db push --db-url fails when signing_keys_path file is missing

[seyit-ivhed]

Bug report

Describe the bug

supabase db push --db-url <connection_string> fails with:

failed to read signing keys: open supabase/signing_key.json: no such file or directory

when config.toml has signing_keys_path = "./signing_key.json" but the file doesn't exist (e.g. in CI, where the file is gitignored as recommended).

To reproduce

1. Have a supabase/config.toml with signing_keys_path = "./signing_key.json" under [auth]
2. Add supabase/signing_key.json to .gitignore (as recommended by docs)
3. In a clean checkout (e.g. GitHub Actions), run:

   supabase db push --db-url "postgresql://postgres:<password>@db.<ref>.supabase.co:5432/postgres"

4. The command fails with the error above

Expected behavior

supabase db push --db-url should not need to read the auth signing keys file. The signing keys are only relevant for the local auth server (supabase start), not for pushing migrations to a remote database.

The CLI should either:

• Skip parsing signing_keys_path when running commands that don't need it (like db push)
• Gracefully handle a missing file when the command doesn't require it

Environment

• OS: Ubuntu (GitHub Actions ubuntu-latest)
• CLI version: latest (via supabase/setup-cli@v1)

Workaround

Creating an empty signing key file before running the command:

echo '[]' > supabase/signing_key.json
supabase db push --db-url "..."

[seyit-ivhed]

Update: The echo '[]' > supabase/signing_key.json workaround causes a Go panic (runtime error: index out of range [0] with length 0) because the CLI tries to access the first element of the array.

A working workaround is to generate a throwaway key instead:

supabase gen signing-key --algorithm ES256 -o supabase/signing_key.json
supabase db push --db-url "..."

This further confirms that db push --db-url shouldn't need the signing key at all — it's parsing and validating auth config that is irrelevant to pushing migrations.