feat(ci): Check migrations exist

[armenzg]

If migrations get added, make sure that there's an associated migration lockfile.

[sentry]

Bug: The migration-lockfile-guard job uses a git diff command that works for pull requests but will always fail on a push to the master branch, blocking the CI pipeline.
_{Severity: CRITICAL}

Suggested Fix

Restrict the migration-lockfile-guard job to only run on pull_request events. Alternatively, modify the script to use the correct Git references for a push event, such as comparing HEAD with ${{ github.event.before }} to get the correct diff.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/backend.yml#L329

Potential issue: The `migration-lockfile-guard` job in the `backend.yml` workflow is
configured to run on both `pull_request` and `push` events to the `master` branch.
However, the command it uses, `git diff --name-only origin/master HEAD`, is only
effective in a pull request context. When a commit is pushed to `master`, both `HEAD`
and `origin/master` point to the same commit, resulting in an empty diff. Consequently,
the subsequent `grep` command fails to find the `migrations_lockfile.txt` file, causing
the script to exit with an error and fail the CI build on the `master` branch. This will
block deployments that include database migrations.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[markstory]

Are people not doing this? Or is this a safeguard against LLMs?

[armenzg]

I think they forgot to commit the migrations file

[armenzg]

I have changed the wording.

[armenzg]

We will only run this check on pull requests.

[sentry]

Bug: The migration-lockfile-guard job hardcodes origin/master for its git diff. This will cause incorrect validation for pull requests targeting branches other than master.
_{Severity: HIGH}

Suggested Fix

Replace the hardcoded origin/master with a dynamic reference to the pull request's base branch. Use origin/${{ github.base_ref }} or origin/${{ github.event.pull_request.base.ref }} to ensure the diff is always against the correct target branch.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/backend.yml#L329

Potential issue: The `migration-lockfile-guard` job is configured to run on pull
requests targeting any branch. However, the script at line 329 uses `git diff
--name-only origin/master HEAD` to check for changes. This hardcoded reference to
`origin/master` is incorrect when a pull request's base branch is not `master` (e.g., a
release branch). This will cause the migration lockfile check to compare against the
wrong set of changes, potentially leading to false positives or false negatives, and
allowing migrations to be merged without a corresponding lockfile update.

_{Did we get this right? 👍 / 👎 to inform future reviews.}

[cursor]

Exclusion pattern uses unsupported git pathspec syntax

Medium Severity

The exclusion pattern :!src/sentry/**/migrations/__init__.py uses git pathspec syntax, which is not supported by dorny/paths-filter. This action uses picomatch for glob matching, which doesn't recognize :! as an exclusion operator. The pattern will have no effect, so adding __init__.py files to migration directories will still incorrectly trigger the migration-lockfile-guard check. Other patterns in this file correctly use picomatch extglob syntax like !(tests)/**/*.py for exclusions.