diff --git a/.github/workflows/pr-policy.yml b/.github/workflows/pr-policy.yml index 1c2532d4f..5a0d59652 100644 --- a/.github/workflows/pr-policy.yml +++ b/.github/workflows/pr-policy.yml @@ -24,13 +24,15 @@ jobs: if: github.event_name == 'merge_group' run: echo "PR metadata was validated before merge-queue entry." - # pull_request_target runs trusted base-branch code. Pin the checkout to - # the PR's exact base SHA and never execute the PR head or persist credentials. + # pull_request_target runs trusted base-branch code. Checkout the current + # tip of the base branch (not a potentially stale base.sha) so the policy + # script is always available even when the PR was opened before the script + # was added to main. Never execute the PR head or persist credentials. - name: Checkout trusted policy if: github.event_name == 'pull_request_target' uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: - ref: ${{ github.event.pull_request.base.sha }} + ref: ${{ github.base_ref }} persist-credentials: false - name: Validate pull request evidence diff --git a/supabase/migrations/20260717139000_create_storage_buckets.sql b/supabase/migrations/20260717139000_create_storage_buckets.sql new file mode 100644 index 000000000..bed9931c0 --- /dev/null +++ b/supabase/migrations/20260717139000_create_storage_buckets.sql @@ -0,0 +1,45 @@ +-- Create the storage buckets in the migration chain (schema-drift fix). +-- +-- The clinical-documents and clinical-images buckets were declared only in +-- supabase/schema.sql. The migration chain created the storage.objects RLS +-- policies that reference them (20260527000000_bulk_ingestion.sql) but never the +-- buckets themselves, so a database built purely by replaying migrations had RLS +-- policies for buckets that did not exist and uploads failed until the buckets +-- were created out-of-band. This migration mirrors schema.sql so a +-- migrated-from-scratch database (and the CI `supabase db reset` replay) has the +-- buckets. Idempotent: an existing database that already has them re-affirms +-- public = false plus name, file_size_limit, and allowed_mime_types from this +-- migration (schema.sql only forces public = false on conflict). + +insert into storage.buckets (id, name, public, file_size_limit, allowed_mime_types) +values ( + 'clinical-documents', + 'clinical-documents', + false, + 157286400, + array[ + 'application/pdf', + 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', + 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', + 'text/plain' + ] +) +on conflict (id) do update set + public = false, + name = excluded.name, + file_size_limit = excluded.file_size_limit, + allowed_mime_types = excluded.allowed_mime_types; + +insert into storage.buckets (id, name, public, file_size_limit, allowed_mime_types) +values ( + 'clinical-images', + 'clinical-images', + false, + 52428800, + array['image/png', 'image/jpeg', 'image/webp'] +) +on conflict (id) do update set + public = false, + name = excluded.name, + file_size_limit = excluded.file_size_limit, + allowed_mime_types = excluded.allowed_mime_types;