• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

supabase / cli / 29030845286
65%
develop: 65%

Build:
Build:
LAST BUILD BRANCH: gh-readonly-queue/develop/pr-5864-6201e4fac7bbcfc0ef29c80720457e7d7eb8b09c
DEFAULT BRANCH: develop
Ran 09 Jul 2026 03:48PM UTC
Jobs 1
Files 229
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

09 Jul 2026 03:46PM UTC coverage: 65.08%. Remained the same
29030845286

push

github

web-flow
fix(config-push): decrypt dotenvx encrypted: secrets instead of skipping (#5842)

## What kind of change does this PR introduce?

Bug fix (Go-parity gap).

## What is the current behavior?

`config push`'s secret-hashing logic
(`config-sync/config-sync.secret.ts`) treats dotenvx `encrypted:` secret
values (e.g. `[auth.captcha] secret = "encrypted:..."`) as unresolved:
it hashes them to `""`, which silently gates them out of both the diff
and the update-request body. The remote secret is left untouched with no
error and no feedback — the user has no idea their encrypted secret was
never pushed.

Go decrypts every `config.Secret` field during `config.Load` (before any
network call) and pushes the plaintext, or aborts the whole command with
`failed to parse config: <cause>` if it can't decrypt.

Fixes
[CLI-1881](https://linear.app/supabase/issue/CLI-1881/config-push-decrypt-dotenvx-encrypted-secrets-instead-of-skipping).

## What is the new behavior?

- `config-sync.secret.ts` (`secretHash`/`secretPlaintext`) now decrypts
an `encrypted:` value with the existing `legacy-vault-decrypt.ts`
decryptor (already used by `db push`/`db reset`/`migration up|down`)
before hashing it for the diff or sending it as plaintext in the auth
update body — the ciphertext itself is never pushed.
- `push.handler.ts` now runs a document-wide "assert every
`config.Secret` is decryptable" pre-check immediately after loading
`config.toml`, before the cost-matrix call or any other network request
— mirroring Go's `config.Load` timing, where the decrypt hook runs over
the *whole* document (not just `auth.*`) regardless of which fields the
current command actually reads. An undecryptable secret anywhere (even
one `config push` never itself pushes, e.g. `studio.openai_api_key`)
aborts with Go's exact `failed to parse config: <cause>` message and
zero network calls.
- Reused/exported `legacyAssertDecryptableSecrets` from
`legacy-db-config.toml-read.ts` (previously private, used only b... (continued)

11145 of 17125 relevant lines covered (65.08%)

10.49 hits per line

Jobs
ID Job ID Ran Files Coverage
1 29030845286.1 09 Jul 2026 03:48PM UTC 229
65.08
GitHub Action Run
Source Files on build 29030845286
  • Tree
  • List 229
  • Changed 0
  • Source Changed 0
  • Coverage Changed 0
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #29030845286
  • 351d0252 on github
  • Prev Build on gh-readonly-queue/develop/pr-5843-1bd4085cfc04129c32c139d5ba112aac6f0a87dd (#29024102918)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc