ci: pin supabase CLI to 2.98.2 (v2.99.0 broke asset naming)

[WcaleNieWolny]

Why this is failing

Supabase CLI v2.99.0, released today at 09:29Z, changed the release-asset naming back to embedding the version in the filename:

Release	supabase_linux_amd64.tar.gz (unversioned)	supabase_<ver>_linux_amd64.tar.gz (versioned)
v2.99.0 (today)	❌ missing	✅ present
v2.98.2 → v2.91.0	✅ present	✅ present

The supabase/setup-cli@v2.0.0 action hardcodes the unversioned name for any CLI version ≥ 1.28.0 (source):

return `.../v${version}/supabase_${platform}_${arch}.tar.gz`

So with version: latest the action requests:

https://github.com/supabase/cli/releases/latest/download/supabase_linux_amd64.tar.gz

which now redirects to v2.99.0 and 404s because that asset doesn't exist anymore.

This broke capgo-12.139.0 deploy at the Install Supabase CLI step at 09:45Z:
https://github.com/Cap-go/capgo/actions/runs/26025913204/job/76500232864

Same break is hitting every repo on GitHub using supabase/setup-cli@v2.0.0 + version: latest today.

The fix

One-line pin: `version: latest` → `version: 2.98.2` in .github/workflows/build_and_deploy.yml. v2.98.2 is the most recent CLI release that still ships the unversioned asset, so the action's hardcoded URL resolves successfully.

Revert plan

Switch back to `version: latest` once either:

• Supabase restores the unversioned supabase_<platform>_<arch>.tar.gz asset in future releases, or
• supabase/setup-cli ships a v2.0.1+ that understands the versioned-only naming.

Tracking: https://github.com/supabase/setup-cli (no open issue yet — this regression is ~1 hour old).

Test plan

• CI passes on this PR (CodeQL etc.; doesn't exercise the workflow itself)
• After merge: the next bump → tag → build_and_deploy.yml deploy reaches Apply Supabase Migrations step and succeeds
• Unblocks PR feat(db): add ai_analyzed flag to build_requests #2285 (already-merged migration) actually landing on the DB

Summary by CodeRabbit

• Bug Fixes

  • Resolved deployment pipeline compatibility issues by pinning the CLI version to a stable release that works reliably with the current infrastructure, preventing build timeouts and deployment failures.

• Documentation

  • Added detailed notes in the deployment configuration explaining why the version constraint is necessary and outlining the plan to remove it once upstream issues are resolved.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c6bac170-b8eb-49a5-8eba-71c29252fc18

📥 Commits

Reviewing files that changed from the base of the PR and between b45834b and c9e470e.

📒 Files selected for processing (1)

• .github/workflows/build_and_deploy.yml

---

📝 Walkthrough

Walkthrough

The supabase_deploy job in the GitHub Actions workflow pins the Supabase CLI setup action to version 2.98.2 instead of latest, with comments explaining that version 2.99.0 introduces versioned assets that conflict with the action's expectations, causing 404 errors. The pin is temporary, pending an upstream fix to asset naming.

Changes

Supabase CLI Version Pin

Layer / File(s)	Summary
Pin Supabase CLI to 2.98.2 .github/workflows/build_and_deploy.yml	The supabase/setup-cli action is pinned to version: 2.98.2 with documentation that version 2.99.0 breaks the workflow due to versioned assets conflicting with the action's expectations; the pin will revert to latest once the upstream issue is resolved.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Cap-go/capgo#1971: Both PRs modify the same supabase/setup-cli step in the deployment workflow, adjusting version behavior.
• Cap-go/capgo#1973: Both PRs change the supabase/setup-cli action usage in the same workflow file, updating version pinning.

Poem

🐰 The CLI danced too high with version numbers new,
Versioned assets broke the path (a 404 too),
So down to 2.98 we gently did retreat,
With comments as a map to make the fix complete! 🗺️

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description deviates significantly from the required template structure, missing key sections like a concise Summary, formal Test plan checklist, Screenshots, and the standardized Checklist format.	Restructure the description to follow the template: add a brief Summary section, convert test steps into a formal Test plan checklist, and include the standard Checklist items (linting, documentation, testing) even if some don't apply.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and accurately summarizes the main change: pinning the Supabase CLI to version 2.98.2 due to a breaking change in v2.99.0's asset naming.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/pin-supabase-cli

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 43 untouched benchmarks
⏩ 2 skipped benchmarks¹

---

_{Comparing ci/pin-supabase-cli (c9e470e) with main (b45834b)}

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​formkit/​core@​2.0.0
	@​iconify-json/​simple-icons@​1.2.82
	@​codspeed/​vitest-plugin@​5.4.0
	@​intlify/​unplugin-vue-i18n@​11.2.3
	@​iconify/​json@​2.2.474
	@​cloudflare/​workers-types@​4.20260429.1

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud