Use this when schema changes should fail before merge instead of failing in a deploy. The gate is a command set: scan --reporter json, diff --fail-on-diff, check, and optional verify. Protected deploy jobs can run sync with configured targets and an explicit remote approval environment variable. This repository ships CLI and GitHub Action gates and a licensed standalone type-contract --enforce path. It does not ship hosted CI, live billing deployment, or marketplace distribution.

Use this when

  • The repository owns declarative schema files.
  • Pull requests should fail on drift.
  • Unsafe SQL should show as PR annotations or SARIF.
  • RLS predicate changes need explicit review.

Do this

Start with the free CI layer:

    - uses: jmclaughlin724/supaschema@<tag>
      with:
        argv: '["scan","--reporter","json"]'

    - uses: jmclaughlin724/supaschema@<tag>
      with:
        argv: '["diff","--fail-on-diff","--quiet"]'
      env:
        SUPASCHEMA_DATABASE_URL: ${{ secrets.DATABASE_URL }}

Compose required checks from the CLI:

    npx supaschema scan --reporter json
    npx supaschema diff --fail-on-diff --quiet
    npx supaschema check --reporter github
    npx supaschema verify

Use SARIF when the organization wants findings in GitHub code scanning:

    npx supaschema check --reporter sarif

Decide

  • Which branches require drift checks.
  • Whether verify runs on every PR or only protected branches.
  • Who can approve destructive hints.
  • Whether your organization needs additional policy enforcement outside this repository.
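One way to compose the CLI checks above into a single fail-closed gate, with verify limited to protected branches as one of the choices listed under "Decide". This is an added example, not code from the supaschema repository; PROTECTED_BRANCHES, SUPASCHEMA_BIN and the function names are assumptions of this sketch, as is the premise that every command exits non-zero on failure.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for the gate commands on this page.
# PROTECTED_BRANCHES and SUPASCHEMA_BIN are assumptions of this sketch.
# Assumes each supaschema command exits non-zero when it fails.

is_protected() {            # $1 = branch name
  for b in ${PROTECTED_BRANCHES:-main}; do
    [ "$1" = "$b" ] && return 0
  done
  return 1
}

gate_plan() {               # prints one supaschema argument line per step
  echo "scan --reporter json"
  echo "diff --fail-on-diff --quiet"
  echo "check --reporter github"
  # verify only on protected branches (one of the "Decide" choices)
  if is_protected "$1"; then echo "verify"; fi
}

run_gate() {                # $1 = branch; 0 = pass, 1 = step failed, 2 = misconfigured
  if [ -z "${SUPASCHEMA_DATABASE_URL:-}" ]; then
    # A missing secret must not turn into a silently skipped drift check.
    echo "gate: SUPASCHEMA_DATABASE_URL is unset; refusing to run" >&2
    return 2
  fi
  while IFS= read -r step; do
    echo "gate: supaschema $step" >&2
    # $step is split into arguments on purpose; stdin is detached so the
    # command cannot consume the remaining plan lines.
    ${SUPASCHEMA_BIN:-npx supaschema} $step </dev/null || {
      echo "gate: failed at '$step', stopping" >&2
      return 1
    }
  done <<EOF
$(gate_plan "$1")
EOF
}

# In a GitHub Actions job: run_gate "$GITHUB_REF_NAME"
```

On pull requests from forks GitHub does not expose repository secrets, so the unset-URL branch is the one that fires there; the gate reports a misconfiguration instead of passing without a drift check.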

CI recipe

Copy a full GitHub Actions workflow.

Check command

Add PR annotations and SARIF output.

Verify command

Run apply-twice verification.

Benchmarks

Review timing and replay-safety evidence.
Last modified on June 18, 2026