release(cli): 1.34.5 (#3655 )

Co-authored-by: dbarrosop <dbarrosop@users.noreply.github.com>
chore(cli): bump nhost/dashboard to 2.41.0 (#3669 )
2025-11-06 15:34:31 +01:00 · 2025-11-06 13:42:32 +01:00 · 2025-11-06 13:04:09 +01:00 · 2025-11-06 11:42:33 +01:00 · 2025-11-06 11:40:11 +01:00 · 2025-11-05 10:26:16 +01:00
56 changed files with 933 additions and 570 deletions
--- a/.github/workflows/dashboard_wf_release.yaml
+++ b/.github/workflows/dashboard_wf_release.yaml
@@ -88,7 +88,7 @@ jobs:
      - name: Bump version in source code
        run: |
          find cli -type f -exec sed -i 's/"nhost\/dashboard:[^"]*"/"nhost\/dashboard:${{ inputs.VERSION }}"/g' {} +
-          sed -i 's/"nhost\/dashboard:[^"]*"/"nhost\/dashboard:${{ inputs.VERSION }}"/g' docs/reference/cli/commands.mdx
+          sed -i 's/nhost\/dashboard:[^)]*/nhost\/dashboard:${{ inputs.VERSION }}/g' docs/reference/cli/commands.mdx

      - name: "Create Pull Request"
        uses: peter-evans/create-pull-request@v7
--- a/cli/CHANGELOG.md
+++ b/cli/CHANGELOG.md
@@ -1,3 +1,11 @@
+## [cli@1.34.5] - 2025-11-06
+
+### ⚙️ Miscellaneous Tasks
+
+- *(nixops)* Bump go to 1.25.3 and nixpkgs due to CVEs (#3652)
+- *(cli)* Udpate certs and schema (#3675)
+- *(cli)* Bump nhost/dashboard to 2.41.0 (#3669)
+
 # Changelog

 All notable changes to this project will be documented in this file.
--- a/cli/cmd/dev/cloud.go
+++ b/cli/cmd/dev/cloud.go
@@ -56,7 +56,7 @@ func CommandCloud() *cli.Command {
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagDashboardVersion,
 				Usage:   "Dashboard version to use",
-				Value:   "nhost/dashboard:2.40.0",
+				Value:   "nhost/dashboard:2.41.0",
 				Sources: cli.EnvVars("NHOST_DASHBOARD_VERSION"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
--- a/cli/cmd/dev/up.go
+++ b/cli/cmd/dev/up.go
@@ -111,7 +111,7 @@ func CommandUp() *cli.Command { //nolint:funlen
 			&cli.StringFlag{ //nolint:exhaustruct
 				Name:    flagDashboardVersion,
 				Usage:   "Dashboard version to use",
-				Value:   "nhost/dashboard:2.40.0",
+				Value:   "nhost/dashboard:2.41.0",
 				Sources: cli.EnvVars("NHOST_DASHBOARD_VERSION"),
 			},
 			&cli.StringFlag{ //nolint:exhaustruct
--- a/cli/dockercompose/auth_test.go
+++ b/cli/dockercompose/auth_test.go
@@ -53,6 +53,7 @@ func expectedAuth() *Service {
 			"AUTH_PROVIDER_APPLE_ENABLED":               "true",
 			"AUTH_PROVIDER_APPLE_KEY_ID":                "appleKeyId",
 			"AUTH_PROVIDER_APPLE_PRIVATE_KEY":           "applePrivateKey",
+			"AUTH_PROVIDER_APPLE_SCOPE":                 "",
 			"AUTH_PROVIDER_APPLE_TEAM_ID":               "appleTeamId",
 			"AUTH_PROVIDER_AZUREAD_CLIENT_ID":           "azureadClientId",
 			"AUTH_PROVIDER_AZUREAD_CLIENT_SECRET":       "azureadClientSecret",
@@ -75,9 +76,12 @@ func expectedAuth() *Service {
 			"AUTH_PROVIDER_FACEBOOK_CLIENT_SECRET":      "facebookClientSecret",
 			"AUTH_PROVIDER_FACEBOOK_ENABLED":            "true",
 			"AUTH_PROVIDER_FACEBOOK_SCOPE":              "email",
+			"AUTH_PROVIDER_GITHUB_AUDIENCE":             "audience",
 			"AUTH_PROVIDER_GITHUB_CLIENT_ID":            "githubClientId",
 			"AUTH_PROVIDER_GITHUB_CLIENT_SECRET":        "githubClientSecret",
 			"AUTH_PROVIDER_GITHUB_ENABLED":              "true",
+			"AUTH_PROVIDER_GITHUB_SCOPE":                "user:email",
+			"AUTH_PROVIDER_GITLAB_AUDIENCE":             "audience",
 			"AUTH_PROVIDER_GITLAB_CLIENT_ID":            "gitlabClientId",
 			"AUTH_PROVIDER_GITLAB_CLIENT_SECRET":        "gitlabClientSecret",
 			"AUTH_PROVIDER_GITLAB_ENABLED":              "true",
@@ -97,6 +101,7 @@ func expectedAuth() *Service {
 			"AUTH_PROVIDER_SPOTIFY_CLIENT_SECRET":       "spotifyClientSecret",
 			"AUTH_PROVIDER_SPOTIFY_ENABLED":             "true",
 			"AUTH_PROVIDER_SPOTIFY_SCOPE":               "user-read-email",
+			"AUTH_PROVIDER_STRAVA_AUDIENCE":             "audience",
 			"AUTH_PROVIDER_STRAVA_CLIENT_ID":            "stravaClientId",
 			"AUTH_PROVIDER_STRAVA_CLIENT_SECRET":        "stravaClientSecret",
 			"AUTH_PROVIDER_STRAVA_ENABLED":              "true",
--- a/cli/mcp/resources/nhost_toml_schema.cue
+++ b/cli/mcp/resources/nhost_toml_schema.cue
@@ -223,7 +223,7 @@ import (
 	// Releases:
 	//
 	// https://github.com/nhost/hasura-storage/releases
-	version: string | *"0.8.2"
+	version: string | *"0.9.1"

 	// Networking (custom domains at the moment) are not allowed as we need to do further
 	// configurations in the CDN. We will enable it again in the future.
@@ -311,7 +311,7 @@ import (
 	// Releases:
 	//
 	// https://github.com/nhost/hasura-auth/releases
-	version: string | *"0.42.4"
+	version: string | *"0.43.0"

