tenseleyflow/shithub / 970ad46

+      - name: Lint - migration versions

+        run: scripts/lint-migration-versions.sh

+

+.PHONY: help dev build test test-race lint lint-policy lint-markdown lint-secret-logs lint-spdx lint-unused lint-migrations verify-api-docs fmt tidy clean ci assets install-tools version deploy deploy-check restore-drill bench-staging docs docs-serve docs-verify gen-third-party-notices audit-a11y audit-a11y-pa11y audit-a11y-axe load-test

+ci: lint lint-policy lint-markdown lint-secret-logs lint-spdx lint-unused lint-migrations verify-api-docs test build ## Full CI pipeline (matches .github/workflows/ci.yml).

+lint-migrations: ## Fail when goose migration numeric versions collide.

+	@scripts/lint-migration-versions.sh

+

+Actions migrations currently span 0042–0051 and 0053. Migration 0052 belongs to

+the repo source-remotes feature and was already deployed before the runner JWT

+replay table landed.

+| 0053  | `runner_jwt_used`           | Single-use replay gate for runner job JWTs                    |

+  is monotonically increasing and globally unique. `scripts/lint-migration-versions.sh`

+  enforces this in CI because goose panics on duplicate numeric versions before

+  it can run any migration.

+- Database migrations are current through `0053_runner_jwt_used.sql`.

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package migrationsfs

+

+import (

+	"fmt"

+	"io/fs"

+	"sort"

+	"strings"

+	"testing"

+)

+

+func TestMigrationVersionsAreUnique(t *testing.T) {

+	t.Parallel()

+

+	entries, err := fs.ReadDir(FS(), ".")

+	if err != nil {

+		t.Fatalf("ReadDir migrations: %v", err)

+	}

+

+	byVersion := make(map[string][]string)

+	for _, entry := range entries {

+		if entry.IsDir() || !isGooseMigrationName(entry.Name()) {

+			continue

+		}

+		version := entry.Name()[:4]

+		byVersion[version] = append(byVersion[version], entry.Name())

+	}

+

+	duplicates := make([]string, 0)

+	for version, names := range byVersion {

+		if len(names) <= 1 {

+			continue

+		}

+		sort.Strings(names)

+		duplicates = append(duplicates, fmt.Sprintf("%s: %s", version, strings.Join(names, ", ")))

+	}

+	sort.Strings(duplicates)

+	if len(duplicates) > 0 {

+		t.Fatalf("duplicate goose migration versions:\n%s", strings.Join(duplicates, "\n"))

+	}

+}

+

+func isGooseMigrationName(name string) bool {

+	if len(name) < len("0000_.sql") || !strings.HasSuffix(name, ".sql") || name[4] != '_' {

+		return false

+	}

+	for _, r := range name[:4] {

+		if r < '0' || r > '9' {

+			return false

+		}

+	}

+	return true

+}

+#!/usr/bin/env bash

+# SPDX-License-Identifier: AGPL-3.0-or-later

+#

+# Goose keys migrations by numeric version, not the rest of the filename.

+# Duplicate NNNN prefixes panic at runtime before any migration runs, so

+# catch them in CI before a deploy has to discover the conflict.

+

+set -euo pipefail

+

+cd "$(git rev-parse --show-toplevel)"

+

+migrations=$(find internal/migrationsfs/migrations -maxdepth 1 -type f -name '[0-9][0-9][0-9][0-9]_*.sql' | sort)

+versions=$(printf '%s\n' "$migrations" | sed -E 's#^.*/([0-9][0-9][0-9][0-9])_.*$#\1#')

+duplicates=$(printf '%s\n' "$versions" | sort | uniq -d)

+

+if [ -n "$duplicates" ]; then

+  echo "lint-migration-versions: duplicate migration versions found:" >&2

+  echo >&2

+  while IFS= read -r version; do

+    [ -z "$version" ] && continue

+    echo "  version $version:" >&2

+    printf '%s\n' "$migrations" | grep "/${version}_" | sed 's/^/    /' >&2

+  done <<< "$duplicates"

+  echo >&2

+  echo "Goose requires each numeric NNNN prefix to be globally unique." >&2

+  exit 1

+fi

+

+echo "lint-migration-versions: ok"