
Ci/rc release etc #2188

Draft: mandarini wants to merge 2 commits into master from ci/rc-release-etc

Conversation

@mandarini (Contributor)

@mandarini mandarini commented Mar 24, 2026

Description

What changed?

  • Added a new RC release workflow (release-rc job in publish.yml + scripts/release-rc.ts) that allows maintainers to publish versioned RC packages (rc dist-tag) from feature branches before merging to master
  • Fixed canary versioning so that the bump type is derived from conventional commits: a feat: commit now produces a minor canary (e.g. 2.101.0-canary.0) instead of always bumping patch regardless of commit type
  • Extracted shared getLastStableTag() and getArg() helpers into scripts/utils.ts (previously duplicated in release-stable.ts)
  • Added Nx agent skills (.agents/skills/) for monitor-ci, nx-workspace, nx-generate, nx-import, nx-plugins, nx-run-tasks, and link-workspace-packages
  • Added AGENTS.md with Nx workspace guidelines for AI agents
  • Updated .gitignore to exclude .nx/polygraph, .claude/worktrees, and .claude/settings.local.json
  • Updated docs/RELEASE.md to document the RC workflow, canary versioning fix, and updated usage instructions

Why was this change needed?

The previous release workflow only had canary and stable releases with no intermediate step for validating features on feature branches before merging to master. This made it difficult to dogfood or share pre-release builds of unreleased features without polluting the canary stream.

The canary versioning fix ensures that feat: commits correctly produce minor canary bumps rather than patch bumps, which was misleading about the nature of the change.

Breaking changes

  • This PR contains no breaking changes

Checklist

  • I have read the Contributing Guidelines
  • My PR title follows the conventional commit format: <type>(<scope>): <description>
  • I have run npx nx format to ensure consistent code formatting
  • I have added tests for new functionality (if applicable)
  • I have updated documentation (if applicable)

Additional notes

The RC workflow is gated to members of @supabase/admin or @supabase/sdk teams, matching the same authorization used for stable releases. RC changelogs are anchored to the last stable tag so that RC tags never affect the commit range used by future stable or canary releases.
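The two version-selection rules the description relies on (the bump type comes from conventional commits, and RC/canary tags never anchor the commit range) are easy to get subtly wrong. The following is an added example, not code from this PR or from scripts/utils.ts; the function names getLastStableTag, deriveBump and nextPrereleaseVersion, and the tag list and commit subjects it runs on, are constructed for illustration. It goes slightly beyond the description by also handling the breaking-change markers (`!` in the header, or a BREAKING CHANGE footer) that conventional commits define for a major bump.

```typescript
// Added example (not the project's own release-rc.ts / utils.ts): derive the next
// canary or RC version from the last stable tag and conventional-commit subjects.

type Bump = 'major' | 'minor' | 'patch';
type Channel = 'canary' | 'rc';

// Only tags of the exact form vMAJOR.MINOR.PATCH count as stable. Anything with a
// prerelease suffix (v2.101.0-rc.0, v2.100.1-canary.3) is ignored, so publishing an
// RC from a feature branch cannot move the anchor used by later releases.
const STABLE_TAG = /^v(\d+)\.(\d+)\.(\d+)$/;

function compareVersions(a: number[], b: number[]): number {
  return a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
}

// Assumed helper name: returns the highest stable tag, not the most recent one,
// because git tag order is not semver order.
function getLastStableTag(tags: string[]): string | undefined {
  let best: { tag: string; v: number[] } | undefined;
  for (const tag of tags) {
    const m = STABLE_TAG.exec(tag);
    if (!m) continue;
    const v = [Number(m[1]), Number(m[2]), Number(m[3])];
    if (!best || compareVersions(v, best.v) > 0) best = { tag, v };
  }
  return best?.tag;
}

// Conventional-commit header: type(optional scope)!: description
const HEADER = /^(\w+)(\([^)]*\))?(!)?:\s/;

// Assumed helper name: the strongest bump implied by the commits since the anchor.
// A "!" after the type or a BREAKING CHANGE footer wins outright; otherwise any
// feat: commit makes the release minor; everything else (fix, chore, non-conventional
// subjects) stays patch.
function deriveBump(subjects: string[], bodies: string[] = []): Bump {
  let bump: Bump = 'patch';
  for (let i = 0; i < subjects.length; i++) {
    const m = HEADER.exec(subjects[i]);
    const breaking = m?.[3] === '!' || /^BREAKING CHANGE:/m.test(bodies[i] ?? '');
    if (breaking) return 'major';
    if (m?.[1] === 'feat') bump = 'minor';
  }
  return bump;
}

// Assumed helper name: apply the bump to the stable anchor and append the
// prerelease identifier, e.g. v2.100.1 + minor + canary -> 2.101.0-canary.0.
function nextPrereleaseVersion(lastStable: string, bump: Bump, channel: Channel, iteration = 0): string {
  const m = STABLE_TAG.exec(lastStable);
  if (!m) throw new Error(`not a stable tag: ${lastStable}`);
  let [major, minor, patch] = [Number(m[1]), Number(m[2]), Number(m[3])];
  if (bump === 'major') { major++; minor = 0; patch = 0; }
  else if (bump === 'minor') { minor++; patch = 0; }
  else patch++;
  return `${major}.${minor}.${patch}-${channel}.${iteration}`;
}

// Constructed sample input: a mixed tag list and the commits on a feature branch.
const SAMPLE_TAGS = ['v2.100.0', 'v2.100.1-canary.3', 'v2.101.0-rc.0', 'v2.100.1'];
const SAMPLE_SUBJECTS = ['fix(auth): refresh token race', 'feat(realtime): presence filters'];

function sampleCanaryVersion(): string {
  const anchor = getLastStableTag(SAMPLE_TAGS) ?? 'v0.0.0';
  return nextPrereleaseVersion(anchor, deriveBump(SAMPLE_SUBJECTS), 'canary');
}
```

With the constructed tags above the anchor is v2.100.1 (the rc.0 tag is skipped even though it is numerically higher), and the feat: commit turns the canary into 2.101.0-canary.0 rather than 2.100.2-canary.0, which is the misleading result the description says the old patch-only logic produced.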

Comment on lines +287 to +296
    name: Notify Slack for RC failure
    needs: release-rc
    if: ${{ always() && github.event_name == 'workflow_dispatch' && needs.release-rc.result == 'failure' }}
    uses: ./.github/workflows/slack-notify.yml
    secrets: inherit
    with:
      title: 'RC Release'
      status: 'failure'

  notify-rc-success:

Check warning

Code scanning / CodeQL

Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 5 days ago

In general, the fix is to add an explicit permissions block to each job that currently relies on default token permissions and grant only the minimal scopes required. For jobs that simply invoke a reusable workflow for Slack notifications, they usually need no repository access, so permissions: {} (no permissions) or, if needed for logging or metadata, permissions: contents: read is typically sufficient.

For this workflow, two jobs lack explicit permissions: notify-rc-failure (line 286 onward) and notify-rc-success (line 296 onward). Both only invoke uses: ./.github/workflows/slack-notify.yml, inherit secrets, and pass some string inputs; nothing here suggests they require any GitHub API write permissions. The least-privilege and clearest fix is to explicitly disable GITHUB_TOKEN permissions for these jobs with permissions: {}. This ensures they do not accidentally gain broader repository access if defaults are read-write or change in the future, without altering their functional behavior.

Concretely:

  • In .github/workflows/publish.yml, under notify-rc-failure, insert a permissions: {} key alongside name, needs, if, uses, etc.
  • Similarly, under notify-rc-success, insert permissions: {}.

No imports or additional methods are needed; this is purely a YAML configuration change.
Suggested changeset 1
.github/workflows/publish.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -287,6 +287,7 @@
     name: Notify Slack for RC failure
     needs: release-rc
     if: ${{ always() && github.event_name == 'workflow_dispatch' && needs.release-rc.result == 'failure' }}
+    permissions: {}
     uses: ./.github/workflows/slack-notify.yml
     secrets: inherit
     with:
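Review bot: `permissions: {}` on this job also caps the GITHUB_TOKEN inside the called slack-notify.yml, because a reusable workflow can only narrow the permissions its caller passes, never widen them; before merging, confirm that slack-notify.yml declares no `permissions:` block of its own that this job would now fail to satisfy (the alert's fallback of `contents: read` covers the case where it only needs run metadata). Note also that `secrets: inherit` on the line below is unaffected: it still forwards every repository and organization secret to the called workflow, so this patch tightens the token, not the secret surface.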
@@ -297,6 +298,7 @@
     name: Notify Slack for RC success
     needs: release-rc
     if: ${{ github.event_name == 'workflow_dispatch' && needs.release-rc.result == 'success' }}
+    permissions: {}
     uses: ./.github/workflows/slack-notify.yml
     secrets: inherit
     with:
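Review bot: same fix as the failure job, but with both notify jobs now carrying their own block, a workflow-level `permissions: {}` at the top of publish.yml with explicit grants only on the jobs that publish would be the more durable shape: CodeQL stops flagging each newly added job, and a future job cannot silently fall back to the repository default. Separately, this job's `if:` omits the `always()` that the failure job uses, which is correct (it must not run when release-rc is cancelled or skipped) but makes the pair asymmetric, so a one-line comment saying that is intentional would save the next reader a question.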
EOF
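The alert above is only reported for jobs that have neither a job-level nor a workflow-level permissions block, which is why a top-level `permissions: {}` would clear both findings at once. The following is an added example, not CodeQL's query or anything from this repository: a line-based check that reproduces that rule on a constructed publish.yml fragment modelled on the two jobs in the alert. The function names auditWorkflowPermissions and jobsWithoutPermissions are assumptions, and the check relies on the two-space indentation GitHub workflow files conventionally use rather than parsing YAML properly.

```typescript
// Added example (not CodeQL's or the repository's tooling): find jobs whose
// GITHUB_TOKEN would fall back to the repository default because neither the job
// nor the workflow declares `permissions:`.

interface JobPermissions {
  job: string;
  hasPermissions: boolean;
}

function indentOf(line: string): number {
  return line.length - line.trimStart().length;
}

// Walks the file once. Top-level keys live at indent 0, job names at indent 2 under
// `jobs:`, and job properties at indent 4 (the workflow's own layout). Assumption:
// the file uses two-space indentation; a production linter should parse the YAML.
function auditWorkflowPermissions(yaml: string): { workflowLevel: boolean; jobs: JobPermissions[] } {
  const lines = yaml.split('\n').filter(l => l.trim() !== '' && !l.trim().startsWith('#'));
  let workflowLevel = false;
  let inJobs = false;
  const jobs: JobPermissions[] = [];
  for (const line of lines) {
    const indent = indentOf(line);
    const key = line.trim().split(':')[0];
    if (indent === 0) {
      inJobs = key === 'jobs';
      if (key === 'permissions') workflowLevel = true;
      continue;
    }
    if (!inJobs) continue;
    if (indent === 2) {
      jobs.push({ job: key, hasPermissions: false });
    } else if (indent === 4 && key === 'permissions' && jobs.length > 0) {
      jobs[jobs.length - 1].hasPermissions = true;
    }
  }
  return { workflowLevel, jobs };
}

// The jobs CodeQL would flag: a workflow-level block silences the rule for all jobs,
// otherwise every job without its own block is reported.
function jobsWithoutPermissions(yaml: string): string[] {
  const audit = auditWorkflowPermissions(yaml);
  if (audit.workflowLevel) return [];
  return audit.jobs.filter(j => !j.hasPermissions).map(j => j.job);
}

// Constructed fragment modelled on the jobs quoted in the alert (not the real file).
const BEFORE = `
name: Publish
on:
  workflow_dispatch:
jobs:
  release-rc:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - run: echo release
  notify-rc-failure:
    name: Notify Slack for RC failure
    needs: release-rc
    if: \${{ always() && needs.release-rc.result == 'failure' }}
    uses: ./.github/workflows/slack-notify.yml
    secrets: inherit
  notify-rc-success:
    name: Notify Slack for RC success
    needs: release-rc
    uses: ./.github/workflows/slack-notify.yml
    secrets: inherit
`;

// The same fragment with the autofix applied: `permissions: {}` above each `uses:`.
const AFTER = BEFORE.replace(
  /(    uses: \.\/\.github\/workflows\/slack-notify\.yml)/g,
  '    permissions: {}\n$1',
);

// The alternative shape: one workflow-level default, jobs opt in to what they need.
const WORKFLOW_LEVEL = 'permissions: {}\n' + BEFORE;
```

Running jobsWithoutPermissions on BEFORE names exactly notify-rc-failure and notify-rc-success, on AFTER it returns nothing, and on WORKFLOW_LEVEL it also returns nothing even though the two notify jobs are unchanged, which is the property that makes a top-level `permissions: {}` the lower-maintenance fix.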
@pkg-pr-new
pkg-pr-new bot commented Mar 24, 2026


@supabase/auth-js

npm i https://pkg.pr.new/@supabase/auth-js@2188

@supabase/functions-js

npm i https://pkg.pr.new/@supabase/functions-js@2188

@supabase/postgrest-js

npm i https://pkg.pr.new/@supabase/postgrest-js@2188

@supabase/realtime-js

npm i https://pkg.pr.new/@supabase/realtime-js@2188

@supabase/storage-js

npm i https://pkg.pr.new/@supabase/storage-js@2188

@supabase/supabase-js

npm i https://pkg.pr.new/@supabase/supabase-js@2188

commit: 47b2f8e

@mandarini mandarini self-assigned this Mar 24, 2026