SupaForge
GUIDE

How to Safely Promote Database Changes

Dry-run, review, then promote — a three-step workflow for confident deployments.

Note: The SupaForge CLI is currently being prepared for public release. to be notified when it's available.

The Risk of Direct Changes

Applying changes directly to production without review is the leading cause of Supabase incidents. A mistyped RLS policy, a dropped column, or a changed auth setting can take down an application instantly.

SupaForge's diff workflow gives you a safety net: detect differences, preview the exact SQL, and apply them only after review.

The Three-Step Workflow

1. Detect — See What Changed

Run a diff to see every difference across all checks:

Detect drift
supaforge diff

Review the drift score and per-check findings. Each issue includes severity (critical, warning, info) to help you prioritize.

2. Review — Preview the Fix SQL

Use --detail to see every SQL statement and API call that would be executed, without making any changes to the target:

Detailed preview
supaforge diff

This is the review step. Read through each statement. Look for:

  • Destructive operationsDROP TABLE, DROP COLUMN, DELETE FROM.
  • Data loss risk — column type changes that truncate data.
  • Auth changes — disabling a provider that active users depend on.
  • RLS changes — removing a policy that protects sensitive data.

3. Apply — Execute Changes

Once you've reviewed the detail output and are satisfied, add the--apply flag to execute the changes:

Apply all checks
supaforge diff --apply

Apply Specific Checks

You don't have to apply everything at once. Target individual checks for more granular control:

Apply only schema
supaforge diff --check=schema --apply
Preview RLS detail
supaforge diff --check=rls

Save Output for Audit

Pipe the promote preview to a file for team review or compliance records:

Save to file
supaforge diff > change-plan.txt

Rollback Strategy

SupaForge generates both UP (apply) and DOWN (rollback) SQL for schema changes. If a promote goes wrong:

  1. Swap source and target in your config to generate the reverse migration.
  2. Run a dry run with the swapped config to preview the rollback.
  3. Promote to apply the rollback.

For non-SQL changes (auth settings, storage config), the Supabase Dashboard provides immediate manual override.

Summary

The detect → review → apply workflow gives you full visibility and control over every change applied to production. Never apply blind — always review the detail output first.

Ready to try SupaForge?

Detect drift across all your Supabase environments in seconds.

View on GitHub