Prevent accidental `db push` deployments to remote

[daniel-j-h]

A common use case is to develop locally, run and test database migrations, and having CI/CD such as github actions to deploy to production using e.g. https://github.com/supabase/setup-cli running

supabase db push

in a release job.

At the moment it's very easy to accidentally run supabase db push from your local development environment deploying to production.

Ideally we'd have a way to prevent local database deployments to remote and restrict it to CI/CD.

What's the best way to achieve this? Can we have e.g. a config option in supabase/config.toml restricting db pushes to remote (with a --force flag to overwrite it) or how can we best make sure to not have developers pushing to remote by accident and instead rely on CI/CD?

[sweatybridge]

I think the long term solution may be to use branching so that developers don't need the production password to develop locally.

Until then, I've implemented a stop gap solution in the linked PR by asking users to confirm pushing to remote. Do you think that's sufficient for your use case?

[daniel-j-h]

Gotcha, yeah the stop gap solution looks good!

I'm a liittle bit worried tho by how easy it it to reset the remote database and push changes to it :see_no_evil: Ideally I want developers to have a read-only view of the remote database, only, and only CI/CD being able to write to it.

If branching gives us this in the long term then :+1:

[sweatybridge]

The patch has been released in npx supabase@beta db push. It will go into stable channel in 2 weeks time.