 	// Resources for the service
 	resources?: #Resources
--- a/cli/ssl/.ssl/local-fullchain.pem
+++ b/cli/ssl/.ssl/local-fullchain.pem
@@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIERDCCA8mgAwIBAgISBmRex3kpZ4Mz1/1kq05iqja/MAoGCCqGSM49BAMDMDIx
+MIIERTCCA8ugAwIBAgISBWD/E+b14mP5jv4DGWRVYv8fMAoGCCqGSM49BAMDMDIx
 CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
-ODAeFw0yNTEwMDIxMDUxNDBaFw0yNTEyMzExMDUxMzlaMB8xHTAbBgNVBAMTFGxv
-Y2FsLmF1dGgubmhvc3QucnVuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2cVM
-ojf8iXZGLneNfnke5LMJIxyTEeGbNOfCv4SOR4K/N4OkpvkUVbH2bRvX99uE9jaK
-515Y48PzPA/4+W1zTKOCAtAwggLMMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAU
-BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUQqan
-raZoU5klAxsgkEVEMIkxmMQwHwYDVR0jBBgwFoAUjw0TovYuftFQbDMYOF1ZjiNy
+ODAeFw0yNTExMDYxMDUxMTBaFw0yNjAyMDQxMDUxMDlaMB8xHTAbBgNVBAMTFGxv
+Y2FsLmF1dGgubmhvc3QucnVuMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOah5
+ZLuUQp3pdMBxBWnT6E6/amW9LerKKEEdy3Nc8iAwG9LlnPH0z3m7a9wgEhpFEdlL
+Rr+qO+NhSRnv6+UF5KOCAtIwggLOMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAU
+BggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUGyb1
+TVK/0vf3uHO4x3R094aG2rEwHwYDVR0jBBgwFoAUjw0TovYuftFQbDMYOF1ZjiNy
 kcowMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTguaS5sZW5j
 ci5vcmcvMIHOBgNVHREEgcYwgcOCFGxvY2FsLmF1dGgubmhvc3QucnVughlsb2Nh
 bC5kYXNoYm9hcmQubmhvc3QucnVughJsb2NhbC5kYi5uaG9zdC5ydW6CGWxvY2Fs
 LmZ1bmN0aW9ucy5uaG9zdC5ydW6CF2xvY2FsLmdyYXBocWwubmhvc3QucnVughZs
 b2NhbC5oYXN1cmEubmhvc3QucnVughdsb2NhbC5tYWlsaG9nLm5ob3N0LnJ1boIX
 bG9jYWwuc3RvcmFnZS5uaG9zdC5ydW4wEwYDVR0gBAwwCjAIBgZngQwBAgEwLQYD
-VR0fBCYwJDAioCCgHoYcaHR0cDovL2U4LmMubGVuY3Iub3JnLzY0LmNybDCCAQIG
-CisGAQQB1nkCBAIEgfMEgfAA7gB1AO08S9boBsKkogBX28sk4jgB31Ev7cSGxXAP
-IN23Pj/gAAABmaTCI4YAAAQDAEYwRAIgXLRFL1EAXfvN6kd5m6udqlxfz4+5B6rq
-Cdhp/ZwDAZ8CIFYvalTkl5NEBEMD3vpPvrj8s1Yy2xsropEh/AvpavvLAHUAGYbU
-xyiqb/66A294Kk0BkarOLXIxD67OXXBBLSVMx9QAAAGZpMIjhwAABAMARjBEAiBk
-H1vqU9HNuBcf4UYL/xZ42BeUAARHStiFaIZtnR1kEgIgbIJ0CGqIpxmWuwCunl9p
-ar+rGLdQrCk9BZXq/VjPPAAwCgYIKoZIzj0EAwMDaQAwZgIxAKvk5a2zQsv7JLNj
-NO1ly+DI8qiy5nf4HQrOrHOjtmx5RUu0HSO9P0J0u069qAqXMgIxAMLdME9JUo2c
-TJo3pwWv5MRyg/MkOJ4ImKdDJXfIZNkEIUyP3vwTqImvZe07gJDsYg==
+VR0fBCYwJDAioCCgHoYcaHR0cDovL2U4LmMubGVuY3Iub3JnLzMyLmNybDCCAQQG
+CisGAQQB1nkCBAIEgfUEgfIA8AB2ABmG1Mcoqm/+ugNveCpNAZGqzi1yMQ+uzl1w
+QS0lTMfUAAABmlkAQokAAAQDAEcwRQIgWDtSxJfM2xcjvScVHOkn8bipzBhNhTnm
+B89TDh1/4XUCIQDe08W33PCx2D+akCdW9U9mZKQpIW6deLZSI3ZWpSNKMAB2AA5X
+lLzzrqk+MxssmQez95Dfm8I9cTIl3SGpJaxhxU4hAAABmlkAQn8AAAQDAEcwRQIg
+KnojmNTpNk1OFTQI0EnlPa2bpwqmUgmUCLeqE6SWfgoCIQCrhZbxYPHbGLF/HpRq
+vCTcOh24SRCuxlkqtaowbbfmKjAKBggqhkjOPQQDAwNoADBlAjEArstFIC+KAsfQ
+nLhtqsaNzkhftN5adDyr2CoE0WUPF1sLDi+xDnDO+JgIPL0YKAFNAjATJ4omhpc+
+I6/kWcef2RyO9YCGQQE9pdez5CYKb9o8YAntDSHM3b5nXXj3AX/USdQ=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIEVjCCAj6gAwIBAgIQY5WTY8JOcIJxWRi/w9ftVjANBgkqhkiG9w0BAQsFADBP
--- a/cli/ssl/.ssl/local-privkey.pem
+++ b/cli/ssl/.ssl/local-privkey.pem
@@ -1,5 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfJZOkvawA0vBMw9W
-ph8i1Z+SJQrFscPbqSYpxngzEDahRANCAATZxUyiN/yJdkYud41+eR7kswkjHJMR
-4Zs058K/hI5Hgr83g6Sm+RRVsfZtG9f324T2NornXljjw/M8D/j5bXNM
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgInXN4JRnXNTjx7rM
+avurZrN1EV1iebQeNUlMlFp7VJ+hRANCAAQ5qHlku5RCnel0wHEFadPoTr9qZb0t
+6sooQR3Lc1zyIDAb0uWc8fTPebtr3CASGkUR2UtGv6o742FJGe/r5QXk
 -----END PRIVATE KEY-----
--- a/cli/ssl/.ssl/sub-fullchain.pem
+++ b/cli/ssl/.ssl/sub-fullchain.pem
@@ -1,52 +1,52 @@
 -----BEGIN CERTIFICATE-----
-MIIEWDCCA96gAwIBAgISBbvrSsjDQm4zevwwjxFGmeTMMAoGCCqGSM49BAMDMDIx
+MIIEVzCCA92gAwIBAgISBm54VdkoqD8s8efq7ceHaTihMAoGCCqGSM49BAMDMDIx
 CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
-NzAeFw0yNTEwMDIxMDUyNTdaFw0yNTEyMzExMDUyNTZaMCExHzAdBgNVBAMMFiou
-YXV0aC5sb2NhbC5uaG9zdC5ydW4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATG
-x0o7t0pSrOoFc+pljtqJVxgaSW+w9D9C2WdysMeSKKOU+0MzaM4ynLUhETOpBs8E
-612mdcoeak+G1Emj6UVwo4IC4zCCAt8wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
-MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ+
-lVsLiXSRLAECs9OgkCEBS7jMmzAfBgNVHSMEGDAWgBSuSJ7chx1EoG/aouVgdAR4
-wpwAgDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNy5pLmxl
+ODAeFw0yNTExMDYxMDUyMjBaFw0yNjAyMDQxMDUyMTlaMCExHzAdBgNVBAMMFiou
+YXV0aC5sb2NhbC5uaG9zdC5ydW4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASI
+rTkZOM4ip42DCyDADXGc7oV3+OkimyTM3st2RIZWG28rFRwH0LebJV2cduq1Hdtl
+VxIEr+RhvyIL7gllueXUo4IC4jCCAt4wDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
+MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTw
+bM86O381+aljU3oTUvwhZ90PCDAfBgNVHSMEGDAWgBSPDROi9i5+0VBsMxg4XVmO
+I3KRyjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lOC5pLmxl
 bmNyLm9yZy8wgd4GA1UdEQSB1jCB04IWKi5hdXRoLmxvY2FsLm5ob3N0LnJ1boIb
 Ki5kYXNoYm9hcmQubG9jYWwubmhvc3QucnVughQqLmRiLmxvY2FsLm5ob3N0LnJ1
 boIbKi5mdW5jdGlvbnMubG9jYWwubmhvc3QucnVughkqLmdyYXBocWwubG9jYWwu
 bmhvc3QucnVughgqLmhhc3VyYS5sb2NhbC5uaG9zdC5ydW6CGSoubWFpbGhvZy5s
 b2NhbC5uaG9zdC5ydW6CGSouc3RvcmFnZS5sb2NhbC5uaG9zdC5ydW4wEwYDVR0g
-BAwwCjAIBgZngQwBAgEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2U3LmMubGVu
-Y3Iub3JnLzc3LmNybDCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB2AN3cyjSV1+EW
-BeeVMvrHn/g9HFDf2wA6FBJ2Ciysu8gqAAABmaTDUHkAAAQDAEcwRQIgWudJ8XKA
-BT5jq5Tl0xQLNb953pBi22Tb0TIWk+RSqHgCIQDsTrLVMFaQTV7EFCY1tFhi5qae
-SCpEwwdFcnom/nz6EAB3AO08S9boBsKkogBX28sk4jgB31Ev7cSGxXAPIN23Pj/g
-AAABmaTDWAsAAAQDAEgwRgIhALxIgIiutEwgNcGw7/cAdjFqUugct4HlZezIOLLP
-rg69AiEA8YCaK41rJDYztEKUIJEq2J2ktSqGYcl9gNKC+SiR4acwCgYIKoZIzj0E
-AwMDaAAwZQIwVG9yOiMRfKFFyFj1R8X/5U67QD84OhZ0oM0SZsVhezLedG5b8eFf
-/cWraREi8xbFAjEA/6RXweGzl08F7EtqBDoiqitScI2rbwGtP6s/evL0zXTABZD2
-ih7AGxjtg80IqIRe
+BAwwCjAIBgZngQwBAgEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2U4LmMubGVu
+Y3Iub3JnLzM0LmNybDCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AEmcm2neHXzs
+/DbezYdkprhbrwqHgBnRVVL76esp3fjDAAABmlkBVgkAAAQDAEcwRQIhANH6Ml3u
+IM4nAzwAIjIjBjn8EWbn1ZHfgwO+rlSo5rzpAiATPKE8Mx5LK1IayG5VCK1eCDyc
+rzt1HNbP9WSrpuHx+gB2ABmG1Mcoqm/+ugNveCpNAZGqzi1yMQ+uzl1wQS0lTMfU
+AAABmlkBVgcAAAQDAEcwRQIgIT/DhsIj9Aw7qf/2lknJCr907dEqC3/+QN3zlcOj
+iKoCIQCTguinYjJPZwU2dblaRQ2q7MTCMT2ZENExltxwYG3GzjAKBggqhkjOPQQD
+AwNoADBlAjEA5nFoNrLyeC079YpRvdah/HZIA/lUBh+LOo/NcEBD3aTGs2z8hU8z
+H4vMy3OnfQ9TAjBxigm7zE5/3CAcGoSOr/P0TL52nh+lO4SUVxcbKgYB8A2yo6o/
+kUkG7PiRB0uUpNw=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIEVzCCAj+gAwIBAgIRAKp18eYrjwoiCWbTi7/UuqEwDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
-WhcNMjcwMzEyMjM1OTU5WjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDELMAkGA1UEAxMCRTcwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARB6AST
-CFh/vjcwDMCgQer+VtqEkz7JANurZxLP+U9TCeioL6sp5Z8VRvRbYk4P1INBmbef
-QHJFHCxcSjKmwtvGBWpl/9ra8HW0QDsUaJW2qOJqceJ0ZVFT3hbUHifBM/2jgfgw
-gfUwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
-ATASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSuSJ7chx1EoG/aouVgdAR4
-wpwAgDAfBgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcB
-AQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0g
-BAwwCjAIBgZngQwBAgEwJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVu
-Y3Iub3JnLzANBgkqhkiG9w0BAQsFAAOCAgEAjx66fDdLk5ywFn3CzA1w1qfylHUD
-aEf0QZpXcJseddJGSfbUUOvbNR9N/QQ16K1lXl4VFyhmGXDT5Kdfcr0RvIIVrNxF
-h4lqHtRRCP6RBRstqbZ2zURgqakn/Xip0iaQL0IdfHBZr396FgknniRYFckKORPG
-yM3QKnd66gtMst8I5nkRQlAg/Jb+Gc3egIvuGKWboE1G89NTsN9LTDD3PLj0dUMr
-OIuqVjLB8pEC6yk9enrlrqjXQgkLEYhXzq7dLafv5Vkig6Gl0nuuqjqfp0Q1bi1o
-yVNAlXe6aUXw92CcghC9bNsKEO1+M52YY5+ofIXlS/SEQbvVYYBLZ5yeiglV6t3S
-M6H+vTG0aP9YHzLn/KVOHzGQfXDP7qM5tkf+7diZe7o2fw6O7IvN6fsQXEQQj8TJ
-UXJxv2/uJhcuy/tSDgXwHM8Uk34WNbRT7zGTGkQRX0gsbjAea/jYAoWv0ZvQRwpq
-Pe79D/i7Cep8qWnA+7AE/3B3S/3dEEYmc0lpe1366A/6GEgk3ktr9PEoQrLChs6I
-tu3wnNLB2euC8IKGLQFpGtOO/2/hiAKjyajaBP25w1jF0Wl8Bbqne3uZ2q1GyPFJ
-YRmT7/OXpmOH/FVLtwS+8ng1cAmpCujPwteJZNcDG0sF2n/sc0+SQf49fdyUK0ty
-+VUwFj9tmWxyR/M=
+MIIEVjCCAj6gAwIBAgIQY5WTY8JOcIJxWRi/w9ftVjANBgkqhkiG9w0BAQsFADBP
+MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
+Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
+Fw0yNzAzMTIyMzU5NTlaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
+bmNyeXB0MQswCQYDVQQDEwJFODB2MBAGByqGSM49AgEGBSuBBAAiA2IABNFl8l7c
+S7QMApzSsvru6WyrOq44ofTUOTIzxULUzDMMNMchIJBwXOhiLxxxs0LXeb5GDcHb
+R6EToMffgSZjO9SNHfY9gjMy9vQr5/WWOrQTZxh7az6NSNnq3u2ubT6HTKOB+DCB
+9TAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFI8NE6L2Ln7RUGwzGDhdWY4j
+cpHKMB8GA1UdIwQYMBaAFHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEB
+BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzATBgNVHSAE
+DDAKMAgGBmeBDAECATAnBgNVHR8EIDAeMBygGqAYhhZodHRwOi8veDEuYy5sZW5j
+ci5vcmcvMA0GCSqGSIb3DQEBCwUAA4ICAQBnE0hGINKsCYWi0Xx1ygxD5qihEjZ0
+RI3tTZz1wuATH3ZwYPIp97kWEayanD1j0cDhIYzy4CkDo2jB8D5t0a6zZWzlr98d
+AQFNh8uKJkIHdLShy+nUyeZxc5bNeMp1Lu0gSzE4McqfmNMvIpeiwWSYO9w82Ob8
+otvXcO2JUYi3svHIWRm3+707DUbL51XMcY2iZdlCq4Wa9nbuk3WTU4gr6LY8MzVA
+aDQG2+4U3eJ6qUF10bBnR1uuVyDYs9RhrwucRVnfuDj29CMLTsplM5f5wSV5hUpm
+Uwp/vV7M4w4aGunt74koX71n4EdagCsL/Yk5+mAQU0+tue0JOfAV/R6t1k+Xk9s2
+HMQFeoxppfzAVC04FdG9M+AC2JWxmFSt6BCuh3CEey3fE52Qrj9YM75rtvIjsm/1
+Hl+u//Wqxnu1ZQ4jpa+VpuZiGOlWrqSP9eogdOhCGisnyewWJwRQOqK16wiGyZeR
+xs/Bekw65vwSIaVkBruPiTfMOo0Zh4gVa8/qJgMbJbyrwwG97z/PRgmLKCDl8z3d
+tA0Z7qq7fta0Gl24uyuB05dqI5J1LvAzKuWdIjT1tP8qCoxSE/xpix8hX2dt3h+/
+jujUgFPFZ0EVZ0xSyBNRF3MboGZnYXFUxpNjTWPKpagDHJQmqrAcDmWJnMsFY3jS
+u1igv3OefnWjSQ==
 -----END CERTIFICATE-----
--- a/cli/ssl/.ssl/sub-privkey.pem
+++ b/cli/ssl/.ssl/sub-privkey.pem
@@ -1,5 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgrfNUSjLV/7j7LSBf
-zL/hvGEuv+uvf3/aimqjecO7vcShRANCAATGx0o7t0pSrOoFc+pljtqJVxgaSW+w
-9D9C2WdysMeSKKOU+0MzaM4ynLUhETOpBs8E612mdcoeak+G1Emj6UVw
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgcrhROXQT85e+S8h8
+RE3Z7TPo3+WA2RmzJsXJbXkbi5qhRANCAASIrTkZOM4ip42DCyDADXGc7oV3+Oki
+myTM3st2RIZWG28rFRwH0LebJV2cduq1HdtlVxIEr+RhvyIL7gllueXU
 -----END PRIVATE KEY-----
--- a/dashboard/CHANGELOG.md
+++ b/dashboard/CHANGELOG.md
@@ -1,3 +1,15 @@
+## [@nhost/dashboard@2.41.0] - 2025-11-04
+
+### 🚀 Features
+
+- *(auth)* Added endpoints to retrieve and refresh oauth2 providers' tokens (#3614)
+- *(dashboard)* Get github repositories from github itself (#3640)
+
+
+### 🐛 Bug Fixes
+
+- *(dashboard)* Update SQL editor to use correct hasura migrations API URL (#3645)
+
 # Changelog

 All notable changes to this project will be documented in this file.
--- a/dashboard/next.config.js
+++ b/dashboard/next.config.js
@@ -15,7 +15,7 @@ function getCspHeader() {
      return [
        "default-src 'self' *.nhost.run wss://*.nhost.run nhost.run wss://nhost.run",
        "script-src 'self' 'unsafe-eval' cdn.segment.com js.stripe.com challenges.cloudflare.com googletagmanager.com",
-        "connect-src 'self' *.nhost.run wss://*.nhost.run nhost.run wss://nhost.run discord.com api.segment.io api.segment.com cdn.segment.com nhost.zendesk.com",
+        "connect-src 'self' *.nhost.run wss://*.nhost.run nhost.run wss://nhost.run discord.com api.segment.io api.segment.com cdn.segment.com nhost.zendesk.com api.github.com",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' blob: data: github.com avatars.githubusercontent.com s.gravatar.com *.nhost.run nhost.run",
        "font-src 'self' data:",
@@ -126,4 +126,4 @@ module.exports = withBundleAnalyzer({
      },
    ];
  },
-});
+});
--- a/dashboard/src/features/account/settings/components/SocialProvidersSettings/SocialProvidersSettings.tsx
+++ b/dashboard/src/features/account/settings/components/SocialProvidersSettings/SocialProvidersSettings.tsx
@@ -23,7 +23,7 @@ export default function SocialProvidersSettings() {
      if (typeof window !== 'undefined') {
        return nhost.auth.signInProviderURL('github', {
          connect: token,
-          redirectTo: `${window.location.origin}/account`,
+          redirectTo: `${window.location.origin}/account?signinProvider=github`,
        });
      }
      return '';
--- a/dashboard/src/features/auth/AuthProviders/Github/components/GithubAuthButton/GithubAuthButton.tsx
+++ b/dashboard/src/features/auth/AuthProviders/Github/components/GithubAuthButton/GithubAuthButton.tsx
@@ -3,18 +3,21 @@ import {
  useGithubAuthentication,
  type UseGithubAuthenticationHookProps,
 } from '@/features/auth/AuthProviders/Github/hooks/useGithubAuthentication';
+import { cn } from '@/lib/utils';
 import { SiGithub } from '@icons-pack/react-simple-icons';

 interface Props extends UseGithubAuthenticationHookProps {
  buttonText?: string;
  withAnonId?: boolean;
  redirectTo?: string;
+  className?: string;
 }

 function GithubAuthButton({
  buttonText = 'Continue with GitHub',
  withAnonId = false,
  redirectTo,
+  className,
 }: Props) {
  const { mutate: signInWithGithub, isLoading } = useGithubAuthentication({
    withAnonId,
@@ -22,7 +25,10 @@ function GithubAuthButton({
  });
  return (
    <Button
-      className="gap-2 !bg-white text-sm+ !text-black hover:ring-2 hover:ring-white hover:ring-opacity-50 disabled:!text-black disabled:!text-opacity-60"
+      className={cn(
+        'gap-2 !bg-white text-sm+ !text-black hover:ring-2 hover:ring-white hover:ring-opacity-50 disabled:!text-black disabled:!text-opacity-60',
+        className,
+      )}
      disabled={isLoading}
      loading={isLoading}
      onClick={() => signInWithGithub()}
--- a/dashboard/src/features/auth/AuthProviders/Github/hooks/useGithubAuthentication/useGithubAuthentication.ts
+++ b/dashboard/src/features/auth/AuthProviders/Github/hooks/useGithubAuthentication/useGithubAuthentication.ts
@@ -30,8 +30,8 @@ function useGithubAuthentication({
        };
      }

-      const redirectURl = nhost.auth.signInProviderURL('github', options);
-      window.location.href = redirectURl;
+      const redirectURL = nhost.auth.signInProviderURL('github', options);
+      window.location.href = redirectURL;
    },
    {
      onError: () => {
--- a/dashboard/src/features/auth/SignIn/SignInWithGithub/SignInWithGithub.tsx
+++ b/dashboard/src/features/auth/SignIn/SignInWithGithub/SignInWithGithub.tsx
@@ -2,7 +2,7 @@ import { GithubAuthButton } from '@/features/auth/AuthProviders/Github/component
 import { useHostName } from '@/features/orgs/projects/common/hooks/useHostName';

 function SignInWithGithub() {
-  const redirectTo = useHostName();
+  const redirectTo = `${useHostName()}?signinProvider=github`;
  return (
    <GithubAuthButton
      redirectTo={redirectTo}
--- a/dashboard/src/features/auth/SignUp/SignUpWithGithub/SignUpWithGithub.tsx
+++ b/dashboard/src/features/auth/SignUp/SignUpWithGithub/SignUpWithGithub.tsx
@@ -1,8 +1,11 @@
 import { GithubAuthButton } from '@/features/auth/AuthProviders/Github/components/GithubAuthButton';
+import { useHostName } from '@/features/orgs/projects/common/hooks/useHostName';

 function SignUpWithGithub() {
+  const redirectTo = `${useHostName()}?signinProvider=github`;
  return (
    <GithubAuthButton
+      redirectTo={redirectTo}
      buttonText="Sign Up with GitHub"
      errorText="An error occurred while trying to sign up using GitHub. Please try again."
    />
--- a/dashboard/src/features/orgs/projects/git/common/components/ConnectGitHubModal/ConnectGitHubModal.tsx
+++ b/dashboard/src/features/orgs/projects/git/common/components/ConnectGitHubModal/ConnectGitHubModal.tsx
@@ -1,3 +1,4 @@
+import { ErrorMessage } from '@/components/presentational/ErrorMessage';
 import { RetryableErrorBoundary } from '@/components/presentational/RetryableErrorBoundary';
 import { ActivityIndicator } from '@/components/ui/v2/ActivityIndicator';
 import { Avatar } from '@/components/ui/v2/Avatar';
@@ -11,14 +12,33 @@ import { Link } from '@/components/ui/v2/Link';
 import { List } from '@/components/ui/v2/List';
 import { ListItem } from '@/components/ui/v2/ListItem';
 import { Text } from '@/components/ui/v2/Text';
+import { GithubAuthButton } from '@/features/auth/AuthProviders/Github/components/GithubAuthButton';
+import { useHostName } from '@/features/orgs/projects/common/hooks/useHostName';
 import { EditRepositorySettings } from '@/features/orgs/projects/git/common/components/EditRepositorySettings';
-import { useGetGithubRepositoriesQuery } from '@/generated/graphql';
+import {
+  getGitHubToken,
+  saveGitHubToken,
+} from '@/features/orgs/projects/git/common/utils';
+import { useCurrentOrg } from '@/features/orgs/projects/hooks/useCurrentOrg';
+import { useProject } from '@/features/orgs/projects/hooks/useProject';
+import { useGetAuthUserProvidersQuery } from '@/generated/graphql';
+import { useAccessToken } from '@/hooks/useAccessToken';
+import { GitHubAPIError, listGitHubInstallationRepos } from '@/lib/github';
+import { isEmptyValue } from '@/lib/utils';
+import { getToastStyleProps } from '@/utils/constants/settings';
+import { nhost } from '@/utils/nhost';
 import { Divider } from '@mui/material';
 import debounce from 'lodash.debounce';
+import NavLink from 'next/link';
 import type { ChangeEvent } from 'react';
 import { Fragment, useEffect, useMemo, useState } from 'react';
+import toast from 'react-hot-toast';

