Supabase Deployment
Production Supabase (migrations + api Edge Function) deploys automatically when changes merge to main. Dev uses a separate Supabase org/project and is not touched by CI.
Pipeline config: bitbucket-pipelines.yml.
One-time setup
1. Bitbucket repository variables
In Bitbucket → Repository settings → Repository variables, add these as Secured:
| Variable | Value |
|---|---|
SUPABASE_ACCESS_TOKEN | Supabase access token for the production org |
SUPABASE_PROJECT_REF | Production project reference ID (Settings → General) |
SUPABASE_DB_PASSWORD | Production database password (Settings → Database) |
Use production-org credentials only. Do not add dev-org tokens or dev project refs.
2. Edge Function secrets (production)
Set secrets once on the production project via Dashboard → Edge Functions → Secrets or locally:
# Copy and fill supabase/functions/.env from supabase/functions/.env.examplepnpm exec supabase secrets set --env-file supabase/functions/.env --project-ref <prod-ref>See spec/DEV.md for JWT_SECRET and optional keys.
3. Cron Vault bootstrap (if webhooks / billing cron enabled)
db push schedules pg_cron jobs automatically (migration 20260629120000_cron_jobs_via_vault.sql). Run once per production project to populate Vault and Edge CRON_SECRET:
PROJECT_REF=<prod-ref> CRON_SECRET="$(openssl rand -hex 32)" \ ./scripts/setup-cron-vault.sh --linkedWhat runs on each merge to main
- CI —
pnpm lint,pnpm build,pnpm test - Deploy —
supabase link→db push→functions deploy api --use-api
Secrets are not redeployed on each pipeline run.
Verify after first deploy
curl https://<SUPABASE_PROJECT_REF>.supabase.co/functions/v1/api/health# expect: {"status":"ok"}Check migrations in Supabase Dashboard → Database → Migrations, or locally:
pnpm exec supabase migration list --linkedDeveloper workflow
| Activity | Where |
|---|---|
| Local dev | Dev Supabase org, supabase link to dev project |
| Schema change | Add migration, pnpm db:types, update @tesark/contracts |
| Ship to prod | Merge PR → main → Bitbucket deploys |