Skip to content

Add missing storage-bucket creation to the migration chain (drift fix)#738

Merged
BigSimmo merged 11 commits into
mainfrom
cursor/storage-bucket-migration-02e7
Jul 17, 2026
Merged

Add missing storage-bucket creation to the migration chain (drift fix)#738
BigSimmo merged 11 commits into
mainfrom
cursor/storage-bucket-migration-02e7

Conversation

@BigSimmo

@BigSimmo BigSimmo commented Jul 17, 2026

Copy link
Copy Markdown
Owner

Summary

Adds the missing clinical-documents and clinical-images storage bucket creation to the Supabase migration chain so databases built by replaying migrations match schema.sql and CI db-reset-verify.

This supersedes PR #710 with the same migration content plus a complete PR-policy evidence body (the cloud token cannot edit existing PR descriptions).

Verification

Risk and rollout

  • Risk: medium; touches Supabase storage bucket provisioning for clinical-documents/clinical-images. Idempotent ON CONFLICT reaffirmation of public=false plus size/mime constraints; production already has buckets via schema.sql/dashboard.
  • Rollback: revert the migration commit; existing buckets remain. Fresh environments would again lack bucket inserts until re-applied.
  • Provider or production effects: None expected on the live Clinical KB Database — migration is a no-op reaffirmation for existing bucket rows.

Clinical Governance Preflight

  • Source-backed claims still require linked source verification before clinical use
  • No patient-identifiable document workflow was introduced or expanded without explicit governance approval
  • Supabase target remains Clinical KB Database (sjrfecxgysukkwxsowpy)
  • Service-role keys and private document access remain server-only
  • Demo/synthetic content remains clearly separated from real clinical sources
  • Source metadata, review status, and outdated/unknown-source behavior remain conservative
  • Deployment classification/TGA SaMD impact was checked when clinical decision-support behavior changed

Notes

Open in Web Open in Cursor 

Summary by CodeRabbit

  • Bug Fixes
    • Fixed storage upload failures in newly initialized environments by ensuring the required clinical document and image buckets exist with the correct privacy, file-size, and allowed file types.
  • Chores
    • Improved pull request policy workflow validation by checking out the target branch tip instead of relying on a potentially stale base SHA.

claude and others added 8 commits July 17, 2026 08:24
The clinical-documents and clinical-images buckets were declared only in
supabase/schema.sql. The migration chain created the storage.objects RLS
policies that reference them (20260527000000_bulk_ingestion.sql) but never the
buckets, so a database built by replaying migrations had policies for buckets
that did not exist and uploads failed until the buckets were created
out-of-band.

Add a migration mirroring schema.sql's bucket inserts (idempotent, on conflict
do update set public = false), so a migrated-from-scratch DB and the CI
`supabase db reset` replay have the buckets. schema.sql and the drift manifest
already declare them, so no reconciliation edit is needed.

Verified offline: change-scope classifies it db_changed (so the CI migration
replay runs), the inserts mirror schema.sql exactly, prettier skips .sql, and 79
drift/schema/storage unit tests pass. The replay itself (supabase db reset) runs
in CI's db-reset-verify job; it is not runnable locally here (no Supabase Docker
/ provider boundary).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_019UQUcNriJUVSGRhWz794RQ
…heckout

When a PR is opened before scripts/pr-policy.mjs existed on main, the
pull_request_target workflow checked out the exact base.sha (fd79bc8) which
predated the script, causing ERR_MODULE_NOT_FOUND.

Fix: use github.base_ref (the branch name, e.g. "main") instead of
github.event.pull_request.base.sha. This always checks out the current tip of
the base branch, ensuring the policy script is always available. The
pull_request_target security model is preserved: only base-branch code is
checked out, never the PR head.
Fixed 1 file(s) based on 1 unresolved review comment.

Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
Re-export the storage-bucket migration branch for a PR with complete
policy evidence (verification, risk/rollout, clinical governance).

Co-Authored-By: Cursor Agent <cursoragent@cursor.com>
@supabase

supabase Bot commented Jul 17, 2026

Copy link
Copy Markdown

This pull request has been ignored for the connected project sjrfecxgysukkwxsowpy due to reaching the limit of concurrent preview branches.
Go to Project Integrations Settings ↗︎ if you wish to update this limit.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 3d24fa23-bf42-4d1b-b8c9-99a6c22fbb29

📥 Commits

Reviewing files that changed from the base of the PR and between 2d126be and b2755c8.

📒 Files selected for processing (1)
  • supabase/migrations/20260717139000_create_storage_buckets.sql
🚧 Files skipped from review as they are similar to previous changes (1)
  • supabase/migrations/20260717139000_create_storage_buckets.sql

📝 Walkthrough

Walkthrough

The PR updates trusted policy checkout to use the base branch reference and adds a replay-safe migration that creates or updates the clinical-documents and clinical-images storage buckets.

Changes

Trusted policy checkout

Layer / File(s) Summary
Base branch policy checkout
.github/workflows/pr-policy.yml
The trusted policy step checks out ${{ github.base_ref }} and updates its guidance comments.

Storage bucket migration

Layer / File(s) Summary
Idempotent clinical bucket creation
supabase/migrations/20260717139000_create_storage_buckets.sql
The migration upserts both clinical storage buckets with configured visibility, size limits, and MIME types.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: adding missing storage-bucket creation to the migration chain.
Description check ✅ Passed The description includes all required template sections and provides summary, verification, risk, governance preflight, and notes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/storage-bucket-migration-02e7

Comment @coderabbitai help to get the list of available commands.

@BigSimmo
BigSimmo marked this pull request as ready for review July 17, 2026 18:30
@BigSimmo
BigSimmo enabled auto-merge July 17, 2026 18:30

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@supabase/migrations/20260717139000_create_storage_buckets.sql`:
- Around line 10-11: Update the idempotency comment in the storage bucket
migration to state that existing buckets have their name, public setting, file
size limit, and allowed MIME types reconciled with the migration values,
matching the conflict branches for both buckets.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a86d2740-e376-4ad3-bf7d-6befa79eef42

📥 Commits

Reviewing files that changed from the base of the PR and between d1b8959 and 2d126be.

📒 Files selected for processing (2)
  • .github/workflows/pr-policy.yml
  • supabase/migrations/20260717139000_create_storage_buckets.sql

Comment thread supabase/migrations/20260717139000_create_storage_buckets.sql Outdated
cursoragent and others added 2 commits July 17, 2026 18:46
Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
Match the comment to the ON CONFLICT updates for name, size limit, and MIME types.

Co-authored-by: BigSimmo <BigSimmo@users.noreply.github.com>
@BigSimmo
BigSimmo merged commit 28f42ec into main Jul 17, 2026
16 checks passed
@BigSimmo
BigSimmo deleted the cursor/storage-bucket-migration-02e7 branch July 17, 2026 18:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants