opentdf · jrschumacher · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025
@@ -465,3 +465,106 @@
           "$(go env GOROOT)"/bin/go run github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
           check --disallowed_types=forbidden --include_tests
           ./examples
+  migrate:
+    name: "goose migrate up and down (⚠️ WARN: this could be a false positive)"
+    runs-on: ubuntu-22.04 # Consistently Linux
+    services:
+      postgres:
+        image: postgres:15
+        env:
+          POSTGRES_USER: testuser
+          POSTGRES_PASSWORD: testpass
+          POSTGRES_DB: testdb
+        ports:
+          - "5432:5432"
+        options: --health-cmd="pg_isready -U testuser -d testdb" --health-interval=10s --health-timeout=5s --health-retries=5
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.4.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Install goose
+        run: go install github.com/pressly/goose/v3/cmd/goose@v3.24.3
+
+      - name: Determine Go binary locations
+        id: go_paths
+        shell: bash
+        run: |
+          set -e # Ensure commands succeed
+          echo "gobin_path=$(go env GOBIN)" >> "$GITHUB_OUTPUT"
+          echo "gopath_bin_path=$(go env GOPATH)/bin" >> "$GITHUB_OUTPUT"
+
+      - name: Determine goose executable path
+        id: goose_exec
+        shell: bash
+        run: |
+          set -eo pipefail
+
+          goose_exe_name="goose" # Always Linux, so no .exe
+          determined_goose_path=""
+
+          gobin_dir="${{ steps.go_paths.outputs.gobin_path }}"
+          gopath_bin_dir="${{ steps.go_paths.outputs.gopath_bin_path }}"
+
+          # Prefer GOBIN if set and goose is there
+          if [[ -n "$gobin_dir" && -x "$gobin_dir/$goose_exe_name" ]]; then
+            determined_goose_path="$gobin_dir/$goose_exe_name"
+          # Fallback to GOPATH/bin
+          elif [[ -x "$gopath_bin_dir/$goose_exe_name" ]]; then
+            determined_goose_path="$gopath_bin_dir/$goose_exe_name"
+          else
+            echo "Error: goose executable ('$goose_exe_name') not found in GOBIN ('$gobin_dir') or GOPATH/bin ('$gopath_bin_dir')." >&2
+            ls -la "$gobin_dir" || true # List contents for debugging
+            ls -la "$gopath_bin_dir" || true # List contents for debugging
+            exit 1
+          fi
+          echo "Found goose at: $determined_goose_path"
+          echo "goose_executable_path=${determined_goose_path}" >> "$GITHUB_OUTPUT"
+
+      - name: Wait for Postgres
+        env:
+          POSTGRES_USER: testuser
+          POSTGRES_DB: testdb
+        shell: bash
+        run: |
+          set -eo pipefail
+          echo "Waiting for PostgreSQL to be ready..."
+          for i in {1..30}; do
+            if pg_isready -h localhost -U "$POSTGRES_USER" -d "$POSTGRES_DB" -q; then
+              echo "PostgreSQL is ready."
+              exit 0
+            fi
+            echo "Attempt $i/30: PostgreSQL not ready yet, sleeping for 1 second..."
+            sleep 1
+          done
+          echo "Error: PostgreSQL did not become ready after 30 attempts."
+          exit 1
+
+      - name: Run goose up
+        env:
+          POSTGRES_USER: testuser
+          POSTGRES_PASSWORD: testpass
+          POSTGRES_DB: testdb
+          GOOSE_EXECUTABLE: ${{ steps.goose_exec.outputs.goose_executable_path }}
+        shell: bash
+        run: |
+          set -eo pipefail
+          DB_DSN="host=localhost port=5432 user=${POSTGRES_USER} password=${POSTGRES_PASSWORD} dbname=${POSTGRES_DB} sslmode=disable"
+
+          echo "Running goose up migrations using ${GOOSE_EXECUTABLE}..."
+          "$GOOSE_EXECUTABLE" -dir ./service/policy/db/migrations postgres "$DB_DSN" up
+
+      - name: Run goose down
+        env:
+          POSTGRES_USER: testuser
+          POSTGRES_PASSWORD: testpass
+          POSTGRES_DB: testdb
+          GOOSE_EXECUTABLE: ${{ steps.goose_exec.outputs.goose_executable_path }}
+        shell: bash
+        run: |
+          set -eo pipefail
+          DB_DSN="host=localhost port=5432 user=${POSTGRES_USER} password=${POSTGRES_PASSWORD} dbname=${POSTGRES_DB} sslmode=disable"
+
+          echo "Running goose down migrations (all) using ${GOOSE_EXECUTABLE}..."
+          "$GOOSE_EXECUTABLE" -dir ./service/policy/db/migrations postgres "$DB_DSN" down-to 20230101000000
@@ -15,7 +15,7 @@ CREATE TABLE IF NOT EXISTS attribute_fqns (
 
