From cbe1cf26fa3dd4e1eef807ff125274b76f160396 Mon Sep 17 00:00:00 2001
From: nessi
Date: Sat, 14 Feb 2026 16:07:36 +0100
Subject: [PATCH] [NX-104 Issue] Add migration safety CI workflow

Introduces a GitHub Actions workflow to ensure Alembic migrations are safe and reversible. The workflow validates schema consistency by testing upgrade and downgrade operations and comparing schemas before and after the roundtrip.
---
.github/workflows/migration-safety.yml | 84 ++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100644 .github/workflows/migration-safety.yml

diff --git a/.github/workflows/migration-safety.yml b/.github/workflows/migration-safety.yml
new file mode 100644
index 0000000..452a474
--- /dev/null
+++ b/.github/workflows/migration-safety.yml
@@ -0,0 +1,84 @@
+name: Migration Safety
+
+on:
+ push:
+ branches: ["main", "master"]
+ pull_request:
+
+jobs:
+ migration-safety:
+ name: Alembic upgrade/downgrade safety
+ runs-on: ubuntu-latest
+
+ services:
+ postgres:
+ image: postgres:16
+ env:
+ POSTGRES_DB: nexapg
+ POSTGRES_USER: nexapg
+ POSTGRES_PASSWORD: nexapg
+ ports:
+ - 5432:5432
+ options: >-
+ --health-cmd "pg_isready -U nexapg -d nexapg"
+ --health-interval 5s
+ --health-timeout 5s
+ --health-retries 30
+
+ env:
+ DB_HOST: postgres
+ DB_PORT: 5432
+ DB_NAME: nexapg
+ DB_USER: nexapg
+ DB_PASSWORD: nexapg
+ JWT_SECRET_KEY: ci-jwt-secret-key
+ ENCRYPTION_KEY: MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA=
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Install backend dependencies
+ run: pip install -r backend/requirements.txt
+
+ - name: Install PostgreSQL client tools
+ run: sudo apt-get update && sudo apt-get install -y postgresql-client
+
+ - name: Wait for PostgreSQL
+ env:
+ PGPASSWORD: nexapg
+ run: |
+ for i in $(seq 1 60); do
+ if pg_isready -h postgres -p 5432 -U nexapg -d nexapg; then
+ exit 0
+ fi
+ sleep 2
+ done
+ echo "PostgreSQL did not become ready in time."
+ exit 1
+
+ - name: Alembic upgrade -> downgrade -1 -> upgrade
+ working-directory: backend
+ run: |
+ alembic upgrade head
+ alembic downgrade -1
+ alembic upgrade head
+
+ - name: Validate schema consistency after roundtrip
+ env:
+ PGPASSWORD: nexapg
+ run: |
+ cd backend
+ alembic upgrade head
+ pg_dump -h postgres -p 5432 -U nexapg -d nexapg --schema-only --no-owner --no-privileges > /tmp/schema_head_before.sql
+
+ alembic downgrade -1
+ alembic upgrade head
+ pg_dump -h postgres -p 5432 -U nexapg -d nexapg --schema-only --no-owner --no-privileges > /tmp/schema_head_after.sql
+
+ diff -u /tmp/schema_head_before.sql /tmp/schema_head_after.sql
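Review bot: `DB_HOST: postgres` and the `-h postgres` arguments to `pg_isready` and both `pg_dump` calls will not resolve, because the job runs directly on `ubuntu-latest` with no `container:` key and a service label is only a hostname inside container jobs. With the `5432:5432` port mapping the database is reachable from the runner at `localhost`, so use `DB_HOST: localhost` and `-h localhost` (or `-h "$DB_HOST" -p "$DB_PORT"` so the value lives in one place). As written, the "Wait for PostgreSQL" step would presumably time out and the migration check would never run. Separately, the workflow installs dependencies and runs migration code from pull requests but declares no `permissions:` block; a top-level `permissions:` with `contents: read` keeps the job token read-only.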