fix(deploy): harden runtime config and migrations

2026-03-31 08:44:02 +00:00 · 2026-03-10 17:10:23 +04:00
parent 2efb18a4de
commit 1b490fa4a5
6 changed files with 27 additions and 11 deletions
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -62,7 +62,7 @@ jobs:
    runs-on: ubuntu-latest
    needs: check-secrets
    timeout-minutes: 30
-    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' }}
+    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' }}
    env:
      GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
      ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
@@ -90,7 +90,6 @@ jobs:
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: Run database migrations
-        if: ${{ needs.check-secrets.outputs.db_secret_ok == 'true' }}
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
        run: bun run db:migrate
@@ -186,6 +185,18 @@ jobs:
      - name: Print configuration hint
        run: |
          echo "CD skipped: configure required GitHub secrets."
-          echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT"
-          echo "Optional for auto-migrations: DATABASE_URL"
+          echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT, DATABASE_URL"
          echo "Optional repo/service vars: GCP_REGION, ARTIFACT_REPOSITORY, CLOUD_RUN_SERVICE_BOT, CLOUD_RUN_SERVICE_MINI"
+
+  deploy-blocked-db:
+    name: Deploy blocked (missing DATABASE_URL)
+    runs-on: ubuntu-latest
+    needs: check-secrets
+    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok != 'true' }}
+
+    steps:
+      - name: Fail fast on missing DATABASE_URL
+        run: |
+          echo "CD blocked: DATABASE_URL GitHub secret is required."
+          echo "This workflow now refuses to deploy without running migrations against the target database."
+          exit 1
--- a/apps/miniapp/nginx.conf
+++ b/apps/miniapp/nginx.conf
@@ -10,6 +10,11 @@ server {
    return 200 '{"ok":true}';
  }

+  location = /config.js {
+    add_header Cache-Control "no-store, no-cache, must-revalidate" always;
+    try_files $uri =404;
+  }
+
  location / {
    try_files $uri $uri/ /index.html;
  }
--- a/docs/runbooks/dev-setup.md
+++ b/docs/runbooks/dev-setup.md
@@ -82,7 +82,7 @@ bun run review:coderabbit
  - `GCP_PROJECT_ID`
  - `GCP_WORKLOAD_IDENTITY_PROVIDER`
  - `GCP_SERVICE_ACCOUNT`
-  - optional for automated migrations: `DATABASE_URL`
+  - `DATABASE_URL`
 - Optional GitHub variables for deploy:
  - `GCP_REGION` (default `europe-west1`)
  - `ARTIFACT_REPOSITORY` (default `household-bot`)
--- a/docs/runbooks/first-deploy.md
+++ b/docs/runbooks/first-deploy.md
@@ -62,7 +62,7 @@ Required for CD:
 - `GCP_WORKLOAD_IDENTITY_PROVIDER`
 - `GCP_SERVICE_ACCOUNT`

-Recommended:
+Required for a real deploy:

 - `DATABASE_URL`

@@ -152,7 +152,7 @@ Populate GitHub repository secrets with the Terraform outputs:
 - `GCP_PROJECT_ID`
 - `GCP_WORKLOAD_IDENTITY_PROVIDER`
 - `GCP_SERVICE_ACCOUNT`
- optional `DATABASE_URL`
+- `DATABASE_URL`

 If you prefer the GitHub CLI:

@@ -177,7 +177,7 @@ You have two safe options:

 The workflow will:

- optionally run `bun run db:migrate` if `DATABASE_URL` secret is configured
+- run `bun run db:migrate` before deploy
 - build and push bot and mini app images
 - deploy both Cloud Run services

--- a/docs/runbooks/migrations.md
+++ b/docs/runbooks/migrations.md
@@ -47,8 +47,8 @@ bun run build

 ## CD behavior

- CD deploy can run migrations before deploy **if** `DATABASE_URL` secret is present.
- If `DATABASE_URL` is not set, deploy continues without auto-migration.
+- CD deploy runs migrations before deploy and now requires the `DATABASE_URL` GitHub secret.
+- If `DATABASE_URL` is missing, CD fails fast instead of deploying schema-dependent code without migrations.

 ## Safety rules

--- a/docs/specs/HOUSEBOT-062-first-deploy-runbook.md
+++ b/docs/specs/HOUSEBOT-062-first-deploy-runbook.md
@@ -45,7 +45,7 @@ Document the exact first-deploy sequence so one engineer can provision, deploy,
 ## Edge Cases and Failure Modes

 - First Terraform apply may not know the final mini app URL; runbook includes a second apply to set allowed origins.
- Missing `DATABASE_URL` in GitHub secrets skips migration automation.
+- Missing `DATABASE_URL` in GitHub secrets blocks CD entirely so schema-dependent deploys cannot ship without migrations.
 - Scheduler jobs remain paused and dry-run by default to prevent accidental sends.

 ## Test Plan