 -- +goose Down
 
-DROP TABLE attribute_fqn;
+DROP TABLE IF EXISTS attribute_fqns;
 
 -- +goose StatementBegin
 -- +goose StatementEnd
@@ -114,7 +114,7 @@ WHERE subject_mappings.subject_condition_set_id = subject_mappings_migration_dat
 
 ALTER TABLE IF EXISTS subject_mappings DROP COLUMN subject_condition_set_id, DROP COLUMN actions;
 
-DROP TRIGGER subject_condition_set_updated_at;
+DROP TRIGGER IF EXISTS subject_condition_set_updated_at ON subject_condition_set;
 DROP TABLE subject_condition_set;
 CREATE TYPE subject_mappings_operator AS ENUM ('UNSPECIFIED', 'IN', 'NOT_IN');
 

@@ -37,12 +37,14 @@ EXECUTE FUNCTION update_definition_delete_values_order();
 
 -- +goose StatementBegin
 
-DROP FUNCTION update_definition_add_values_order;
-DROP TRIGGER trigger_update_definition_add_values_order;
+DROP TRIGGER IF EXISTS trigger_update_definition_add_values_order ON attribute_values;
 
-DROP FUNCTION update_definition_delete_values_order;
-DROP TRIGGER trigger_update_definition_delete_values_order;
+DROP TRIGGER IF EXISTS trigger_update_definition_delete_values_order ON attribute_values;
 
-ALTER TABLE attribute_definitions DROP COLUMN values_order;
+DROP FUNCTION IF EXISTS update_definition_add_values_order();
+
+DROP FUNCTION IF EXISTS update_definition_delete_values_order();
+
+ALTER TABLE attribute_definitions DROP COLUMN IF EXISTS values_order;
 
 -- +goose StatementEnd
@@ -140,110 +140,122 @@ ON DELETE CASCADE;
 
 -- Do not cascade deletion of Attribute Definitions when their parent Namespace is deleted
 ALTER TABLE attribute_definitions
-DROP CONSTRAINT attribute_definitions_namespace_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attribute_definitions_namespace_id_fkey_cascades;
+ALTER TABLE attribute_definitions
+DROP CONSTRAINT IF EXISTS attribute_definitions_namespace_id_fkey; 
 ALTER TABLE attribute_definitions
 ADD CONSTRAINT attribute_definitions_namespace_id_fkey
 FOREIGN KEY (namespace_id)
 REFERENCES attribute_namespaces (id);
 
 -- Do not cascade deletion of Attribute Values when their parent Definition is deleted
 ALTER TABLE attribute_values
-DROP CONSTRAINT attribute_values_attribute_definition_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attribute_values_attribute_definition_id_fkey_cascades;
+ALTER TABLE attribute_values
+DROP CONSTRAINT IF EXISTS attribute_values_attribute_definition_id_fkey; 
 ALTER TABLE attribute_values
 ADD CONSTRAINT attribute_values_attribute_definition_id_fkey
 FOREIGN KEY (attribute_definition_id)
 REFERENCES attribute_definitions (id);
 
 -- Do not cascade deletion of Resource Mappings when their parent Attribute Value is deleted
 ALTER TABLE resource_mappings
-DROP CONSTRAINT resource_mappings_attribute_value_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS resource_mappings_attribute_value_id_fkey_cascades;
+ALTER TABLE resource_mappings
+DROP CONSTRAINT IF EXISTS resource_mappings_attribute_value_id_fkey; 
 ALTER TABLE resource_mappings
 ADD CONSTRAINT resource_mappings_attribute_value_id_fkey
 FOREIGN KEY (attribute_value_id)
 REFERENCES attribute_values (id);
 
