Source: ocean/docs/adr/ADR-044-gitleaks-integration-and-stripe-version-standardization.md
# ADR-044: GitLeaks Integration and Stripe Version Standardization

## Status

Accepted
## Context

The Supabase deployment pipeline was experiencing multiple failures:

- **Missing Secret Scanning:** The CI/CD pipeline was attempting to run gitleaks for secret scanning but the tool wasn't installed, causing deployment failures.
- **Stripe Version Inconsistency:** Edge Functions were using multiple different versions of the Stripe SDK:
  - Legacy ESM imports: `https://esm.sh/stripe@14.21.0`
  - Non-existent version: `npm:stripe@17.12.0`
  - Intermediate version: `npm:stripe@18.4.0`
  - Latest version: `npm:stripe@18.5.0`
- **Protected Branch Restrictions:** GitHub Actions couldn't automatically commit generated TypeScript types due to protected branch rules on `main`.
## Decision

### 1. GitLeaks Integration

We properly integrated gitleaks into the CI/CD pipeline:

- Added a gitleaks installation step to the deployment workflow
- Updated `.gitleaks.toml` to exclude the `.husky` directory (contains the gitleaks license key)
- Modified git commands in CI to use the `--no-verify` flag to bypass pre-commit hooks

### 2. Stripe Version Standardization

We standardized all Stripe imports to use `npm:stripe@18.5.0`:

- Migrated from the legacy ESM.sh CDN format to the modern npm import format
- Updated all Edge Functions to use the same Stripe version
- Fixed non-existent version references

### 3. Type Generation Handling

We removed automatic type commits from the deployment workflow:

- Replaced the automatic git push with a warning message
- Provided manual instructions for updating types when schema changes are detected
- This respects protected branch rules while maintaining visibility of schema changes
## Implementation

### GitLeaks Installation

```yaml
- name: Install gitleaks
  run: |
    echo "🔐 Installing gitleaks for secret scanning..."
    # Pinned release tarball for linux/x64
    wget -q https://github.com/gitleaks/gitleaks/releases/download/v8.18.1/gitleaks_8.18.1_linux_x64.tar.gz
    tar -xzf gitleaks_8.18.1_linux_x64.tar.gz
    sudo mv gitleaks /usr/local/bin/
    rm gitleaks_8.18.1_linux_x64.tar.gz
    echo "✅ Gitleaks installed successfully"
    gitleaks version
```
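The step above pins the gitleaks version but installs whatever the download returns. The script below is an added example (not the project's workflow) of the same install with the tarball's SHA-256 checked against an expected digest before anything is moved into `/usr/local/bin`. The digest value is a placeholder: the real one comes from the release's published checksums and is assumed to be supplied through the `GITLEAKS_SHA256` variable; `sudo` and `wget` are assumed to be available on the runner as in the original step.

```shell
#!/usr/bin/env bash
# Added example, not the project's own CI step: install a pinned gitleaks
# release only after its SHA-256 matches a digest recorded out of band.
set -eu

GITLEAKS_VERSION="8.18.1"
# Placeholder digest; supply the real value from the release checksums file.
GITLEAKS_SHA256="${GITLEAKS_SHA256:-<sha256-of-gitleaks_8.18.1_linux_x64.tar.gz>}"

# verify_sha256 FILE EXPECTED
# Returns 0 when FILE's SHA-256 equals EXPECTED, 1 otherwise.
verify_sha256() {
  file="$1"
  expected="$2"
  actual="$(sha256sum "$file" | awk '{print $1}')"
  [ "$actual" = "$expected" ]
}

# install_gitleaks
# Downloads the pinned tarball, refuses to install on a digest mismatch,
# and otherwise places the binary on PATH exactly as the workflow step does.
install_gitleaks() {
  tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
  url="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}"
  echo "Installing gitleaks ${GITLEAKS_VERSION} for secret scanning..."
  wget -q "$url"
  if ! verify_sha256 "$tarball" "$GITLEAKS_SHA256"; then
    echo "Checksum mismatch for ${tarball}; refusing to install" >&2
    rm -f "$tarball"
    return 1
  fi
  tar -xzf "$tarball"
  sudo mv gitleaks /usr/local/bin/
  rm -f "$tarball"
  gitleaks version
}
```

In the workflow the `run:` block would source this script and call `install_gitleaks`; a digest mismatch fails the job before any scan runs, so a swapped or truncated download is surfaced as a build error rather than silently becoming the scanner the pipeline trusts.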
### Updated Files for Stripe Standardization

- `/supabase/functions/_shared/clients.ts`
- `/supabase/functions/_shared/error-handling.ts`
- `/supabase/functions/_shared/stripe-operations.ts`
- `/supabase/functions/_shared/function-wrapper.ts`
- `/supabase/functions/cleanup-resources/index.ts`
- `/supabase/functions/graphql-v2/deno.json`
- `/supabase/functions/graphql-v2/resolvers/billing/stripe-client.ts`
- `/supabase/functions/stripe-billing/index.ts`
- `/supabase/functions/stripe-portal/index.ts`
- `/supabase/functions/stripe-products/index.ts`
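Standardizing the imports once does not stop a later function from drifting back to `esm.sh` or a different `npm:stripe@` version. The script below is an added example (not part of this ADR or the project's tooling) of a CI guard that lists every Stripe import specifier under the functions directory and fails when any of them differs from the standard `npm:stripe@18.5.0`. It assumes the Edge Functions live under `supabase/functions` as in the file list above and that imports appear in `.ts` files or `deno.json` import maps.

```shell
#!/usr/bin/env bash
# Added example, not the project's own tooling: fail CI when Edge Functions
# import more than one Stripe SDK version or still use the esm.sh form.
set -eu

# The single version this ADR standardizes on.
EXPECTED_STRIPE="npm:stripe@18.5.0"

# list_stripe_specifiers DIR
# Prints each distinct Stripe import specifier (npm: or esm.sh form) found
# in .ts files and deno.json import maps under DIR, one per line.
list_stripe_specifiers() {
  dir="$1"
  # grep exits 1 when nothing matches; treat that as an empty list.
  { grep -rhoE \
      '(npm:stripe@[0-9]+\.[0-9]+\.[0-9]+|https://esm\.sh/stripe@[0-9]+\.[0-9]+\.[0-9]+)' \
      --include='*.ts' --include='deno.json' "$dir" || true; } | sort -u
}

# check_stripe_versions DIR
# Returns 0 when every Stripe import equals $EXPECTED_STRIPE (or there are
# none), 1 otherwise, printing the offending specifiers to stderr.
check_stripe_versions() {
  dir="$1"
  specs="$(list_stripe_specifiers "$dir")"
  if [ -z "$specs" ]; then
    echo "No Stripe imports found under ${dir}" >&2
    return 0
  fi
  bad="$(printf '%s\n' "$specs" | grep -vxF "$EXPECTED_STRIPE" || true)"
  if [ -n "$bad" ]; then
    printf 'Non-standard Stripe import(s) found under %s:\n%s\n' "$dir" "$bad" >&2
    return 1
  fi
  echo "All Stripe imports use ${EXPECTED_STRIPE}"
}
```

Run as `check_stripe_versions supabase/functions` in the workflow before deploying; the legacy `https://esm.sh/stripe@14.21.0` form and intermediate versions such as `npm:stripe@18.4.0` are both reported, so the list in the Context section above could not silently reappear.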
### Type Generation Warning

When database schema changes are detected, the workflow now outputs:

```text
⚠️ IMPORTANT: The database schema has changed!
Please run the following command locally to update the types:
supabase gen types typescript --project-id $SUPABASE_PROJECT_ID > src/types/database.generated.ts
Then commit and push the changes.
```
## Consequences

### Positive

- **Enhanced Security:** All commits are now scanned for secrets before deployment
- **Consistency:** All Edge Functions use the same Stripe SDK version
- **Reliability:** Deployments no longer fail due to missing dependencies or version conflicts
- **Compliance:** Protected branch rules are respected while maintaining visibility

### Negative

- **Manual Step:** Developers must manually update TypeScript types when schema changes occur
- **CI Complexity:** The additional installation step increases deployment time slightly

### Neutral

- **Security Tool Maintenance:** The GitLeaks version is pinned and will need periodic updates
- **Stripe SDK Updates:** Future Stripe SDK updates will require updating all Edge Functions
## Lessons Learned

- **Install Dependencies:** Always ensure required tools are installed in CI environments
- **Version Consistency:** Standardize dependency versions across all functions to prevent conflicts
- **Respect Branch Protection:** Work within repository security constraints rather than bypassing them
- **Clear Communication:** Provide clear instructions when manual intervention is required
## References

- GitLeaks Documentation
- Stripe SDK npm Package
- GitHub Protected Branches
- Related ADRs:
  - ADR-009: Secret Scanning in Pre-commit Hooks
  - ADR-021: Edge Function Dependency Management
  - ADR-036: Unified Field Naming Convention