-export type ConnectGitHubModalState = 'CONNECTING' | 'EDITING';
+export type ConnectGitHubModalState =
+  | 'CONNECTING'
+  | 'EDITING'
+  | 'EXPIRED_GITHUB_SESSION'
+  | 'GITHUB_CONNECTION_REQUIRED';

 export interface ConnectGitHubModalProps {
  /**
@@ -28,18 +48,153 @@ export interface ConnectGitHubModalProps {
  close?: VoidFunction;
 }

+interface GitHubData {
+  githubAppInstallations: Array<{
+    id: number;
+    accountLogin?: string;
+    accountAvatarUrl?: string;
+  }>;
+  githubRepositories: Array<{
+    id: number;
+    node_id: string;
+    name: string;
+    fullName: string;
+    githubAppInstallation: {
+      accountLogin?: string;
+      accountAvatarUrl?: string;
+    };
+  }>;
+}
+
 export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
  const [filter, setFilter] = useState('');
  const [ConnectGitHubModalState, setConnectGitHubModalState] =
    useState<ConnectGitHubModalState>('CONNECTING');
  const [selectedRepoId, setSelectedRepoId] = useState<string | null>(null);
+  const [githubData, setGithubData] = useState<GitHubData | null>(null);
+  const [loading, setLoading] = useState(true);
+  const { project, loading: loadingProject } = useProject();
+  const { org, loading: loadingOrg } = useCurrentOrg();
+  const hostname = useHostName();
+  const token = useAccessToken();
+  const {
+    data,
+    loading: loadingGithubConnected,
+    error: errorGithubConnected,
+  } = useGetAuthUserProvidersQuery();

-  const { data, loading, error, startPolling } =
-    useGetGithubRepositoriesQuery();
+  const githubProvider = data?.authUserProviders?.find(
+    (item) => item.providerId === 'github',
+  );
+
+  const getGitHubConnectUrl = () => {
+    if (typeof window !== 'undefined') {
+      return nhost.auth.signInProviderURL('github', {
+        connect: token,
+        redirectTo: `${window.location.origin}?signinProvider=github&state=signin-refresh:${org.slug}:${project?.subdomain}`,
+      });
+    }
+    return '';
+  };

  useEffect(() => {
-    startPolling(2000);
-  }, [startPolling]);
+    if (loadingGithubConnected) {
+      return;
+    }
+
+    const fetchGitHubData = async () => {
+      try {
+        setLoading(true);
+
+        if (isEmptyValue(githubProvider)) {
+          setConnectGitHubModalState('GITHUB_CONNECTION_REQUIRED');
+          setLoading(false);
+          return;
+        }
+        const githubToken = getGitHubToken();
+
+        if (
+          !githubToken?.authUserProviderId ||
+          githubProvider!.id !== githubToken.authUserProviderId
+        ) {
+          setConnectGitHubModalState('EXPIRED_GITHUB_SESSION');
+          setLoading(false);
+          return;
+        }
+
+        const { refreshToken, expiresAt: expiresAtString } = githubToken;
+        let accessToken = githubToken?.accessToken;
+
+        const expiresAt = new Date(expiresAtString).getTime();
+
+        const currentTime = Date.now();
+        const expiresAtMargin = 60 * 1000;
+        if (expiresAt - currentTime < expiresAtMargin) {
+          if (!refreshToken) {
+            setConnectGitHubModalState('EXPIRED_GITHUB_SESSION');
+            setLoading(false);
+            return;
+          }
+
+          const refreshResponse = await nhost.auth.refreshProviderToken(
+            'github',
+            { refreshToken },
+          );
+
+          if (!refreshResponse.body) {
+            setConnectGitHubModalState('EXPIRED_GITHUB_SESSION');
+            setLoading(false);
+            return;
+          }
+
+          saveGitHubToken({
+            ...refreshResponse.body,
+            authUserProviderId: githubProvider!.id,
+          });
+
+          accessToken = refreshResponse.body.accessToken;
+        }
+
+        const installations = await listGitHubInstallationRepos(accessToken);
+
+        const transformedData = {
+          githubAppInstallations: installations.map((item) => ({
+            id: item.installation.id,
+            accountLogin: item.installation.account?.login,
+            accountAvatarUrl: item.installation.account?.avatar_url,
+          })),
+          githubRepositories: installations.flatMap((item) =>
+            item.repositories.map((repo) => ({
+              id: repo.id,
+              node_id: repo.node_id,
+              name: repo.name,
+              fullName: repo.full_name,
+              githubAppInstallation: {
+                accountLogin: item.installation.account?.login,
+                accountAvatarUrl: item.installation.account?.avatar_url,
+              },
+            })),
+          ),
+        };
+
+        setGithubData(transformedData);
+        setLoading(false);
+      } catch (err) {
+        console.error('Error fetching GitHub data:', err);
+        if (err instanceof GitHubAPIError && err.status === 401) {
+          setConnectGitHubModalState('EXPIRED_GITHUB_SESSION');
+          setLoading(false);
+          return;
+        }
+
+        toast.error(err?.message, getToastStyleProps());
+        close?.();
+      }
+    };
+
+    fetchGitHubData();
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [githubProvider, loadingGithubConnected]);

  const handleSelectAnotherRepository = () => {
    setSelectedRepoId(null);
@@ -56,13 +211,91 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {

  useEffect(() => () => handleFilterChange.cancel(), [handleFilterChange]);

-  if (error) {
-    throw error;
+  if (errorGithubConnected instanceof Error) {
+    return (
+      <div className="px-1 md:w-[653px]">
+        <div className="flex flex-col">
+          <div className="mx-auto text-center">
+            <div className="mx-auto h-8 w-8">
+              <GitHubIcon className="h-8 w-8" />
+            </div>
+          </div>
+          <div className="flex flex-col gap-2">
+            <Text className="mt-2.5 text-center text-lg font-medium">
+              Error fetching GitHub data
+            </Text>
+            <ErrorMessage>{errorGithubConnected.message}</ErrorMessage>
+          </div>
+        </div>
+      </div>
+    );
  }

-  if (loading) {
+  if (loading || loadingProject || loadingOrg || loadingGithubConnected) {
    return (
-      <ActivityIndicator delay={500} label="Loading GitHub repositories..." />
+      <div className="px-1 md:w-[653px]">
+        <div className="flex flex-col">
+          <div className="mx-auto text-center">
+            <div className="mx-auto h-8 w-8">
+              <GitHubIcon className="h-8 w-8" />
+            </div>
+          </div>
+          <div>
+            <Text className="mt-2.5 text-center text-lg font-medium">
+              Loading repositories...
+            </Text>
+            <Text className="text-center text-xs font-normal" color="secondary">
+              Fetching your GitHub repositories
+            </Text>
+            <div className="mb-2 mt-6 flex w-full">
+              <Input placeholder="Search..." fullWidth disabled value="" />
+            </div>
+          </div>
+          <div className="flex h-import items-center justify-center border-y">
+            <ActivityIndicator delay={0} label="" />
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  if (ConnectGitHubModalState === 'GITHUB_CONNECTION_REQUIRED') {
+    return (
+      <div className="flex flex-col items-center justify-center gap-5 px-1 py-1 md:w-[653px]">
+        <p className="text-center text-foreground">
+          You need to connect your GitHub account to continue.
+        </p>
+        <NavLink
+          href={getGitHubConnectUrl()}
+          passHref
+          rel="noreferrer noopener"
+          legacyBehavior
+        >
+          <Button
+            className="w-full max-w-72"
+            variant="outlined"
+            color="secondary"
+            startIcon={<GitHubIcon />}
+          >
+            Connect to GitHub
+          </Button>
+        </NavLink>
+      </div>
+    );
+  }
+
+  if (ConnectGitHubModalState === 'EXPIRED_GITHUB_SESSION') {
+    return (
+      <div className="flex w-full flex-col items-center justify-center gap-5 px-1 py-1 md:w-[653px]">
+        <p className="text-center text-foreground">
+          Please sign in with GitHub to continue.
+        </p>
+        <GithubAuthButton
+          redirectTo={`${hostname}?signinProvider=github&state=signin-refresh:${org.slug}:${project!.subdomain}`}
+          buttonText="Sign in with GitHub"
+          className="w-full max-w-72 gap-2 !bg-primary !text-white disabled:!text-white disabled:!text-opacity-60 dark:!bg-white dark:!text-black dark:disabled:!text-black"
+        />
+      </div>
    );
  }

@@ -78,25 +311,27 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
    );
  }

-  const { githubAppInstallations } = data || {};
+  const { githubAppInstallations } = githubData || {};

-  const filteredGitHubAppInstallations = data?.githubAppInstallations.filter(
-    (githubApp) => !!githubApp.accountLogin,
-  );
+  const filteredGitHubAppInstallations =
+    githubData?.githubAppInstallations.filter(
+      (githubApp) => !!githubApp.accountLogin,
+    );

-  const filteredGitHubRepositories = data?.githubRepositories.filter(
+  const filteredGitHubRepositories = githubData?.githubRepositories.filter(
    (repo) => !!repo.githubAppInstallation,
  );

  const filteredGitHubAppInstallationsNullValues =
-    data?.githubAppInstallations.filter((githubApp) => !!githubApp.accountLogin)
-      .length === 0;
+    githubData?.githubAppInstallations.filter(
+      (githubApp) => !!githubApp.accountLogin,
+    ).length === 0;

  const faultyGitHubInstallation =
    githubAppInstallations?.length === 0 ||
    filteredGitHubAppInstallationsNullValues;

-  const noRepositoriesAdded = data?.githubRepositories.length === 0;
+  const noRepositoriesAdded = githubData?.githubRepositories.length === 0;

  if (faultyGitHubInstallation) {
    return (
@@ -115,11 +350,7 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
        </div>

        <Button
-          href={process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}
-          // Both `target` and `rel` are available when `href` is set. This is
-          // a limitation of MUI.
-          // @ts-ignore
-          target="_blank"
+          href={`${process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}?state=install-github-app:${org.slug}:${project!.subdomain}`}
          rel="noreferrer noopener"
          endIcon={<ArrowSquareOutIcon className="h-4 w-4" />}
        >
@@ -179,8 +410,7 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
            </List>

            <Link
-              href={process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}
-              target="_blank"
+              href={`${process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}?state=install-github-app:${org.slug}:${project!.subdomain}`}
              rel="noreferrer noopener"
              underline="hover"
              className="grid grid-flow-col items-center justify-start gap-1"
@@ -199,8 +429,8 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
                className="text-center text-xs font-normal"
                color="secondary"
              >
-                Showing repositories from {data?.githubAppInstallations.length}{' '}
-                GitHub account(s)
+                Showing repositories from{' '}
+                {githubData?.githubAppInstallations.length} GitHub account(s)
              </Text>
              <div className="mb-2 mt-6 flex w-full">
                <Input
@@ -226,7 +456,7 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
                          <Button
                            variant="borderless"
                            color="primary"
-                            onClick={() => setSelectedRepoId(repo.id)}
+                            onClick={() => setSelectedRepoId(repo.node_id)}
                          >
                            Connect
                          </Button>
@@ -268,8 +498,7 @@ export default function ConnectGitHubModal({ close }: ConnectGitHubModalProps) {
            Do you miss a repository, or do you need to connect another GitHub
            account?{' '}
            <Link
-              href={process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}
-              target="_blank"
+              href={`${process.env.NEXT_PUBLIC_GITHUB_APP_INSTALL_URL}?state=install-github-app:${org.slug}:${project!.subdomain}`}
              rel="noreferrer noopener"
              className="text-xs font-medium"
              underline="hover"
--- a/dashboard/src/features/orgs/projects/git/common/components/EditRepositorySettings/EditRepositorySettings.tsx
+++ b/dashboard/src/features/orgs/projects/git/common/components/EditRepositorySettings/EditRepositorySettings.tsx
@@ -6,7 +6,7 @@ import { FormProvider, useForm } from 'react-hook-form';
 export interface EditRepositorySettingsProps {
  close?: () => void;
  openConnectGithubModal?: () => void;
-  selectedRepoId?: string;
+  selectedRepoId: string;
  connectGithubModalState?: ConnectGitHubModalState;
  handleSelectAnotherRepository?: () => void;
 }
--- a/dashboard/src/features/orgs/projects/git/common/components/EditRepositorySettingsModal/EditRepositorySettingsModal.tsx
+++ b/dashboard/src/features/orgs/projects/git/common/components/EditRepositorySettingsModal/EditRepositorySettingsModal.tsx
@@ -6,14 +6,14 @@ import { Text } from '@/components/ui/v2/Text';
 import { EditRepositoryAndBranchSettings } from '@/features/orgs/projects/git/common/components/EditRepositoryAndBranchSettings';
 import type { EditRepositorySettingsFormData } from '@/features/orgs/projects/git/common/components/EditRepositorySettings';
 import { useProject } from '@/features/orgs/projects/hooks/useProject';
-import { useUpdateApplicationMutation } from '@/generated/graphql';
+import { useConnectGithubRepoMutation } from '@/generated/graphql';
 import { analytics } from '@/lib/segment';
 import { discordAnnounce } from '@/utils/discordAnnounce';
 import { triggerToast } from '@/utils/toast';
 import { useFormContext } from 'react-hook-form';

 export interface EditRepositorySettingsModalProps {
-  selectedRepoId?: string;
+  selectedRepoId: string;
  close?: () => void;
  handleSelectAnotherRepository?: () => void;
 }
@@ -33,45 +33,29 @@ export default function EditRepositorySettingsModal({

  const { project, refetch: refetchProject } = useProject();

