Feat: Add Supabase - Set Secrets community step template

[itsmebenwalker]

Background

Supabase is an open-source alternative to Firebase built on PostgreSQL. It includes a managed database, authentication, storage, realtime subscriptions, and Edge Functions - globally distributed TypeScript/Deno serverless functions.

The rise of AI-assisted development tools such as Cursor, Windsurf, and Claude Code has also led to broader adoption of Supabase. Its generated SDKs, built-in APIs, and CLI tooling make it easy to stand up and evolve a backend, which works well for teams building applications with AI coding tools. Many people are now deploying applications built with Supabase, and Edge Functions are increasingly where application logic is implemented. This presents a strong opportunity for Octopus to further support and streamline these deployment workflows.

The Octopus Library already has a Supabase - Run Migrations step template for pushing database schema changes and a Supabase - Deploy Edge Function step template (added in #1688) for deploying functions. This PR adds the missing companion step: pushing environment variable secrets to a Supabase project so they are in place before Edge Functions first execute.

Results

Adds a new community step template Supabase - Set Secrets (step-templates/supabase-set-secrets.json) that:

• Installs the Supabase CLI on the worker if not already present (Linux binary from GitHub releases, Homebrew on macOS), with optional version pinning
• Authenticates via the SUPABASE_ACCESS_TOKEN environment variable - no interactive login required, safe for CI/CD workers
• Accepts secrets as inline KEY=VALUE pairs (one per line, referencing Octopus sensitive variables) or as a path to a .env-style file on the worker - if both are provided, inline pairs take precedence
• Writes inline secrets to a mktemp file with trap cleanup, ensuring secret values never appear in process listings and the temp file is removed even on failure
• Calls supabase secrets set --env-file in a single CLI invocation
• Optionally runs supabase secrets list after setting and prints key names (never values) to the task log for confirmation

Intended pipeline order:

1. Supabase - Set Secrets          ← this step
2. Supabase - Deploy Edge Function
3. Supabase - Run Migrations       (if applicable)

Parameters

Parameter	Type	Required
SupabaseProjectRef	String	Yes
SupabaseAccessToken	Sensitive	Yes
SupabaseSecrets	MultiLineText	No - at least one of Secrets or Env File Path required
SupabaseEnvFile	String	No - at least one of Secrets or Env File Path required
SupabaseListAfterSet	Checkbox	No - default: enabled
SupabaseCliVersion	String	No - default: latest

Before

Setting Supabase secrets from an Octopus deployment required a custom Run a Script step, manually scripting CLI installation, authentication, and supabase secrets set - with no built-in protection against secret values appearing in process listings or logs.

After

Task log: ServerTasks-2521.log.txt

Pre-requisites

• Id is a GUID (9a8b7c6d-5e4f-4321-8fed-cba987654321) and not all zeros
• Version is 1 (new template)
• Parameter names do not start with $
• All parameter names are prefixed with Supabase to avoid clashing with user-defined project variables
• LastModifiedBy is present (itsmebenwalker)
• Category is supabase - existing category, no new logo or gulpfile.babel.js change required

[github-actions]

Review this PR in Hyponome for a side-by-side diff of the step-template JSON and any embedded scripts.