fix: workflow urls

Author: marcus-pousette

.github/workflows/clone-and-push.yml

@@ -116,6 +116,9 @@ jobs:
         env:
           SUPABASE_URL: ${{ secrets.SUPABASE_URL || secrets.POWERSYNC_SUPABASE_URL }}
           SUPABASE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY || secrets.POWERSYNC_SUPABASE_SERVICE_ROLE_KEY || secrets.SUPABASE_ANON_KEY || secrets.POWERSYNC_SUPABASE_ANON_KEY }}
+          SUPABASE_ANON_KEY: ${{ secrets.SUPABASE_ANON_KEY || secrets.POWERSYNC_SUPABASE_ANON_KEY }}
+          POWERGIT_EMAIL: ${{ secrets.POWERGIT_EMAIL }}
+          POWERGIT_PASSWORD: ${{ secrets.POWERGIT_PASSWORD }}
           JOB_ID: ${{ github.event.inputs.job_id }}
           ORG_ID: ${{ github.event.inputs.org }}
           REPO_ID: ${{ github.event.inputs.repo }}
@@ -131,25 +134,56 @@ jobs:
           }
           const supabase = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_KEY)
           const now = new Date().toISOString()
+
+          const isUuid = (value) =>
+            typeof value === 'string' &&
+            /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value.trim())
+
           const requestedByRaw = (process.env.REQUESTED_BY ?? '').trim()
-          const requestedBy = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(requestedByRaw)
-            ? requestedByRaw
-            : null
-          const payload = {
+          const requestedBy = isUuid(requestedByRaw) ? requestedByRaw : null
+
+          const buildPayload = (requestedByValue) => ({
             id: process.env.JOB_ID,
             org_id: process.env.ORG_ID,
             repo_id: process.env.REPO_ID,
             repo_url: process.env.REPO_URL,
             status: 'running',
             created_at: now,
             updated_at: now,
-            requested_by: requestedBy,
+            requested_by: requestedByValue,
             source: 'actions',
             workflow_url: process.env.WORKFLOW_URL ?? null,
-          }
+          })
+
           ;(async () => {
-            const { error } = await supabase.from('import_jobs').upsert(payload, { onConflict: 'id' })
-            if (error) throw error
+            const initial = await supabase.from('import_jobs').upsert(buildPayload(requestedBy), { onConflict: 'id' })
+            if (!initial.error) return
+
+            if (initial.error.code !== '42501') throw initial.error
+
+            // RLS fallback: authenticate with a known user and record the job as that user.
+            const anonKey = (process.env.SUPABASE_ANON_KEY ?? '').trim()
+            const email = (process.env.POWERGIT_EMAIL ?? '').trim()
+            const password = (process.env.POWERGIT_PASSWORD ?? '').trim()
+            if (!anonKey || !email || !password) {
+              throw initial.error
+            }
+
+            const authed = createClient(process.env.SUPABASE_URL, anonKey, {
+              auth: { persistSession: false, autoRefreshToken: false },
+            })
+            const { data, error: loginError } = await authed.auth.signInWithPassword({ email, password })
+            if (loginError) throw new Error(`Supabase login failed: ${loginError.message}`)
+            const userId = data?.user?.id ?? ''
+            if (!isUuid(userId)) throw new Error('Supabase login did not return a valid user id')
+
+            // Use REQUESTED_BY only when it matches the authenticated user, otherwise
+            // pin the job to the CI user so the insert/update RLS policies pass.
+            const effectiveRequestedBy = requestedBy && requestedBy === userId ? requestedBy : userId
+            const retry = await authed
+              .from('import_jobs')
+              .upsert(buildPayload(effectiveRequestedBy), { onConflict: 'id' })
+            if (retry.error) throw retry.error
           })().catch((err) => {
             console.error('Failed to record import job running', err)
             process.exit(1)
@@ -254,6 +288,9 @@ jobs:
         env:
           SUPABASE_URL: ${{ secrets.SUPABASE_URL || secrets.POWERSYNC_SUPABASE_URL }}
           SUPABASE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY || secrets.POWERSYNC_SUPABASE_SERVICE_ROLE_KEY || secrets.SUPABASE_ANON_KEY || secrets.POWERSYNC_SUPABASE_ANON_KEY }}
+          SUPABASE_ANON_KEY: ${{ secrets.SUPABASE_ANON_KEY || secrets.POWERSYNC_SUPABASE_ANON_KEY }}
+          POWERGIT_EMAIL: ${{ secrets.POWERGIT_EMAIL }}
+          POWERGIT_PASSWORD: ${{ secrets.POWERGIT_PASSWORD }}
           JOB_ID: ${{ github.event.inputs.job_id }}
           WORKFLOW_STATUS: ${{ job.status }}
         run: |
@@ -267,9 +304,35 @@ jobs:
             updated_at: now,
             error: status === 'error' ? 'GitHub Actions import failed' : null,
           }
+
+          const isUuid = (value) =>
+            typeof value === 'string' &&
+            /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value.trim())
+
           ;(async () => {
-            const { error } = await supabase.from('import_jobs').update(update).eq('id', process.env.JOB_ID)
-            if (error) throw error
+            const initial = await supabase.from('import_jobs').update(update).eq('id', process.env.JOB_ID)
+            if (!initial.error) return
+
+            if (initial.error.code !== '42501') throw initial.error
+
+            // RLS fallback: authenticate with a known user and update the job as that user.
+            const anonKey = (process.env.SUPABASE_ANON_KEY ?? '').trim()
+            const email = (process.env.POWERGIT_EMAIL ?? '').trim()
+            const password = (process.env.POWERGIT_PASSWORD ?? '').trim()
+            if (!anonKey || !email || !password) {
+              throw initial.error
+            }
+
+            const authed = createClient(process.env.SUPABASE_URL, anonKey, {
+              auth: { persistSession: false, autoRefreshToken: false },
+            })
+            const { data, error: loginError } = await authed.auth.signInWithPassword({ email, password })
+            if (loginError) throw new Error(`Supabase login failed: ${loginError.message}`)
+            const userId = data?.user?.id ?? ''
+            if (!isUuid(userId)) throw new Error('Supabase login did not return a valid user id')
+
+            const retry = await authed.from('import_jobs').update(update).eq('id', process.env.JOB_ID)
+            if (retry.error) throw retry.error
           })().catch((err) => {
             console.error('Failed to record import job result', err)
             process.exit(1)

