Enhance config.toml to support Saml 2 config

[IdrisCelik]

The current GitHub integration for Supabase only supports deploying functions and migrations as code, but does not fully utilize the config.toml for the rest of the project configuration. This limits the ability to have the entire Supabase project configured as code, requiring additional manual or custom CI/CD setups.

Feature Request

Add options in the GitHub integration to selectively apply configuration categories from config.toml. This would allow users to manage and apply all relevant Supabase settings directly from their repository, enabling full configuration-as-code workflows.

Desired Behavior

• Allow toggling which configuration sections from config.toml to apply during deployment, for example:

  • api (API exposure, ports, schemas, TLS)
  • db (database settings, pooling, migrations, network restrictions)
  • realtime (real-time settings)
  • storage (file storage, bucket limits/configuration)
  • auth (JWT expiry, signup rules, password policies, MFA, external providers)
  • functions (edge/serverless functions deployment, pruning) WITH --PRUNE (CLI OPTION) so that functions deleted in config also get deleted in the env, since the config.toml should be the source of truth
  • edge_runtime (runtime, debugging, versioning)
  • etc

• When a commit or merge to the production branch happens, the integration should:

• run supabase config push

Benefits

• Enables full configuration as code for Supabase projects
• Removes the need for custom CD pipelines to manage non-function/migration config (so i can get rid of the CD that does supabase config push)
• Provides greater flexibility and control over project deployment via GitHub integration

Additional Notes

This enhancement would align the GitHub integration closer to a true "infrastructure as code" model, improving consistency and automation for Supabase users.

[sweatybridge]

We have supabase config push that updates your remote project based on local config.toml file in your repo. Does that satisfy your needs?

[IdrisCelik]

Thanks for the quick reply! Yes, supabase config push does cover most of what I need — I’m already using it in my own CD pipeline, and it works great overall. The only gap I’ve noticed is that it doesn’t update the realtime.enabled setting from the config.

What I’d really like is to move away from maintaining a custom CD setup and rely fully on the existing GitHub integration. The integration already handles migrations and functions (though it currently lacks a --prune option for functions, so that should be a option in the settings of the intergration), but it doesn’t push the config yet.

So to clarify, the main request is for the GitHub integration (https://supabase.com/docs/guides/deployment/branching/github-integration) to:

• Include a step that runs functions deploy --prune
• Support config push that applies all config sections (including [realtime] enabled)

And the CLI should also sync realtime enabled/disabled from config.toml

I wasn’t entirely sure if this issue belongs in this repo, but it seemed like the best fit since the CLI already implements part of this functionality.

So currently this is everything the interrgation does:

• New migrations are applied
• Edge Functions declared in config.toml are deployed
• Storage buckets declared in config.toml are deployed

So no supabase config push

[IdrisCelik]

For completeness the following things dont get pushed when running config push that should be pushed:

• Realtime enabled, public access enabled and all other settings in https://supabase.com/dashboard/project/_/realtime/settings
• Disable s3 protecol https://supabase.com/dashboard/project/_/storage/s3
• image transformation https://supabase.com/dashboard/project/_/storage/files/settings
• A way to have a different auth config in config.toml since i use different site_url and keys when developing locally compared to in prod
• set SSL enforcement for db connections
  These are changes that should happen to config push

To Github intrergration we should have a option to run supabase config push as part of the intergration instead of making a seperate config for this.

[sweatybridge]

Thank you for the detailed request. I will prioritise this as soon as I can.

[IdrisCelik]

Thank you for the detailed request. I will prioritise this as soon as I can.

Awesome thanks a lot!

[IdrisCelik]

Also wanted to add, as part of the config push update, perhaps we should also have a way to implement SAML2 as code. Where you can set them in config.toml with
a link or path to the metadata and domains,
attr mapping,
SAML being enabled at all and settings like allow encrypted SAML assertions