feat: add environment variables db schema and queries #4450

Merged
chronark merged 2 commits into main from feat/env-vars-db-schema
Dec 9, 2025

@Flo4604 Flo4604 commented Dec 2, 2025

What does this PR do?

Fixes the types of secret to only be a "recoverable" or "writeonly" secret: one of them can be recovered and viewed in the dashboard, the other one cannot.

The names are not fixed and can be changed.

Also adding a new blob where we store a snapshot of the encrypted env vars to ensure that re-deploying the same deployment doesn't touch any environments.

Fixes #4178

changeset-bot bot commented Dec 2, 2025

⚠️ No Changeset found

Latest commit: 5b0249e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

coderabbitai bot commented Dec 2, 2025

Walkthrough

Introduces environment variable storage and retrieval and adds deployment secrets snapshots: new environment_variables table and types; adds deployments.secrets_config column; updates SQL queries, generated Go models/querier, and TypeScript DB schema exports and definitions.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Schema & TS exports: go/pkg/db/schema.sql, internal/db/src/schema/deployments.ts, internal/db/src/schema/environment_variables.ts, internal/db/src/schema/index.ts | Adds environment_variables table; adds deployments.secrets_config longblob NOT NULL; increases environment_variables.value length to 4096; changes enum values to recoverable/writeonly; exposes environment_variables in TS schema exports; deployments.status default set to "pending". |
| Deployment insert/select SQL & generated code: go/pkg/db/queries/deployment_insert.sql, go/pkg/db/deployment_insert.sql_generated.go, go/pkg/db/bulk_deployment_insert.sql_generated.go, go/pkg/db/deployment_find_by_id.sql_generated.go | Insert and select statements updated to add secrets_config, remove gateway_config, and adjust column/value ordering and argument assembly; generated Go code updated to include SecretsConfig in params/scan. |
| Environment variables query & generated method: go/pkg/db/queries/environment_variables_find_by_environment_id.sql, go/pkg/db/environment_variables_find_by_environment_id.sql_generated.go | New query FindEnvironmentVariablesByEnvironmentId and generated Go method returning rows of key/value for a given environment_id. |
| Generated models & querier surface: go/pkg/db/models_generated.go, go/pkg/db/querier_generated.go | Adds EnvironmentVariablesType + NullEnvironmentVariablesType (Scan/Value), new EnvironmentVariable struct, extends Deployment with SecretsConfig, and adds FindEnvironmentVariablesByEnvironmentId to the querier interface. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Review hotspots:
    • go/pkg/db/models_generated.go for correct Scan/Value implementations and duplicate struct declarations.
    • Generated SQL files (*_sql_generated.go) to confirm parameter ordering and bindings match the updated schema (avoid off-by-one binding issues).
    • Consistency between go/pkg/db/schema.sql and TypeScript schema files (internal/db/src/schema/*), particularly enum names and column types/lengths.
    • Call sites and tests that previously used gateway_config to ensure they were updated or handled.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The description covers the key changes (secret types as 'recoverable' or 'writeonly', and a new secrets blob) and references issue #4178, but the 'How should this be tested?' section is empty, violating the required checklist. | Complete the 'How should this be tested?' section with specific testing instructions and check at least the critical required checklist items like self-review and format verification. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding environment variables database schema and queries, which aligns with the core objective of the PR. |
| Linked Issues check | ✅ Passed | The PR implements database schema and queries for environment variables, addressing the core requirement from issue #4178 to support adding and managing environment variables for deployments. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to environment variables schema, queries, and the secrets_config field for deployments; no unrelated modifications detected outside the stated objectives. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7026e56 and 434bc89.

