABASE_CLI_LOCAL_WORKFLOW.md
2. Branch Protection Rules
Configure branch protection ondev, main, and production branches to require CI to pass before merge.
Go to: Repository Settings → Branches → Add branch protection rule
For dev:
- Require a pull request before merging
- Require status checks to pass before merging
- Required checks:
governance,quality,tests,build-and-smoke
- Required checks:
- Require branches to be up to date before merging
- Do not allow bypassing the above settings
For main:
- Require a pull request before merging
- Require status checks to pass before merging
- Required checks:
governance,quality,tests,build-and-smoke
- Required checks:
- Require linear history
- Do not allow bypassing the above settings
For production:
- Require a pull request before merging
- Require status checks to pass before merging
- Required checks:
governance,quality,tests,build-and-smoke,migration-lane(fromsupabase-promote-pr)
- Required checks:
- Require linear history
- Restrict who can push to matching branches (admins only)
- Do not allow force pushes
- Do not allow bypassing the above settings
3. GitHub Secret Scanning
Enable GitHub’s native secret scanning to prevent accidentally committed credentials. Go to: Repository Settings → Security → Advanced Security- Enable Dependabot alerts
- Enable Secret scanning
- Enable Push protection (blocks pushes containing detected secrets)
4. Review Open Dependabot PRs
Several Dependabot PRs are open for GitHub Actions version bumps. Review and merge or close these:
Note: Before merging #180, update all remaining
upload-artifact@v4 references in the codebase to @v7 so the version is consistent. Currently all workflows use @v4.
5. Verify Sentry Auth Token
TheSENTRY_AUTH_TOKEN secret is referenced in build.yml (in the build-and-smoke job) but only runs on push to main or production. Verify the token is still valid:
Go to: Repository Settings → Secrets and variables → Actions
- Confirm
SENTRY_AUTH_TOKENexists and is not expired - If expired: Generate a new token at https://sentry.io/settings/account/api/auth-tokens/
- The Sentry step now only fires on post-merge pushes to
main/production, not on PRs
6. CODEOWNERS Usernames
The.github/CODEOWNERS file created in this audit uses @JeremyBloom as a placeholder for all critical paths. Update this with the correct GitHub username(s) or team slugs (@org/team-name) for each path.
File: .github/CODEOWNERS