Skip to main content
Created: 2026-04-28
Purpose: Tracks manual GitHub and Supabase configuration steps that cannot be done through code and must be completed by a repository administrator.

1. Supabase Remote Migration Repair (URGENT)

The Dev Supabase project has 9 remote migrations that are not present in the local repository. The supabase-ci dryrun-push job will continue to fail until this is resolved. Symptoms: supabase db push --dry-run reports:
Resolution options (choose one):

Option A: Mark remote migrations as reverted (if they are genuinely not needed)

Option B: Pull the remote migrations into the repo (if they contain real schema changes)

Option C: Manually trigger supabase-sync-from-dev workflow

Go to Actions → Supabase sync from Dev → Run workflow to capture any real drift as a proper migration PR. Reference: docs/development/supabase/SUPABASE_CLI_LOCAL_WORKFLOW.md

2. Branch Protection Rules

Configure branch protection on dev, main, and production branches to require CI to pass before merge. Go to: Repository Settings → Branches → Add branch protection rule

For dev:

  • Require a pull request before merging
  • Require status checks to pass before merging
    • Required checks: governance, quality, tests, build-and-smoke
  • Require branches to be up to date before merging
  • Do not allow bypassing the above settings

For main:

  • Require a pull request before merging
  • Require status checks to pass before merging
    • Required checks: governance, quality, tests, build-and-smoke
  • Require linear history
  • Do not allow bypassing the above settings

For production:

  • Require a pull request before merging
  • Require status checks to pass before merging
    • Required checks: governance, quality, tests, build-and-smoke, migration-lane (from supabase-promote-pr)
  • Require linear history
  • Restrict who can push to matching branches (admins only)
  • Do not allow force pushes
  • Do not allow bypassing the above settings

3. GitHub Secret Scanning

Enable GitHub’s native secret scanning to prevent accidentally committed credentials. Go to: Repository Settings → Security → Advanced Security
  • Enable Dependabot alerts
  • Enable Secret scanning
  • Enable Push protection (blocks pushes containing detected secrets)
This has zero CI minute cost — it runs on GitHub’s infrastructure.

4. Review Open Dependabot PRs

Several Dependabot PRs are open for GitHub Actions version bumps. Review and merge or close these: Note: Before merging #180, update all remaining upload-artifact@v4 references in the codebase to @v7 so the version is consistent. Currently all workflows use @v4.

5. Verify Sentry Auth Token

The SENTRY_AUTH_TOKEN secret is referenced in build.yml (in the build-and-smoke job) but only runs on push to main or production. Verify the token is still valid: Go to: Repository Settings → Secrets and variables → Actions

6. CODEOWNERS Usernames

The .github/CODEOWNERS file created in this audit uses @JeremyBloom as a placeholder for all critical paths. Update this with the correct GitHub username(s) or team slugs (@org/team-name) for each path. File: .github/CODEOWNERS

7. Required Secrets Reference

The following secrets are required for full CI functionality. Verify all are configured in Repository Settings → Secrets and variables → Actions:

Status Tracking