From 57299ddaecd4fd3793027521f85c28d8e1ed1dd7 Mon Sep 17 00:00:00 2001
From: Dmitrii Andreev
Date: Mon, 27 Apr 2026 16:49:50 -0500
Subject: [PATCH] HYPERFLEET-975 - ci: add migration immutability check

---
 Makefile | 6 +++++-
 hack/verify-migrations.sh | 31 +++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100755 hack/verify-migrations.sh

diff --git a/Makefile b/Makefile
index 6cb4dd0d..d89732a9 100755
--- a/Makefile
+++ b/Makefile
@@ -112,6 +112,10 @@ verify: ## Verify source passes standard checks
 lint: $(GOLANGCI_LINT) ## Run golangci-lint
 $(GOLANGCI_LINT) run ./cmd/... ./pkg/... ./test/...
 
+.PHONY: verify-migrations
+verify-migrations: ## Verify migration files follow project conventions
+ @hack/verify-migrations.sh
+
 ##@ Code Generation
 
 .PHONY: generate
@@ -222,7 +226,7 @@ test-all: lint test test-integration test-helm ## Run all checks (lint, unit, in
 ##@ Agent Verification
 
 .PHONY: verify-all
-verify-all: verify lint test ## Run all static checks + unit tests (no database required)
+verify-all: verify lint verify-migrations test ## Run all static checks + unit tests (no database required)
 @echo "All static checks and unit tests passed."
 @echo "Run 'make test-integration' separately for integration tests (requires database)."
 
diff --git a/hack/verify-migrations.sh b/hack/verify-migrations.sh
new file mode 100755
index 00000000..b4e0de19
--- /dev/null
+++ b/hack/verify-migrations.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Verifies migration files follow project conventions.
+set -euo pipefail
+
+MIGRATION_DIR="pkg/db/migrations"
+
+# In Prow, compare against PULL_BASE_SHA (the upstream commit the PR targets —
+# a fork's origin/main may be stale). Locally, fall back to merge-base with
+# origin/main; this also catches uncommitted changes in the working tree.
+BASE="${PULL_BASE_SHA:-$(git merge-base HEAD origin/main)}"
+
+# Migration implementation files must not be modified, renamed, or deleted.
+# migration_structs.go is excluded — it must change when registering new migrations.
+# Schema changes must be additive — add a new migration file instead.
+VIOLATIONS=$(git diff --diff-filter=MRCD --name-only "${BASE}" -- \
+ "${MIGRATION_DIR}/*.go" \
+ ":(exclude)${MIGRATION_DIR}/migration_structs.go")
+
+if [[ -n "${VIOLATIONS}" ]]; then
+ echo "FAIL: migration immutability — these files were modified, renamed, or deleted:"
+ echo "${VIOLATIONS}" | sed 's/^/ - /'
+ echo
+ echo "Migrations must not change after they have been applied."
+ echo "Create a new migration file with the required changes instead."
+ echo
+ echo "If the modification is intentional, a root OWNERS approver can merge by"
+ echo "commenting: /override ci/prow/verify-migrations"
+ exit 1
+fi
+
+echo "Migration verification passed."
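Review bot: The `--diff-filter=MRCD` list in the `VIOLATIONS=` command is an allow-list of statuses, so a type change (`T`, for example a migration file replaced by a symlink) is not reported and the check passes. Inverting the filter to `VIOLATIONS=$(git diff --diff-filter=a --name-only "${BASE}" -- \` reports every status except a pure addition and so fails closed on anything unexpected. The blanket `:(exclude)` of `migration_structs.go` also means that removing or reordering an already-registered migration in that file would presumably go unflagged, even though it alters applied history as much as editing the migration itself. If that file is meant to be append-only, a second check that its diff against `${BASE}` contains no removed lines would cover it. Only `*.go` paths under `pkg/db/migrations` are inspected, so any non-Go migration assets the project may have are outside this control, and that is worth stating in the header comment.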