-  const [updateApp, { loading }] = useUpdateApplicationMutation();
+  const [connectGithubRepo, { loading }] = useConnectGithubRepoMutation();

  const handleEditGitHubIntegration = async (
    data: EditRepositorySettingsFormData,
  ) => {
    try {
-      if (!project?.githubRepository || selectedRepoId) {
-        await updateApp({
-          variables: {
-            appId: project?.id,
-            app: {
-              githubRepositoryId: selectedRepoId,
-              repositoryProductionBranch: data.productionBranch,
-              nhostBaseFolder: data.repoBaseFolder,
-            },
-          },
-        });
+      await connectGithubRepo({
+        variables: {
+          appID: project?.id,
+          githubNodeID: selectedRepoId,
+          productionBranch: data.productionBranch,
+          baseFolder: data.repoBaseFolder,
+        },
+      });

-        if (selectedRepoId) {
-          analytics.track('Project Connected to GitHub', {
-            projectId: project?.id,
-            projectName: project?.name,
-            projectSubdomain: project?.subdomain,
-            repositoryId: selectedRepoId,
-            productionBranch: data.productionBranch,
-            baseFolder: data.repoBaseFolder,
-          });
-        }
-      } else {
-        await updateApp({
-          variables: {
-            appId: project.id,
-            app: {
-              repositoryProductionBranch: data.productionBranch,
-              nhostBaseFolder: data.repoBaseFolder,
-            },
-          },
-        });
-      }
+      analytics.track('Project Connected to GitHub', {
+        projectId: project?.id,
+        projectName: project?.name,
+        projectSubdomain: project?.subdomain,
+        repositoryId: selectedRepoId,
+        productionBranch: data.productionBranch,
+        baseFolder: data.repoBaseFolder,
+      });

      await refetchProject();

--- a/dashboard/src/features/orgs/projects/git/common/gql/ConnectGithubRepo.gql
+++ b/dashboard/src/features/orgs/projects/git/common/gql/ConnectGithubRepo.gql
@@ -0,0 +1,13 @@
+mutation ConnectGithubRepo(
+  $appID: uuid!
+  $githubNodeID: String!
+  $productionBranch: String!
+  $baseFolder: String!
+) {
+  connectGithubRepo(
+    appID: $appID
+    githubNodeID: $githubNodeID
+    productionBranch: $productionBranch
+    baseFolder: $baseFolder
+  )
+}
--- a/dashboard/src/features/orgs/projects/git/common/hooks/useGitHubModal/useGitHubModal.tsx
+++ b/dashboard/src/features/orgs/projects/git/common/hooks/useGitHubModal/useGitHubModal.tsx
@@ -2,12 +2,12 @@ import { useDialog } from '@/components/common/DialogProvider';
 import { ConnectGitHubModal } from '@/features/orgs/projects/git/common/components/ConnectGitHubModal';

 export default function useGitHubModal() {
-  const { openAlertDialog } = useDialog();
+  const { openAlertDialog, closeAlertDialog } = useDialog();

  function openGitHubModal() {
    openAlertDialog({
      title: 'Connect GitHub Repository',
-      payload: <ConnectGitHubModal />,
+      payload: <ConnectGitHubModal close={closeAlertDialog} />,
      props: {
        hidePrimaryAction: true,
        hideSecondaryAction: true,
--- a/dashboard/src/features/orgs/projects/git/common/utils/githubTokens.ts
+++ b/dashboard/src/features/orgs/projects/git/common/utils/githubTokens.ts
@@ -0,0 +1,23 @@
+import { isNotEmptyValue } from '@/lib/utils';
+import type { ProviderSession } from '@nhost/nhost-js/auth';
+
+const githubProviderTokenKey = 'nhost_provider_tokens_github';
+
+export type GitHubProviderToken = ProviderSession & {
+  authUserProviderId?: string;
+};
+
+export function saveGitHubToken(token: GitHubProviderToken) {
+  localStorage.setItem(githubProviderTokenKey, JSON.stringify(token));
+}
+
+export function getGitHubToken() {
+  const token = localStorage.getItem(githubProviderTokenKey);
+  return isNotEmptyValue(token)
+    ? (JSON.parse(token) as GitHubProviderToken)
+    : null;
+}
+
+export function clearGitHubToken() {
+  localStorage.removeItem(githubProviderTokenKey);
+}
--- a/dashboard/src/features/orgs/projects/git/common/utils/index.ts
+++ b/dashboard/src/features/orgs/projects/git/common/utils/index.ts
@@ -0,0 +1 @@
+export * from './githubTokens';
--- a/dashboard/src/lib/github.ts
+++ b/dashboard/src/lib/github.ts
@@ -0,0 +1,99 @@
+/**
+ * Custom error class for GitHub API errors that preserves HTTP status codes
+ */
+export class GitHubAPIError extends Error {
+  constructor(
+    message: string,
+    public status: number,
+    public statusText: string,
+  ) {
+    super(message);
+    this.name = 'GitHubAPIError';
+  }
+}
+
+interface GitHubAppInstallation {
+  id: number;
+  account?: {
+    login: string;
+    avatar_url: string;
+    [key: string]: unknown;
+  }
+  [key: string]: unknown;
+}
+
+/**
+ * Lists all GitHub App installations accessible to the user
+ * @param accessToken - The GitHub OAuth access token
+ * @returns Array of app installations
+ */
+export async function listGitHubAppInstallations(accessToken: string): Promise<GitHubAppInstallation[]> {
+  const response = await fetch('https://api.github.com/user/installations', {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      Accept: 'application/vnd.github+json',
+      'X-GitHub-Api-Version': '2022-11-28',
+    },
+    cache: 'no-cache',
+  });
+
+  if (!response.ok) {
+    throw new GitHubAPIError(
+      `Failed to list installations: ${response.statusText}`,
+      response.status,
+      response.statusText
+    );
+  }
+
+  const data = await response.json();
+  return data.installations;
+}
+
+interface  GitHubRepo {
+  id: number;
+  node_id: string;
+  name: string;
+  full_name: string;
+  [key: string]: unknown;
+}
+
+/**
+ * Lists all repositories accessible through GitHub App installations
+ * @param accessToken - The GitHub OAuth access token
+ * @returns Array of repositories grouped by installation
+ */
+export async function listGitHubInstallationRepos(accessToken: string) {
+  const installations = await listGitHubAppInstallations(accessToken);
+
+  const reposByInstallation = await Promise.all(
+    installations.map(async (installation) => {
+      const response = await fetch(
+        `https://api.github.com/user/installations/${installation.id}/repositories`,
+        {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: 'application/vnd.github+json',
+            'X-GitHub-Api-Version': '2022-11-28',
+          },
+          cache: 'no-cache',
+        }
+      );
+
+      if (!response.ok) {
+        throw new GitHubAPIError(
+          `Failed to list repos for installation ${installation.id}: ${response.statusText}`,
+          response.status,
+          response.statusText
+        );
+      }
+
+      const data = await response.json();
+      return {
+        installation,
+        repositories: data.repositories as GitHubRepo[],
+      };
+    })
+  );
+
+  return reposByInstallation;
+}
--- a/dashboard/src/pages/_app.tsx
+++ b/dashboard/src/pages/_app.tsx
@@ -77,12 +77,12 @@ function MyApp({

      <CacheProvider value={emotionCache}>
        <NhostProvider nhost={nhost}>
-          <AuthProvider>
-            <NhostApolloProvider
-              fetchPolicy="cache-and-network"
-              nhost={nhost}
-              connectToDevTools={process.env.NEXT_PUBLIC_ENV === 'dev'}
-            >
+          <NhostApolloProvider
+            fetchPolicy="cache-and-network"
+            nhost={nhost}
+            connectToDevTools={process.env.NEXT_PUBLIC_ENV === 'dev'}
+          >
+            <AuthProvider>
              <UIProvider>
                <Toaster position="bottom-center" />
                <ThemeProvider
@@ -106,8 +106,8 @@ function MyApp({
                  </RetryableErrorBoundary>
                </ThemeProvider>
              </UIProvider>
-            </NhostApolloProvider>
-          </AuthProvider>
+            </AuthProvider>
+          </NhostApolloProvider>
        </NhostProvider>
      </CacheProvider>
    </QueryClientProvider>
--- a/dashboard/src/pages/github-app-installation/index.tsx
+++ b/dashboard/src/pages/github-app-installation/index.tsx
@@ -1,87 +0,0 @@
-import { LoadingScreen } from '@/components/presentational/LoadingScreen';
-import { ActivityIndicator } from '@/components/ui/v2/ActivityIndicator';
-import { nhost } from '@/utils/nhost';
-
-import { useAuth } from '@/providers/Auth';
-import { useRouter } from 'next/router';
-import type { ComponentType } from 'react';
-import { useEffect, useState } from 'react';
-
-export function authProtected<P extends JSX.IntrinsicAttributes>(
-  Comp: ComponentType<P>,
-) {
-  return function AuthProtected(props: P) {
-    const router = useRouter();
-    const { isAuthenticated, isLoading } = useAuth();
-
-    useEffect(() => {
-      if (isLoading || isAuthenticated) {
-        return;
-      }
-
-      router.push('/signin');
-    }, [isLoading, isAuthenticated, router]);
-
-    if (isLoading) {
-      return <LoadingScreen />;
-    }
-
-    return <Comp {...props} />;
-  };
-}
-
-function Page() {
-  const [state, setState] = useState({
-    error: null,
-    loading: true,
-  });
-
-  const router = useRouter();
-  const { installation_id: installationId } = router.query;
-
-  useEffect(() => {
-    async function installGithubApp() {
-      try {
-        await nhost.functions.fetch('/client/github-app-installation', {
-          method: 'POST',
-          body: JSON.stringify({
-            installationId,
-          }),
-          headers: {
-            'Content-Type': 'application/json',
-          },
-        });
-      } catch (error) {
-        setState({
-          error,
-          loading: false,
-        });
-
-        return;
-      }
-
-      setState({
-        error: null,
-        loading: false,
-      });
-
-      window.close();
-    }
-
-    // run in async manner
-    installGithubApp();
-  }, [installationId]);
-
-  if (state.loading) {
-    return <ActivityIndicator delay={500} label="Loading..." />;
-  }
-
-  if (state.error) {
-    // eslint-disable-next-line @typescript-eslint/no-throw-literal
-    throw state.error;
-  }
-
-  return <div>GitHub connection completed. You can close this tab.</div>;
-}
-
-export default authProtected(Page);
--- a/dashboard/src/pages/orgs/[orgSlug]/projects/[appSubdomain]/settings/git.tsx
+++ b/dashboard/src/pages/orgs/[orgSlug]/projects/[appSubdomain]/settings/git.tsx
@@ -1,12 +1,38 @@
 import { Container } from '@/components/layout/Container';
 import { OrgLayout } from '@/features/orgs/layout/OrgLayout';
 import { SettingsLayout } from '@/features/orgs/layout/SettingsLayout';
+import { useGitHubModal } from '@/features/orgs/projects/git/common/hooks/useGitHubModal';
 import { BaseDirectorySettings } from '@/features/orgs/projects/git/settings/components/BaseDirectorySettings';
 import { DeploymentBranchSettings } from '@/features/orgs/projects/git/settings/components/DeploymentBranchSettings';
 import { GitConnectionSettings } from '@/features/orgs/projects/git/settings/components/GitConnectionSettings';
-import type { ReactElement } from 'react';
+import { useRouter } from 'next/router';
+import { useCallback, useEffect, type ReactElement } from 'react';

 export default function GitSettingsPage() {
+  const router = useRouter();
+  const { pathname, replace, isReady: isRouterReady } = router;
+  const { 'github-modal': githubModal, ...remainingQuery } = router.query;
+  const { openGitHubModal } = useGitHubModal();
+
+  const removeQueryParamsFromURL = useCallback(() => {
+    replace({ pathname, query: remainingQuery }, undefined, {
+      shallow: true,
+    });
+  }, [replace, remainingQuery, pathname]);
+
+  useEffect(() => {
+    if (!isRouterReady) {
+      return;
+    }
+
+    if (typeof githubModal === 'string') {
+      removeQueryParamsFromURL();
+
+      openGitHubModal();
+    }
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [githubModal, isRouterReady]);
+
  return (
    <Container
      className="grid max-w-5xl grid-flow-row gap-y-6 bg-transparent"
--- a/dashboard/src/providers/Auth/AuthProvider.tsx
+++ b/dashboard/src/providers/Auth/AuthProvider.tsx
@@ -1,19 +1,27 @@
+import {
+  clearGitHubToken,
+  saveGitHubToken,
+  type GitHubProviderToken,
+} from '@/features/orgs/projects/git/common/utils';
+import { isNotEmptyValue } from '@/lib/utils';
 import { useNhostClient } from '@/providers/nhost/';
+import { useGetAuthUserProvidersLazyQuery } from '@/utils/__generated__/graphql';
 import { getToastStyleProps } from '@/utils/constants/settings';
 import { type Session } from '@nhost/nhost-js/auth';
 import { useRouter } from 'next/router';
 import {
-  type PropsWithChildren,
  useCallback,
  useEffect,
  useMemo,
  useState,
+  type PropsWithChildren,
 } from 'react';
 import { toast } from 'react-hot-toast';
 import { AuthContext, type AuthContextType } from './AuthContext';

 function AuthProvider({ children }: PropsWithChildren) {
  const nhost = useNhostClient();
+  const [getAuthUserProviders] = useGetAuthUserProvidersLazyQuery();
  const {
    query,
    isReady: isRouterReady,
@@ -21,7 +29,15 @@ function AuthProvider({ children }: PropsWithChildren) {
    pathname,
    push,
  } = useRouter();
-  const { refreshToken, error, errorDescription, ...remainingQuery } = query;
+  const {
+    refreshToken,
+    error,
+    errorDescription,
+    signinProvider,
+    state,
+    provider_state: providerState,
+    ...remainingQuery
+  } = query;
  const [session, setSession] = useState<Session | null>(null);
  const [isLoading, setIsLoading] = useState(true);
  const [isSigningOut, setIsSigningOut] = useState(false);
@@ -55,7 +71,6 @@ function AuthProvider({ children }: PropsWithChildren) {
        return;
      }
      setIsLoading(true);
-      // reset state if we have just signed out
      setIsSigningOut(false);
      if (refreshToken && typeof refreshToken === 'string') {
        const sessionResponse = await nhost.auth.refreshToken({
@@ -63,24 +78,84 @@ function AuthProvider({ children }: PropsWithChildren) {
        });
        setSession(sessionResponse.body);
        removeQueryParamsFromURL();
+
+        if (sessionResponse.body && signinProvider === 'github') {
+          try {
+            const providerTokensResponse =
+              await nhost.auth.getProviderTokens(signinProvider);
+            if (providerTokensResponse.body) {
+              const { data } = await getAuthUserProviders();
+              const githubProvider = data?.authUserProviders?.find(
+                (provider) => provider.providerId === 'github',
+              );
+              const newGitHubToken: GitHubProviderToken =
+                providerTokensResponse.body;
+              if (isNotEmptyValue(githubProvider?.id)) {
+                newGitHubToken.authUserProviderId = githubProvider!.id;
+              }
+              saveGitHubToken(newGitHubToken);
+            }
+          } catch (err) {
+            console.error('Failed to fetch provider tokens:', err);
+          }
+        }
      } else {
        const currentSession = nhost.getUserSession();
        setSession(currentSession);
      }

