feat(cli): add --skip-vault flag to db push #5780

Open
mittal-parth wants to merge 1 commit into supabase:develop from mittal-parth:feat/db-push-skip-vault

@mittal-parth

Contributor

What is the current behavior?

Previously, supabase db push always upserted [db.vault] secrets from config.toml into the target database before applying pending migrations. There was no way to push schema changes without also overwriting remote vault values with local/dev secrets.

What is the new behavior?

db push now accepts a new flag called --skip-vault.

  • Without the flag, behavior is unchanged: resolved vault secrets are still upserted before migrations run.
  • With --skip-vault, vault updates are skipped and migrations still apply.

Usage:

supabase db push --skip-vault

Ref

Closes #3815

Previously, `supabase db push` always upserted `[db.vault]` secrets from
config.toml into the target database before applying pending migrations.
There was no way to push schema changes without also overwriting remote
vault values with local/dev secrets.

`db push` now accepts `--skip-vault`. Without the flag, behavior is
unchanged: resolved vault secrets are still upserted before migrations run.
With `--skip-vault`, vault updates are skipped and migrations still apply.
@mittal-parth mittal-parth requested a review from a team as a code owner July 3, 2026 19:07

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c683c8439d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +101 to +105
if !skipVault {
if err := vault.UpsertVaultSecrets(ctx, utils.Config.Db.Vault, conn); err != nil {
return err
}
} else if len(vault.ResolvedSecretNames(utils.Config.Db.Vault)) > 0 {
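Review bot: the `else if` condition calls `vault.ResolvedSecretNames(utils.Config.Db.Vault)` only when `skipVault` is set, and the body of that branch is cut off here, so it is worth confirming that whatever it reports uses the secret names only and never the resolved values. The `if !skipVault` arm still upserts by default, so a test that runs with the flag set and asserts that `vault.UpsertVaultSecrets` is never reached would pin the new behaviour.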

[P2] Let --skip-vault bypass vault decryption

When a project has encrypted [db.vault] values and the DOTENV_PRIVATE_KEY is not available, supabase db push --skip-vault still fails before reaching this branch: the root pre-run calls ParseDatabaseConfig and LoadConfig before Run, and config loading decrypts every config.Secret, returning the missing-key error before vault upserts can be skipped. This leaves the new flag unable to support the case where the user wants to apply migrations without having or using the local vault secret material.

Useful? React with 👍 / 👎.

Contributor Author

I believe this should be OK; otherwise we'll have to plumb this flag into the config loading path, outside the scope of just db push.

Open to discussion / thoughts.
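
The ordering question raised in the review comment above, as an added example that is not part of this pull request or the Supabase CLI code base: a skip flag checked after secrets are resolved cannot help when the key is missing, while one checked first can. `Secret`, `resolve`, `PushEager`, `PushLazy` and the `encrypted:` prefix are hypothetical stand-ins, and the vault entry is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical model, not the Supabase CLI's types: a vault entry is either
// plaintext or "encrypted:<ciphertext>", which needs a private key to resolve.
type Secret struct{ Raw string }
var ErrMissingKey = errors.New("private key not available")

func resolve(s Secret, key string) (string, error) {
	if strings.HasPrefix(s.Raw, "encrypted:") && key == "" {
		return "", ErrMissingKey
	}
	return strings.TrimPrefix(s.Raw, "encrypted:"), nil // stand-in for decryption
}

// PushEager resolves every secret while "loading config", then checks the flag.
func PushEager(vault map[string]Secret, key string, skipVault bool) (int, error) {
	n := 0
	for name, s := range vault {
		if _, err := resolve(s, key); err != nil {
			return 0, fmt.Errorf("load config: secret %q: %w", name, err)
		}
		n++
	}
	if skipVault {
		return 0, nil // reached only if every secret could be resolved
	}
	return n, nil // number of secrets that would be upserted
}

// PushLazy checks the flag first, so skipping never touches key material.
func PushLazy(vault map[string]Secret, key string, skipVault bool) (int, error) {
	if skipVault {
		return 0, nil
	}
	return PushEager(vault, key, false)
}

func main() {
	vault := map[string]Secret{"api_key": {Raw: "encrypted:constructed-sample"}}
	_, eagerErr := PushEager(vault, "", true)
	_, lazyErr := PushLazy(vault, "", true)
	fmt.Println("eager:", eagerErr, "| lazy:", lazyErr)
}
```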

Development

Successfully merging this pull request may close these issues.

vault: do not push local secrets to remote db
