The engine-parity CI job currently runs against my personal Snowflake trial account under ACCOUNTADMIN. The current trial account is tied to a personal email and expires; production account with billing is the durable home.
What needs to happen
-
Provision a CI database + schema in the Flagsmith prod Snowflake account. Suggested layout: a dedicated FS_CI database, scratch schema PUBLIC. The parity tests already create per-run transient IDENTITIES_PARITY_<uuid> / TRAITS_PARITY_<uuid> tables there and drop them on teardown, so concurrent runs don't collide.
-
Create a least-privilege role for CI, e.g. FS_SQL_ENGINE_CI_RW. Required grants:
USE ROLE SECURITYADMIN;
CREATE ROLE FS_SQL_ENGINE_CI_RW;
USE ROLE SYSADMIN;
GRANT USAGE ON DATABASE FS_CI TO ROLE FS_SQL_ENGINE_CI_RW;
GRANT USAGE ON SCHEMA FS_CI.PUBLIC TO ROLE FS_SQL_ENGINE_CI_RW;
GRANT CREATE TABLE ON SCHEMA FS_CI.PUBLIC TO ROLE FS_SQL_ENGINE_CI_RW;
GRANT USAGE ON WAREHOUSE FS_CI_WH TO ROLE FS_SQL_ENGINE_CI_RW;
GRANT ROLE FS_SQL_ENGINE_CI_RW TO USER <ci-user>;
ALTER USER <ci-user> SET DEFAULT_ROLE = FS_SQL_ENGINE_CI_RW;
No grants beyond that — the parity tests do CREATE TRANSIENT TABLE, INSERT, SELECT, DROP TABLE and that's it.
-
Provision a service user for CI (e.g. flagsmith_sql_engine_ci) with key-pair auth. Generate the keypair, register the public key on the user, capture the private key for GH secrets. Disable password auth on the user.
-
Add a resource monitor on FS_CI_WH capping monthly credit spend (suggest $5-10 / month — current usage is ~$0.05 per CI run, ~$2-5 / month at heavy PR volume).
-
Update GH secrets in this repo:
SNOWFLAKE_ACCOUNT → prod account locatorSNOWFLAKE_USER → flagsmith_sql_engine_ciSNOWFLAKE_ROLE → FS_SQL_ENGINE_CI_RWSNOWFLAKE_WAREHOUSE → FS_CI_WHSNOWFLAKE_DATABASE → FS_CISNOWFLAKE_SCHEMA → PUBLICSNOWFLAKE_PRIVATE_KEY → contents of the new key file
The engine-parity CI job currently runs against my personal Snowflake trial account under
ACCOUNTADMIN. The current trial account is tied to a personal email and expires; production account with billing is the durable home.What needs to happen
Provision a CI database + schema in the Flagsmith prod Snowflake account. Suggested layout: a dedicated
FS_CIdatabase, scratch schemaPUBLIC. The parity tests already create per-run transientIDENTITIES_PARITY_<uuid>/TRAITS_PARITY_<uuid>tables there and drop them on teardown, so concurrent runs don't collide.Create a least-privilege role for CI, e.g.
FS_SQL_ENGINE_CI_RW. Required grants:No grants beyond that — the parity tests do
CREATE TRANSIENT TABLE,INSERT,SELECT,DROP TABLEand that's it.Provision a service user for CI (e.g.
flagsmith_sql_engine_ci) with key-pair auth. Generate the keypair, register the public key on the user, capture the private key for GH secrets. Disable password auth on the user.Add a resource monitor on
FS_CI_WHcapping monthly credit spend (suggest $5-10 / month — current usage is ~$0.05 per CI run, ~$2-5 / month at heavy PR volume).Update GH secrets in this repo:
SNOWFLAKE_ACCOUNT→ prod account locatorSNOWFLAKE_USER→flagsmith_sql_engine_ciSNOWFLAKE_ROLE→FS_SQL_ENGINE_CI_RWSNOWFLAKE_WAREHOUSE→FS_CI_WHSNOWFLAKE_DATABASE→FS_CISNOWFLAKE_SCHEMA→PUBLICSNOWFLAKE_PRIVATE_KEY→ contents of the new key file