[pull] master from supabase:master

.github/workflows/authorize-vercel-deploys.yml

@@ -0,0 +1,50 @@
+name: Authorize Vercel Deploys
+
+# This workflow is triggered by the validate-pr workflow. When it's triggered, it will run the
+# authorize-vercel-deploys.yml in master branch. If you want to change it, you'll have to merge it into master.
+on:
+  # only run this workflow when the validate-pr workflow completes (successfully or not)
+  workflow_run:
+    workflows: ['Validate pull request']
+    types: [completed]
+
+# Cancel old builds on new commit for same workflow + branch/PR.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  authorize-vercel-deploys:
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+
+    steps:
+      # Checkout the master branch from the supabase repo and run that script to authorize Vercel deploys
+      - name: Check out repo
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          ref: master
+          # fetch only the root files and scripts folder
+          sparse-checkout: |
+            scripts
+      - uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+        name: Install pnpm
+        with:
+          run_install: false
+      - name: Setup node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: '.nvmrc'
+          cache: 'pnpm'
+      - name: Download dependencies
+        run: |
+          pnpm install --frozen-lockfile
+      - name: Authorize Vercel Deploys
+        run: |-
+          pnpm run authorize-vercel-deploys
+        env:
+          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
+          # The SHA of the commit that triggered the validate-pr workflow
+          HEAD_COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}

.github/workflows/validate-pr.yml

@@ -1,5 +1,6 @@
 name: Validate pull request
 
+# This workflow will trigger the authorize-vercel-deploys workflow when it's finished.
 on:
   pull_request:
     types: [opened, labeled, unlabeled, synchronize, ready_for_review]

apps/docs/public/humans.txt

@@ -171,6 +171,7 @@ Steven Eubank
 Stojan Dimitrovski
 Sugu Sougoumarane
 Supun Sudaraka Kalidasa
+Taha Le Bras
 Taryn King
 Terry Sutton
 Thomas E

apps/docs/spec/common-cli-sections.json

@@ -208,6 +208,12 @@
         "title": "Apply pending migration files",
         "slug": "supabase-migration-up",
         "type": "cli-command"
+      },
+      {
+        "id": "supabase-migration-down",
+        "title": "Reset migrations to a prior version",
+        "slug": "supabase-migration-down",
+        "type": "cli-command"
       }
     ]
   },

apps/studio/components/interfaces/Organization/Documents/SOC2.tsx

@@ -12,6 +12,7 @@ import {
 import NoPermission from 'components/ui/NoPermission'
 import { getDocument } from 'data/documents/document-query'
 import { useSendEventMutation } from 'data/telemetry/send-event-mutation'
+import { useCheckEntitlements } from 'hooks/misc/useCheckEntitlements'
 import { useAsyncCheckPermissions } from 'hooks/misc/useCheckPermissions'
 import { useSelectedOrganizationQuery } from 'hooks/misc/useSelectedOrganization'
 import { Button } from 'ui'
@@ -27,8 +28,8 @@ export const SOC2 = () => {
     PermissionAction.BILLING_READ,
     'stripe.subscriptions'
   )
-
-  const currentPlan = organization?.plan
+  const { hasAccess: hasAccessToSoc2Report, isLoading: isLoadingEntitlement } =
+    useCheckEntitlements('security.soc2_report')
 
   const [isOpen, setIsOpen] = useState(false)
 
@@ -37,11 +38,23 @@ export const SOC2 = () => {
       const soc2Link = await getDocument({ orgSlug, docType: 'soc2-type-2-report' })
       if (soc2Link?.fileUrl) window.open(soc2Link.fileUrl, '_blank')
       setIsOpen(false)
-    } catch (error: any) {
-      toast.error(`Failed to download SOC2 report: ${error.message}`)
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Unknown error occurred'
+      toast.error(`Failed to download SOC2 report: ${message}`)
     }
   }
 