 -- Do not cascade deletion of Subject Mappings when their parent Attribute Value is deleted
 ALTER TABLE subject_mappings
-DROP CONSTRAINT subject_mappings_attribute_value_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS subject_mappings_attribute_value_id_fkey_cascades;
+ALTER TABLE subject_mappings
+DROP CONSTRAINT IF EXISTS subject_mappings_attribute_value_id_fkey; 
 ALTER TABLE subject_mappings
 ADD CONSTRAINT subject_mappings_attribute_value_id_fkey
 FOREIGN KEY (attribute_value_id)
 REFERENCES attribute_values (id);
 
 -- Do not cascade deletion of FQNs when their parent objects are deleted
 ALTER TABLE attribute_fqns
-DROP CONSTRAINT attribute_fqns_namespace_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attribute_fqns_namespace_id_fkey_cascades;
+ALTER TABLE attribute_fqns
+DROP CONSTRAINT IF EXISTS attribute_fqns_namespace_id_fkey; 
 ALTER TABLE attribute_fqns
 ADD CONSTRAINT attribute_fqns_namespace_id_fkey
 FOREIGN KEY (namespace_id)
 REFERENCES attribute_namespaces (id);
 
 ALTER TABLE attribute_fqns
-DROP CONSTRAINT attribute_fqns_attribute_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attribute_fqns_attribute_id_fkey_cascades;
+ALTER TABLE attribute_fqns
+DROP CONSTRAINT IF EXISTS attribute_fqns_attribute_id_fkey; 
 ALTER TABLE attribute_fqns
 ADD CONSTRAINT attribute_fqns_attribute_id_fkey
 FOREIGN KEY (attribute_id)
 REFERENCES attribute_definitions (id);
 
 ALTER TABLE attribute_fqns
-DROP CONSTRAINT attribute_fqns_value_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attribute_fqns_value_id_fkey_cascades;
+ALTER TABLE attribute_fqns
+DROP CONSTRAINT IF EXISTS attribute_fqns_value_id_fkey; 
 ALTER TABLE attribute_fqns
 ADD CONSTRAINT attribute_fqns_value_id_fkey
 FOREIGN KEY (value_id)
 REFERENCES attribute_values (id);
 
 -- Do not cascade deletion of KAS Registrations when an associated policy object is deleted
-
 ALTER TABLE attribute_definition_key_access_grants
-DROP CONSTRAINT attr_def_key_access_gr_attr_def_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attr_def_key_access_gr_attr_def_id_fkey_cascades;
+ALTER TABLE attribute_definition_key_access_grants
+DROP CONSTRAINT IF EXISTS attribute_definition_key_access_gr_attribute_definition_id_fkey; 
 ALTER TABLE attribute_definition_key_access_grants
 ADD CONSTRAINT attribute_definition_key_access_gr_attribute_definition_id_fkey
 FOREIGN KEY (attribute_definition_id)
 REFERENCES attribute_definitions (id);
 
 ALTER TABLE attribute_definition_key_access_grants
-DROP CONSTRAINT attr_def_key_access_grant_kas_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attr_def_key_access_grant_kas_id_fkey_cascades;
+ALTER TABLE attribute_definition_key_access_grants
+DROP CONSTRAINT IF EXISTS attribute_definition_key_access_grant_key_access_server_id_fkey; 
 ALTER TABLE attribute_definition_key_access_grants
 ADD CONSTRAINT attribute_definition_key_access_grant_key_access_server_id_fkey
 FOREIGN KEY (key_access_server_id)
 REFERENCES key_access_servers (id);
 
 ALTER TABLE attribute_value_key_access_grants
-DROP CONSTRAINT attr_val_key_access_grants_kas_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attr_val_key_access_grants_kas_id_fkey_cascades;
+ALTER TABLE attribute_value_key_access_grants
+DROP CONSTRAINT IF EXISTS attribute_value_key_access_grants_key_access_server_id_fkey; 
 ALTER TABLE attribute_value_key_access_grants
 ADD CONSTRAINT attribute_value_key_access_grants_key_access_server_id_fkey
 FOREIGN KEY (key_access_server_id)
 REFERENCES key_access_servers (id);
 
