refactor: replace opaque CI_PROFILES_YML secret with committed template + envsubst

- Add profiles.yml.template with plaintext docker targets and ${VAR} cloud placeholders
- Update test-warehouse.yml to use CI_WAREHOUSE_SECRETS with envsubst (+ PROFILES_YML fallback)
- Split test-all-warehouses.yml into test-docker (pull_request) and test-cloud (pull_request_target)
- Guard BigQuery keyfile extraction against missing key
- Use explicit envsubst '$SCHEMA_NAME' for fork PR path

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>

Author: devin-ai-integration[bot]

.github/workflows/test-all-warehouses.yml

@@ -35,6 +35,27 @@ on:
         description: Whether to generate new data
 
 jobs:
+  # ── Docker targets ────────────────────────────────────────────────────
+  # No secrets needed — run on pull_request (works for forks without approval).
+  # Skipped on pull_request_target to avoid duplicate runs for internal PRs.
+  test-docker:
+    if: github.event_name != 'pull_request_target'
+    strategy:
+      fail-fast: false
+      matrix:
+        dbt-version: ${{ inputs.dbt-version && fromJSON(format('["{0}"]', inputs.dbt-version)) || fromJSON('[null]') }}
+        warehouse-type: [postgres, clickhouse]
+    uses: ./.github/workflows/test-warehouse.yml
+    with:
+      warehouse-type: ${{ matrix.warehouse-type }}
+      elementary-ref: ${{ inputs.elementary-ref || ((github.event_name == 'pull_request_target' || github.event_name == 'pull_request') && github.event.pull_request.head.sha) || '' }}
+      dbt-data-reliability-ref: ${{ inputs.dbt-data-reliability-ref }}
+      dbt-version: ${{ matrix.dbt-version }}
+      generate-data: ${{ inputs.generate-data || false }}
+
+  # ── Cloud targets ─────────────────────────────────────────────────────
+  # Require secrets — use fork check / approval gate for pull_request_target.
+
   # Determine if this is a fork PR and skip if wrong trigger is used
   check-fork-status:
     runs-on: ubuntu-latest
@@ -74,7 +95,7 @@ jobs:
       - name: Approved
         run: echo "Fork PR approved for testing"
 
-  test:
+  test-cloud:
     needs: [check-fork-status, approve-fork]
     if: |
       ! cancelled() &&
@@ -86,15 +107,7 @@ jobs:
       matrix:
         dbt-version: ${{ inputs.dbt-version && fromJSON(format('["{0}"]', inputs.dbt-version)) || fromJSON('[null]') }}
         warehouse-type:
-          [
-            postgres,
-            snowflake,
-            bigquery,
-            redshift,
-            databricks_catalog,
-            athena,
-            clickhouse,
-          ]
+          [snowflake, bigquery, redshift, databricks_catalog, athena]
     uses: ./.github/workflows/test-warehouse.yml
     with:
       warehouse-type: ${{ matrix.warehouse-type }}

.github/workflows/test-warehouse.yml

@@ -114,12 +114,51 @@ jobs:
 
       - name: Write dbt profiles
         env:
+          # New lean JSON secret (base64 encoded)
+          SECRETS_JSON: ${{ secrets.CI_WAREHOUSE_SECRETS || '' }}
+          # Backwards-compat fallback while migrating secrets
           PROFILES_YML: ${{ secrets.CI_PROFILES_YML }}
         run: |
           mkdir -p ~/.dbt
+
+          if ! command -v envsubst >/dev/null 2>&1; then
+            sudo apt-get update
+            sudo apt-get install -y gettext-base
+          fi
+
           DBT_VERSION=$(pip show dbt-core | grep -i version | awk '{print $2}' | sed 's/\.//g')
           UNDERSCORED_REF_NAME=$(echo "${{ inputs.warehouse-type }}_dbt_${DBT_VERSION}_${BRANCH_NAME}" | awk '{print tolower($0)}' | head -c 40 | sed "s/[-\/]/_/g")
-          echo "$PROFILES_YML" | base64 -d | sed "s/<SCHEMA_NAME>/py_$UNDERSCORED_REF_NAME/g" > ~/.dbt/profiles.yml
+          export SCHEMA_NAME="py_$UNDERSCORED_REF_NAME"
+
+          if [ -n "$SECRETS_JSON" ]; then
+            DECODED=$(echo "$SECRETS_JSON" | base64 -d)
+            BQ_KEYFILE_CONTENT=$(echo "$DECODED" | jq -r '.BIGQUERY_KEYFILE // empty')
+            if [ -n "$BQ_KEYFILE_CONTENT" ]; then
+              BIGQUERY_KEYFILE_PATH="$(mktemp /tmp/bigquery_keyfile.XXXXXX.json)"
+              echo "$BQ_KEYFILE_CONTENT" > "$BIGQUERY_KEYFILE_PATH"
+              chmod 600 "$BIGQUERY_KEYFILE_PATH"
+              export BIGQUERY_KEYFILE_PATH
+            fi
+
+            while IFS= read -r entry; do
+              key=$(jq -r '.key' <<<"$entry")
+              value=$(jq -r '.value' <<<"$entry")
+              if [[ "$key" =~ ^[A-Z_][A-Z0-9_]*$ ]]; then
+                printf -v "$key" '%s' "$value"
+                export "$key"
+              else
+                echo "Skipping invalid secret key: $key" >&2
+              fi
+            done < <(echo "$DECODED" | jq -c 'to_entries[] | select(.key != "BIGQUERY_KEYFILE" and (.value | type == "string"))')
+
+            envsubst < "${{ github.workspace }}/elementary/tests/profiles/profiles.yml.template" > ~/.dbt/profiles.yml
+          elif [ -n "$PROFILES_YML" ]; then
+            echo "$PROFILES_YML" | base64 -d | sed "s/<SCHEMA_NAME>/$SCHEMA_NAME/g" > ~/.dbt/profiles.yml
+          else
+            # Fork PRs: no secrets available — only substitute SCHEMA_NAME so
+            # cloud-target placeholders stay as-is (only docker targets work).
+            envsubst '$SCHEMA_NAME' < "${{ github.workspace }}/elementary/tests/profiles/profiles.yml.template" > ~/.dbt/profiles.yml
+          fi
 