+  const handleDownloadClick = () => {
+    if (!slug) return
+
+    sendEvent({
+      action: 'document_view_button_clicked',
+      properties: { documentName: 'SOC2' },
+      groups: { organization: slug },
+    })
+    setIsOpen(true)
+  }
+
   return (
     <ScaffoldSection>
       <ScaffoldSectionDetail className="sticky space-y-6 top-12">
@@ -53,34 +66,28 @@ export const SOC2 = () => {
         </div>
       </ScaffoldSectionDetail>
       <ScaffoldSectionContent>
-        {isLoadingPermissions ? (
+        {isLoadingPermissions || isLoadingEntitlement ? (
           <div className="flex items-center justify-center h-full">
             <ShimmeringLoader className="w-24" />
           </div>
         ) : !canReadSubscriptions ? (
           <NoPermission resourceText="access our SOC2 Type 2 report" />
+        ) : !hasAccessToSoc2Report ? (
+          <div className="flex items-center justify-center h-full">
+            <Link href={`/org/${slug}/billing?panel=subscriptionPlan&source=soc2`}>
+              <Button type="default">Upgrade to Team</Button>
+            </Link>
+          </div>
         ) : (
           <div className="flex items-center justify-center h-full">
-            {currentPlan?.id === 'free' || currentPlan?.id === 'pro' ? (
-              <Link href={`/org/${slug}/billing?panel=subscriptionPlan&source=soc2`}>
-                <Button type="default">Upgrade to Team</Button>
-              </Link>
-            ) : (
-              <Button
-                type="default"
-                icon={<Download />}
-                onClick={() => {
-                  sendEvent({
-                    action: 'document_view_button_clicked',
-                    properties: { documentName: 'SOC2' },
-                    groups: { organization: organization?.slug ?? 'Unknown' },
-                  })
-                  setIsOpen(true)
-                }}
-              >
-                Download SOC2 Type 2 Report
-              </Button>
-            )}
+            <Button
+              type="default"
+              icon={<Download />}
+              onClick={handleDownloadClick}
+              disabled={!slug}
+            >
+              Download SOC2 Type 2 Report
+            </Button>
           </div>
         )}
         <ConfirmationModal

apps/studio/components/interfaces/Organization/Documents/SecurityQuestionnaire.tsx

@@ -11,6 +11,7 @@ import {
 import NoPermission from 'components/ui/NoPermission'
 import { getDocument } from 'data/documents/document-query'
 import { useSendEventMutation } from 'data/telemetry/send-event-mutation'
+import { useCheckEntitlements } from 'hooks/misc/useCheckEntitlements'
 import { useAsyncCheckPermissions } from 'hooks/misc/useCheckPermissions'
 import { useSelectedOrganizationQuery } from 'hooks/misc/useSelectedOrganization'
 import { Button } from 'ui'
@@ -25,8 +26,8 @@ export const SecurityQuestionnaire = () => {
     PermissionAction.BILLING_READ,
     'stripe.subscriptions'
   )
-
-  const currentPlan = organization?.plan
+  const { hasAccess: hasAccessToQuestionnaire, isLoading: isLoadingEntitlement } =
+    useCheckEntitlements('security.questionnaire')
 
   const fetchQuestionnaire = async (orgSlug: string) => {
     try {
@@ -35,11 +36,23 @@ export const SecurityQuestionnaire = () => {
         docType: 'standard-security-questionnaire',
       })
       if (questionnaireLink?.fileUrl) window.open(questionnaireLink.fileUrl, '_blank')
-    } catch (error: any) {
-      toast.error(`Failed to download Security Questionnaire: ${error.message}`)
+    } catch (error: unknown) {
+      const message = error instanceof Error ? error.message : 'Unknown error occurred'
+      toast.error(`Failed to download Security Questionnaire: ${message}`)
     }
   }
 
