Skip to content

fix(ci): skip Link job on fork PRs#4915

Merged
avallete merged 2 commits intosupabase:developfrom
lightstrikelabs:lightstrikelabs/fix/skip-link-ci-on-forks
Mar 10, 2026
Merged

fix(ci): skip Link job on fork PRs#4915
avallete merged 2 commits intosupabase:developfrom
lightstrikelabs:lightstrikelabs/fix/skip-link-ci-on-forks

Conversation

@lightstrike
Copy link
Contributor

@lightstrike lightstrike commented Mar 1, 2026

Summary

Skip the Link CI job on pull requests from forked repositories, where it always fails due to unavailable secrets.

Problem

The Link job requires SUPABASE_ACCESS_TOKEN and SUPABASE_PROJECT_ID repository secrets to run ./main link against a real Supabase project. GitHub Actions does not expose repository secrets to workflows triggered by fork PRs (this is a deliberate security measure).

As a result, every fork PR shows a persistent red Link failure in its CI checks. This is misleading for both contributors and reviewers — it creates the impression that something is broken when the PR's code is actually fine.

Fix

Add a single if condition to the Link job:

if: ${{ !github.event.pull_request.head.repo.fork }}

Behavior after this change:

Trigger Link job
Push to develop Runs normally (github.event.pull_request is null, so head.repo.fork is falsy)
PR from a branch within supabase/cli Runs normally (not a fork)
PR from a fork Skipped (shows as grey "skipped" instead of red "failed")

This is the standard GitHub Actions pattern for guarding jobs that depend on repository secrets.

@lightstrike
fix(ci): skip Link job on fork PRs
0dbe5e5 
The Link job requires SUPABASE_ACCESS_TOKEN and SUPABASE_PROJECT_ID secrets which are unavailable to fork PRs. Without this guard, the job always fails on external contributions, creating a misleading red CI status that distracts both contributors and reviewers. The if condition checks github.event.pull_request.head.repo.fork and skips the job entirely for fork PRs, showing it as 'skipped' instead of 'failed'. On pushes to develop and PRs from branches within the main repo, the job continues to run normally.
@lightstrike lightstrike requested a review from a team as a code owner March 1, 2026 16:37
@coderabbitai
Copy link

coderabbitai bot commented Mar 1, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 5726ec3 and 0dbe5e5.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated CI/CD configuration to optimize workflow execution.

Walkthrough

The pull request adds a conditional guard to the Link job in the GitHub Actions CI workflow. The condition if: ${{ !github.event.pull_request.head.repo.fork }} prevents the Link job from executing when the pull request originates from a forked repository. This means the Link job will only run for pull requests from the main repository, while being skipped for all forked pull request submissions.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@lightstrike
Copy link
Contributor Author

lightstrike commented Mar 2, 2026

Context for reviewers: longer-term consideration

This PR is a targeted fix — skip the Link job on fork PRs where secrets are unavailable. It's worth noting the broader architectural questions here though.

The Link job was introduced in #4505 (Nov 2025) as a side-item alongside the fsevents mock work. It runs the full link command against a real remote Supabase project, validating authentication, the Management API surface (6 endpoints), tenant service discovery (3 endpoints), and local config file writes.

The reliance on repo secrets (SUPABASE_ACCESS_TOKEN / SUPABASE_PROJECT_ID) means fork PRs will never get coverage from this job. For a project that accepts external contributions, there are a few paths that could eliminate the gap:

  1. Test against the local stack. The Start job already spins up a full Supabase instance via ./main start. The link command could be tested against localhost instead of a remote project, removing the need for secrets entirely.

  2. Dedicated throwaway CI project. A free-tier project with no real data, where the project ref and a scoped access token are treated as non-sensitive and stored as regular env vars (not secrets). The blast radius of exposure is effectively zero.

  3. Expanded unit/integration test coverage. internal/link/link_test.go already mocks API responses extensively. If the mocked tests cover the same surface the CI job validates, the real-project smoke test may be redundant — or at least not critical enough to gate PRs on.

None of this blocks merging the if: !fork fix here, though I believe it would be worth tracking as a follow-up so the Link job provides value to all contributors.

@avallete
Copy link
Member

avallete commented Mar 10, 2026

Thank's for your contribution !

@avallete avallete enabled auto-merge (squash) March 10, 2026 14:01
@avallete avallete merged commit 0335b24 into supabase:develop Mar 10, 2026
11 checks passed
@coveralls
Copy link

coveralls commented Mar 10, 2026

Pull Request Test Coverage Report for Build 22906289681

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 7 unchanged lines in 2 files lost coverage.
  • Overall coverage decreased (-0.02%) to 61.713%
Files with Coverage Reduction New Missed Lines %
internal/storage/rm/rm.go 2 80.61%
internal/utils/git.go 5 57.14%
Totals Coverage Status
Change from base Build 22906236960: -0.02%
Covered Lines: 7719
Relevant Lines: 12508
💛 - Coveralls

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@avallete avallete avallete approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lightstrike @avallete @coveralls