-      // handle OAuth redirect errors (e.g., error=unverified-user)
+      if (
+        state &&
+        typeof state === 'string' &&
+        state.startsWith('signin-refresh:')
+      ) {
+        const [, orgSlug, projectSubdomain] = state.split(':');
+        removeQueryParamsFromURL();
+        await push(
+          `/orgs/${orgSlug}/projects/${projectSubdomain}/settings/git?github-modal`,
+        );
+      }
+
      if (typeof error === 'string') {
-        if (error === 'unverified-user') {
-          removeQueryParamsFromURL();
-          await push('/email/verify');
-        } else {
-          const description =
-            typeof errorDescription === 'string'
-              ? errorDescription
-              : 'An error occurred during the sign-in process. Please try again.';
-          toast.error(description, getToastStyleProps());
-          removeQueryParamsFromURL();
-          await push('/signin');
+        switch (error) {
+          case 'unverified-user': {
+            removeQueryParamsFromURL();
+            await push('/email/verify');
+            break;
+          }
+
+          /*
+           * If the state isn't handled by Hasura auth, it returns `invalid-state`.
+           * However, we check the provider_state search param to see if it has this format:
+           * `install-github-app:<org-slug>:<project-subdomain>`.
+           * If it has this format, that means that we connected to GitHub in `/settings/git`,
+           * thus we need to show the connect GitHub modal again.
+           * Otherwise, we fall through to default error handling.
+           */
+          case 'invalid-state': {
+            if (
+              isNotEmptyValue(providerState) &&
+              typeof providerState === 'string' &&
+              providerState.startsWith('install-github-app:')
+            ) {
+              const [, orgSlug, projectSubdomain] = providerState.split(':');
+              removeQueryParamsFromURL();
+              await push(
+                `/orgs/${orgSlug}/projects/${projectSubdomain}/settings/git?github-modal`,
+              );
+              break;
+            }
+            // Fall through to default error handling if state search param is invalid
+          }
+          default: {
+            const description =
+              typeof errorDescription === 'string'
+                ? errorDescription
+                : 'An error occurred during the sign-in process. Please try again.';
+            toast.error(description, getToastStyleProps());
+            removeQueryParamsFromURL();
+            await push('/signin');
+          }
        }
      }

@@ -103,6 +178,7 @@ function AuthProvider({ children }: PropsWithChildren) {
        nhost.auth.signOut({
          refreshToken: session!.refreshToken,
        });
+        clearGitHubToken();

        await push('/signin');
      },
--- a/dashboard/src/tests/testUtils.tsx
+++ b/dashboard/src/tests/testUtils.tsx
@@ -108,16 +108,16 @@ function Providers({ children }: PropsWithChildren<{}>) {
        <QueryClientProvider client={queryClient}>
          <CacheProvider value={emotionCache}>
            <NhostProvider nhost={nhost}>
-              <AuthProvider>
-                <ApolloProvider client={mockClient}>
+              <ApolloProvider client={mockClient}>
+                <AuthProvider>
                  <UIProvider>
                    <Toaster position="bottom-center" />
                    <ThemeProvider theme={theme}>
                      <DialogProvider>{children}</DialogProvider>
                    </ThemeProvider>
                  </UIProvider>
-                </ApolloProvider>
-              </AuthProvider>
+                </AuthProvider>
+              </ApolloProvider>
            </NhostProvider>
          </CacheProvider>
        </QueryClientProvider>
--- a/dashboard/src/utils/generated/graphql.ts
+++ b/dashboard/src/utils/generated/graphql.ts
@@ -3118,7 +3118,9 @@ export type ConfigSystemConfigPostgres = {
  database: Scalars['String'];
  disk?: Maybe<ConfigSystemConfigPostgresDisk>;
  enabled?: Maybe<Scalars['Boolean']>;
+  encryptColumnKey?: Maybe<Scalars['String']>;
  majorVersion?: Maybe<Scalars['String']>;
+  oldEncryptColumnKey?: Maybe<Scalars['String']>;
 };

 export type ConfigSystemConfigPostgresComparisonExp = {
@@ -3129,7 +3131,9 @@ export type ConfigSystemConfigPostgresComparisonExp = {
  database?: InputMaybe<ConfigStringComparisonExp>;
  disk?: InputMaybe<ConfigSystemConfigPostgresDiskComparisonExp>;
  enabled?: InputMaybe<ConfigBooleanComparisonExp>;
+  encryptColumnKey?: InputMaybe<ConfigStringComparisonExp>;
  majorVersion?: InputMaybe<ConfigStringComparisonExp>;
+  oldEncryptColumnKey?: InputMaybe<ConfigStringComparisonExp>;
 };

 export type ConfigSystemConfigPostgresConnectionString = {
@@ -3193,7 +3197,9 @@ export type ConfigSystemConfigPostgresInsertInput = {
  database: Scalars['String'];
  disk?: InputMaybe<ConfigSystemConfigPostgresDiskInsertInput>;
  enabled?: InputMaybe<Scalars['Boolean']>;
+  encryptColumnKey?: InputMaybe<Scalars['String']>;
  majorVersion?: InputMaybe<Scalars['String']>;
+  oldEncryptColumnKey?: InputMaybe<Scalars['String']>;
 };

 export type ConfigSystemConfigPostgresUpdateInput = {
@@ -3201,7 +3207,9 @@ export type ConfigSystemConfigPostgresUpdateInput = {
  database?: InputMaybe<Scalars['String']>;
  disk?: InputMaybe<ConfigSystemConfigPostgresDiskUpdateInput>;
  enabled?: InputMaybe<Scalars['Boolean']>;
+  encryptColumnKey?: InputMaybe<Scalars['String']>;
  majorVersion?: InputMaybe<Scalars['String']>;
+  oldEncryptColumnKey?: InputMaybe<Scalars['String']>;
 };

 export type ConfigSystemConfigUpdateInput = {
@@ -4426,6 +4434,7 @@ export type Apps = {
  billingDedicatedCompute?: Maybe<Billing_Dedicated_Compute>;
  /** An object relationship */
  billingSubscriptions?: Maybe<Billing_Subscriptions>;
+  /** main entrypoint to the configuration */
  config?: Maybe<ConfigConfig>;
  createdAt: Scalars['timestamptz'];
  /** An object relationship */
@@ -11094,6 +11103,7 @@ export type Deployments = {
  commitSHA: Scalars['String'];
  commitUserAvatarUrl?: Maybe<Scalars['String']>;
  commitUserName?: Maybe<Scalars['String']>;
+  createdAt: Scalars['timestamptz'];
  deploymentEndedAt?: Maybe<Scalars['timestamptz']>;
  /** An array relationship */
  deploymentLogs: Array<DeploymentLogs>;
@@ -11191,6 +11201,7 @@ export type Deployments_Bool_Exp = {
  commitSHA?: InputMaybe<String_Comparison_Exp>;
  commitUserAvatarUrl?: InputMaybe<String_Comparison_Exp>;
  commitUserName?: InputMaybe<String_Comparison_Exp>;
+  createdAt?: InputMaybe<Timestamptz_Comparison_Exp>;
  deploymentEndedAt?: InputMaybe<Timestamptz_Comparison_Exp>;
  deploymentLogs?: InputMaybe<DeploymentLogs_Bool_Exp>;
  deploymentLogs_aggregate?: InputMaybe<DeploymentLogs_Aggregate_Bool_Exp>;
@@ -11222,6 +11233,7 @@ export type Deployments_Insert_Input = {
  commitSHA?: InputMaybe<Scalars['String']>;
  commitUserAvatarUrl?: InputMaybe<Scalars['String']>;
  commitUserName?: InputMaybe<Scalars['String']>;
+  createdAt?: InputMaybe<Scalars['timestamptz']>;
  deploymentEndedAt?: InputMaybe<Scalars['timestamptz']>;
  deploymentLogs?: InputMaybe<DeploymentLogs_Arr_Rel_Insert_Input>;
  deploymentStartedAt?: InputMaybe<Scalars['timestamptz']>;
@@ -11246,6 +11258,7 @@ export type Deployments_Max_Fields = {
  commitSHA?: Maybe<Scalars['String']>;
  commitUserAvatarUrl?: Maybe<Scalars['String']>;
  commitUserName?: Maybe<Scalars['String']>;
+  createdAt?: Maybe<Scalars['timestamptz']>;
  deploymentEndedAt?: Maybe<Scalars['timestamptz']>;
  deploymentStartedAt?: Maybe<Scalars['timestamptz']>;
  deploymentStatus?: Maybe<Scalars['String']>;
@@ -11268,6 +11281,7 @@ export type Deployments_Max_Order_By = {
  commitSHA?: InputMaybe<Order_By>;
  commitUserAvatarUrl?: InputMaybe<Order_By>;
  commitUserName?: InputMaybe<Order_By>;
+  createdAt?: InputMaybe<Order_By>;
  deploymentEndedAt?: InputMaybe<Order_By>;
  deploymentStartedAt?: InputMaybe<Order_By>;
  deploymentStatus?: InputMaybe<Order_By>;
@@ -11291,6 +11305,7 @@ export type Deployments_Min_Fields = {
  commitSHA?: Maybe<Scalars['String']>;
  commitUserAvatarUrl?: Maybe<Scalars['String']>;
  commitUserName?: Maybe<Scalars['String']>;
+  createdAt?: Maybe<Scalars['timestamptz']>;
  deploymentEndedAt?: Maybe<Scalars['timestamptz']>;
  deploymentStartedAt?: Maybe<Scalars['timestamptz']>;
  deploymentStatus?: Maybe<Scalars['String']>;
@@ -11313,6 +11328,7 @@ export type Deployments_Min_Order_By = {
  commitSHA?: InputMaybe<Order_By>;
  commitUserAvatarUrl?: InputMaybe<Order_By>;
  commitUserName?: InputMaybe<Order_By>;
+  createdAt?: InputMaybe<Order_By>;
  deploymentEndedAt?: InputMaybe<Order_By>;
  deploymentStartedAt?: InputMaybe<Order_By>;
  deploymentStatus?: InputMaybe<Order_By>;
@@ -11359,6 +11375,7 @@ export type Deployments_Order_By = {
  commitSHA?: InputMaybe<Order_By>;
  commitUserAvatarUrl?: InputMaybe<Order_By>;
  commitUserName?: InputMaybe<Order_By>;
+  createdAt?: InputMaybe<Order_By>;
  deploymentEndedAt?: InputMaybe<Order_By>;
  deploymentLogs_aggregate?: InputMaybe<DeploymentLogs_Aggregate_Order_By>;
  deploymentStartedAt?: InputMaybe<Order_By>;
@@ -11393,6 +11410,8 @@ export enum Deployments_Select_Column {
  /** column name */
  CommitUserName = 'commitUserName',
  /** column name */
+  CreatedAt = 'createdAt',
+  /** column name */
  DeploymentEndedAt = 'deploymentEndedAt',
  /** column name */
  DeploymentStartedAt = 'deploymentStartedAt',
@@ -11427,6 +11446,7 @@ export type Deployments_Set_Input = {
  commitSHA?: InputMaybe<Scalars['String']>;
  commitUserAvatarUrl?: InputMaybe<Scalars['String']>;
  commitUserName?: InputMaybe<Scalars['String']>;
+  createdAt?: InputMaybe<Scalars['timestamptz']>;
  deploymentEndedAt?: InputMaybe<Scalars['timestamptz']>;
  deploymentStartedAt?: InputMaybe<Scalars['timestamptz']>;
  deploymentStatus?: InputMaybe<Scalars['String']>;
@@ -11457,6 +11477,7 @@ export type Deployments_Stream_Cursor_Value_Input = {
  commitSHA?: InputMaybe<Scalars['String']>;
  commitUserAvatarUrl?: InputMaybe<Scalars['String']>;
  commitUserName?: InputMaybe<Scalars['String']>;
+  createdAt?: InputMaybe<Scalars['timestamptz']>;
  deploymentEndedAt?: InputMaybe<Scalars['timestamptz']>;
  deploymentStartedAt?: InputMaybe<Scalars['timestamptz']>;
  deploymentStatus?: InputMaybe<Scalars['String']>;
@@ -11485,6 +11506,8 @@ export enum Deployments_Update_Column {
  /** column name */
  CommitUserName = 'commitUserName',
  /** column name */
+  CreatedAt = 'createdAt',
+  /** column name */
  DeploymentEndedAt = 'deploymentEndedAt',
  /** column name */
  DeploymentStartedAt = 'deploymentStartedAt',
@@ -13067,6 +13090,7 @@ export type Mutation_Root = {
  billingUpgradeFreeOrganization: Scalars['String'];
  billingUploadReports: Scalars['Boolean'];
  changeDatabaseVersion: Scalars['Boolean'];
+  connectGithubRepo: Scalars['Boolean'];
  /** delete single row from the table: "announcements_read" */
  deleteAnnouncementRead?: Maybe<Announcements_Read>;
  /** delete data from the table: "announcements_read" */
@@ -13968,6 +13992,15 @@ export type Mutation_RootChangeDatabaseVersionArgs = {
 };


+/** mutation root */
+export type Mutation_RootConnectGithubRepoArgs = {
+  appID: Scalars['uuid'];
+  baseFolder: Scalars['String'];
+  githubNodeID: Scalars['String'];
+  productionBranch: Scalars['String'];
+};
+
+
 /** mutation root */
 export type Mutation_RootDeleteAnnouncementReadArgs = {
  id: Scalars['uuid'];
@@ -27517,6 +27550,16 @@ export type ResetDatabasePasswordMutationVariables = Exact<{

 export type ResetDatabasePasswordMutation = { __typename?: 'mutation_root', resetPostgresPassword: boolean };

