From 5fc0086f49e2f7a12f7fc5403f31c1f2b8d9f590 Mon Sep 17 00:00:00 2001 From: Theodore Li Date: Wed, 1 Jul 2026 16:34:04 -0700 Subject: [PATCH 1/8] ci(trigger): auto-deploy Trigger.dev tasks to dev-sim on dev pushes Add a deploy-trigger-dev job that runs `trigger.dev deploy --env preview --branch dev-sim` on pushes to the dev branch, replacing the manual step. Gated after migrate-dev for the same reason as build-dev: the new task code runs against the dev DB, so the schema must be pushed first. Uses Trigger.dev's remote build (no --local-build), so the runner needs no Docker/buildx. Requires a TRIGGER_ACCESS_TOKEN repo secret. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_015orsjbLX34FPFGujSK3AQK --- .github/workflows/ci.yml | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c62cd2f2d1e..54a1a3c70c8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -130,6 +130,44 @@ jobs: provenance: false sbom: false + # Dev: deploy Trigger.dev background tasks to the preview "dev-sim" branch. + # Gated after migrate-dev for the same reason as build-dev — the new task + # code runs against the dev DB, so the schema must be pushed first. + deploy-trigger-dev: + name: Deploy Trigger.dev (Dev) + needs: [migrate-dev] + if: github.event_name == 'push' && github.ref == 'refs/heads/dev' + runs-on: blacksmith-4vcpu-ubuntu-2404 + steps: + - name: Checkout code + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + + - name: Setup Bun + uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2 + with: + bun-version: 1.3.13 + + - name: Cache Bun dependencies + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + with: + path: | + ~/.bun/install/cache + node_modules + **/node_modules + key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lock') }} + restore-keys: | + ${{ runner.os }}-bun- + + - name: Install dependencies + run: bun install --frozen-lockfile + + - name: Deploy to Trigger.dev + working-directory: ./apps/sim + env: + TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }} + TRIGGER_PROJECT_ID: proj_kufttkwzywcydwtccqhx + run: bunx trigger.dev@4.4.3 deploy --env preview --branch dev-sim + # Main/staging: build AMD64 images and push to ECR + GHCR build-amd64: name: Build AMD64 From e6507f2912262786e79f9efffd6991d8f8be0fa2 Mon Sep 17 00:00:00 2001 From: Theodore Li Date: Wed, 1 Jul 2026 16:38:03 -0700 Subject: [PATCH 2/8] ci(trigger): source TRIGGER_PROJECT_ID from repo secret Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_015orsjbLX34FPFGujSK3AQK --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 54a1a3c70c8..52af65ff8f5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
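Review bot: The new deploy-trigger-dev job declares no job-level `permissions:`, so it inherits whatever the workflow-level default is (not visible in this hunk); it only checks out code and talks to Trigger.dev with its own token, so `permissions:` / `  contents: read` on the job keeps GITHUB_TOKEN at least privilege even if the top-level default is broader. Two pushes to dev in quick succession also start two deploys in parallel, so an older commit can finish after a newer one; unless a workflow-level group already covers this job, a job-level `concurrency:` with `group: deploy-trigger-dev` and `cancel-in-progress: false` serializes them. `bunx trigger.dev@4.4.3` is version-pinned but resolved from the registry at run time, outside bun.lock, so it is not covered by the `--frozen-lockfile` install two steps earlier; adding the CLI as a devDependency and invoking it through the lockfile would put it under the same pin as the rest of the install.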
@@ -165,7 +165,7 @@ jobs: working-directory: ./apps/sim env: TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }} - TRIGGER_PROJECT_ID: proj_kufttkwzywcydwtccqhx + TRIGGER_PROJECT_ID: ${{ secrets.TRIGGER_PROJECT_ID }} run: bunx trigger.dev@4.4.3 deploy --env preview --branch dev-sim # Main/staging: build AMD64 images and push to ECR + GHCR From d22b025a1270ad0c482e780f7f054c95d035d3af Mon Sep 17 00:00:00 2001 From: Theodore Li Date: Wed, 1 Jul 2026 16:41:53 -0700 Subject: [PATCH 3/8] ci(trigger): fail fast when Trigger.dev secrets are unset Guard the deploy step so a missing TRIGGER_ACCESS_TOKEN or TRIGGER_PROJECT_ID exits with a clear message instead of a cryptic trigger.dev CLI error, matching the DATABASE_URL guard in migrations.yml. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_015orsjbLX34FPFGujSK3AQK --- .github/workflows/ci.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 52af65ff8f5..460613d154f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -166,7 +166,12 @@ jobs: env: TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }} TRIGGER_PROJECT_ID: ${{ secrets.TRIGGER_PROJECT_ID }} - run: bunx trigger.dev@4.4.3 deploy --env preview --branch dev-sim + run: | + if [ -z "$TRIGGER_ACCESS_TOKEN" ] || [ -z "$TRIGGER_PROJECT_ID" ]; then + echo "ERROR: TRIGGER_ACCESS_TOKEN and TRIGGER_PROJECT_ID repo secrets must both be set" >&2 + exit 1 + fi + bunx trigger.dev@4.4.3 deploy --env preview --branch dev-sim # Main/staging: build AMD64 images and push to ECR + GHCR build-amd64: From cb2aa5e081b7f2d6db2ce2c2fbceb956166ee1b8 Mon Sep 17 00:00:00 2001 
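Review bot: TRIGGER_PROJECT_ID is configuration rather than a credential (the later commit in this series describes it as the shared project id), and reading it from `secrets` makes GitHub mask it in the job log, so the deploy output shows `***` exactly where the target project would be useful when debugging a deploy to the wrong place. `TRIGGER_PROJECT_ID: ${{ vars.TRIGGER_PROJECT_ID }}` (a repository variable) keeps the id out of the source tree without the masking and leaves `secrets` for the access token only. If the id is deliberately treated as sensitive, a one-line comment saying so above the `env:` block would save the next reviewer the same question.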
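Review bot: The new guard runs inside the deploy step, after checkout, Bun setup, cache restore and `bun install --frozen-lockfile`, so a repo with the secrets unset only learns that once the whole install has completed. Hoisting it into the job's first step — `- name: Check Trigger.dev secrets` with the same `env:` mapping and the same `if [ -z "$TRIGGER_ACCESS_TOKEN" ] || [ -z "$TRIGGER_PROJECT_ID" ]; then` test — fails in seconds and leaves the deploy step holding only the deploy command. The empty-string shell test itself is the right mechanism here, since the `secrets` context is not exposed to `if:` expressions.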
From: Theodore Li Date: Wed, 1 Jul 2026 16:47:30 -0700 Subject: [PATCH 4/8] ci(migrations): fail dev db:push on interactive prompt or error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit drizzle-kit push prompts interactively for ambiguous renames (--force only covers data-loss). In CI there's no TTY, so the prompt reads EOF and drizzle can exit 0 without applying — the job goes green while the schema change was silently skipped. Close stdin, reject prompt markers, and require a success marker so an unresolved rename or failed statement fails the job. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_015orsjbLX34FPFGujSK3AQK --- .github/workflows/migrations.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/migrations.yml b/.github/workflows/migrations.yml index f789ec32627..5485e94509b 100644 --- a/.github/workflows/migrations.yml +++ b/.github/workflows/migrations.yml 
@@ -69,7 +69,20 @@ jobs: if [ "${ENVIRONMENT}" = "dev" ]; then echo "Dev environment — pushing schema directly (db:push)" - bun run db:push --force + # drizzle-kit push prompts interactively for ambiguous renames (which + # --force does NOT cover). With no TTY the prompt reads EOF and drizzle + # can still exit 0 without applying — a false green. Close stdin, then + # reject prompt markers and require a success marker so an unresolved + # rename or failed statement fails the job instead of passing. + bun run db:push --force < /dev/null 2>&1 | tee /tmp/db-push.log + if grep -qE "created or renamed|Do you want" /tmp/db-push.log; then + echo "ERROR: db:push hit an interactive rename prompt; resolve it with a versioned migration, not push." >&2 + exit 1 + fi + if ! grep -qE "Changes applied|No changes detected|No schema changes" /tmp/db-push.log; then + echo "ERROR: db:push did not confirm success (aborted prompt or failed statement)." >&2 + exit 1 + fi else echo "Applying versioned migrations (db:migrate)" bun run ./scripts/migrate.ts From 3b13560b59b291d4923b2328bf0cf045a9ae7861 Mon Sep 17 00:00:00 2001 From: Theodore Li Date: Wed, 1 Jul 2026 17:07:49 -0700 Subject: [PATCH 5/8] ci(migrations): fail dev db:push when drizzle-kit hits a TTY prompt drizzle-kit push needs a TTY to resolve ambiguous renames; in CI it throws "Interactive prompts require a TTY terminal" but still exits 0, so the job went green without applying the schema (e.g. run 28415609570). Fail on that explicit error. Keys on drizzle's own stable message rather than fuzzy prompt text, and a real non-zero exit still fails via set -e. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_015orsjbLX34FPFGujSK3AQK --- .github/workflows/migrations.yml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/migrations.yml b/.github/workflows/migrations.yml index 5485e94509b..7965eaf5e6d 100644 
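Review bot: `bun run db:push --force < /dev/null 2>&1 | tee /tmp/db-push.log` makes tee's exit status the pipeline's status, so a non-zero exit from drizzle-kit no longer stops the script under `set -e` unless `pipefail` is enabled; the script's preamble and the step's shell declaration are outside this hunk, and GitHub's default `run:` shell is `bash -e {0}` without pipefail (only an explicit `shell: bash` runs with `-eo pipefail`). Add `set -o pipefail` before the pipeline, or check `"${PIPESTATUS[0]}"` immediately after it, so a failed statement fails the job as the commit message intends. The same pipeline survives into [PATCH 5/8], whose new comment states that a genuine non-zero exit already fails via `set -e`; that claim only holds once pipefail is set, so the fix applies to both hunks. The enclosing `if [ "${ENVIRONMENT}" = "dev" ]` block starts outside the hunk.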
--- a/.github/workflows/migrations.yml +++ b/.github/workflows/migrations.yml @@ -69,18 +69,14 @@ jobs: if [ "${ENVIRONMENT}" = "dev" ]; then echo "Dev environment — pushing schema directly (db:push)" - # drizzle-kit push prompts interactively for ambiguous renames (which - # --force does NOT cover). With no TTY the prompt reads EOF and drizzle - # can still exit 0 without applying — a false green. Close stdin, then - # reject prompt markers and require a success marker so an unresolved - # rename or failed statement fails the job instead of passing. + # drizzle-kit push needs a TTY to resolve ambiguous renames (--force only + # covers data-loss). In CI it throws "Interactive prompts require a TTY + # terminal" but still exits 0, so the job goes green without applying the + # change. tee keeps the output live in the log; we then fail on drizzle's + # own TTY error. A genuine non-zero exit already fails via `set -e`. bun run db:push --force < /dev/null 2>&1 | tee /tmp/db-push.log - if grep -qE "created or renamed|Do you want" /tmp/db-push.log; then - echo "ERROR: db:push hit an interactive rename prompt; resolve it with a versioned migration, not push." >&2 - exit 1 - fi - if ! grep -qE "Changes applied|No changes detected|No schema changes" /tmp/db-push.log; then - echo "ERROR: db:push did not confirm success (aborted prompt or failed statement)." >&2 + if grep -q "Interactive prompts require a TTY terminal" /tmp/db-push.log; then + echo "ERROR: db:push needs an interactive rename decision; land it as a versioned migration instead of relying on push." >&2 exit 1 fi else From bc3b5adf3b11d92f867a350af8257a3fdf95abfe Mon Sep 17 00:00:00 2001 
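Review bot: The replacement check fails only when drizzle-kit prints the exact string `Interactive prompts require a TTY terminal`, so the detection is fail-open: if a later drizzle-kit release rewords that message, a push that silently skips a schema change goes green again, which is the very failure this series is fixing. The previous revision's positive check (require a success marker) was fail-closed; keeping a positive confirmation alongside the TTY-message check, or at minimum recording in the comment which drizzle-kit version the wording was verified against (`# message wording verified against drizzle-kit <drizzle-kit version>`), would make such a regression visible at upgrade time. Whether the project pins drizzle-kit to an exact version is not visible in this hunk, so I cannot tell how much that mitigates the risk.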
From: Theodore Li Date: Wed, 1 Jul 2026 17:30:41 -0700 Subject: [PATCH 6/8] ci(trigger): scope the access token secret as DEV_TRIGGER_ACCESS_TOKEN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The PAT is only used by the dev deploy job, so prefix it DEV_ to match the repo's dev-scoped secret convention. TRIGGER_PROJECT_ID stays unprefixed — it's the shared project (same one prod uses); dev-sim is a preview branch within it, not a separate project. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_015orsjbLX34FPFGujSK3AQK --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 460613d154f..6f46e1fd8ba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -164,7 +164,7 @@ jobs: - name: Deploy to Trigger.dev working-directory: ./apps/sim env: - TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }} + TRIGGER_ACCESS_TOKEN: ${{ secrets.DEV_TRIGGER_ACCESS_TOKEN }} TRIGGER_PROJECT_ID: ${{ secrets.TRIGGER_PROJECT_ID }} run: | if [ -z "$TRIGGER_ACCESS_TOKEN" ] || [ -z "$TRIGGER_PROJECT_ID" ]; then From b0be41da3d39fe352fbbb55cb6c53ba1871242ca Mon Sep 17 00:00:00 2001 From: Theodore Li Date: Wed, 1 Jul 2026 17:57:18 -0700 Subject: [PATCH 7/8] Adjust warning error --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6f46e1fd8ba..623c042f3f4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -168,7 +168,7 @@ jobs: TRIGGER_PROJECT_ID: ${{ secrets.TRIGGER_PROJECT_ID }} run: | if [ -z "$TRIGGER_ACCESS_TOKEN" ] || [ -z "$TRIGGER_PROJECT_ID" ]; then - echo "ERROR: TRIGGER_ACCESS_TOKEN and TRIGGER_PROJECT_ID repo secrets must both be set" >&2 + echo "ERROR: DEV_TRIGGER_ACCESS_TOKEN and TRIGGER_PROJECT_ID repo secrets must both be set" >&2 exit 1 fi bunx trigger.dev@4.4.3 deploy --env preview --branch dev-sim @@ -402,7 +402,7 @@ jobs: steps: - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: - fetch-depth: 2 # Need at least 2 commits to detect changes + fetch-depth: 2 # Need at least 2 commits to detect changes - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 id: filter with: From c2652f657bba6ffb72ffedeeb1b22798000931e7 Mon Sep 17 00:00:00 2001 From: Theodore Li Date: Wed, 1 Jul 2026 18:56:06 -0700 Subject: [PATCH 8/8] ci: align build-dev checkout to v6 to match the other jobs build-dev was the only job still pinning actions/checkout to the v4 hash; every other job uses v6. Non-functional consistency fix. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_015orsjbLX34FPFGujSK3AQK --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 623c042f3f4..25d8348d8c4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -92,7 +92,7 @@ jobs: ecr_repo_secret: ECR_PII steps: - name: Checkout code - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6