📒 Files selected for processing (12)
  • go/pkg/db/bulk_deployment_insert.sql_generated.go (2 hunks)
  • go/pkg/db/deployment_find_by_id.sql_generated.go (2 hunks)
  • go/pkg/db/deployment_insert.sql_generated.go (4 hunks)
  • go/pkg/db/environment_variables_find_by_environment_id.sql_generated.go (1 hunks)
  • go/pkg/db/models_generated.go (3 hunks)
  • go/pkg/db/querier_generated.go (3 hunks)
  • go/pkg/db/queries/deployment_insert.sql (2 hunks)
  • go/pkg/db/queries/environment_variables_find_by_environment_id.sql (1 hunks)
  • go/pkg/db/schema.sql (2 hunks)
  • internal/db/src/schema/deployments.ts (1 hunks)
  • internal/db/src/schema/environment_variables.ts (2 hunks)
  • internal/db/src/schema/index.ts (1 hunks)
🧰 Additional context used
🧠 Learnings (9)
📓 Common learnings
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 4190
File: go/internal/services/keys/verifier.go:51-53
Timestamp: 2025-10-30T15:10:52.743Z
Learning: PR #4190 for unkeyed/unkey is focused solely on database schema and query changes for identity-based credits. It adds IdentityCredits and KeyCredits fields to structs and queries, but does not implement the priority enforcement logic in the usagelimiter. The logic implementation is intentionally deferred to a later PR in the stack.
Learnt from: ogzhanolguncu
Repo: unkeyed/unkey PR: 3973
File: go/pkg/db/schema.sql:307-308
Timestamp: 2025-09-15T17:40:51.536Z
Learning: The environments table in the Unkey codebase is not being used in production yet, so schema changes to it don't require complex migration sequences to handle existing data or concurrent usage.
Learnt from: imeyer
Repo: unkeyed/unkey PR: 3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.436Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.
Learnt from: imeyer
Repo: unkeyed/unkey PR: 3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.283Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.
📚 Learning: 2025-09-15T17:40:51.536Z
Learnt from: ogzhanolguncu
Repo: unkeyed/unkey PR: 3973
File: go/pkg/db/schema.sql:307-308
Timestamp: 2025-09-15T17:40:51.536Z
Learning: The environments table in the Unkey codebase is not being used in production yet, so schema changes to it don't require complex migration sequences to handle existing data or concurrent usage.

Applied to files:

  • go/pkg/db/schema.sql
  • internal/db/src/schema/environment_variables.ts
📚 Learning: 2025-04-22T14:40:51.459Z
Learnt from: chronark
Repo: unkeyed/unkey PR: 3161
File: go/pkg/clickhouse/schema/databases/001_verifications/002_raw_key_verifications_v1.sql:31-33
Timestamp: 2025-04-22T14:40:51.459Z
Learning: The ClickHouse table schemas in the codebase mirror the production environment and cannot be modified directly in PRs without careful migration planning.

Applied to files:

  • go/pkg/db/schema.sql
📚 Learning: 2025-04-22T14:43:11.724Z
Learnt from: chronark
Repo: unkeyed/unkey PR: 3161
File: go/pkg/clickhouse/schema/databases/002_ratelimits/006_ratelimits_per_day_v1.sql:1-13
Timestamp: 2025-04-22T14:43:11.724Z
Learning: In the unkey project, the SQL files in clickhouse/schema/databases represent the current production schema and shouldn't be modified directly in PRs. Schema changes require dedicated migration scripts.

Applied to files:

  • go/pkg/db/schema.sql
📚 Learning: 2025-09-12T08:01:20.792Z
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3944
File: go/pkg/db/acme_challenge_update_verified_with_expiry.sql_generated.go:31-39
Timestamp: 2025-09-12T08:01:20.792Z
Learning: Do not review or suggest changes to files with sql_generated.go suffix or other files marked as auto-generated (containing "Code generated by" comments), as these are generated by tools like sqlc and changes would be overwritten on regeneration.

Applied to files:

  • go/pkg/db/deployment_insert.sql_generated.go
  • go/pkg/db/queries/deployment_insert.sql
  • go/pkg/db/bulk_deployment_insert.sql_generated.go
📚 Learning: 2025-07-17T14:24:20.403Z
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3631
File: go/pkg/db/bulk_keyring_insert.sql.go:23-25
Timestamp: 2025-07-17T14:24:20.403Z
Learning: In go/pkg/db/bulk_keyring_insert.sql.go and similar bulk insert generated files, hardcoded zero values for fields like size_approx and size_last_updated_at are intentional and reflect the original SQL query structure, not missing parameters.

Applied to files:

  • go/pkg/db/deployment_insert.sql_generated.go
  • go/pkg/db/queries/deployment_insert.sql
  • go/pkg/db/bulk_deployment_insert.sql_generated.go
📚 Learning: 2024-10-04T20:44:38.489Z
Learnt from: chronark
Repo: unkeyed/unkey PR: 2180
File: apps/dashboard/lib/constants/workspace-navigations.tsx:56-118
Timestamp: 2024-10-04T20:44:38.489Z
Learning: When typing the `workspace` parameter in functions like `createWorkspaceNavigation`, prefer importing the `Workspace` type from the database module and picking the necessary keys (e.g., `features`) instead of redefining the interface.

Applied to files:

  • internal/db/src/schema/environment_variables.ts
📚 Learning: 2025-07-25T19:09:43.284Z
Learnt from: mcstepp
Repo: unkeyed/unkey PR: 3662
File: apps/dashboard/lib/trpc/routers/deployment/list.ts:11-11
Timestamp: 2025-07-25T19:09:43.284Z
Learning: In apps/dashboard/lib/trpc/routers/deployment/list.ts, the listDeployments procedure intentionally queries the versions table rather than a deployments table. The user mcstepp indicated that renaming the table would require a database migration, which was deferred for the current PR focused on UI features.

Applied to files:

  • internal/db/src/schema/deployments.ts
📚 Learning: 2025-09-11T14:24:40.988Z
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3944
File: go/apps/ctrl/services/deployment/deploy_workflow.go:326-334
Timestamp: 2025-09-11T14:24:40.988Z
Learning: The InsertDomains method in the bulk queries uses ON DUPLICATE KEY UPDATE, making it an upsert operation that is idempotent and safe for retries, despite the "Insert" naming convention.

Applied to files:

  • go/pkg/db/bulk_deployment_insert.sql_generated.go
🧬 Code graph analysis (4)
go/pkg/db/querier_generated.go (2)
go/pkg/db/interface.go (1)
  • DBTX (29-34)
go/pkg/db/environment_variables_find_by_environment_id.sql_generated.go (1)
  • FindEnvironmentVariablesByEnvironmentIdRow (18-21)
go/pkg/db/models_generated.go (1)
go/pkg/db/types/null_string.go (1)
  • NullString (10-10)
go/pkg/db/environment_variables_find_by_environment_id.sql_generated.go (2)
go/pkg/db/queries.go (1)
  • Queries (3-3)
go/pkg/db/interface.go (1)
  • DBTX (29-34)
internal/db/src/schema/deployments.ts (1)
internal/db/src/schema/util/longblob.ts (1)
  • longblob (15-28)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Test Dashboard / Test Dashboard
  • GitHub Check: Test API / API Test Local
  • GitHub Check: Lint Go Code / Lint
  • GitHub Check: Test Go API Local / Test
  • GitHub Check: Build / Build
  • GitHub Check: Test Packages / Test
🔇 Additional comments (12)
go/pkg/db/queries/deployment_insert.sql (1)

1-39: LGTM - deployment insert correctly includes both gateway_config and secrets_config.

The query properly includes both the existing gateway_config and new secrets_config columns, indicating they serve complementary purposes rather than one replacing the other.

go/pkg/db/bulk_deployment_insert.sql_generated.go (1)

1-54: Skipping review of auto-generated file.

This file is generated by sqlc and should not be modified directly. Changes should be made to the source SQL query files instead.

Based on learnings: Auto-generated files with sql_generated.go suffix are regenerated by tools and manual changes would be overwritten.

internal/db/src/schema/index.ts (1)

13-13: LGTM - environment_variables module export added.

The new export correctly makes the environment_variables schema accessible to consumers of the schema index.

go/pkg/db/deployment_find_by_id.sql_generated.go (1)

1-42: Skipping review of auto-generated file.

This file is generated by sqlc and should not be modified directly. Changes should be made to the source SQL query files instead.

Based on learnings: Auto-generated files with sql_generated.go suffix are regenerated by tools and manual changes would be overwritten.

go/pkg/db/querier_generated.go (1)

1-2200: Skipping review of auto-generated file.

This file is generated by sqlc and should not be modified directly. Changes should be made to the source SQL query files instead.

Based on learnings: Auto-generated files containing "Code generated by" comments are regenerated by tools and manual changes would be overwritten.

go/pkg/db/schema.sql (2)

319-332: This suggestion conflicts with the codebase's intentional database design pattern.

The schema explicitly does not use foreign key constraints despite having multi-table referential relationships. Referential integrity is handled at the application level (as validated upstream), not at the database schema level. Adding FK constraints would be inconsistent with the established architecture across all tables in the schema.

Likely an incorrect or invalid review comment.


381-381: The deployments table is in beta status and not yet deployed to production.

Based on the codebase analysis, the deployments table was explicitly prepared for beta readiness in the most recent schema update (commit de33fb5, Nov 19, 2025). The table is not currently in production use, making the migration concern moot. The secrets_config longblob NOT NULL constraint is appropriate for a beta table where all new deployments must include valid configuration data. No action is required.

go/pkg/db/queries/environment_variables_find_by_environment_id.sql (1)

1-4: The type field exists in the schema but cannot be verified as needed without identifying query consumers.