packages/apps/explorer/src/routes/org.$orgId.repo.$repoId.commits.tsx

@@ -198,10 +198,13 @@ function Commits() {
           id: j.id,
           status: j.status,
           error: j.error,
+          workflow_url: j.workflow_url,
           updated_at: j.updated_at,
         })),
     [importJobs, orgId, repoId],
-  ) as { data: Array<{ id: string; status: string | null; error: string | null; updated_at: string | null }> }
+  ) as {
+    data: Array<{ id: string; status: string | null; error: string | null; workflow_url: string | null; updated_at: string | null }>
+  }
 
   const packRows = useLiveQuery(
     (q) =>
@@ -298,6 +301,7 @@ function Commits() {
   const [filterResetKey, setFilterResetKey] = React.useState(0)
   const [refreshStatus, setRefreshStatus] = React.useState<'idle' | 'loading' | 'queued' | 'running' | 'done' | 'error'>('idle')
   const [refreshJobId, setRefreshJobId] = React.useState<string | null>(null)
+  const [refreshWorkflowUrl, setRefreshWorkflowUrl] = React.useState<string | null>(null)
   const [refreshMessage, setRefreshMessage] = React.useState<string | null>(null)
   const trackedJob = React.useMemo(() => {
     const job = latestImportJobs[0] ?? null
@@ -693,14 +697,22 @@ function Commits() {
                 : 'inline-flex cursor-pointer items-center gap-1.5 rounded-full border border-slate-300 bg-white px-3 py-1 text-xs font-medium text-slate-700 transition hover:bg-slate-100 focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-emerald-200'
             }
             onClick={async () => {
-              if (refreshBusy) return
+              if (refreshBusy) {
+                const workflowUrl =
+                  (trackedJob?.workflow_url ?? '').trim() || (refreshWorkflowUrl ?? '').trim()
+                if (workflowUrl) {
+                  window.open(workflowUrl, '_blank', 'noopener,noreferrer')
+                }
+                return
+              }
               if (!repoUrl) {
                 setRefreshStatus('error')
                 setRefreshMessage('Repository URL is unavailable.')
                 return
               }
               setRefreshStatus('loading')
               setRefreshJobId(null)
+              setRefreshWorkflowUrl(null)
               setRefreshMessage(null)
               try {
                 const job = await requestGithubImport({
@@ -710,6 +722,9 @@ function Commits() {
                   branch: branchFilter !== 'all' ? branchFilter : repoDefaultBranch,
                 })
                 setRefreshJobId(job.id ?? null)
+                const workflowUrlRaw = (job as unknown as { workflowUrl?: unknown }).workflowUrl
+                const workflowUrl = typeof workflowUrlRaw === 'string' ? workflowUrlRaw.trim() : ''
+                setRefreshWorkflowUrl(workflowUrl.length > 0 ? workflowUrl : null)
                 const initialStatus = (job.status ?? '').toLowerCase()
                 if (initialStatus === 'error') {
                   setRefreshStatus('error')
@@ -727,9 +742,14 @@ function Commits() {
                 setRefreshMessage(message)
               }
             }}
-            title="Re-run import for this repository"
+            title={
+              refreshBusy
+                ? (trackedJob?.workflow_url ?? '').trim() || (refreshWorkflowUrl ?? '').trim()
+                  ? 'View GitHub Actions run'
+                  : 'Refresh already in progress'
+                : 'Re-run import for this repository'
+            }
             data-testid="commit-refresh"
-            disabled={refreshBusy}
           >
             {refreshBusy ? (
               <>

