fix(deploy): pnpm install workspace deps before running safe-db-push

Two follow-up fixes after the first migration-step deploy revealed gaps: 1. \`pnpm dlx drizzle-kit\` doesn't work — the drizzle.config.ts file itself does \`import { defineConfig } from 'drizzle-kit'\`, and Node's resolver only finds that import via local node_modules, not pnpm's dlx cache. Reverted to plain \`pnpm exec drizzle-kit\` and require the workspace to be installed. 2. CD now runs \`pnpm install --filter ./services/<svc>... --frozen- lockfile --ignore-scripts\` once at the start of the migration step for every Drizzle service in the deploy. Path-based filter (not name-based) because our service package names follow no uniform convention (\`@mana/auth\` vs \`@mana/credits-service\` vs \`@mana/events\`). pnpm's lockfile cache makes second-and-later runs near-instant. 3. Dropped the \`--silent\` flag from \`pnpm exec drizzle-kit --version\` — it isn't a recognised pnpm-exec flag and causes a 254 exit code, making the script's "is drizzle-kit available?" probe always fail. Smoke-tested locally — script now runs cleanly against mana-auth's schema, reports "no changes detected", cleans up the probe SQL file. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 20:01:09 +02:00 · 2026-04-28 17:10:08 +02:00 · 2026-04-28 17:10:08 +02:00 · 104a5a46a0
commit 104a5a46a0
parent 941df57f77
2 changed files with 42 additions and 12 deletions
--- a/.github/workflows/cd-macmini.yml
+++ b/.github/workflows/cd-macmini.yml
@ -340,6 +340,35 @@ jobs:
          . "$ENV_FILE"
          set +a
          PG_PASSWORD="${POSTGRES_PASSWORD:-mana123}"
+
+          # `drizzle-kit` reads `drizzle.config.ts`, which itself
+          # `import {defineConfig} from 'drizzle-kit'`. Node's resolver
+          # only finds that import when the package lives in the local
+          # node_modules — `pnpm dlx` puts it in the global cache,
+          # invisible to a from-cwd resolve. So before running any
+          # migration we install workspace deps for every Drizzle
+          # service in this deploy. pnpm's lockfile cache makes the
+          # second-and-later runs near-instant.
+          DRIZZLE_SVCS=""
+          for svc in $SERVICES; do
+            if [ -f "services/$svc/drizzle.config.ts" ] || [ -f "services/$svc/drizzle.config.js" ]; then
+              DRIZZLE_SVCS="$DRIZZLE_SVCS $svc"
+            fi
+          done
+          if [ -n "$DRIZZLE_SVCS" ]; then
+            echo "Installing workspace deps for Drizzle services:$DRIZZLE_SVCS"
+            # Use pnpm's path-based filter (`--filter ./services/<svc>...`)
+            # because our service package names don't follow a uniform
+            # convention (`@mana/auth` vs `@mana/credits-service` etc.).
+            # The trailing `...` includes transitive workspace deps.
+            FILTER_FLAGS=""
+            for svc in $DRIZZLE_SVCS; do
+              FILTER_FLAGS="$FILTER_FLAGS --filter ./services/$svc..."
+            done
+            # shellcheck disable=SC2086
+            pnpm install $FILTER_FLAGS --frozen-lockfile --ignore-scripts 2>&1 | tail -5 || true
+          fi
+
          # Most services live in mana_platform; mana-sync (Go, no
          # Drizzle) and a handful of others use mana_sync. Per-service
          # routing is read straight from compose's DATABASE_URL env.
--- a/scripts/mac-mini/safe-db-push.sh
+++ b/scripts/mac-mini/safe-db-push.sh
@ -57,16 +57,17 @@ fi

 cd "$SVC_DIR"

-# Pick how we'll invoke drizzle-kit. The Mac Mini runner doesn't run
-# `pnpm install` for the workspace (everything builds inside Docker),
-# so the per-service node_modules/.bin/drizzle-kit binary is missing.
-# `pnpm dlx` fetches drizzle-kit on demand, caches it in the global
-# pnpm store, and is then fast on every subsequent call. drizzle-kit
-# reads its config from cwd so it still finds drizzle.config.ts here.
-if pnpm exec --silent drizzle-kit --version >/dev/null 2>&1; then
-	DRIZZLE="pnpm exec drizzle-kit"
-else
-	DRIZZLE="pnpm dlx drizzle-kit"
+# Drizzle-kit must be available as a workspace-local module — its
+# binary AND the import that drizzle.config.ts performs both go
+# through Node's local-dir resolver. The CD pipeline runs `pnpm
+# install --filter ./services/<svc>...` before invoking this script
+# so every Drizzle service has node_modules/.bin/drizzle-kit + the
+# importable package linked. `pnpm dlx` doesn't work here because
+# its global cache isn't on Node's resolution path for the config
+# file's `import { defineConfig } from 'drizzle-kit'`.
+if ! pnpm exec drizzle-kit --version >/dev/null 2>&1; then
+	echo "[safe-db-push] $SVC: drizzle-kit not installed in workspace — run \`pnpm install --filter ./services/$SVC...\` first"
+	exit 0
 fi

 # Snapshot the existing migration set before we generate. Anything new
@ -75,7 +76,7 @@ PRE_GEN_FILES=$(find drizzle -maxdepth 2 -name '*.sql' 2>/dev/null | sort || tru

 # Generate-only — does not touch the database.
 echo "[safe-db-push] $SVC: generating diff…"
-GEN_OUT=$($DRIZZLE generate --name "__ci_safety_check_$$" 2>&1 || true)
+GEN_OUT=$(pnpm exec drizzle-kit generate --name "__ci_safety_check_$$" 2>&1 || true)
 echo "$GEN_OUT" | tail -20

 POST_GEN_FILES=$(find drizzle -maxdepth 2 -name '*.sql' 2>/dev/null | sort || true)
@ -132,5 +133,5 @@ fi

 # Additive only — safe to apply.
 echo "[safe-db-push] $SVC: ✓ additive only, applying…"
-$DRIZZLE push --force
+pnpm exec drizzle-kit push --force
 echo "[safe-db-push] $SVC: ✓ schema is now in sync"