From 4002ff71582ae8c1c7845afaaa87c42989972e40 Mon Sep 17 00:00:00 2001
From: Zbigniew Sobiecki <zbigniew@sobiecki.name>
Date: Mon, 23 Mar 2026 15:28:42 +0000
Subject: [PATCH] fix(deploy): pass SSL env vars to all migration steps

Migration containers were missing DATABASE_SSL and DATABASE_CA_CERT,
causing SELF_SIGNED_CERT_IN_CHAIN failures after TLS cert validation
was enabled by default in #979.

Add --env-file /opt/services/cascade.env to the three migration steps
(db migrate, trigger config migration, hooks migration) so they pick
up the same SSL configuration already used by the re-encrypt step.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/deploy.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index cfe55021..6f56b02f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -74,6 +74,7 @@ jobs:
         run: |
           docker build --target=builder -f Dockerfile.dashboard -t cascade-migrator:latest .
           docker run --rm \
+            --env-file /opt/services/cascade.env \
             -e DATABASE_URL="${{ secrets.DATABASE_URL }}" \
             cascade-migrator:latest \
             ./node_modules/.bin/drizzle-kit migrate
@@ -81,6 +82,7 @@ jobs:
       - name: Run trigger config migration
         run: |
           docker run --rm \
+            --env-file /opt/services/cascade.env \
             -e DATABASE_URL="${{ secrets.DATABASE_URL }}" \
             cascade-migrator:latest \
             npx tsx tools/migrate-triggers.ts
@@ -88,6 +90,7 @@ jobs:
       - name: Run hooks migration
         run: |
           docker run --rm \
+            --env-file /opt/services/cascade.env \
             -e DATABASE_URL="${{ secrets.DATABASE_URL }}" \
             cascade-migrator:latest \
             npx tsx tools/migrate-hooks.ts --apply