Added prisma-migration-check ci #81

Merged
yb175 merged 8 commits into main from ci-cd on Apr 9, 2026

Conversation

yb175 (Owner) commented Apr 9, 2026

#80

Summary by CodeRabbit

  • Chores
    • Added automated Prisma migration validation in CI to surface schema/migration issues earlier.
    • Added an automated production deployment workflow to streamline and standardize releases.
    • Removed a deprecated demo workflow no longer in use.

coderabbitai Bot (Contributor) commented Apr 9, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Adds two new GitHub Actions workflows (Prisma migration check and SSH production deploy) and removes an existing demo workflow. The migration workflow runs Prisma checks against a PostgreSQL service; the deploy workflow performs an SSH-driven backend/frontend deployment sequence on pushes to main.

Changes

Cohort / File(s): Summary

Prisma Migration Check (.github/workflows/prisma-migration-check.yml)
  New CI workflow that runs on push (main/develop) and pull_request, provisions a PostgreSQL 15 service, sets DATABASE_URL, installs Node 20, and runs prisma generate, prisma validate, and prisma migrate deploy against the test DB.

Deploy to Production (SSH) (.github/workflows/deploy-to-production.yml)
  New workflow triggered on push to main that runs an SSH action to fetch/reset the repo, install/build the backend (npm ci, npx prisma generate, npx prisma migrate deploy, npm run build, pm2 reload) and the frontend (npm ci, npm run build, rsync to the web dir).

Demo Workflow Removal (.github/workflows/github-actions-demo.yml)
  Deleted demo workflow that previously echoed the GitHub context and listed workspace files.

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions
  participant Runner as Ubuntu runner
  participant PG as PostgreSQL:15 (service)
  participant Backend as backend workspace
  participant Prisma as Prisma CLI

  GH->>Runner: trigger prisma-migration-check (push/PR)
  Runner->>PG: start postgres service
  Runner->>Backend: set DATABASE_URL -> postgres service
  Runner->>Backend: npm ci, npx prisma generate
  Backend->>Prisma: prisma validate
  Backend->>Prisma: prisma migrate deploy
  Prisma-->>Runner: exit status (success/failure)
sequenceDiagram
  participant GH as GitHub Actions
  participant Runner as Ubuntu runner
  participant Remote as Production server (SSH)
  participant Backend as backend dir on remote
  participant Frontend as frontend dir on remote
  participant PM2 as pm2 process manager

  GH->>Runner: push to main triggers deploy-to-production
  Runner->>Remote: SSH (secret key) -> run deploy script
  Remote->>Remote: git fetch/checkout/reset/clean
  Remote->>Backend: cd backend, npm ci, npx prisma generate, npx prisma migrate deploy, npm run build
  Remote->>PM2: pm2 reload cvpilot-backend
  Remote->>Frontend: cd frontend, npm ci, npm run build, rsync dist -> /var/www/CVPilot/
  Remote-->>Runner: echo "Deployment complete!"

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nibble logs and follow the trail,
migrations checked, and SSH set sail.
Backend hummed, frontend shone bright,
CI hops steady through day and night.
A carrot-coded cheer — deploys take flight!

Pre-merge checks: 3 passed

Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title 'Added prisma-migration-check ci' only partially reflects the changeset; it mentions the primary addition but ignores the concurrent addition of deploy-to-production.yml and removal of github-actions-demo.yml.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/prisma-migration-check.yml:
- Around line 47-48: The CI step titled "Install dependencies" currently runs
`npm install`, which can produce non-deterministic installs; update that step
(`name: Install dependencies`, the `run:` value) to use a lockfile-strict
command such as `npm ci` so the workflow performs a deterministic install from
package-lock.json.
- Around line 12-13: The Prisma-Migration-Check job has no timeout and can hang
CI; add a job-level timeout to the Prisma-Migration-Check workflow job by adding
a timeout-minutes property (e.g., timeout-minutes: 30) under the
Prisma-Migration-Check job definition so the runner is automatically canceled
after the specified time; update the job configuration that defines
Prisma-Migration-Check to include this key.
- Around line 11-13: The workflow relies on default GITHUB_TOKEN permissions;
add an explicit least-privilege permissions block for the Prisma-Migration-Check
job (or top-level workflow) to restrict GITHUB_TOKEN to read-only access. Update
the Prisma-Migration-Check job to include a permissions section (e.g.,
permissions: contents: read) so the job and any steps (like actions/checkout)
only get the minimum required scope instead of full default write permissions.
- Around line 25-28: The Postgres health check uses pg_isready without explicit
connection details causing flakiness; update the health command configured via
--health-cmd to call pg_isready with explicit connection target (e.g., include
-h <host> -p <port> -U <user> or use the CI-provided env vars) so the container
checks the correct host/port/username, and ensure the workflow uses those same
environment variables when setting
--health-interval/--health-timeout/--health-retries for consistent readiness
detection.

📥 Commits

Reviewing files that changed from the base of the PR and between b8cc3b9 and faaf88a.

📒 Files selected for processing (1)
  • .github/workflows/prisma-migration-check.yml
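A hardened version of the migration-check workflow that folds in the four findings above (lockfile-strict install, job timeout, least-privilege token, pg_isready with an explicit target). This is an added example, not the PR's own file; the service credentials, the test database name and the `backend/` working directory are assumptions made for illustration.

```yaml
name: Prisma Migration Check

on:
  push:
    branches: [main, develop]
  pull_request:

# Explicit block: every scope not listed becomes "none", so the token
# handed to actions/checkout is read-only and cannot write to the repo.
permissions:
  contents: read

jobs:
  prisma-migration-check:
    runs-on: ubuntu-latest
    timeout-minutes: 30          # a hung migrate deploy is cancelled, not left for the 6 h default
    services:
      postgres:
        image: postgres:15
        env:
          # Throwaway credentials for the ephemeral CI service only (assumed values).
          POSTGRES_USER: ci
          POSTGRES_PASSWORD: ci
          POSTGRES_DB: cvpilot_test
        ports:
          - 5432:5432
        # pg_isready is given the exact host/port/user/db it must answer on,
        # so the health check cannot pass against the wrong socket.
        options: >-
          --health-cmd "pg_isready -h localhost -p 5432 -U ci -d cvpilot_test"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    env:
      # Same credentials as the service block, so the app and the health check agree.
      DATABASE_URL: postgresql://ci:ci@localhost:5432/cvpilot_test
    defaults:
      run:
        working-directory: backend   # assumed: the Prisma schema lives in backend/
    steps:
      # Tags kept for readability here; pin these to commit SHAs as well in production.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: backend/package-lock.json
      - name: Install dependencies
        run: npm ci                  # installs exactly what package-lock.json records
      - name: Generate Prisma client
        run: npx prisma generate
      - name: Validate schema
        run: npx prisma validate
      - name: Apply migrations to the empty test database
        run: npx prisma migrate deploy
```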

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
.github/workflows/prisma-migration-check.yml (1)

15-17: ⚠️ Potential issue | 🟠 Major

Remove unnecessary pull-requests: write token scope.

This job does not perform any PR write operation, so granting PR write access increases blast radius without benefit.

Suggested fix
     permissions:
       contents: read
-      pull-requests: write
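Review bot: an explicit `permissions:` block turns every scope it does not list into `none`, so before dropping `pull-requests: write` confirm that no step in this job comments on or labels the PR; if none does, `contents: read` is all that `actions/checkout` and the Prisma steps need. If this block sits at job level, the rest of the workflow still falls back to the repository default, so placing it at the top of the workflow file covers any job added later.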
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/prisma-migration-check.yml around lines 15 - 17, The
workflow grants an unnecessary "pull-requests: write" permission under the
permissions block; remove the "pull-requests: write" entry so the job only has
the minimal required scopes (e.g., keep "contents: read") to reduce blast
radius. Locate the permissions mapping (the "permissions:" block and the
"pull-requests: write" key) in the workflow and delete the pull-requests line,
ensuring YAML remains valid and only required scopes are present.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test_ssh.yml:
- Around line 3-8: The workflow currently lists a pull_request trigger under the
on: block which exposes secret-backed SSH execution to untrusted PRs; remove the
pull_request trigger from the on: block (or replace it with workflow_dispatch
for manual runs) so the job only runs on safe events (e.g., push to main) and/or
add an explicit guard that limits execution to trusted actors/repos; update the
on: block and any job-level conditionals referencing pull_request to ensure the
SSH job cannot be invoked by arbitrary PRs.
- Line 15: Replace the mutable tag usage string "uses:
appleboy/ssh-action@v1.0.3" with an immutable commit SHA reference (e.g., "uses:
appleboy/ssh-action@<full-commit-sha>"); locate the exact line containing the
uses entry in the workflow and update it to the full commit SHA from the
appleboy/ssh-action repository release you intend to use so the action is pinned
to a specific immutable commit.

---

Duplicate comments:
In @.github/workflows/prisma-migration-check.yml:
- Around line 15-17: The workflow grants an unnecessary "pull-requests: write"
permission under the permissions block; remove the "pull-requests: write" entry
so the job only has the minimal required scopes (e.g., keep "contents: read") to
reduce blast radius. Locate the permissions mapping (the "permissions:" block
and the "pull-requests: write" key) in the workflow and delete the pull-requests
line, ensuring YAML remains valid and only required scopes are present.

📥 Commits

Reviewing files that changed from the base of the PR and between faaf88a and 9d973bd.

📒 Files selected for processing (2)
  • .github/workflows/prisma-migration-check.yml
  • .github/workflows/test_ssh.yml

coderabbitai Bot (Contributor) left a comment

♻️ Duplicate comments (2)
.github/workflows/test_ssh.yml (2)

15-15: ⚠️ Potential issue | 🟠 Major

Pin GitHub Action to an immutable commit SHA.

Line 15 uses a mutable tag (@v1.0.3). Pin to a full commit SHA to prevent tag retargeting/supply-chain drift.

Suggested fix
-        uses: appleboy/ssh-action@v1.0.3
+        uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262
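Review bot: the pinned `uses:` line should keep the human-readable version as a trailing comment (`uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3`) so reviewers can read it and Dependabot or Renovate can keep the pin current; the SHA itself must be checked against the tag in the appleboy/ssh-action repository before merging, since nothing in this thread shows that it corresponds to v1.0.3.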
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test_ssh.yml at line 15, Replace the mutable tag
"appleboy/ssh-action@v1.0.3" with a pinned immutable commit SHA for that action;
locate the commit SHA in the appleboy/ssh-action repository (or the action's
release commit) and update the workflow line to use
"appleboy/ssh-action@<full-commit-sha>" so the workflow references a specific
commit instead of a mutable tag.

3-8: ⚠️ Potential issue | 🔴 Critical

Block secret-backed SSH execution on PR events.

Line 7 enables pull_request, which allows untrusted PR paths to invoke a job that consumes deployment secrets and accesses remote infrastructure. Restrict this to trusted/manual events only.

Suggested fix
 on:
   push:
     branches:
       - main
-  pull_request:
+  workflow_dispatch:
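Review bot: with `pull_request` gone, `push` to `main` is the only automatic trigger and `workflow_dispatch:` needs no `inputs:` as long as the job takes nothing from the invoker, so the hunk is complete as written; `pull_request_target` should not be substituted later, because it also runs with repository secrets. Consider adding an `environment:` to the job so the production secrets sit behind an environment protection rule rather than being available to anyone who can push to `main`.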
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/test_ssh.yml around lines 3 - 8, The workflow currently
triggers on the untrusted "pull_request" event (the pull_request entry under
on:), which allows PRs to run jobs that use secrets; remove the "pull_request"
trigger and instead restrict runs to trusted/manual events (for example, remove
the pull_request key and add workflow_dispatch or other approved triggers) so
secret-backed SSH jobs only run on push to main or on a manual/workflow_dispatch
invocation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/test_ssh.yml:
- Line 15: Replace the mutable tag "appleboy/ssh-action@v1.0.3" with a pinned
immutable commit SHA for that action; locate the commit SHA in the
appleboy/ssh-action repository (or the action's release commit) and update the
workflow line to use "appleboy/ssh-action@<full-commit-sha>" so the workflow
references a specific commit instead of a mutable tag.
- Around line 3-8: The workflow currently triggers on the untrusted
"pull_request" event (the pull_request entry under on:), which allows PRs to run
jobs that use secrets; remove the "pull_request" trigger and instead restrict
runs to trusted/manual events (for example, remove the pull_request key and add
workflow_dispatch or other approved triggers) so secret-backed SSH jobs only run
on push to main or on a manual/workflow_dispatch invocation.


📥 Commits

Reviewing files that changed from the base of the PR and between 9d973bd and fe46a70.

📒 Files selected for processing (1)
  • .github/workflows/test_ssh.yml

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy-to-production.yml:
- Around line 27-28: Replace the non-deterministic "git pull origin main" step
with a deterministic remote-sync sequence: fetch the remote branch and force the
working tree to match it (e.g., git fetch + git reset --hard origin/main and
optionally git clean -fd to remove untracked files) so the deploy always resets
to the exact remote commit; locate the "git pull origin main" occurrence and
swap it for the fetch/reset/clean sequence in the deploy step.
- Around line 42-44: Replace the unsafe remove-then-copy sequence ("sudo mkdir
-p /var/www/CVPilot/", "sudo rm -rf /var/www/CVPilot/*", "sudo cp -r dist/*
/var/www/CVPilot/") with an atomic-safe publish using rsync or a temp-directory
swap: create a temp dir, rsync the build into it (e.g., rsync -a --delete
--links --chmod=... dist/ /tmp/cvp_build/ to include dotfiles), then move or
atomically swap the temp dir into place (mv /tmp/cvp_build /var/www/CVPilot.new
&& mv -T /var/www/CVPilot.new /var/www/CVPilot or update a symlink), or run
rsync directly to /var/www/CVPilot with --delete (no preceding rm -rf) so
partial failures don't leave the site empty.
- Around line 31-35: The deployment workflow currently runs migrations then
reloads the PM2 process but omits compiling the backend, so add the build step:
after the existing npx prisma migrate deploy command and before the pm2 reload
cvpilot-backend command, run npm run build within the backend working directory
(the same block that does cd backend and npm install) so that PM2's node
./dist/server.js has up-to-date compiled code.
- Around line 9-11: The job "test-ssh" can run concurrently on multiple pushes
and race on commands like "npx prisma migrate deploy", PM2 reload and frontend
publish; add a GitHub Actions concurrency lock to the job to ensure only one
production deploy runs at a time by adding a concurrency block to the "test-ssh"
job (use a stable group name such as "production-deploy" or
"production-deploy-${{ github.ref }}" and set cancel-in-progress: false so new
runs wait rather than overlap/cancel) so all steps in test-ssh (including the
prisma migrate deploy and PM2/frontend publish steps) cannot execute in
parallel.
- Around line 32-40: Replace non-reproducible npm installs with deterministic CI
installs: change the backend "npm install" before "npx prisma generate" / "npx
prisma migrate deploy" / "pm2 reload cvpilot-backend" to "npm ci", and also
change the frontend "npm install" executed after "cd frontend" to "npm ci",
ensuring both use the project's lockfiles for reproducible deployments.
- Around line 15-21: Replace the mutable action tag appleboy/ssh-action@v1.0.3
with the immutable commit SHA
appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 and add an SSH host
key verification entry under the action inputs (use the `fingerprint` key and
wire it to a secret like `secrets.DO_HOST_FINGERPRINT`); update the `uses:`
value and insert `fingerprint:` alongside `host`, `username`, `key`, `port`, and
`passphrase` in the job step to enforce pinned action and host key verification.

📥 Commits

Reviewing files that changed from the base of the PR and between fe46a70 and 4136e55.

📒 Files selected for processing (2)
  • .github/workflows/deploy-to-production.yml
  • .github/workflows/github-actions-demo.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/github-actions-demo.yml

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/deploy-to-production.yml (1)

17-23: ⚠️ Potential issue | 🟠 Major

Harden production SSH step with immutable pin + host key verification.

Line 17 still uses a mutable tag and the SSH inputs still omit fingerprint.

Suggested fix
-        uses: appleboy/ssh-action@v1.0.3
+        uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262
         with:
           host: ${{ secrets.DO_HOST }}
           username: ${{ secrets.DO_USERNAME }}
           key: ${{ secrets.DO_SSH_KEY }}
           port: ${{ secrets.SSH_PORT }}
           passphrase: ${{ secrets.DO_PASSPHRASE }}
+          fingerprint: ${{ secrets.DO_HOST_FINGERPRINT }}
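Review bot: `fingerprint:` only verifies the host if `secrets.DO_HOST_FINGERPRINT` holds the server's SHA256 host key fingerprint recorded out of band (for example from `ssh-keygen -lf` on the server's own public host key file), so document how that secret is provisioned and what to do when the host key is rotated; a stale value makes every deploy fail closed, which is the intended behaviour. The `uses:` form in the hunk, a bare 40-hex commit id, is the correct one: GitHub does not accept the `@sha256:<commit-hash>` form mentioned in the accompanying prompt for actions, and a trailing `# v1.0.3` comment keeps the pin readable and trackable by Dependabot.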
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-to-production.yml around lines 17 - 23, The SSH
step using appleboy/ssh-action@v1.0.3 should be hardened: replace the mutable
tag (appleboy/ssh-action@v1.0.3) with an immutable pin (the action's commit SHA,
e.g., appleboy/ssh-action@sha256:<commit-hash>) and add the fingerprint input to
enable host key verification (set fingerprint: ${{ secrets.DO_HOST_FINGERPRINT
}}); keep the existing inputs (host, username, key, port, passphrase) but ensure
the host fingerprint secret is provisioned and referenced in the step where
appleboy/ssh-action is used.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy-to-production.yml:
- Around line 8-10: The workflow uses the invalid top-level key "concurrent";
replace it with the correct GitHub Actions key "concurrency" so the workflow
validates and can run. Locate the block containing the "concurrent:" mapping
(the deploy-to-production workflow top-level section) and rename the key to
"concurrency", preserving the nested entries "group" and "cancel-in-progress"
exactly as they are. After the change, validate the YAML to ensure there are no
syntax errors.

---

Duplicate comments:
In @.github/workflows/deploy-to-production.yml:
- Around line 17-23: The SSH step using appleboy/ssh-action@v1.0.3 should be
hardened: replace the mutable tag (appleboy/ssh-action@v1.0.3) with an immutable
pin (the action's commit SHA, e.g., appleboy/ssh-action@sha256:<commit-hash>)
and add the fingerprint input to enable host key verification (set fingerprint:
${{ secrets.DO_HOST_FINGERPRINT }}); keep the existing inputs (host, username,
key, port, passphrase) but ensure the host fingerprint secret is provisioned and
referenced in the step where appleboy/ssh-action is used.

📥 Commits

Reviewing files that changed from the base of the PR and between 4136e55 and b4697f7.

📒 Files selected for processing (1)
  • .github/workflows/deploy-to-production.yml
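The deploy workflow with the findings from the two deploy-to-production reviews and the two test_ssh.yml reviews folded in: no `pull_request` trigger, `concurrency` spelled correctly, a pinned action with host key verification, fetch/reset/clean instead of `git pull`, `npm ci`, a backend build before the pm2 reload, and an rsync publish with no preceding `rm -rf`. This is an added example, not the repository's file; the checkout path `/srv/cvpilot` is assumed, the remote login shell is assumed to be bash, and the action SHA is copied from the review suggestion and must be verified against the appleboy/ssh-action repository before use.

```yaml
name: Deploy to Production

on:
  push:
    branches: [main]
  workflow_dispatch:           # manual runs only; no pull_request, so fork PRs never reach the secrets

permissions:
  contents: read               # nothing here writes through GITHUB_TOKEN

# "concurrent" is not a GitHub Actions key; "concurrency" is. One deploy at a time,
# and a newer push waits for a running migrate deploy instead of cancelling it.
concurrency:
  group: production-deploy
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Deploy over SSH
        # SHA taken from the review suggestion above (verify it against the action's
        # repository); the trailing comment lets Dependabot/Renovate track the pin.
        uses: appleboy/ssh-action@029f5b4aeeeb58fdfe1410a5d17f967dacf36262 # v1.0.3
        with:
          host: ${{ secrets.DO_HOST }}
          username: ${{ secrets.DO_USERNAME }}
          key: ${{ secrets.DO_SSH_KEY }}
          port: ${{ secrets.SSH_PORT }}
          passphrase: ${{ secrets.DO_PASSPHRASE }}
          # SHA256 host key fingerprint recorded out of band; without it the action
          # trusts whatever host key answers on DO_HOST.
          fingerprint: ${{ secrets.DO_HOST_FINGERPRINT }}
          script: |
            set -eu
            cd /srv/cvpilot                 # assumed checkout path on the server
            # Deterministic sync: the tree becomes exactly origin/main, untracked files removed.
            git fetch origin main
            git checkout main
            git reset --hard origin/main
            git clean -fd

            cd backend
            npm ci                          # lockfile-strict, unlike npm install
            npx prisma generate
            npx prisma migrate deploy
            npm run build                   # compile first so pm2 reloads current dist/server.js
            pm2 reload cvpilot-backend

            cd ../frontend
            npm ci
            npm run build
            # No rm -rf first: --delete prunes stale files only once the new build is
            # copied, so a failed step never leaves /var/www/CVPilot empty.
            sudo mkdir -p /var/www/CVPilot/
            sudo rsync -a --delete dist/ /var/www/CVPilot/
            echo "Deployment complete!"
```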

@yb175 yb175 merged commit 74f912e into main Apr 9, 2026
4 checks passed