gitpod-io · zacharias-ona · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/.github/workflows/deploy-migrations.yml b/.github/workflows/deploy-migrations.yml
@@ -11,29 +11,58 @@ env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
 jobs:
-  dry-run:
+  # ---------------------------------------------------------------------------
+  # PR check: reset staging DB then push migrations for real execution
+  # ---------------------------------------------------------------------------
+  staging:
     if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
+    # Only one staging validation at a time — later PRs queue behind earlier ones
+    concurrency:
+      group: staging-migrations
+      cancel-in-progress: false
 
     env:
       SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
-      SUPABASE_DB_PASSWORD: ${{ secrets.SUPABASE_DB_PASSWORD }}
-      SUPABASE_PROJECT_ID: ${{ secrets.SUPABASE_PROJECT_ID }}
+      SUPABASE_DB_PASSWORD: ${{ secrets.SUPABASE_STAGING_DB_PASSWORD }}
+      SUPABASE_PROJECT_ID: ${{ secrets.SUPABASE_STAGING_PROJECT_ID }}
 
     steps:
+      - name: Check staging secrets are configured
+        id: check-secrets
+        run: |
+          if [ -z "$SUPABASE_PROJECT_ID" ] || [ -z "$SUPABASE_DB_PASSWORD" ]; then
+            echo "⚠️ Staging secrets not configured — skipping migration validation."
+            echo "Add SUPABASE_STAGING_PROJECT_ID and SUPABASE_STAGING_DB_PASSWORD repository secrets to enable."
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
       - uses: actions/checkout@v6
+        if: steps.check-secrets.outputs.skip == 'false'
 
       # supabase/setup-cli@v1 still targets node20; keep FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 until they ship a node24 version
       - uses: supabase/setup-cli@v1
+        if: steps.check-secrets.outputs.skip == 'false'
         with:
           version: latest
 
-      - name: Link Supabase project
+      - name: Link staging project
+        if: steps.check-secrets.outputs.skip == 'false'
         run: supabase link --project-ref $SUPABASE_PROJECT_ID
 
-      - name: Dry-run migrations
-        run: supabase db push --dry-run
+      - name: Reset staging DB to clean state
+        if: steps.check-secrets.outputs.skip == 'false'
+        run: supabase db reset --linked --yes
+
+      - name: Push migrations to staging
+        if: steps.check-secrets.outputs.skip == 'false'
+        run: supabase db push --yes
 
+  # ---------------------------------------------------------------------------
+  # Production deploy: runs on push to main
+  # ---------------------------------------------------------------------------
   deploy:
     if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
@@ -55,7 +84,7 @@ jobs:
         run: supabase link --project-ref $SUPABASE_PROJECT_ID
 
       - name: Deploy migrations
-        run: supabase db push
+        run: supabase db push --yes
 
       - name: Verify critical tables exist
         env: