Skip to content

test(stack): EQL v3 integration harness + shared test kit, and two Supabase adapter fixes (PR1 of 4) #2

test(stack): EQL v3 integration harness + shared test kit, and two Supabase adapter fixes (PR1 of 4)

test(stack): EQL v3 integration harness + shared test kit, and two Supabase adapter fixes (PR1 of 4) #2

name: Integration — Drizzle (EQL v3)
# Real ZeroKMS ciphertext against a real Postgres. The Drizzle adapter talks
# straight to the database, so no PostgREST here — that is the Supabase job.
#
# Separate from `tests.yml` on purpose: these suites need CipherStash credentials
# and a database, and they THROW rather than skip when unconfigured. Keeping them
# out of the unit job is what lets `pnpm test` stay runnable with neither.
on:
push:
branches: [main]
paths:
- 'packages/stack/src/eql/v3/**'
- 'packages/stack/integration/**'
- 'packages/test-kit/**'
- 'packages/cli/src/installer/**'
- 'local/docker-compose.postgres.yml'
- '.github/workflows/integration-drizzle.yml'
- '.github/actions/integration-setup/**'
pull_request:
branches: ['**']
# Repeated verbatim: GitHub Actions does not support YAML anchors/aliases.
paths:
- 'packages/stack/src/eql/v3/**'
- 'packages/stack/integration/**'
- 'packages/test-kit/**'
- 'packages/cli/src/installer/**'
- 'local/docker-compose.postgres.yml'
- '.github/workflows/integration-drizzle.yml'
- '.github/actions/integration-setup/**'
jobs:
integration:
name: Drizzle v3 integration (db=${{ matrix.db }})
runs-on: blacksmith-4vcpu-ubuntu-2404
# Fork PRs have no secrets. Skip cleanly rather than fail on something the
# contributor cannot fix — `tests.yml` still gives them a green signal.
if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
strategy:
# A one-element matrix, not a cross-product: the Drizzle adapter only runs
# against plain Postgres. Kept as a matrix so adding a variant is one line.
matrix:
db: [postgres]
env:
CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
# Job-level env, not a `.env` file: `dotenv/config` does not override an
# already-set `process.env`, so these win and no secret is written to disk.
DATABASE_URL: postgres://cipherstash:password@localhost:55432/cipherstash
# Scoped to the suites this database serves. `PGRST_URL` is deliberately
# unset — the Supabase suites would throw here, which is the point.
CS_IT_SUITE: >-
integration/drizzle-v3/**/*.integration.test.ts,
integration/harness.integration.test.ts,
integration/ope-term.integration.test.ts,
integration/match-bloom.integration.test.ts
steps:
- uses: actions/checkout@v6
- uses: ./.github/actions/integration-setup
# Fast pre-flight: fail in seconds if a secret was rotated or cleared,
# before the docker pull. The in-test `requireIntegrationEnv` is the
# correctness guarantee; this is the cheap one.
- name: Require CipherStash secrets
uses: ./.github/actions/require-cs-secrets
with:
workspace-crn: ${{ secrets.CS_WORKSPACE_CRN }}
client-id: ${{ secrets.CS_CLIENT_ID }}
client-key: ${{ secrets.CS_CLIENT_KEY }}
client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
- name: Start ${{ matrix.db }}
run: docker compose -f local/docker-compose.${{ matrix.db }}.yml up -d --wait
# `globalSetup` installs EQL v3 by shelling out to the real
# `stash eql install --eql-version 3`, so an installer regression fails
# here rather than hiding behind a test-only SQL apply.
- name: Drizzle v3 integration suites
run: pnpm --filter @cipherstash/stack run test:integration
- name: Stop ${{ matrix.db }}
if: always()
run: docker compose -f local/docker-compose.${{ matrix.db }}.yml down -v