fix(migrations): tolerate missing postgres role in rls grant migration

Wrap the grant-select-to-postgres block in an existence check so
self-hosted deployments using a non-default DB superuser no longer
crash-loop on first start with `ERROR: role "postgres" does not exist`.

RLS is still enabled unconditionally on every auth table; only the
grants are gated on the role actually existing. This matches the
intent of the upstream Supabase migration without breaking custom
Postgres setups.

Documented in appflowy/APPFLOWY_BRANCH_MIGRATION_HISTORY.md so the
patch is re-applied on every master merge.

Refs AppFlowy-Cloud#1615

Author: appflowy

appflowy/APPFLOWY_BRANCH_MIGRATION_HISTORY.md

@@ -66,6 +66,19 @@ mindmap
 
 ---
 
+### In-Place Patches to Upstream Migrations
+
+In addition to the cherry-picked feature commits, the following upstream files
+have been modified in place. Re-apply these on every merge from master:
+
+| File | Patch | Why |
+|------|-------|-----|
+| `migrations/20240612123726_enable_rls_update_grants.up.sql` | Wraps the `grant select … to postgres with grant option` block in `if exists (select 1 from pg_roles where rolname = 'postgres') then … end if;` | Upstream hardcodes the `postgres` role. Self-hosted deployments using a non-default DB superuser hit `ERROR: role "postgres" does not exist (SQLSTATE 42704)` and crash-loop on first start. RLS is still enabled unconditionally; only the grants are gated. See AppFlowy-Cloud issue #1615. |
+
+**On every master merge:** check `git diff master..HEAD -- migrations/20240612123726_enable_rls_update_grants.up.sql` is non-empty and the conditional is still present. If a merge undoes the patch (e.g., upstream rewrites the file), re-apply the gate before tagging a release.
+
+---
+
 ## Verification: Master Does NOT Have These
 
 ✅ **All 11 commits are necessary** - Verified against current master (commit `4e8275f`):

migrations/20240612123726_enable_rls_update_grants.up.sql

@@ -16,21 +16,26 @@ do $$ begin
     alter table {{ index .Options "Namespace" }}.flow_state enable row level security;
     alter table {{ index .Options "Namespace" }}.identities enable row level security;
     alter table {{ index .Options "Namespace" }}.one_time_tokens enable row level security;
-    -- allow postgres role to select from auth tables and allow it to grant select to other roles
-    grant select on {{ index .Options "Namespace" }}.schema_migrations to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.instances to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.users to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.audit_log_entries to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.saml_relay_states to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.refresh_tokens to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.mfa_factors to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.sessions to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.sso_providers to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.sso_domains to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.mfa_challenges to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.mfa_amr_claims to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.saml_providers to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.flow_state to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.identities to postgres with grant option;
-    grant select on {{ index .Options "Namespace" }}.one_time_tokens to postgres with grant option;
+    -- allow postgres role to select from auth tables and allow it to grant select to other roles.
+    -- AppFlowy patch: skip these grants when the postgres role does not exist, so self-hosted
+    -- deployments that use a non-default DB superuser can still apply this migration.
+    -- See AppFlowy-Cloud issue #1615.
+    if exists (select 1 from pg_roles where rolname = 'postgres') then
+        grant select on {{ index .Options "Namespace" }}.schema_migrations to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.instances to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.users to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.audit_log_entries to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.saml_relay_states to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.refresh_tokens to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.mfa_factors to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.sessions to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.sso_providers to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.sso_domains to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.mfa_challenges to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.mfa_amr_claims to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.saml_providers to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.flow_state to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.identities to postgres with grant option;
+        grant select on {{ index .Options "Namespace" }}.one_time_tokens to postgres with grant option;
+    end if;
 end $$;