       - name: Run Python package unit tests
         run: pytest -vv tests/unit --warehouse-type ${{ inputs.warehouse-type }}

tests/profiles/profiles.yml.template

@@ -0,0 +1,90 @@
+elementary_tests:
+  target: postgres
+  outputs: &outputs
+
+    # ── Docker targets (plaintext, no secrets needed) ──────────────────
+
+    postgres:
+      type: postgres
+      host: 127.0.0.1
+      port: 5432
+      user: admin
+      password: admin
+      dbname: postgres
+      schema: ${SCHEMA_NAME}
+      threads: 32
+
+    clickhouse:
+      type: clickhouse
+      host: localhost
+      port: 8123
+      user: default
+      password: default
+      schema: ${SCHEMA_NAME}
+      threads: 4
+
+    # ── Cloud targets (secrets substituted at CI time) ─────────────────
+
+    snowflake:
+      type: snowflake
+      account: ${SNOWFLAKE_ACCOUNT}
+      user: ${SNOWFLAKE_USER}
+      password: ${SNOWFLAKE_PASSWORD}
+      role: ${SNOWFLAKE_ROLE}
+      database: ${SNOWFLAKE_DATABASE}
+      warehouse: ${SNOWFLAKE_WAREHOUSE}
+      schema: ${SCHEMA_NAME}
+      threads: 4
+
+    bigquery:
+      type: bigquery
+      method: service-account
+      project: ${BIGQUERY_PROJECT}
+      dataset: ${SCHEMA_NAME}
+      keyfile: ${BIGQUERY_KEYFILE_PATH}
+      threads: 4
+
+    redshift:
+      type: redshift
+      host: ${REDSHIFT_HOST}
+      user: ${REDSHIFT_USER}
+      password: ${REDSHIFT_PASSWORD}
+      port: ${REDSHIFT_PORT}
+      dbname: ${REDSHIFT_DBNAME}
+      schema: ${SCHEMA_NAME}
+      threads: 4
+
+    databricks_catalog:
+      type: databricks
+      host: ${DATABRICKS_HOST}
+      http_path: ${DATABRICKS_HTTP_PATH}
+      catalog: ${DATABRICKS_CATALOG}
+      schema: ${SCHEMA_NAME}
+      client_id: ${DATABRICKS_CLIENT_ID}
+      client_secret: ${DATABRICKS_CLIENT_SECRET}
+      threads: 4
+
+    spark:
+      type: spark
+      method: http
+      host: ${SPARK_HOST}
+      token: ${SPARK_TOKEN}
+      cluster: ${SPARK_CLUSTER}
+      schema: ${SCHEMA_NAME}
+      threads: 4
+
+    athena:
+      type: athena
+      s3_staging_dir: ${ATHENA_S3_STAGING_DIR}
+      s3_data_dir: ${ATHENA_S3_DATA_DIR}
+      region_name: ${ATHENA_REGION}
+      database: awsdatacatalog
+      schema: ${SCHEMA_NAME}
+      aws_access_key_id: ${ATHENA_AWS_ACCESS_KEY_ID}
+      aws_secret_access_key: ${ATHENA_AWS_SECRET_ACCESS_KEY}
+      threads: 4
+
+# The internal CLI dbt_project uses profile "elementary", so we alias the same outputs.
+elementary:
+  target: postgres
+  outputs: *outputs