chore: add Neon database branching workflow for PRs

[onerandomdevv]

What does this PR do?

This PR introduces a GitHub Actions workflow to automate database branching with Neon.

Specifically, it:

• Automatically creates an isolated Neon database branch (preview/pr-<number>) whenever a Pull Request is opened or synchronized.
• Automatically deletes the associated database branch when the Pull Request is closed.

Why?
This ensures that every PR gets a safe, isolated database environment for testing and preview deployments, completely separated from our production and staging databases.

Type of change

• Feature
• Bug fix
• Config / setup
• Refactor
• Docs

Checklist

• I have read AGENTS.md
• pnpm build passes locally with no errors
• No TypeScript errors (pnpm tsc --noEmit)
• No hardcoded secrets or API keys
• All new API routes check for admin session before executing
• No UI libraries were installed
• Fonts are loaded via next/font/google only
• pnpm was used (not npm or yarn)

Screenshots (if UI changes)

None

Notes for reviewer

Summary by CodeRabbit

• Chores
  • Added automatic database preview branch management for pull requests, with branches created on PR opening and automatically deleted on PR closure.

[coderabbitai]

📝 Walkthrough

Walkthrough

A GitHub Actions workflow is introduced to automatically manage Neon database preview branches linked to pull requests. The workflow creates a preview branch when a PR is opened or updated and deletes it when the PR is closed.

Changes

Neon Preview Branch Automation

Layer / File(s)	Summary
Workflow Trigger .github/workflows/neon_workflow.yml (lines 1–6)	Workflow named "Neon Database Branching" triggers on pull request events: opened, synchronize, reopened, and closed.
Branch Creation Job .github/workflows/neon_workflow.yml (lines 7–18)	setup-neon-branch job runs when PR is not closed, creates a Neon preview branch named preview/pr-${{ github.event.number }} using neondatabase/create-branch-action@v5 with project ID and API key.
Branch Deletion Job .github/workflows/neon_workflow.yml (lines 19–28)	delete-neon-branch job runs when PR is closed, deletes the corresponding Neon preview branch using neondatabase/delete-branch-action@v3 with the same branch naming scheme.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A branch is born with every PR,
A Neon spark to test from far!
When merged or closed, it fades away,
Preview branches—here to stay! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change—adding a Neon database branching workflow for PRs—which directly matches the changeset content.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description includes all required sections from the template with appropriate detail and completeness.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/updates

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/neon_workflow.yml (2)

7-10: ⚡ Quick win

Declare minimal permissions to restrict the default GITHUB_TOKEN scope

Neither job needs write access to repository contents or metadata, yet the workflow inherits GitHub's default broad token permissions. Explicitly setting permissions: {} at the workflow level (and granting only what's needed per job) prevents the token from being misused if an action step is ever compromised.

🛡️ Proposed fix

 on:
   pull_request:
     types: [opened, synchronize, reopened, closed]

+permissions: {}
+
 jobs:
   setup-neon-branch:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/neon_workflow.yml around lines 7 - 10, Add explicit
minimal token permissions to the workflow by declaring a top-level permissions
block (e.g., permissions: {}) to restrict the default GITHUB_TOKEN scope, and
then grant only the specific permissions needed for the setup-neon-branch job
(reference the job name setup-neon-branch) by adding a job-level permissions
map; update the workflow YAML to include these permissions entries so the job no
longer inherits broad default write access.

---

1-5: ⚡ Quick win

Add a concurrency group to prevent redundant parallel runs on rapid pushes

Without a concurrency key, multiple synchronize events fired in quick succession (e.g., a force-push immediately after a commit) will spawn parallel setup-neon-branch runs against the same PR branch. Neon's own official guide explicitly adds concurrency: group: ${{ github.workflow }}-${{ github.ref }} with the note "Ensures only the latest commit runs, preventing race conditions in concurrent PR updates."

⚡ Proposed fix

 on:
   pull_request:
     types: [opened, synchronize, reopened, closed]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true

 jobs:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/neon_workflow.yml around lines 1 - 5, Add a concurrency
key to the GitHub Actions workflow declared as "Neon Database Branching" to
prevent redundant parallel runs: add a top-level concurrency: group that uses
the workflow and ref (e.g., group: ${{ github.workflow }}-${{ github.ref }}) and
set cancel-in-progress: true so only the latest PR commit run for the same
branch continues; update the workflow file where "name: Neon Database Branching"
is defined to include this concurrency block.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/neon_workflow.yml:
- Around line 7-10: Add explicit minimal token permissions to the workflow by
declaring a top-level permissions block (e.g., permissions: {}) to restrict the
default GITHUB_TOKEN scope, and then grant only the specific permissions needed
for the setup-neon-branch job (reference the job name setup-neon-branch) by
adding a job-level permissions map; update the workflow YAML to include these
permissions entries so the job no longer inherits broad default write access.
- Around line 1-5: Add a concurrency key to the GitHub Actions workflow declared
as "Neon Database Branching" to prevent redundant parallel runs: add a top-level
concurrency: group that uses the workflow and ref (e.g., group: ${{
github.workflow }}-${{ github.ref }}) and set cancel-in-progress: true so only
the latest PR commit run for the same branch continues; update the workflow file
where "name: Neon Database Branching" is defined to include this concurrency
block.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c14c08d4-5e1f-4637-b3b4-fa4fce811a81

📥 Commits

Reviewing files that changed from the base of the PR and between 1b397a7 and 0fa396e.

📒 Files selected for processing (1)

• .github/workflows/neon_workflow.yml