+export type ConnectGithubRepoMutationVariables = Exact<{
+  appID: Scalars['uuid'];
+  githubNodeID: Scalars['String'];
+  productionBranch: Scalars['String'];
+  baseFolder: Scalars['String'];
+}>;
+
+
+export type ConnectGithubRepoMutation = { __typename?: 'mutation_root', connectGithubRepo: boolean };
+
 export type GetHasuraSettingsQueryVariables = Exact<{
  appId: Scalars['uuid'];
 }>;
@@ -29446,6 +29489,45 @@ export function useResetDatabasePasswordMutation(baseOptions?: Apollo.MutationHo
 export type ResetDatabasePasswordMutationHookResult = ReturnType<typeof useResetDatabasePasswordMutation>;
 export type ResetDatabasePasswordMutationResult = Apollo.MutationResult<ResetDatabasePasswordMutation>;
 export type ResetDatabasePasswordMutationOptions = Apollo.BaseMutationOptions<ResetDatabasePasswordMutation, ResetDatabasePasswordMutationVariables>;
+export const ConnectGithubRepoDocument = gql`
+    mutation ConnectGithubRepo($appID: uuid!, $githubNodeID: String!, $productionBranch: String!, $baseFolder: String!) {
+  connectGithubRepo(
+    appID: $appID
+    githubNodeID: $githubNodeID
+    productionBranch: $productionBranch
+    baseFolder: $baseFolder
+  )
+}
+    `;
+export type ConnectGithubRepoMutationFn = Apollo.MutationFunction<ConnectGithubRepoMutation, ConnectGithubRepoMutationVariables>;
+
+/**
+ * __useConnectGithubRepoMutation__
+ *
+ * To run a mutation, you first call `useConnectGithubRepoMutation` within a React component and pass it any options that fit your needs.
+ * When your component renders, `useConnectGithubRepoMutation` returns a tuple that includes:
+ * - A mutate function that you can call at any time to execute the mutation
+ * - An object with fields that represent the current status of the mutation's execution
+ *
+ * @param baseOptions options that will be passed into the mutation, supported options are listed on: https://www.apollographql.com/docs/react/api/react-hooks/#options-2;
+ *
+ * @example
+ * const [connectGithubRepoMutation, { data, loading, error }] = useConnectGithubRepoMutation({
+ *   variables: {
+ *      appID: // value for 'appID'
+ *      githubNodeID: // value for 'githubNodeID'
+ *      productionBranch: // value for 'productionBranch'
+ *      baseFolder: // value for 'baseFolder'
+ *   },
+ * });
+ */
+export function useConnectGithubRepoMutation(baseOptions?: Apollo.MutationHookOptions<ConnectGithubRepoMutation, ConnectGithubRepoMutationVariables>) {
+        const options = {...defaultOptions, ...baseOptions}
+        return Apollo.useMutation<ConnectGithubRepoMutation, ConnectGithubRepoMutationVariables>(ConnectGithubRepoDocument, options);
+      }
+export type ConnectGithubRepoMutationHookResult = ReturnType<typeof useConnectGithubRepoMutation>;
+export type ConnectGithubRepoMutationResult = Apollo.MutationResult<ConnectGithubRepoMutation>;
+export type ConnectGithubRepoMutationOptions = Apollo.BaseMutationOptions<ConnectGithubRepoMutation, ConnectGithubRepoMutationVariables>;
 export const GetHasuraSettingsDocument = gql`
    query GetHasuraSettings($appId: uuid!) {
  config(appID: $appId, resolve: false) {
--- a/docs/reference/cli/commands.mdx
+++ b/docs/reference/cli/commands.mdx
@@ -254,7 +254,7 @@ Start local development environment

 **--ca-certificates**="": Mounts and everrides path to CA certificates in the containers

-**--dashboard-version**="": Dashboard version to use (default: nhost/dashboard:2.40.0)
+**--dashboard-version**="": Dashboard version to use (default: nhost/dashboard:2.41.0)

 **--disable-tls**: Disable TLS

@@ -284,7 +284,7 @@ Start local development environment connected to an Nhost Cloud project (BETA)

 **--ca-certificates**="": Mounts and everrides path to CA certificates in the containers

-**--dashboard-version**="": Dashboard version to use (default: nhost/dashboard:2.40.0)
+**--dashboard-version**="": Dashboard version to use (default: nhost/dashboard:2.41.0)

 **--disable-tls**: Disable TLS

--- a/docs/reference/storage.yaml
+++ b/docs/reference/storage.yaml
@@ -206,8 +206,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Surrogate-Key:
              description: "Cache key for surrogate caching"
              schema:
@@ -248,8 +247,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Surrogate-Key:
              description: "Cache key for surrogate caching"
              schema:
@@ -391,8 +389,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Accept-Ranges:
              description: "Always set to bytes. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Ranges"
              schema:
@@ -675,8 +672,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Surrogate-Key:
              description: "Cache key for surrogate caching"
              schema:
@@ -717,8 +713,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Surrogate-Key:
              description: "Cache key for surrogate caching"
              schema:
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/jackc/pgx/v5 v5.7.2
 	github.com/lmittmann/tint v1.0.7
 	github.com/mark3labs/mcp-go v0.41.1
-	github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48
+	github.com/nhost/be v0.0.0-20251106114258-352de15d30f5
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/pb33f/libopenapi v0.21.12
 	github.com/pelletier/go-toml/v2 v2.2.4
@@ -154,7 +154,7 @@ require (
 	github.com/prometheus/common v0.63.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/quic-go/quic-go v0.54.0 // indirect
+	github.com/quic-go/quic-go v0.54.1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rs/cors v1.11.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -336,8 +336,8 @@ github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48 h1:+Oh4Rbr1psWlBaQTakoBYFNB8jBioiXuimNMaNPLTHk=
-github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48/go.mod h1:feVvqP3dft8hWbp9zNZExdGKbFEYv8aLYohfyAeINNQ=
+github.com/nhost/be v0.0.0-20251106114258-352de15d30f5 h1:D1n4dI9LBk6W61/RIQClauPailPHXIp2V7okg6KQMlk=
+github.com/nhost/be v0.0.0-20251106114258-352de15d30f5/go.mod h1:5aMnG2R3UQWFLlb3BcA0btBleWIn1ez3pSwg37YthuA=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/oapi-codegen/runtime v1.1.1 h1:EXLHh0DXIJnWhdRPN2w4MXAzFyE4CskzhNLUmtpMYro=
 github.com/oapi-codegen/runtime v1.1.1/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
@@ -381,8 +381,8 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d h1:HWfigq
 github.com/protocolbuffers/txtpbfmt v0.0.0-20241112170944-20d2c9ebc01d/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
 github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
-github.com/quic-go/quic-go v0.54.0 h1:6s1YB9QotYI6Ospeiguknbp2Znb/jZYjZLRXn9kMQBg=
-github.com/quic-go/quic-go v0.54.0/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/quic-go/quic-go v0.54.1 h1:4ZAWm0AhCb6+hE+l5Q1NAL0iRn/ZrMwqHRGQiFwj2eg=
+github.com/quic-go/quic-go v0.54.1/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
--- a/services/storage/CHANGELOG.md
+++ b/services/storage/CHANGELOG.md
@@ -1,3 +1,9 @@
+## [storage@0.9.1] - 2025-11-06
+
+### 🐛 Bug Fixes
+
+- *(storage)* Format date-time headers with RFC2822 (#3672)
+
 ## [storage@0.9.0] - 2025-11-04

 ### 🚀 Features
--- a/services/storage/api/datetime.go
+++ b/services/storage/api/datetime.go
@@ -6,7 +6,7 @@ import (

 const format = time.RFC1123

-type Time time.Time
+type Time time.Time //nolint:recvcheck

 func (dt *Time) UnmarshalText(text []byte) error {
 	if len(text) == 0 || string(text) == `""` {
@@ -24,6 +24,14 @@ func (dt *Time) UnmarshalText(text []byte) error {
 	return nil
 }

+func (dt Time) String() string {
+	if time.Time(dt).IsZero() {
+		return ""
+	}
+
+	return time.Time(dt).Format(format)
+}
+
 func Date(year int, month time.Month, day, hour, minute, sec, nsec int, loc *time.Location) Time {
 	return Time(time.Date(year, month, day, hour, minute, sec, nsec, loc))
 }
--- a/services/storage/api/server.gen.go
+++ b/services/storage/api/server.gen.go
@@ -16,7 +16,6 @@ import (
 	"net/url"
 	"path"
 	"strings"
-	"time"

 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/gin-gonic/gin"
@@ -998,7 +997,7 @@ type GetFile200ResponseHeaders struct {
 	ContentDisposition string
 	ContentType        string
 	Etag               string
-	LastModified       time.Time
+	LastModified       RFC2822Date
 	SurrogateControl   string
 	SurrogateKey       string
 }
@@ -1037,7 +1036,7 @@ type GetFile206ResponseHeaders struct {
 	ContentRange       string
 	ContentType        string
 	Etag               string
-	LastModified       time.Time
+	LastModified       RFC2822Date
 	SurrogateControl   string
 	SurrogateKey       string
 }
@@ -1138,7 +1137,7 @@ type GetFileMetadataHeaders200ResponseHeaders struct {
 	ContentLength      int
 	ContentType        string
 	Etag               string
-	LastModified       time.Time
+	LastModified       RFC2822Date
 	SurrogateControl   string
 	SurrogateKey       string
 }
@@ -1287,7 +1286,7 @@ type GetFileWithPresignedURL200ResponseHeaders struct {
 	ContentDisposition string
 	ContentType        string
 	Etag               string
-	LastModified       time.Time
+	LastModified       RFC2822Date
 	SurrogateControl   string
 	SurrogateKey       string
 }
@@ -1326,7 +1325,7 @@ type GetFileWithPresignedURL206ResponseHeaders struct {
 	ContentRange       string
 	ContentType        string
 	Etag               string
-	LastModified       time.Time
+	LastModified       RFC2822Date
 	SurrogateControl   string
 	SurrogateKey       string
 }
@@ -2117,33 +2116,33 @@ var swaggerSpec = []string{
 	"LBifrwmiSgmVfIhbXlfQcyu1CTQjsNCs1RPf7KYLulREgdEEtkCBlDmVGOaQoq/Qz8RHlqbUpFaAhydH",
 	"g1hEavAOJoNfjo8PB7/YCQft2a60UMFzGiUQPrc5IM9Bkjm7Y+hWl0VAJqcBUUI5U9m1w1smhS+YyoVi",
 	"/sO9fR4j60FVBtuxViWiSGMyARIzlad0CTFhPGU2m0MxWCVUaxolJkt9M1JuUe9yzYh7d6mbumbMV1Tp",
-	"8MDZxDUHe2iqzGFot8aktKatWW5STHLZC44KKcUMm6yFg0FLlTGM2+BQZf8SJtcstZ7vX7BcN1eZyb3d",
-	"4Dj8aOvpp+zxQ+eyT2+717+9HWVV+Pgak1FVBzPrSpYKebNtN9u2sW231yY1TNBWxhkmWiihbePzRjqf",
-	"cbI/reQRHpnGQuKHrzF2OzCxX7lpv+T2/Rzg+7IIwBmfDEeeZJ2EWhZTylJXOeFJoJSsJ49QTCiMHsrm",
-	"pI4Gjch6bYE93kjq1pJqZPyuysy1OftbuFfe0vB1clcRygsZ19Bw2+xemZtbm99DQq9I8BnNWh3blEBb",
-	"MJ2IQlfpsWat5g2TfkaBu+yQqvDUKARYm9QrjxZ+qRTOp+X4ogSiD5sE3ybBt0nwbRJ8mwTfJsF3+wTf",
-	"moyYx+1uVrqV1nST8/p7ReivgM90cov7Ub5xG9txE5VvovJNVP6NRuWbMPwbCMOfY4hZ2oS6at4Xj+eF",
-	"t94mT2kEnWsztkyPw6IyeNaxzCWUtcqVIt5/0SfHSaNcm0xFmoqFwiYKiNKQq/EpH9pm9U0+Mk3pjLDK",
-	"uzAl/fhHRuWHenwTkdkyN3N55pSP7EitnL+pLDOLqVLXZTW+Ky8/5dt98rKVdmCqujz0CP3oHslYBubW",
-	"Uq9BaI+AjvqPT/kp36NRYlaEfakWGYt6ZFJo8wqF/QJ3r+ohq+ZMFMqu31be2jiNoHuJkopoimGdSHG3",
-	"I5X9U95JTjgR3UvVkePQ/ZW53VNZs3E8vHeaWjKuV2BfvWgitnkbe32NcfPmztXVvZ2Lap4bK2uOnB2N",
-	"6PitFu/y1SXdtY53696KA1cW6V9Sq1Kx3GcPrVSxwfdbVyuWinBNOrNdCzuoLqC6K6pX1zK2r6s2azLq",
-	"coy96hppuWexLVOnPMbdnjH3YE99lX3KZoXt4VEaLqPZvDP8ScrjMxXG3h+Kvbej16F5RnUCcjUs/ivQ",
-	"fCSy1dd77gDdG+OsgWxnHK/G9sBxQV0P8rJleRFkHSRtnftDgmUnQ3SiGrwsZEqAx7lg1gCVd0ZtGqtl",
-	"yddkgH4Ld7OP4W46E5LpJHuAtD2XYNhL0wdI3AubuX5oZO3ZhwweIGVH5SsGD5Q2iOsDtge3EzCeUkUW",
-	"Hoj4QfLP2YXwWHwAHvyVBJ2Fm0PMzSHm5hBzc4i5OcTcHGJubilsbilsbilsDlY3txQ2txQ2txQ223ZT",
-	"D7E5dN/cUtiUR/y15RFXnU6sHoT0AjiL0iKGrDwUcQ+a9Zc0u/KUr5Dc1DqQNznw3cN9YldAYpgy7hBs",
-	"3qVkiuwe7vcITVOxQPxEKTNUaUEKjgzTRq8nQOicstT+NoXL0tmLDZmIIfW/S+JmP8ohCm4VopyF5Qo7",
-	"rF9/0r12rQ/gVNgeoVUo+Bl0LRqr1qPVOpnyDc3y8y4W1MC+0BNOpPgAPGyWEvhftfvJNGxVmxg2QYzO",
-	"UdZ6yjahqlkZ8yPRsgBTWGKOKrEvF1XxZ7O6xaQOzRUX7V5YYtbzMi8t1kU5ZhqXrbVw9TzJuO6NJbuU",
-	"g2Z9wicc5K5/kPfGz4CV78zf4FdLPKeunneXyKQtrb8Gxrx5GOw7C17z2uaax5dW11TjvX5bswtwIfOE",
-	"8iuea3xjGlRPutH6uUbEGP7T1Ilx3anEKhDpc3S/vC98fTb8lhTXDzLeG3yrpy0r7F7zsuGdESpabP8a",
-	"AKpW13QNQFOm9Demf18xpb9i7YsTFF+d+kWhqdtqXwNuLnRYNH7sw4/sY8QSU73rQGwqaj8XKo0ufS10",
-	"4+dhviJcJhB9qCwcF/rLvQT6BZDZsNZojvn37uS1qEV5PVS/KjcB+fK3dhIqRfo1eQkWrTf3Eeb1k/1X",
-	"Visq+zK/iahv91MB5ETBtEjtE+6CMy1k+Yh7DJNiNmN85o3Oy8f8P2MNrOfnEzzC+bdnvSvl3e5c4mFG",
-	"8uUj+h65NbM6S6UhQ1gY6Mm5v7q0+07/kWnbeTL/XBWTWGSU8ct++Z7xuYQZE/yyb38HQBZ8MB8GiGBH",
-	"xbnnxxZWEw3u5Lr9sacGhWuQnKaNH0UgLkcR20PzvJikLMLxVT1sncboDmmvwlBOZ/aqQmM31Qf/Tod0",
-	"VrLulxrqro3Puv1LjjdWY5/taFQwN8Yqc3SegYycV0BQ9rIYuHx/+Z8AAAD//yyNKChHeQAA",
+	"8MDZxDUHe2iqzGFot8aktKZ3taPBUSGlmFF9BSYMZKq0YdxGiCr7l1i5Zr31fP+C5bq5ynTu7QbH4Udb",
+	"Tz9lox86v3162w3/7W0rq8fH19iNqkSYWX+y1MqbvbvZu6t7d3ttesOEb2XEYeKGEt82Um8k9hkn+9NK",
+	"KOGRaSwkfvgao7gDEwWWO/dL7uHPgcAviwCc8clw5EnbSahlMaUsdTUUnlRKyXryCMWEwuihbE7quNCI",
+	"rNcW2OONpG4tqUbu76ocXZuzv4V75X0NXyd3KaG8mnENDbfN85VZurWZPiT0ilSfUa/VAU4JtAXTiSh0",
+	"lShrVm3eMP1ntLjLE6kKT42SgLXpvfKQ4ZdK4Xxati9KIPqwSfVtUn2bVN8m1bdJ9W1SfbdP9a3JjXnc",
+	"7mbNW2lNN9mvv1eY/gr4TCe3uCnlG7exHTeh+SY034Tm33JovonFv4FY/DnGmaVhqIvofUF5XnjLb/KU",
+	"RtC5RWOr9jgsKqtnvctcQlm6XGnj/Rd9cpw0qrfJVKSpWChsooAoDbkan/KhbVZf7CPTlM4Iq1wMU+GP",
+	"f2RUfqjHN2GZrXozd2lO+ciO1Mr+m0Izs5gqiV0W57tq81O+3ScvW7kHpqq7RI/Qme6RjGVgLjH1GoT2",
+	"COio//iUn/I9GiVmRdiXapGxqEcmhTaPUtgvcPeqHrJqzkSh7PptIa4N1gj6mCipiKYY24kUdztS2T/l",
+	"nQyFE9G9FCE5Dt1f1ds9VTkb78N7xakl43oF9hGMJmKbl7PXlxw3L/JcXezbubfmucCy5gTa0Yje32ot",
+	"L19d0l3LerfurVZwZZH+JbUKF8t99tAqFxt8v3XxYqkI1+Q026Wxg+o+qruxenVpY/v2arNEo67O2Ktu",
+	"lZZ7Ftsydcpj3O0Zc+/31Dfbp2xW2B4epeHSms0rxJ+kPD5Tnez9odh7WXodmmdUJyBXY+O/As1HIlt9",
+	"zOcO0L0xzhrIdsbxamwPHBfU9SAvW5b3QtZB0pa9PyRYdtJEJ6rBy0KmBHicC2YNUHmF1OayWpZ8TRro",
+	"t3A3+xjupjMhmU6yB0jbcwmGvTR9gMS9sOnrh0bWnn3X4AFSdlQ+avBAaYO4PmV7cDsB4ylVZOGBiB8k",
+	"/5xdCI/FB+DBX0nQWbg5ydycZG5OMjcnmZuTzM1J5ubSwubSwubSwuZ0dXNpYXNpYXNpYbN3N5URm+P3",
+	"zaWFTaHEQymUuOqcYvVIpBfAWZQWMWTl8Yh76ay/pNmV532F5KbqgbzJge8e7hO7AhLDlHGHYPNgJVNk",
+	"93C/R2iaigXiJ0qZoUoLUnBkmDbKPQFC55Sl9kcrXL7O3nPIRAyp/8ESN/tRDlFwq2DlLCxX2GH9+jPv",
+	"tWt9AOfD9jCtQsHPoGvRWLUerVbMlI9rlp93saAG9umecCLFB+Bhs6jA/9zdT6Zhq+7EsAli9JCy1hu3",
+	"CVXNGpkfiZYFmBITc2iJfbmoakGbdS4miWhuvGj39BKz7pd5grEuzzHTuLythavnrcZ1jy/ZpRw0KxU+",
+	"4Uh3/Uu9N34frHyA/gY/Z+I5f/U8yEQmbWn9NTDmzWNh36nwmmc417zKtLqmGu/1o5tdgAuZJ5Rf8Y7j",
+	"G9OgeuuN1u84Isbwn6ZijOtOTVaBSJ+j++V9+uuz4bekuH6p8d7gW715WWH3micP74xQ0WL71wBQtbqm",
+	"awCaMqW/Mf37iin9FWtfnKD46tQvCk3dVvsacHOhw6LxKyB+ZB8jlpjqXQdiU1v7uVBpdOlroRu/G/MV",
+	"4TKB6ENl4bjQX+6J0C+AzIa1RnPMv3dnsEUtyuuh+lW5CciXv7WTUCnSr8lLsGi9uY8wr9/yv7JuUdkn",
+	"+01EfbvfECAnCqZFat92F5xpIcvX3WOYFLMZ4zNvdF6+8v8Zq2E9v6vgEc6/PetdKfR2hxMPM5IvX9f3",
+	"yK2Z1VkqDRnCwkBPzv11pt0H/I9M285b+ueqmMQio4xf9suHjs8lzJjgl337AwGy4IP5MEAEOyrOPb/C",
+	"sJpocGfY7Y891Shcg+Q0bfxaAnE5itgen+fFJGURjq/qYes0RndIeymGcjqzlxYau6kuAXA6pLOSdT/h",
+	"UHdtfNbtX3K8sRr7ikejlrkxVpmj8wxk5LwCgrKXxcDl+8v/BAAA///wREgRYHkAAA==",
 }