+  const handleDownloadClick = () => {
+    if (!slug) return
+
+    sendEvent({
+      action: 'document_view_button_clicked',
+      properties: { documentName: 'Standard Security Questionnaire' },
+      groups: { organization: slug },
+    })
+    fetchQuestionnaire(slug)
+  }
+
   return (
     <>
       <ScaffoldSection>
@@ -53,39 +66,31 @@ export const SecurityQuestionnaire = () => {
           </div>
         </ScaffoldSectionDetail>
         <ScaffoldSectionContent>
-          {isLoadingPermissions ? (
+          {isLoadingPermissions || isLoadingEntitlement ? (
             <div className="flex items-center justify-center h-full">
               <ShimmeringLoader className="w-24" />
             </div>
           ) : !canReadSubscriptions ? (
             <NoPermission resourceText="access our security questionnaire" />
+          ) : !hasAccessToQuestionnaire ? (
+            <div className="flex items-center justify-center h-full">
+              <Link
+                href={`/org/${slug}/billing?panel=subscriptionPlan&source=securityQuestionnaire`}
+              >
+                <Button type="default">Upgrade to Team</Button>
+              </Link>
+            </div>
           ) : (
-            <>
-              <div className="flex items-center justify-center h-full">
-                {currentPlan?.id === 'free' || currentPlan?.id === 'pro' ? (
-                  <Link
-                    href={`/org/${slug}/billing?panel=subscriptionPlan&source=securityQuestionnaire`}
-                  >
-                    <Button type="default">Upgrade to Team</Button>
-                  </Link>
-                ) : (
-                  <Button
-                    type="default"
-                    icon={<Download />}
-                    onClick={() => {
-                      sendEvent({
-                        action: 'document_view_button_clicked',
-                        properties: { documentName: 'Standard Security Questionnaire' },
-                        groups: { organization: organization?.slug ?? 'Unknown' },
-                      })
-                      if (slug) fetchQuestionnaire(slug)
-                    }}
-                  >
-                    Download Questionnaire
-                  </Button>
-                )}
-              </div>
-            </>
+            <div className="flex items-center justify-center h-full">
+              <Button
+                type="default"
+                icon={<Download />}
+                onClick={handleDownloadClick}
+                disabled={!slug}
+              >
+                Download Questionnaire
+              </Button>
+            </div>
           )}
         </ScaffoldSectionContent>
       </ScaffoldSection>

apps/studio/components/interfaces/Settings/Integrations/AWSPrivateLink/AWSPrivateLinkSection.tsx

@@ -11,7 +11,7 @@ import { ResourceList } from 'components/ui/Resource/ResourceList'
 import { UpgradeToPro } from 'components/ui/UpgradeToPro'
 import { useAWSAccountDeleteMutation } from 'data/aws-accounts/aws-account-delete-mutation'
 import { useAWSAccountsQuery } from 'data/aws-accounts/aws-accounts-query'
-import { useSelectedOrganizationQuery } from 'hooks/misc/useSelectedOrganization'
+import { useCheckEntitlements } from 'hooks/misc/useCheckEntitlements'
 import { useSelectedProjectQuery } from 'hooks/misc/useSelectedProject'
 import { IS_PLATFORM } from 'lib/constants'
 import { Button, Card, CardContent, cn } from 'ui'
@@ -22,7 +22,6 @@ import { AWSPrivateLinkForm } from './AWSPrivateLinkForm'
 
 export const AWSPrivateLinkSection = () => {
   const { data: project } = useSelectedProjectQuery()
-  const { data: organization } = useSelectedOrganizationQuery()
   const { data: accounts } = useAWSAccountsQuery({ projectRef: project?.ref })
 
   const [selectedAccount, setSelectedAccount] = useState<any>(null)
@@ -37,9 +36,8 @@ export const AWSPrivateLinkSection = () => {
     },
   })
 
-  const isTeamsOrEnterpriseAndUp =
-    organization?.plan?.id === 'enterprise' || organization?.plan?.id === 'team'
-  const promptPlanUpgrade = IS_PLATFORM && !isTeamsOrEnterpriseAndUp
+  const { hasAccess: hasPrivateLinkAccess } = useCheckEntitlements('security.private_link')
+  const promptPlanUpgrade = IS_PLATFORM && !hasPrivateLinkAccess
 
   const onAddAccount = () => {
     setSelectedAccount(null)