Skip to content

Pass verification role to migrations#510

Merged
madebygps merged 1 commit into
mainfrom
fix/migration-verification-role-env
May 26, 2026
Merged

Pass verification role to migrations#510
madebygps merged 1 commit into
mainfrom
fix/migration-verification-role-env

Conversation

@madebygps

@madebygps madebygps commented May 26, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • add migration 0039 to reapply the narrow requirements column grant for the verification Functions database role
  • pass verification_functions_postgres_role from Terraform outputs into the migration job environment
  • set POSTGRES_VERIFICATION_FUNCTIONS_ROLE in CI migration checks so missing env is caught before deploy

Why

Migration 0038 was already stamped as applied, but the deploy job did not pass POSTGRES_VERIFICATION_FUNCTIONS_ROLE when starting the Container Apps job. That made 0038 a safe no-op, so dev kept failing with permission denied on requirements.

Validation

  • cd api && uv run ruff check . ../packages/learn-to-cloud-shared
  • cd api && uv run ruff format --check . ../packages/learn-to-cloud-shared
  • cd api && uv run ty check --exclude scripts --exclude tests .
  • cd packages/learn-to-cloud-shared && uv run ty check --exclude tests .
  • cd apps/verification-functions && uv run ruff check . && uv run ruff format --check . && uv run ty check . && uv run python -c "import function_app"
  • cd api && uv run pytest tests/ -x
  • cd packages/learn-to-cloud-shared && uv run pytest tests/ -x
  • env -i HOME=$HOME PATH=$PATH DATABASE__URL=postgresql+asyncpg://postgres:postgres@db:5432/learntocloud POSTGRES_VERIFICATION_FUNCTIONS_ROLE=ltc_verification_functions_dev uv run alembic upgrade head
  • API smoke checks for /health, /ready, and /openapi.json

@madebygps
Pass verification role to migrations
d19eb7e 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-code-quality[bot]
github-code-quality Bot found potential problems May 26, 2026
View reviewed changes
Comment thread api/alembic/versions/0039_reapply_fn_requirement_kind_lookup_grant.py

from alembic import op

revision: str = "0039_reapply_fn_requirement_kind_lookup_grant"
Comment thread api/alembic/versions/0039_reapply_fn_requirement_kind_lookup_grant.py
from alembic import op

revision: str = "0039_reapply_fn_requirement_kind_lookup_grant"
down_revision: str | None = "0038_grant_fn_requirement_kind_lookup"
Comment thread api/alembic/versions/0039_reapply_fn_requirement_kind_lookup_grant.py

revision: str = "0039_reapply_fn_requirement_kind_lookup_grant"
down_revision: str | None = "0038_grant_fn_requirement_kind_lookup"
branch_labels: str | Sequence[str] | None = None
Comment thread api/alembic/versions/0039_reapply_fn_requirement_kind_lookup_grant.py
revision: str = "0039_reapply_fn_requirement_kind_lookup_grant"
down_revision: str | None = "0038_grant_fn_requirement_kind_lookup"
branch_labels: str | Sequence[str] | None = None
depends_on: str | Sequence[str] | None = None
@madebygps madebygps merged commit d3f809a into main May 26, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-code-quality github-code-quality[bot] github-code-quality[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@madebygps