fix: apply toyaml filter to all secret-backed credential fields in profiles template #2124

Merged
haritamar merged 18 commits into master from devin/ele-5262-1772067614
Feb 27, 2026

@devin-ai-integration devin-ai-integration bot commented Feb 26, 2026

fix: apply toyaml filter to all secret-backed credential fields

Summary

Applies the | toyaml Jinja2 filter to all secret-backed credential fields in tests/profiles/profiles.yml.j2. Previously only bigquery_keyfile used this filter — all other secret values (snowflake, redshift, databricks, athena, bigquery project) were rendered as raw template variables.

Without the filter, secret values that happen to be YAML-significant strings (e.g. "yes" → boolean, "123" → integer, "null" → None) would be silently misinterpreted by the YAML parser when dbt loads profiles.yml. The toyaml filter (yaml.dump) properly quotes/escapes values to preserve their string type.

Companion change to dbt-data-reliability PR #937.

Review & Testing Checklist for Human

  • Verify the toyaml filter in tests/profiles/generate_profiles.py handles plain string scalars correctly (not just dicts like bigquery_keyfile). Specifically, confirm that yaml.dump("some_password", default_flow_style=True).strip() returns the string quoted/unquoted appropriately.
  • Verify that redshift_port (typically an integer in the JSON secret) renders correctly through toyaml — e.g. yaml.dump(5439, default_flow_style=True).strip() should produce 5439 not '5439'.
  • Note that schema_name fields are intentionally not filtered — they are computed values, not raw secrets.

Notes

Summary by CodeRabbit

  • Tests
    • Test profile templates now use safer YAML serialization for credential and secret fields, improving escaping and rendering.
    • Inline YAML generation updated to preserve native scalars, quote ambiguous values, and render undefined as an empty string for more robust generated profiles.
  • Chores
    • CI triggers expanded so profile-related tests run more broadly on pull requests.
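The coercion described in the PR summary, as an added example that is not part of the PR or the project's code: a constructed set of secrets is rendered with and without a quoting filter, and the fields that change on load are reported. The `toyaml` body here is a hypothetical implementation (the project's `_yaml_inline` is not shown on this page), and the empty-string handling of undefined values is an assumption.

```python
import yaml
from jinja2 import Environment, Undefined

# Constructed sample secrets, shaped like a parsed JSON secret blob.
SECRETS = {"user": "123", "password": "yes", "token": "null",
           "api_key": "s3cr3t #1", "port": 5439}

RAW_TEMPLATE = """\
user: {{ user }}
password: {{ password }}
token: {{ token }}
api_key: {{ api_key }}
port: {{ port }}
"""
FILTERED_TEMPLATE = RAW_TEMPLATE.replace(" }}", " | toyaml }}")


def toyaml(value):
    """Hypothetical filter: serialize one value as a single-line YAML node."""
    if isinstance(value, Undefined):
        return '""'  # assumption: a missing secret becomes an empty string
    # Force double quotes on strings so "yes"/"123"/"null" stay strings;
    # ints, bools and dicts keep their native YAML form.
    style = '"' if isinstance(value, str) else None
    text = yaml.safe_dump(value, default_flow_style=True,
                          default_style=style, width=float("inf"))
    # PyYAML appends a "..." document-end marker after bare top-level scalars.
    return text.removesuffix("...\n").strip()


def render_and_load(template, secrets):
    """Render the template, then parse it the way a YAML consumer would."""
    env = Environment()
    env.filters["toyaml"] = toyaml
    return yaml.safe_load(env.from_string(template).render(**secrets))


def changed_fields(template, secrets):
    """Return fields whose value or type differs after the round trip."""
    loaded = render_and_load(template, secrets)
    return {k: loaded[k] for k in secrets
            if loaded[k] != secrets[k] or type(loaded[k]) is not type(secrets[k])}


if __name__ == "__main__":
    print("raw:     ", changed_fields(RAW_TEMPLATE, SECRETS))
    print("filtered:", changed_fields(FILTERED_TEMPLATE, SECRETS))
```
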

devin-ai-integration bot and others added 11 commits February 26, 2026 01:16
…te + envsubst

- Add profiles.yml.template with plaintext docker targets and ${VAR} cloud placeholders
- Update test-warehouse.yml to use CI_WAREHOUSE_SECRETS with envsubst (+ PROFILES_YML fallback)
- Split test-all-warehouses.yml into test-docker (pull_request) and test-cloud (pull_request_target)
- Guard BigQuery keyfile extraction against missing key
- Use explicit envsubst '$SCHEMA_NAME' for fork PR path

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
…house)

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
…ipt + Jinja2 template

- Add generate_profiles.py (click CLI) for rendering profiles from secrets
- Convert profiles.yml.template to profiles.yml.j2 (Jinja2)
- Use service-account-json method for BigQuery (no temp keyfile needed)
- Elementary profile schema uses _elementary suffix via YAML merge keys
- Simplify test-warehouse.yml Write dbt profiles step

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
…llback

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
…pull_request_target

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

@github-actions
Contributor

👋 @devin-ai-integration[bot]
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in this pull request.

@coderabbitai

coderabbitai bot commented Feb 26, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Replaces direct template variable rendering with the toyaml filter in the profiles YAML template, changes _yaml_inline behavior to return empty string for undefined and avoid dumping non-dict scalars, and expands CI triggers to run on changes under tests/profiles/**.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Template YAML Rendering: tests/profiles/profiles.yml.j2 | Switched plain template variable usage to ` |
| YAML inline helper: tests/profiles/generate_profiles.py | Modified _yaml_inline to return '' for undefined, render dicts via yaml.dump (compact inline), and bypass yaml.dump for non-dict scalars (returning them as-is). |
| CI workflow triggers: .github/workflows/test-all-warehouses.yml | Added tests/profiles/** to pull_request and pull_request_target path filters so profile-related changes trigger the workflow. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through templates late at night,
I whispered toyaml to make values right,
Undefined now hushes to an empty string,
Scalars stay simple, dicts get neatly kinged,
A rabbit’s tidy tweak — small, precise, and bright. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: applying the toyaml filter to secret-backed credential fields in the profiles template, which is the core objective of this PR. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/profiles/profiles.yml.j2`:
- Line 54: The template currently renders port with the toyaml filter which
preserves string types and can produce a quoted value; update the template so
redshift_port is emitted as an integer (e.g., coerce it with the Jinja2 int
filter or otherwise cast before rendering) or ensure CI_WAREHOUSE_SECRETS
provides redshift_port as a numeric JSON type; specifically change the usage
around redshift_port in the profiles.yml.j2 template (replace the toyaml usage
with an explicit integer cast like redshift_port|int or remove toyaml for this
field) so the resulting YAML contains an unquoted numeric port value.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 9817afd and 23f04ab.

📒 Files selected for processing (1)
  • tests/profiles/profiles.yml.j2

devin-ai-integration bot and others added 2 commits February 26, 2026 22:22
…biguous strings

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
…ields

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/profiles/generate_profiles.py`:
- Around line 38-39: The code currently returns "{}" for instances of Undefined
in _yaml_inline, causing scalar secrets to render as empty dicts; update
_yaml_inline to return a quoted empty string (e.g., '""') for Undefined scalar
values so password/user/client_id become YAML scalar empty strings, while
preserving the existing "{}" behavior only for actual dict-like secret fields
(or detect dict-context where appropriate); reference the Undefined type and the
_yaml_inline function (and _NullUndefined.__str__ if needed) to implement this
change.

📥 Commits

Reviewing files that changed from the base of the PR and between 23f04ab and 91f260c.

📒 Files selected for processing (1)
  • tests/profiles/generate_profiles.py

devin-ai-integration bot and others added 2 commits February 26, 2026 22:28
…n toyaml

Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>
Co-Authored-By: Itamar Hartstein <haritamar@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/profiles/generate_profiles.py`:
- Around line 40-42: The current scalar pass-through returns non-string values
and reintroduces YAML coercion (e.g. "yes", "null", "123"); change the fallback
so it always returns a string and emits a quoted YAML scalar instead of
returning value directly: for the non-dict branch use yaml.safe_dump(value,
default_flow_style=True, default_style='"') (or equivalent dumper options) and
.strip() so the function always returns a str and preserves quoting for strings;
update the branch handling the variable named value and keep the existing dict
branch that uses yaml.dump.

📥 Commits

Reviewing files that changed from the base of the PR and between 766a2c3 and 25f34a0.

📒 Files selected for processing (1)
  • tests/profiles/generate_profiles.py

@haritamar haritamar merged commit c65cd98 into master Feb 27, 2026
16 checks passed
@haritamar haritamar deleted the devin/ele-5262-1772067614 branch February 27, 2026 00:02