 // GetSwagger returns the content of the embedded swagger specification file
--- a/services/storage/controller/get_file.go
+++ b/services/storage/controller/get_file.go
@@ -272,7 +272,7 @@ func (ctrl *Controller) getFileResponse( //nolint: ireturn,dupl
 				),
 				ContentType:      file.mimeType,
 				Etag:             file.fileMetadata.Etag,
-				LastModified:     file.fileMetadata.UpdatedAt,
+				LastModified:     api.RFC2822Date(file.fileMetadata.UpdatedAt),
 				SurrogateControl: file.cacheControl,
 				SurrogateKey:     file.fileMetadata.Id,
 			},
@@ -290,7 +290,7 @@ func (ctrl *Controller) getFileResponse( //nolint: ireturn,dupl
 				ContentRange:     file.extraHeaders.Get("Content-Range"),
 				ContentType:      file.mimeType,
 				Etag:             file.fileMetadata.Etag,
-				LastModified:     file.fileMetadata.UpdatedAt,
+				LastModified:     api.RFC2822Date(file.fileMetadata.UpdatedAt),
 				SurrogateControl: file.cacheControl,
 				SurrogateKey:     file.fileMetadata.Id,
 			},
--- a/services/storage/controller/get_file_metadata_headers.go
+++ b/services/storage/controller/get_file_metadata_headers.go
@@ -115,7 +115,7 @@ func (ctrl *Controller) getFileMetadataHeadersResponseObject( //nolint:ireturn
 				CacheControl:     bucketMetadata.CacheControl,
 				ContentType:      fileMetadata.MimeType,
 				Etag:             fileMetadata.Etag,
-				LastModified:     fileMetadata.UpdatedAt,
+				LastModified:     api.RFC2822Date(fileMetadata.UpdatedAt),
 				SurrogateControl: bucketMetadata.CacheControl,
 				SurrogateKey:     fileMetadata.Id,
 				ContentDisposition: fmt.Sprintf(
--- a/services/storage/controller/get_file_metadata_headers_test.go
+++ b/services/storage/controller/get_file_metadata_headers_test.go
@@ -35,7 +35,7 @@ func TestGetFileInfo(t *testing.T) {
 					ContentLength:      64,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
@@ -57,7 +57,7 @@ func TestGetFileInfo(t *testing.T) {
 					ContentLength:      64,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
@@ -111,7 +111,7 @@ func TestGetFileInfo(t *testing.T) {
 					ContentLength:      64,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
@@ -133,7 +133,7 @@ func TestGetFileInfo(t *testing.T) {
 					ContentLength:      64,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
@@ -171,7 +171,7 @@ func TestGetFileInfo(t *testing.T) {
 					ContentLength:      64,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
--- a/services/storage/controller/get_file_test.go
+++ b/services/storage/controller/get_file_test.go
@@ -40,7 +40,7 @@ func TestGetFile(t *testing.T) { //nolint:maintidx
 					ContentDisposition: `inline; filename="my-file.txt"`,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
@@ -62,7 +62,7 @@ func TestGetFile(t *testing.T) { //nolint:maintidx
 					ContentDisposition: `inline; filename="my-file.txt"`,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
@@ -116,7 +116,7 @@ func TestGetFile(t *testing.T) { //nolint:maintidx
 					ContentDisposition: `inline; filename="my-file.txt"`,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
@@ -138,7 +138,7 @@ func TestGetFile(t *testing.T) { //nolint:maintidx
 					ContentDisposition: `inline; filename="my-file.txt"`,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
@@ -176,7 +176,7 @@ func TestGetFile(t *testing.T) { //nolint:maintidx
 					ContentDisposition: `inline; filename="my-file.txt"`,
 					ContentType:        "text/plain; charset=utf-8",
 					Etag:               `"55af1e60-0f28-454e-885e-ea6aab2bb288"`,
-					LastModified:       time.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
+					LastModified:       api.Date(2021, 12, 27, 9, 58, 11, 0, time.UTC),
 					SurrogateControl:   "max-age=3600",
 					SurrogateKey:       "55af1e60-0f28-454e-885e-ea6aab2bb288",
 				},
--- a/services/storage/controller/get_file_with_presigned_url.go
+++ b/services/storage/controller/get_file_with_presigned_url.go
@@ -99,7 +99,7 @@ func (ctrl *Controller) getFileWithPresignedURLResponseObject( //nolint: ireturn
 				),
 				ContentType:      file.mimeType,
 				Etag:             file.fileMetadata.Etag,
-				LastModified:     file.fileMetadata.UpdatedAt,
+				LastModified:     api.RFC2822Date(file.fileMetadata.UpdatedAt),
 				SurrogateControl: file.cacheControl,
 				SurrogateKey:     file.fileMetadata.Id,
 			},
@@ -117,7 +117,7 @@ func (ctrl *Controller) getFileWithPresignedURLResponseObject( //nolint: ireturn
 				ContentRange:     file.extraHeaders.Get("Content-Range"),
 				ContentType:      file.mimeType,
 				Etag:             file.fileMetadata.Etag,
-				LastModified:     file.fileMetadata.UpdatedAt,
+				LastModified:     api.RFC2822Date(file.fileMetadata.UpdatedAt),
 				SurrogateControl: file.cacheControl,
 				SurrogateKey:     file.fileMetadata.Id,
 			},
--- a/services/storage/controller/main_test.go
+++ b/services/storage/controller/main_test.go
@@ -64,6 +64,10 @@ func FileMetadataMatcher(v api.FileMetadata) gomock.Matcher {
 func assert(t *testing.T, got, wanted interface{}, opts ...cmp.Option) {
 	t.Helper()

+	opts = append(opts, cmpopts.IgnoreUnexported(
+		api.Time{},
+	))
+
 	if !cmp.Equal(got, wanted, opts...) {
 		t.Error(cmp.Diff(got, wanted, opts...))
 	}
--- a/services/storage/controller/openapi.yaml
+++ b/services/storage/controller/openapi.yaml
@@ -206,8 +206,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Surrogate-Key:
              description: "Cache key for surrogate caching"
              schema:
@@ -248,8 +247,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Surrogate-Key:
              description: "Cache key for surrogate caching"
              schema:
@@ -391,8 +389,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Accept-Ranges:
              description: "Always set to bytes. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Ranges"
              schema:
@@ -675,8 +672,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Surrogate-Key:
              description: "Cache key for surrogate caching"
              schema:
@@ -717,8 +713,7 @@ paths:
            Last-Modified:
              description: "Date and time the file was last modified"
              schema:
-                type: string
-                format: date-time
+                $ref: '#/components/schemas/RFC2822Date'
            Surrogate-Key:
              description: "Cache key for surrogate caching"
              schema:
--- a/services/storage/example_curl.sh
+++ b/services/storage/example_curl.sh
@@ -1,7 +1,9 @@
 #!/usr/bin/env bash

 URL=http://localhost:8000/v1/files
-AUTH="Authorization: Bearer $(make dev-jwt)"
+
+# token can be generated using build/dev/jwt-gen
+AUTH="Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjIwNzc3NzY0NjYsImh0dHBzOi8vaGFzdXJhLmlvL2p3dC9jbGFpbXMiOnsieC1oYXN1cmEtYWxsb3dlZC1yb2xlcyI6WyJhZG1pbiJdLCJ4LWhhc3VyYS1kZWZhdWx0LXJvbGUiOiJhZG1pbiIsIngtaGFzdXJhLXVzZXItaWQiOiJhYjViYTU4ZS05MzJhLTQwZGMtODdlOC03MzM5OTg3OTRlYzIiLCJ4LWhhc3VyYS11c2VyLWlzQW5vbnltb3VzIjoiZmFsc2UifSwiaWF0IjoxNzYyNDE2NDY2LCJpc3MiOiJoYXN1cmEtYXV0aCIsInN1YiI6ImFiNWJhNThlLTkzMmEtNDBkYy04N2U4LTczMzk5ODc5NGVjMiJ9.msexXYDRzox0giNGRHqPrefYH_uWXMtdCbEZ_Vg-IV8"
 BUCKET=default

 FILE_ID=55af1e60-0f28-454e-885e-ea6aab2bb288
@@ -11,14 +13,12 @@ ETAG=\"588be441fe7a59460850b0aa3e1c5a65\"
 # lead to a JWTIssuedAtFuture error
 sleep 1

-output=`curl $URL/ \
+output=`curl $URL \
  -v \
  -H "$AUTH" \
  -F "bucket-id=$BUCKET" \
-  -F "metadata[]={};type=application/json" \
-  -F "file[]=@go.mod" \
  -F "metadata[]={\"id\":\"7982873d-8e89-4321-ab86-00f80a168c5a\", \"name\":\"config.yaml\",\"metadata\":{\"num\":123,\"list\":[1,2,3]}};type=application/json" \
-  -F "file[]=@storage.yaml" \
+  -F "file[]=@vacuum.yaml" \
  -F "metadata[]={\"id\":\"faa80d51-07c7-4268-942d-8f092c98c71a\", \"name\":\"docs.md\"};type=application/json" \
  -F "file[]=@README.md" \
  -F "metadata[]={\"id\":\"$FILE_ID\", \"name\":\"logo.jpg\"};type=application/json" \
--- a/vendor/github.com/nhost/be/services/mimir/graph/m_insert_run_service_config.go
+++ b/vendor/github.com/nhost/be/services/mimir/graph/m_insert_run_service_config.go
@@ -43,6 +43,24 @@ func nameMustBeUnique(svcs Services, serviceID, name string) error {
 	return nil
 }

+func (r *mutationResolver) checkAppLive(ctx context.Context, appID string) error {
+	appIDUUID, err := uuid.Parse(appID)
+	if err != nil {
+		return fmt.Errorf("invalid app ID: %w", err)
+	}
+
+	desiredState, err := r.nhost.GetAppDesiredState(ctx, appIDUUID)
+	if err != nil {
+		return fmt.Errorf("failed to get app desired state: %w", err)
+	}
+
+	if desiredState != appLive {
+		return ErrAppMustBeLive
+	}
+
+	return nil
+}
+
 func (r *mutationResolver) insertRunServiceConfig(
 	ctx context.Context,
 	appID string,
@@ -58,6 +76,10 @@ func (r *mutationResolver) insertRunServiceConfig(

 	app := r.data[i]