 ALTER TABLE attribute_value_key_access_grants
-DROP CONSTRAINT attr_val_key_access_grants_attr_val_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attr_val_key_access_grants_attr_val_id_fkey_cascades;
+ALTER TABLE attribute_value_key_access_grants
+DROP CONSTRAINT IF EXISTS attribute_value_key_access_grants_attribute_value_id_fkey; 
 ALTER TABLE attribute_value_key_access_grants
 ADD CONSTRAINT attribute_value_key_access_grants_attribute_value_id_fkey
 FOREIGN KEY (attribute_value_id)
 REFERENCES attribute_values (id);
 
 ALTER TABLE attribute_value_members
-DROP CONSTRAINT attr_val_members_value_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attr_val_members_value_id_fkey_cascades;
+ALTER TABLE attribute_value_members
+DROP CONSTRAINT IF EXISTS attribute_value_members_value_id_fkey; 
 ALTER TABLE attribute_value_members
 ADD CONSTRAINT attribute_value_members_value_id_fkey
 FOREIGN KEY (value_id)
 REFERENCES attribute_values (id);
 
 ALTER TABLE attribute_value_members
-DROP CONSTRAINT attr_val_members_member_id_fkey_cascades;
-
+DROP CONSTRAINT IF EXISTS attr_val_members_member_id_fkey_cascades;
+ALTER TABLE attribute_value_members
+DROP CONSTRAINT IF EXISTS attribute_value_members_member_id_fkey; 
 ALTER TABLE attribute_value_members
 ADD CONSTRAINT attribute_value_members_member_id_fkey
 FOREIGN KEY (member_id)

@@ -297,29 +297,20 @@ COMMENT ON VIEW active_value_public_keys_view IS 'View to retrieve active public
 -- +goose Down
 -- +goose StatementBegin
 DROP VIEW IF EXISTS active_value_public_keys_view;
-
 DROP VIEW IF EXISTS active_definition_public_keys_view;
-
 DROP VIEW IF EXISTS active_namespace_public_keys_view;
 
 DROP TRIGGER IF EXISTS trigger_update_was_mapped_namespace ON attribute_namespace_public_key_map;
-
 DROP TRIGGER IF EXISTS trigger_update_was_mapped_definition ON attribute_definition_public_key_map;
+DROP TRIGGER IF EXISTS trigger_update_was_mapped_value ON attribute_value_public_key_map;
+DROP TRIGGER IF EXISTS maintain_active_key ON public_keys;
 
-DROP TRIGGER IF EXISTS trigger_update_was_mapped_value ON attribute_value_key_map;
-
-DROP TRIGGER IF EXISTS maintain_active_key;
-
-DROP FUNCTION IF EXISTS update_active_key;
-
-DROP FUNCTION IF EXISTS update_was_mapped ();
-
-DROP TABLE public_keys;
-
-DROP TABLE attribute_namespace_public_key_map;
-
-DROP TABLE attribute_definition_public_key_map;
+DROP FUNCTION IF EXISTS update_active_key();
+DROP FUNCTION IF EXISTS update_was_mapped();
 
-DROP TABLE attribute_value_public_key_map;
+DROP TABLE IF EXISTS attribute_value_public_key_map;
+DROP TABLE IF EXISTS attribute_definition_public_key_map;
+DROP TABLE IF EXISTS attribute_namespace_public_key_map;
+DROP TABLE IF EXISTS public_keys;
 
 -- +goose StatementEnd
@@ -60,11 +60,6 @@ ON attribute_values(active);
 
 -- +goose Down
 -- +goose StatementBegin
-
-ALTER TABLE subject_condition_set DROP COLUMN IF EXISTS selector_values;
-DROP TRIGGER IF EXISTS update_selector_values ON subject_condition_set;
-DROP FUNCTION IF EXISTS extract_selector_values;
-
 DROP INDEX IF EXISTS idx_subject_condition_set_selector_values;
 DROP INDEX IF EXISTS idx_subject_mappings_attribute_value_id;
 DROP INDEX IF EXISTS idx_subject_mappings_subject_condition_set_id;
@@ -75,4 +70,8 @@ DROP INDEX IF EXISTS idx_attribute_namespaces_active;
 DROP INDEX IF EXISTS idx_attribute_definitions_active;
 DROP INDEX IF EXISTS idx_attribute_values_active;
 
+ALTER TABLE subject_condition_set DROP COLUMN IF EXISTS selector_values;
+DROP TRIGGER IF EXISTS update_selector_values ON subject_condition_set;
+DROP FUNCTION IF EXISTS extract_selector_values;
+
 -- +goose StatementEnd