packages/apps/explorer/src/routes/org.$orgId.repo.$repoId.files.tsx

@@ -428,10 +428,13 @@ function Files() {
           id: j.id,
           status: j.status,
           error: j.error,
+          workflow_url: j.workflow_url,
           updated_at: j.updated_at,
         })),
     [importJobs, orgId, repoId],
-  ) as { data: Array<{ id: string; status: string | null; error: string | null; updated_at: string | null }> }
+  ) as {
+    data: Array<{ id: string; status: string | null; error: string | null; workflow_url: string | null; updated_at: string | null }>
+  }
 
   const orgMenuOptions = React.useMemo(() => {
     const orgs = new Set<string>()
@@ -663,6 +666,7 @@ function Files() {
   const [readyCommits, setReadyCommits] = React.useState<Set<string>>(() => new Set())
   const [refreshStatus, setRefreshStatus] = React.useState<'idle' | 'loading' | 'queued' | 'running' | 'done' | 'error'>('idle')
   const [refreshJobId, setRefreshJobId] = React.useState<string | null>(null)
+  const [refreshWorkflowUrl, setRefreshWorkflowUrl] = React.useState<string | null>(null)
   const [refreshMessage, setRefreshMessage] = React.useState<string | null>(null)
   const trackedJob = React.useMemo(() => {
     const job = latestImportJobs[0] ?? null
@@ -1301,14 +1305,22 @@ function Files() {
               type="button"
               className={refreshButtonClass}
               onClick={async () => {
-                if (refreshBusy) return
+                if (refreshBusy) {
+                  const workflowUrl =
+                    (trackedJob?.workflow_url ?? '').trim() || (refreshWorkflowUrl ?? '').trim()
+                  if (workflowUrl) {
+                    window.open(workflowUrl, '_blank', 'noopener,noreferrer')
+                  }
+                  return
+                }
                 if (!repoUrl) {
                   setRefreshStatus('error')
                   setRefreshMessage('Repository URL is unavailable.')
                   return
                 }
                 setRefreshStatus('loading')
                 setRefreshJobId(null)
+                setRefreshWorkflowUrl(null)
                 setRefreshMessage(null)
                 try {
                   const job = await requestGithubImport({
@@ -1318,6 +1330,9 @@ function Files() {
                     branch: selectedBranch?.name ?? repoDefaultBranch ?? null,
                   })
                   setRefreshJobId(job.id ?? null)
+                  const workflowUrlRaw = (job as unknown as { workflowUrl?: unknown }).workflowUrl
+                  const workflowUrl = typeof workflowUrlRaw === 'string' ? workflowUrlRaw.trim() : ''
+                  setRefreshWorkflowUrl(workflowUrl.length > 0 ? workflowUrl : null)
                   const initialStatus = (job.status ?? '').toLowerCase()
                   if (initialStatus === 'error') {
                     setRefreshStatus('error')
@@ -1335,9 +1350,14 @@ function Files() {
                   setRefreshMessage(message)
                 }
               }}
-              title="Re-run import for this repository"
+              title={
+                refreshBusy
+                  ? (trackedJob?.workflow_url ?? '').trim() || (refreshWorkflowUrl ?? '').trim()
+                    ? 'View GitHub Actions run'
+                    : 'Refresh already in progress'
+                  : 'Re-run import for this repository'
+              }
               data-testid="repo-refresh"
-              disabled={refreshBusy}
             >
               {refreshBusy ? (
                 <>