+	if err := r.checkAppLive(ctx, appID); err != nil {
+		return nil, err
+	}
+
 	serviceID := uuid.NewString()

 	if _, err := app.IndexService(serviceID); err == nil {
--- a/vendor/github.com/nhost/be/services/mimir/nhost/db.go
+++ b/vendor/github.com/nhost/be/services/mimir/nhost/db.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.29.0
+//   sqlc v1.30.0

 package nhost

--- a/vendor/github.com/nhost/be/services/mimir/nhost/models.go
+++ b/vendor/github.com/nhost/be/services/mimir/nhost/models.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.29.0
+//   sqlc v1.30.0

 package nhost

@@ -309,6 +309,7 @@ type Deployment struct {
 	CommitUserName      pgtype.Text
 	CommitUserAvatarUrl pgtype.Text
 	CommitMessage       pgtype.Text
+	CreatedAt           pgtype.Timestamptz
 }

 type DeploymentLog struct {
--- a/vendor/github.com/nhost/be/services/mimir/nhost/querier.go
+++ b/vendor/github.com/nhost/be/services/mimir/nhost/querier.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.29.0
+//   sqlc v1.30.0

 package nhost

--- a/vendor/github.com/nhost/be/services/mimir/nhost/query.sql.go
+++ b/vendor/github.com/nhost/be/services/mimir/nhost/query.sql.go
@@ -1,6 +1,6 @@
 // Code generated by sqlc. DO NOT EDIT.
 // versions:
-//   sqlc v1.29.0
+//   sqlc v1.30.0
 // source: query.sql

 package nhost
--- a/vendor/github.com/nhost/be/services/mimir/schema/appconfig/hasura_auth.go
+++ b/vendor/github.com/nhost/be/services/mimir/schema/appconfig/hasura_auth.go
@@ -42,7 +42,11 @@ func IsJWTSecretCompatibleWithHasuraAuth(
 }

 func getOauthSettings(c oauthsettings, provider string) []EnvVar {
-	return []EnvVar{
+	if !unptr(c.GetEnabled()) {
+		return []EnvVar{}
+	}
+
+	env := []EnvVar{
 		{
 			Name:       fmt.Sprintf("AUTH_PROVIDER_%s_ENABLED", provider),
 			Value:      Stringify(unptr(c.GetEnabled())),
@@ -61,22 +65,30 @@ func getOauthSettings(c oauthsettings, provider string) []EnvVar {
 			Value:      unptr(c.GetClientSecret()),
 			IsSecret:   false,
 		},
-		{
+	}
+
+	if c.GetAudience() != nil {
+		env = append(env, EnvVar{
 			Name:       fmt.Sprintf("AUTH_PROVIDER_%s_AUDIENCE", provider),
 			Value:      unptr(c.GetAudience()),
 			IsSecret:   false,
 			SecretName: "",
-		},
-		{
+		})
+	}
+
+	if c.GetScope() != nil {
+		env = append(env, EnvVar{
 			Name:       fmt.Sprintf("AUTH_PROVIDER_%s_SCOPE", provider),
 			Value:      Stringify(c.GetScope()),
 			IsSecret:   false,
 			SecretName: "",
-		},
+		})
 	}
+
+	return env
 }

-func HasuraAuthEnv( //nolint:funlen,cyclop,maintidx,gocyclo,gocognit
+func HasuraAuthEnv( //nolint:funlen,cyclop,maintidx
 	config *model.ConfigConfig,
 	hasuraGraphqlURL,
 	authServerURL,
@@ -584,116 +596,45 @@ func HasuraAuthEnv( //nolint:funlen,cyclop,maintidx,gocyclo,gocognit
 		}...)
 	}

-	if unptr(
-		config.GetAuth().GetMethod().GetOauth().GetGithub().GetEnabled(),
-	) {
-		env = append(env, []EnvVar{
-			{
-				Name: "AUTH_PROVIDER_GITHUB_ENABLED",
-				Value: Stringify(
-					unptr(
-						config.
-							GetAuth().
-							GetMethod().
-							GetOauth().
-							GetGithub().
-							GetEnabled(),
-					),
-				),
-				IsSecret:   false,
-				SecretName: "",
-			},
-			{
-				Name: "AUTH_PROVIDER_GITHUB_CLIENT_ID",
-				Value: unptr(
-					config.
-						GetAuth().
-						GetMethod().
-						GetOauth().
-						GetGithub().
-						GetClientId(),
-				),
-				IsSecret:   false,
-				SecretName: "",
-			},
-			{
-				Name:       "AUTH_PROVIDER_GITHUB_CLIENT_SECRET",
-				SecretName: "",
-				Value: unptr(
-					config.GetAuth().GetMethod().GetOauth().GetGithub().GetClientSecret(),
-				),
-				IsSecret: false,
-			},
-		}...)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetGithub(),
+		"GITHUB")...,
+	)

-	if unptr(
-		config.GetAuth().GetMethod().GetOauth().GetGoogle().GetEnabled(),
-	) {
-		env = append(env, getOauthSettings(
-			config.GetAuth().GetMethod().GetOauth().GetGoogle(),
-			"GOOGLE")...,
-		)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetGoogle(),
+		"GOOGLE")...,
+	)

-	if unptr(
-		config.GetAuth().GetMethod().GetOauth().GetFacebook().GetEnabled(),
-	) {
-		env = append(env, getOauthSettings(
-			config.GetAuth().GetMethod().GetOauth().GetFacebook(),
-			"FACEBOOK")...,
-		)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetFacebook(),
+		"FACEBOOK")...,
+	)

-	if unptr(
-		config.GetAuth().GetMethod().GetOauth().GetSpotify().GetEnabled(),
-	) {
-		env = append(env, getOauthSettings(
-			config.GetAuth().GetMethod().GetOauth().GetSpotify(),
-			"SPOTIFY")...,
-		)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetSpotify(),
+		"SPOTIFY")...,
+	)

-	if unptr(
-		config.GetAuth().GetMethod().GetOauth().GetLinkedin().GetEnabled(),
-	) {
-		env = append(env, getOauthSettings(
-			config.GetAuth().GetMethod().GetOauth().GetLinkedin(),
-			"LINKEDIN")...,
-		)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetLinkedin(),
+		"LINKEDIN")...,
+	)

-	if unptr(
-		config.GetAuth().GetMethod().GetOauth().GetDiscord().GetEnabled(),
-	) {
-		env = append(env, getOauthSettings(
-			config.GetAuth().GetMethod().GetOauth().GetDiscord(),
-			"DISCORD")...,
-		)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetDiscord(),
+		"DISCORD")...,
+	)

-	if unptr(
-		config.GetAuth().GetMethod().GetOauth().GetTwitch().GetEnabled(),
-	) {
-		env = append(env, getOauthSettings(
-			config.GetAuth().GetMethod().GetOauth().GetTwitch(),
-			"TWITCH")...,
-		)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetTwitch(),
+		"TWITCH")...,
+	)

-	if unptr(
-		config.
-			GetAuth().
-			GetMethod().
-			GetOauth().
-			GetWindowslive().
-			GetEnabled(),
-	) {
-		env = append(env, getOauthSettings(
-			config.GetAuth().GetMethod().GetOauth().GetWindowslive(),
-			"WINDOWS_LIVE")...,
-		)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetWindowslive(),
+		"WINDOWS_LIVE")...,
+	)

 	if unptr(
 		config.GetAuth().GetMethod().GetOauth().GetWorkos().GetEnabled(),
@@ -876,6 +817,17 @@ func HasuraAuthEnv( //nolint:funlen,cyclop,maintidx,gocyclo,gocognit
 				SecretName: "",
 			},
 		}...)
+
+		if config.GetAuth().GetMethod().GetOauth().GetApple().GetScope() != nil {
+			env = append(env, EnvVar{
+				Name: "AUTH_PROVIDER_APPLE_SCOPE",
+				Value: Stringify(
+					config.GetAuth().GetMethod().GetOauth().GetApple().GetScope(),
+				),
+				IsSecret:   false,
+				SecretName: "",
+			})
+		}
 	}

 	if unptr( //nolint:dupl
@@ -990,117 +942,15 @@ func HasuraAuthEnv( //nolint:funlen,cyclop,maintidx,gocyclo,gocognit
 		}...)
 	}

-	if unptr( //nolint:dupl
-		config.GetAuth().GetMethod().GetOauth().GetGitlab().GetEnabled(),
-	) {
-		env = append(env, []EnvVar{
-			{
-				Name: "AUTH_PROVIDER_GITLAB_ENABLED",
-				Value: Stringify(
-					unptr(
-						config.
-							GetAuth().
-							GetMethod().
-							GetOauth().
-							GetGitlab().
-							GetEnabled(),
-					),
-				),
-				IsSecret:   false,
-				SecretName: "",
-			},
-			{
-				Name: "AUTH_PROVIDER_GITLAB_CLIENT_ID",
-				Value: unptr(
-					config.
-						GetAuth().
-						GetMethod().
-						GetOauth().
-						GetGitlab().
-						GetClientId(),
-				),
-				IsSecret:   false,
-				SecretName: "",
-			},
-			{
-				Name:       "AUTH_PROVIDER_GITLAB_CLIENT_SECRET",
-				SecretName: "",
-				Value: unptr(
-					config.GetAuth().GetMethod().GetOauth().GetGitlab().GetClientSecret(),
-				),
-				IsSecret: false,
-			},
-			{
-				Name: "AUTH_PROVIDER_GITLAB_SCOPE",
-				Value: Stringify(
-					config.
-						GetAuth().
-						GetMethod().
-						GetOauth().
-						GetGitlab().
-						GetScope(),
-				),
-				IsSecret:   false,
-				SecretName: "",
-			},
-		}...)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetGitlab(),
+		"GITLAB")...,
+	)

-	if unptr( //nolint:dupl
-		config.GetAuth().GetMethod().GetOauth().GetStrava().GetEnabled(),
-	) {
-		env = append(env, []EnvVar{
-			{
-				Name: "AUTH_PROVIDER_STRAVA_ENABLED",
-				Value: Stringify(
-					unptr(
-						config.
-							GetAuth().
-							GetMethod().
-							GetOauth().
-							GetStrava().
-							GetEnabled(),
-					),
-				),
-				IsSecret:   false,
-				SecretName: "",
-			},
-			{
-				Name: "AUTH_PROVIDER_STRAVA_CLIENT_ID",
-				Value: unptr(
-					config.
-						GetAuth().
-						GetMethod().
-						GetOauth().
-						GetStrava().
-						GetClientId(),
-				),
-				IsSecret:   false,
-				SecretName: "",
-			},
-			{
-				Name:       "AUTH_PROVIDER_STRAVA_CLIENT_SECRET",
-				SecretName: "",
-				Value: unptr(
-					config.GetAuth().GetMethod().GetOauth().GetStrava().GetClientSecret(),
-				),
-				IsSecret: false,
-			},
-			{
-				Name: "AUTH_PROVIDER_STRAVA_SCOPE",
-				Value: Stringify(
-					config.
-						GetAuth().
-						GetMethod().
-						GetOauth().
-						GetStrava().
-						GetScope(),
-				),
-				IsSecret:   false,
-				SecretName: "",
-			},
-		}...)
-	}
+	env = append(env, getOauthSettings(
+		config.GetAuth().GetMethod().GetOauth().GetStrava(),
+		"STRAVA")...,
+	)

 	if unptr(
 		config.GetAuth().GetMethod().GetOauth().GetBitbucket().GetEnabled(),
--- a/vendor/github.com/nhost/be/services/mimir/schema/schema.cue
+++ b/vendor/github.com/nhost/be/services/mimir/schema/schema.cue
@@ -223,7 +223,7 @@ import (
 	// Releases:
 	//
 	// https://github.com/nhost/hasura-storage/releases
-	version: string | *"0.8.2"
+	version: string | *"0.9.1"

 	// Networking (custom domains at the moment) are not allowed as we need to do further
 	// configurations in the CDN. We will enable it again in the future.
@@ -311,7 +311,7 @@ import (
 	// Releases:
 	//
 	// https://github.com/nhost/hasura-auth/releases
-	version: string | *"0.42.4"
+	version: string | *"0.43.0"

 	// Resources for the service
 	resources?: #Resources
--- a/vendor/github.com/nhost/be/tools/cuegraph/types/int16.go
+++ b/vendor/github.com/nhost/be/tools/cuegraph/types/int16.go
@@ -1,4 +1,4 @@
-package types //nolint: dupl
+package types //nolint: dupl,revive,nolintlint

 import (
 	"encoding/json"
--- a/vendor/github.com/quic-go/quic-go/connection.go
+++ b/vendor/github.com/quic-go/quic-go/connection.go
@@ -845,6 +845,9 @@ func (c *Conn) handleHandshakeComplete(now time.Time) error {
 }

 func (c *Conn) handleHandshakeConfirmed(now time.Time) error {
+	if err := c.dropEncryptionLevel(protocol.EncryptionInitial, now); err != nil {
+		return err
+	}
 	if err := c.dropEncryptionLevel(protocol.EncryptionHandshake, now); err != nil {
 		return err
 	}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -716,8 +716,8 @@ github.com/muesli/termenv
 # github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
 ## explicit
 github.com/munnerz/goautoneg
-# github.com/nhost/be v0.0.0-20251021065906-8abc7d8dfa48
-## explicit; go 1.24.2
+# github.com/nhost/be v0.0.0-20251106114258-352de15d30f5
+## explicit; go 1.25.3
 github.com/nhost/be/lib/graphql
 github.com/nhost/be/lib/graphql/context
 github.com/nhost/be/lib/graphql/handler
@@ -811,7 +811,7 @@ github.com/prometheus/procfs/internal/util
 # github.com/quic-go/qpack v0.5.1
 ## explicit; go 1.22
 github.com/quic-go/qpack
-# github.com/quic-go/quic-go v0.54.0
+# github.com/quic-go/quic-go v0.54.1
 ## explicit; go 1.23
 github.com/quic-go/quic-go
 github.com/quic-go/quic-go/http3
Author	SHA1	Message	Date
github-actions[bot]	f5956f1b2e	release(cli): 1.34.5 (#3655 ) Co-authored-by: dbarrosop <dbarrosop@users.noreply.github.com>	2025-11-06 15:34:31 +01:00
David Barroso	f3b397b0d8	chore(cli): bump nhost/dashboard to 2.41.0 (#3669 ) Co-authored-by: dbarrosop <dbarrosop@users.noreply.github.com>	2025-11-06 13:42:32 +01:00
David Barroso	b7940087ee	chore(cli): udpate certs and schema (#3675 )	2025-11-06 13:04:09 +01:00
github-actions[bot]	3dae655858	release(services/storage): 0.9.1 (#3673 ) Co-authored-by: dbarrosop <dbarrosop@users.noreply.github.com>	2025-11-06 11:42:33 +01:00
David Barroso	2aa269734b	fix(storage): format date-time headers with RFC2822 (#3672 )	2025-11-06 11:40:11 +01:00
David Barroso	bc91836f83	chore(ci): replace the correct string on .github/workflows/dashboard_wf_release.yaml (#3670 ) Co-authored-by: Claude <noreply@anthropic.com>	2025-11-05 10:26:16 +01:00
github-actions[bot]	6d8b243571	release(dashboard): 2.41.0 (#3647 ) Co-authored-by: dbarrosop <dbarrosop@users.noreply.github.com>	2025-11-05 08:26:31 +01:00
David Barroso	c9967b1a6d	feat(dashboard): get github repositories from github itself (#3640 ) Co-authored-by: David BM <correodelnino@gmail.com>	2025-11-04 16:46:01 +01:00