chore: add Neon database branching workflow for PRs#5
Conversation
📝 WalkthroughWalkthroughA GitHub Actions workflow is introduced to automatically manage Neon database preview branches linked to pull requests. The workflow creates a preview branch when a PR is opened or updated and deletes it when the PR is closed. ChangesNeon Preview Branch Automation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (2)
.github/workflows/neon_workflow.yml (2)
7-10: ⚡ Quick winDeclare minimal
permissionsto restrict the default GITHUB_TOKEN scopeNeither job needs write access to repository contents or metadata, yet the workflow inherits GitHub's default broad token permissions. Explicitly setting
permissions: {}at the workflow level (and granting only what's needed per job) prevents the token from being misused if an action step is ever compromised.🛡️ Proposed fix
on: pull_request: types: [opened, synchronize, reopened, closed] +permissions: {} + jobs: setup-neon-branch:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/neon_workflow.yml around lines 7 - 10, Add explicit minimal token permissions to the workflow by declaring a top-level permissions block (e.g., permissions: {}) to restrict the default GITHUB_TOKEN scope, and then grant only the specific permissions needed for the setup-neon-branch job (reference the job name setup-neon-branch) by adding a job-level permissions map; update the workflow YAML to include these permissions entries so the job no longer inherits broad default write access.
1-5: ⚡ Quick winAdd a
concurrencygroup to prevent redundant parallel runs on rapid pushesWithout a
concurrencykey, multiplesynchronizeevents fired in quick succession (e.g., a force-push immediately after a commit) will spawn parallelsetup-neon-branchruns against the same PR branch. Neon's own official guide explicitly addsconcurrency: group: ${{ github.workflow }}-${{ github.ref }}with the note "Ensures only the latest commit runs, preventing race conditions in concurrent PR updates."⚡ Proposed fix
on: pull_request: types: [opened, synchronize, reopened, closed] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/neon_workflow.yml around lines 1 - 5, Add a concurrency key to the GitHub Actions workflow declared as "Neon Database Branching" to prevent redundant parallel runs: add a top-level concurrency: group that uses the workflow and ref (e.g., group: ${{ github.workflow }}-${{ github.ref }}) and set cancel-in-progress: true so only the latest PR commit run for the same branch continues; update the workflow file where "name: Neon Database Branching" is defined to include this concurrency block.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/neon_workflow.yml:
- Around line 7-10: Add explicit minimal token permissions to the workflow by
declaring a top-level permissions block (e.g., permissions: {}) to restrict the
default GITHUB_TOKEN scope, and then grant only the specific permissions needed
for the setup-neon-branch job (reference the job name setup-neon-branch) by
adding a job-level permissions map; update the workflow YAML to include these
permissions entries so the job no longer inherits broad default write access.
- Around line 1-5: Add a concurrency key to the GitHub Actions workflow declared
as "Neon Database Branching" to prevent redundant parallel runs: add a top-level
concurrency: group that uses the workflow and ref (e.g., group: ${{
github.workflow }}-${{ github.ref }}) and set cancel-in-progress: true so only
the latest PR commit run for the same branch continues; update the workflow file
where "name: Neon Database Branching" is defined to include this concurrency
block.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: c14c08d4-5e1f-4637-b3b4-fa4fce811a81
📒 Files selected for processing (1)
.github/workflows/neon_workflow.yml
1 participant
What does this PR do?
This PR introduces a GitHub Actions workflow to automate database branching with Neon.
Specifically, it:
preview/pr-<number>) whenever a Pull Request is opened or synchronized.Why?
This ensures that every PR gets a safe, isolated database environment for testing and preview deployments, completely separated from our production and staging databases.
Type of change
Checklist
Screenshots (if UI changes)
None
Notes for reviewer
Summary by CodeRabbit