From efe984ec2976ae6a09b51a147a952a47f15f1ef1 Mon Sep 17 00:00:00 2001 From: Zbigniew Sobiecki Date: Mon, 23 Mar 2026 16:51:11 +0100 Subject: [PATCH] fix(deploy): fix SELF_SIGNED_CERT_IN_CHAIN in production migration containers (#996) Migration steps were using --env-file /opt/services/cascade.env which doesn't contain DATABASE_SSL, causing getDb() to fail with SELF_SIGNED_CERT_IN_CHAIN against Supabase's connection pooler. - Replace --env-file with explicit -e DATABASE_SSL=false on the three migration containers (drizzle-kit, migrate-triggers, migrate-hooks) - Add -e DATABASE_SSL=false to the re-encrypt step (keeps --env-file for CREDENTIAL_MASTER_KEY) - Add "Configure DATABASE_SSL for production" step that idempotently injects DATABASE_SSL=false into /opt/services/cascade.env before service restarts, so router and dashboard also get it Co-authored-by: Claude Sonnet 4.6 --- .github/workflows/deploy.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 6f56b02f..28c4a072 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -74,24 +74,24 @@ jobs: run: | docker build --target=builder -f Dockerfile.dashboard -t cascade-migrator:latest . docker run --rm \ - --env-file /opt/services/cascade.env \ -e DATABASE_URL="${{ secrets.DATABASE_URL }}" \ + -e DATABASE_SSL=false \ cascade-migrator:latest \ ./node_modules/.bin/drizzle-kit migrate - name: Run trigger config migration run: | docker run --rm \ - --env-file /opt/services/cascade.env \ -e DATABASE_URL="${{ secrets.DATABASE_URL }}" \ + -e DATABASE_SSL=false \ cascade-migrator:latest \ npx tsx tools/migrate-triggers.ts - name: Run hooks migration run: | docker run --rm \ - --env-file /opt/services/cascade.env \ -e DATABASE_URL="${{ secrets.DATABASE_URL }}" \ + -e DATABASE_SSL=false \ cascade-migrator:latest \ npx tsx tools/migrate-hooks.ts --apply 
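Review bot: The added `-e DATABASE_SSL=false` on the three migration containers silences SELF_SIGNED_CERT_IN_CHAIN by weakening the connection instead of trusting the right CA. What getDb() does with the flag is outside this diff, but whether it drops TLS or only skips verification, the session that carries the `DATABASE_URL` credentials no longer authenticates the database server. The same flag is added to the re-encrypt step and persisted into /opt/services/cascade.env in the next hunk, so the router and dashboard inherit it as well. If getDb() relies on Node's default trust store, consider keeping verification on and mounting the provider's CA certificate, e.g. `-v /opt/services/certs:/certs:ro -e NODE_EXTRA_CA_CERTS=/certs/<provider-ca-placeholder>.crt`. Separately, removing `--env-file` means these containers now receive only the two variables listed, which is worth confirming against what the migration scripts read.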
@@ -100,9 +100,20 @@ jobs: docker run --rm \ --env-file /opt/services/cascade.env \ -e DATABASE_URL="${{ secrets.DATABASE_URL }}" \ + -e DATABASE_SSL=false \ cascade-migrator:latest \ npx tsx tools/migrate-project-credentials-reencrypt.ts + - name: Configure DATABASE_SSL for production (Supabase certificate) + run: | + docker run --rm \ + -v /opt/services:/mnt/services \ + alpine:3 sh -c ' + grep -v "^DATABASE_SSL=" /mnt/services/cascade.env > /tmp/new.env 2>/dev/null || true + echo "DATABASE_SSL=false" >> /tmp/new.env + cp /tmp/new.env /mnt/services/cascade.env + ' + - name: Pull latest worker image run: docker pull ${{ env.WORKER_IMAGE }}:latest
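Review bot: The new "Configure DATABASE_SSL for production" step can truncate or empty the production secrets file. `|| true` hides every grep failure, not only exit status 1 for "no lines left", and `cp` onto the live file is not atomic, so a read error or an interrupted copy could leave cascade.env without CREDENTIAL_MASTER_KEY. The step also runs the floating tag `alpine:3` with all of /opt/services mounted read-write, so whatever that tag resolves to at deploy time can write to the secrets directory; pinning the image by digest narrows that. The sketch below tolerates only grep's exit 1, builds the replacement next to the target with the original owner and mode, and renames it into place. Unlike the current step, it fails when cascade.env is missing instead of creating a new one.

```yaml
# … unchanged: step name and "run: |" header …
docker run --rm \
  -v /opt/services:/mnt/services \
  alpine@sha256:<PINNED_DIGEST_PLACEHOLDER> sh -ec '
    env_file=/mnt/services/cascade.env
    tmp_file=/mnt/services/.cascade.env.tmp
    # Start from a copy so the replacement keeps the original owner and mode.
    cp -p "$env_file" "$tmp_file"
    # grep -v exits 1 when no other lines remain; any other failure aborts the step.
    grep -v "^DATABASE_SSL=" "$env_file" > "$tmp_file" || [ "$?" -eq 1 ]
    echo "DATABASE_SSL=false" >> "$tmp_file"
    # Rename within the same directory so readers never see a partial file.
    mv "$tmp_file" "$env_file"
  '
```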