Skip to content

feat(ci): Check migrations exist #106253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
armenzg wants to merge 6 commits into
base: master
Choose a base branch
from
Open

feat(ci): Check migrations exist #106253

armenzg wants to merge 6 commits into from

Conversation

@armenzg
Copy link
Member

@armenzg armenzg commented Jan 14, 2026

If migrations get added, make sure that there's an associated migration lockfile.
@armenzg
feat(ci): Check migrations exist
59a9dff 
If migrations get added, make sure that there's an associated migration lockfile.
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jan 14, 2026
cursor[bot]
cursor bot reviewed Jan 14, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Jan 14, 2026
View reviewed changes
@armenzg armenzg marked this pull request as ready for review January 14, 2026 15:25
@armenzg armenzg requested review from a team as code owners January 14, 2026 15:25
@armenzg armenzg requested a review from a team January 14, 2026 15:25
sentry[bot]
sentry bot reviewed Jan 14, 2026
View reviewed changes
.github/workflows/backend.yml

- name: Check if lockfile was updated
run: |
if ! git diff --name-only origin/master HEAD | grep -q "migrations_lockfile.txt"; then
Copy link
Contributor

@sentry sentry bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The migration-lockfile-guard job uses a git diff command that works for pull requests but will always fail on a push to the master branch, blocking the CI pipeline.
Severity: CRITICAL

Suggested Fix

Restrict the migration-lockfile-guard job to only run on pull_request events. Alternatively, modify the script to use the correct Git references for a push event, such as comparing HEAD with ${{ github.event.before }} to get the correct diff.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/backend.yml#L329

Potential issue: The `migration-lockfile-guard` job in the `backend.yml` workflow is
configured to run on both `pull_request` and `push` events to the `master` branch.
However, the command it uses, `git diff --name-only origin/master HEAD`, is only
effective in a pull request context. When a commit is pushed to `master`, both `HEAD`
and `origin/master` point to the same commit, resulting in an empty diff. Consequently,
the subsequent `grep` command fails to find the `migrations_lockfile.txt` file, causing
the script to exit with an error and fail the CI build on the `master` branch. This will
block deployments that include database migrations.

Did we get this right? 👍 / 👎 to inform future reviews.
markstory
markstory reviewed Jan 14, 2026
View reviewed changes
.github/workflows/backend.yml Outdated
Comment on lines 330 to 331
echo "::error::Migration files were added but migrations_lockfile.txt was not updated"
echo "::error::Run: sentry django makemigrations -n <migration_name>"
Copy link
Member

@markstory markstory Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are people not doing this? Or is this a safeguard against LLMs?
Copy link
Member Author

@armenzg armenzg Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think they forgot to commit the migrations file
Copy link
Member Author

@armenzg armenzg Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have changed the wording.
armenzg
armenzg commented Jan 14, 2026
View reviewed changes
.github/workflows/backend.yml
fi

migration-lockfile-guard:
if: github.event_name == 'pull_request' && needs.files-changed.outputs.migrations_added == 'true'
Copy link
Member Author

@armenzg armenzg Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will only run this check on pull requests.
@armenzg armenzg requested a review from markstory January 14, 2026 16:07
sentry[bot]
sentry bot reviewed Jan 14, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Jan 14, 2026
View reviewed changes
.github/file-filters.yml
migrations_added:
- added:
- 'src/sentry/**/migrations/*'
- ':!src/sentry/**/migrations/__init__.py'
Copy link
Contributor

@cursor cursor bot Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exclusion pattern uses unsupported git pathspec syntax

Medium Severity

The exclusion pattern :!src/sentry/**/migrations/__init__.py uses git pathspec syntax, which is not supported by dorny/paths-filter. This action uses picomatch for glob matching, which doesn't recognize :! as an exclusion operator. The pattern will have no effect, so adding __init__.py files to migration directories will still incorrectly trigger the migration-lockfile-guard check. Other patterns in this file correctly use picomatch extglob syntax like !(tests)/**/*.py for exclusions.

Fix in Cursor Fix in Web
cursor bot pushed a commit that referenced this pull request Jan 14, 2026
@cursoragent @armenzg
test: Add model field without migration to test CI checks
2870e03 
This commit adds a test field to UptimeSubscription model without
generating the required migration. This is intentional to test
whether existing CI checks catch missing migrations for model changes.

Related to discussion in #discuss-backend about PR #106253.

Co-authored-by: armenzg <armenzg@sentry.io>
@armenzg armenzg mentioned this pull request Jan 14, 2026
Open
alexsohn1126
alexsohn1126 reviewed Jan 15, 2026
View reviewed changes
Copy link
Member

@alexsohn1126 alexsohn1126 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue with my PR (https://github.com/getsentry/getsentry/pull/19052) was that I forgot to add the migration itself as well as the lockfile.

maybe we should check if there are new models that has been created, and check whether migrations & lockfile is also updated?
markstory
markstory reviewed Jan 16, 2026
View reviewed changes
.github/file-filters.yml
migrations_added:
- added:
- 'src/sentry/**/migrations/*'
- ':!src/sentry/**/migrations/__init__.py'
Copy link
Member

@markstory markstory Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you need to exclude init files? They are generally empty and don't change.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Scope: Backend Automatically applied to PRs that change backend components

4 participants

@armenzg @markstory @alexsohn1126