fix: handle restricted refresh

marcus-pousette · marcus-pousette · commit 4e975976fc94 · 2025-12-25T10:50:21.000+01:00
diff --git a/.github/workflows/clone-and-push.yml b/.github/workflows/clone-and-push.yml
@@ -77,6 +77,7 @@ jobs:
           SUPABASE_JWT_SECRET: ${{ secrets.SUPABASE_JWT_SECRET || secrets.POWERSYNC_SUPABASE_JWT_SECRET }}
           POWERGIT_EMAIL: ${{ secrets.POWERGIT_EMAIL }}
           POWERGIT_PASSWORD: ${{ secrets.POWERGIT_PASSWORD }}
+          POWERSYNC_ORG: ${{ github.event.inputs.org }}
           POWERSYNC_DAEMON_PORT: 5030
           POWERSYNC_SUPABASE_ONLY: "true"
         run: |
@@ -85,6 +86,15 @@ jobs:
           if [ -z "$SUPABASE_ANON_KEY" ]; then echo "Missing SUPABASE_ANON_KEY secret" && exit 1; fi
           if [ -z "$POWERGIT_EMAIL" ]; then echo "Missing POWERGIT_EMAIL secret" && exit 1; fi
           if [ -z "$POWERGIT_PASSWORD" ]; then echo "Missing POWERGIT_PASSWORD secret" && exit 1; fi
+          case "${POWERSYNC_ORG:-}" in
+            gh-*|github-*)
+              if [ -z "$SUPABASE_SERVICE_ROLE_KEY" ]; then
+                echo "Missing SUPABASE_SERVICE_ROLE_KEY secret (required to push to ${POWERSYNC_ORG})."
+                echo "Add SUPABASE_SERVICE_ROLE_KEY (or POWERSYNC_SUPABASE_SERVICE_ROLE_KEY) to GitHub repository secrets and re-run."
+                exit 1
+              fi
+              ;;
+          esac
           nohup pnpm --filter @powersync-community/powergit-daemon start -- --port ${POWERSYNC_DAEMON_PORT:-5030} > daemon.log 2>&1 &
           echo $! > daemon.pid
           for i in $(seq 1 30); do
@@ -110,6 +120,7 @@ jobs:
             fi
             sleep 1
           done
+          echo "Daemon supabase writer mode: $(echo "$STATUS_JSON" | jq -r '.context.supabaseWriterMode // ""')"
 
       - name: Record import job running
         if: ${{ github.event.inputs.job_id != '' }}
diff --git a/packages/daemon/src/__tests__/daemon-stream.e2e.test.ts b/packages/daemon/src/__tests__/daemon-stream.e2e.test.ts
@@ -123,6 +123,20 @@ async function authenticateDaemonViaSupabasePassword({
     return devicePayload;
   }
   const challengeId = extractChallengeId(devicePayload);
+  if (!challengeId && devicePayload?.status === 'pending') {
+    const token = typeof devicePayload.token === 'string' && devicePayload.token.trim() ? devicePayload.token.trim() : null;
+    if (token) {
+      return waitFor(async () => {
+        const status = await fetch(`${baseUrl}/auth/status`)
+          .then(async (res) => (res.ok ? ((await res.json().catch(() => null)) as DaemonAuthResponse | null) : null))
+          .catch(() => null);
+        if (status?.status === 'ready' && typeof status.token === 'string' && status.token.trim()) {
+          return status;
+        }
+        return null;
+      }, WAIT_TIMEOUT_MS);
+    }
+  }
   if (!challengeId) {
     const reason = devicePayload && 'reason' in devicePayload ? String((devicePayload as any).reason ?? '') : '';
     throw new Error(`Daemon did not return a device challenge. ${reason}`.trim());
diff --git a/packages/daemon/src/index.ts b/packages/daemon/src/index.ts
@@ -597,6 +597,13 @@ export async function startDaemon(options: ResolveDaemonConfigOptions = {}): Pro
     if (authMetadata) {
       Object.assign(context, authMetadata);
     }
+    const hasActiveSession = Boolean(supabaseSession && authToken && !isJwtExpired(authToken, 5_000));
+    context.supabaseWriterMode = writerUsesServiceRole
+      ? 'service-role key'
+      : hasActiveSession
+        ? 'Supabase session'
+        : 'anon/public key';
+    context.supabaseWriterUsesServiceRole = writerUsesServiceRole;
     return Object.keys(context).length > 0 ? context : null;
   };
 
@@ -1053,9 +1060,13 @@ export async function startDaemon(options: ResolveDaemonConfigOptions = {}): Pro
 
           const role = (membership as { role?: unknown } | null)?.role;
           if (role !== 'admin' && role !== 'write') {
+            const isReservedImportOrg = orgId.startsWith('gh-') || orgId.startsWith('github-');
             throw new Error(
               `Not authorized to push to ${orgId}/${repoId}. ` +
-                'Ask an org admin to add you as a member with write access.',
+                'Ask an org admin to add you as a member with write access.' +
+                (isReservedImportOrg
+                  ? ' (For GitHub imports into gh-*/github-* orgs, set SUPABASE_SERVICE_ROLE_KEY in CI so the daemon can write.)'
+                  : ''),
             );
           }
         }
diff --git a/supabase/functions/github-import/index.ts b/supabase/functions/github-import/index.ts
