fix: add contents:read permission to pypi workflow and fix migration check to use temp DB (#27)

tedivm · web-flow · commit fe75efca758d · 2026-03-30T16:12:47.000-05:00
- pypi workflow only had id-token:write; declaring any permissions key drops
  all others to none, so checkout failed with 'repository not found' on
  private repos. Added contents:read to restore checkout access.

- check_ungenerated_migrations ran alembic check against whatever database
  DATABASE_URL pointed to. In CI there is no pre-existing database, so alembic
  reported 'Target database is not up to date' before comparing models to
  migrations at all. Updated the target to create a fresh temp DB, run
  upgrade head, then check, then clean up — matching the create_migration
  pattern.
diff --git a/{{cookiecutter.__package_slug}}/.github/workflows/pypi.yaml b/{{cookiecutter.__package_slug}}/.github/workflows/pypi.yaml
@@ -19,6 +19,7 @@ jobs:
   pypi:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       id-token: write
     steps:
       - uses: actions/checkout@v6
diff --git a/{{cookiecutter.__package_slug}}/makefile b/{{cookiecutter.__package_slug}}/makefile
@@ -180,6 +180,9 @@ create_migration:
 
 .PHONY: check_ungenerated_migrations
 check_ungenerated_migrations:
-	$(UV) run alembic check
+	rm -f $(MIGRATION_DATABASE)
+	DATABASE_URL=sqlite:///$(MIGRATION_DATABASE) $(UV) run alembic upgrade head
+	DATABASE_URL=sqlite:///$(MIGRATION_DATABASE) $(UV) run alembic check
+	rm -f $(MIGRATION_DATABASE)
 
 {% endif %}
