feat(prisma-next): source EQL v3 install SQL from @cipherstash/eql at runtime #20
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Integration — prisma-next (EQL v3) | |
| # Real ZeroKMS ciphertext against a real Postgres, on BOTH database variants — | |
| # the prisma-next leg of the shared test-kit family driver (the same catalog, | |
| # oracle, and single-vs-bulk crossover as the Drizzle and Supabase jobs). | |
| # | |
| # The prisma-next adapter talks straight to the database, so it does not need | |
| # PostgREST — but it does need to work on managed Postgres, where the `postgres` | |
| # role is not a superuser, the EQL install takes its self-skipping path, and the | |
| # ORE domains cannot hold data. The Supabase compose file brings up PostgREST | |
| # too; this job simply ignores it. | |
| # | |
| # Separate from `tests.yml` on purpose: these suites need CipherStash credentials | |
| # and a database, and they THROW rather than skip when unconfigured. Keeping them | |
| # out of the unit job is what lets `pnpm test` stay runnable with neither. | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - 'packages/stack/src/eql/v3/**' | |
| - 'packages/prisma-next/**' | |
| # Source layers the adapter's encoding/round-trip rests on: a break here | |
| # (not just under src/eql/v3) can produce wrong rows, so trigger the live | |
| # suite that would catch it. | |
| - 'packages/stack/src/encryption/**' | |
| - 'packages/stack/src/schema/**' | |
| - 'packages/schema/**' | |
| - 'packages/test-kit/**' | |
| - 'packages/cli/src/installer/**' | |
| - 'local/docker-compose.postgres.yml' | |
| - 'local/docker-compose.supabase.yml' | |
| - 'local/supabase-init.sql' | |
| - '.github/workflows/integration-prisma-next.yml' | |
| - '.github/actions/integration-setup/**' | |
| pull_request: | |
| branches: ['**'] | |
| # Repeated verbatim: GitHub Actions does not support YAML anchors/aliases. | |
| paths: | |
| - 'packages/stack/src/eql/v3/**' | |
| - 'packages/prisma-next/**' | |
| # Source layers the adapter's encoding/round-trip rests on: a break here | |
| # (not just under src/eql/v3) can produce wrong rows, so trigger the live | |
| # suite that would catch it. | |
| - 'packages/stack/src/encryption/**' | |
| - 'packages/stack/src/schema/**' | |
| - 'packages/schema/**' | |
| - 'packages/test-kit/**' | |
| - 'packages/cli/src/installer/**' | |
| - 'local/docker-compose.postgres.yml' | |
| - 'local/docker-compose.supabase.yml' | |
| - 'local/supabase-init.sql' | |
| - '.github/workflows/integration-prisma-next.yml' | |
| - '.github/actions/integration-setup/**' | |
| jobs: | |
| integration: | |
| name: prisma-next v3 integration (db=${{ matrix.db }}) | |
| runs-on: blacksmith-4vcpu-ubuntu-2404 | |
| # Serialize every job that brings up the SAME docker-compose stack — same | |
| # rationale and keys as the Drizzle/Supabase workflows, so the jobs queue | |
| # on a shared runner rather than collide on the fixed host ports. | |
| concurrency: | |
| group: integration-live-db-${{ matrix.db }} | |
| cancel-in-progress: false | |
| # Fork PRs have no secrets. Skip cleanly rather than fail on something the | |
| # contributor cannot fix — `tests.yml` still gives them a green signal. | |
| if: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }} | |
| strategy: | |
| fail-fast: false | |
| # prisma-next talks straight to Postgres, so it runs against BOTH | |
| # databases. The Supabase variant is not a formality: its `postgres` role | |
| # is not a superuser, so the EQL install takes its self-skipping path. A | |
| # suite that passes on a superuser database can still fail there. | |
| matrix: | |
| include: | |
| - db: postgres | |
| database-url: postgres://cipherstash:password@localhost:55432/cipherstash | |
| pgrest-url: '' | |
| - db: supabase | |
| database-url: postgres://postgres:password@localhost:55433/postgres | |
| pgrest-url: http://localhost:55430 | |
| env: | |
| CS_WORKSPACE_CRN: ${{ vars.CS_WORKSPACE_CRN }} | |
| CS_CLIENT_ID: ${{ vars.CS_CLIENT_ID }} | |
| CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }} | |
| CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }} | |
| # Job-level env, not a `.env` file: `dotenv/config` does not override an | |
| # already-set `process.env`, so these win and no secret is written to disk. | |
| DATABASE_URL: ${{ matrix.database-url }} | |
| PGRST_URL: ${{ matrix.pgrest-url }} | |
| # EXPLICIT, never inferred — same rationale as the Drizzle workflow. | |
| CS_IT_DB_VARIANT: ${{ matrix.db }} | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: ./.github/actions/integration-setup | |
| # Fast pre-flight: fail in seconds if a secret was rotated or cleared, | |
| # before the docker pull. The in-test `requireIntegrationEnv` is the | |
| # correctness guarantee; this is the cheap one. | |
| - name: Require CipherStash secrets | |
| uses: ./.github/actions/require-cs-secrets | |
| with: | |
| workspace-crn: ${{ vars.CS_WORKSPACE_CRN }} | |
| client-id: ${{ vars.CS_CLIENT_ID }} | |
| client-key: ${{ secrets.CS_CLIENT_KEY }} | |
| client-access-key: ${{ secrets.CS_CLIENT_ACCESS_KEY }} | |
| # Belt-and-braces for the concurrency guard: a run that was hard-killed | |
| # can skip its `down` and leak a container holding the host port onto a | |
| # REUSED runner. `|| true` so a clean runner is not an error. | |
| - name: Clear any leaked containers from a prior run | |
| run: docker compose -f local/docker-compose.${{ matrix.db }}.yml down -v --remove-orphans || true | |
| - name: Start ${{ matrix.db }} | |
| run: docker compose -f local/docker-compose.${{ matrix.db }}.yml up -d --wait | |
| # `globalSetup` installs EQL v3 by shelling out to the real | |
| # `stash eql install --eql-version 3`, so an installer regression fails | |
| # here rather than hiding behind a test-only SQL apply. | |
| - name: prisma-next v3 family suites | |
| run: pnpm --filter @cipherstash/prisma-next run test:integration | |
| - name: Stop ${{ matrix.db }} | |
| if: always() | |
| run: docker compose -f local/docker-compose.${{ matrix.db }}.yml down -v |