The type field (enum('recoverable','writeonly')) does exist in the environment_variables table schema. However, FindEnvironmentVariablesByEnvironmentId has no identifiable consumers in the codebase—the query is only referenced in generated database code and interfaces. Without identifying actual usage, it's unclear whether including the type field would be beneficial. If this query is being integrated, verify with the consuming code whether the type distinction is required for handling secret types appropriately.

go/pkg/db/environment_variables_find_by_environment_id.sql_generated.go (1)

1-49: Auto-generated file; skipping detailed review.

This file is generated by sqlc v1.29.0. Per established learnings, files with sql_generated.go suffix should not be reviewed as changes would be overwritten on regeneration.

Based on learnings, as per Flo4604 in PR #3944.

go/pkg/db/deployment_insert.sql_generated.go (1)

1-136: Auto-generated file; skipping detailed review.

This file is generated by sqlc v1.29.0. Per established learnings, files with sql_generated.go suffix should not be reviewed as changes would be overwritten on regeneration.

Based on learnings, as per Flo4604 in PR #3944.

go/pkg/db/models_generated.go (1)

1-1086: Auto-generated file; skipping detailed review.

This file is generated by sqlc v1.29.0. Per established learnings, auto-generated files should not be reviewed as changes would be overwritten on regeneration.

Based on learnings, as per Flo4604 in PR #3944.

internal/db/src/schema/environment_variables.ts (1)

20-26: Environment variables schema changes are appropriate; production status confirmed.

The value field expansion to 4096 bytes is appropriate for vault-encrypted data (keyId, nonce, ciphertext), and the type enum with ["recoverable", "writeonly"] provides clear semantics matching established key management patterns elsewhere in the codebase. The environment_variables table is actively used in production (dashboard routes, query layer), so these schema changes can proceed.

Flo4604 force-pushed the feat/env-vars-db-schema branch from 434bc89 to d7c4696 on December 2, 2025 20:14
Flo4604 force-pushed the feat/env-vars-db-schema branch from b875df9 to 5b0249e on December 4, 2025 17:36

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
go/pkg/db/schema.sql (1)

371-385: Confirm migration strategy for new deployments.secrets_config NOT NULL column.

secrets_config longblob NOT NULL on deployments is fine for new rows, but existing deployments in production will need a backfilled value before this NOT NULL constraint is applied. Please confirm the migration in this stack either:

  • backfills a sensible default for existing rows, or
  • stages the change (nullable → backfill → NOT NULL).

Otherwise schema deployment could fail or leave inconsistent data.

go/pkg/db/querier_generated.go (1)

220-225: Environment variables query intentionally returns only key/value; consider future metadata needs.

FindEnvironmentVariablesByEnvironmentId exposes just key and value, which is ideal for the runtime/deployment path. If the dashboard or other callers will also need type / description / delete_protection, plan on either:

  • extending the underlying SQL to select those columns as well, or
  • adding a separate metadata-focused query.

No change strictly required now; just something to keep in mind for the API surface.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b875df9 and 5b0249e.

📒 Files selected for processing (12)
  • go/pkg/db/bulk_deployment_insert.sql_generated.go (2 hunks)
  • go/pkg/db/deployment_find_by_id.sql_generated.go (2 hunks)
  • go/pkg/db/deployment_insert.sql_generated.go (4 hunks)
  • go/pkg/db/environment_variables_find_by_environment_id.sql_generated.go (1 hunks)
  • go/pkg/db/models_generated.go (3 hunks)
  • go/pkg/db/querier_generated.go (3 hunks)
  • go/pkg/db/queries/deployment_insert.sql (2 hunks)
  • go/pkg/db/queries/environment_variables_find_by_environment_id.sql (1 hunks)
  • go/pkg/db/schema.sql (2 hunks)
  • internal/db/src/schema/deployments.ts (1 hunks)
  • internal/db/src/schema/environment_variables.ts (2 hunks)
  • internal/db/src/schema/index.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (7)
  • internal/db/src/schema/index.ts
  • go/pkg/db/environment_variables_find_by_environment_id.sql_generated.go
  • go/pkg/db/queries/environment_variables_find_by_environment_id.sql
  • internal/db/src/schema/deployments.ts
  • go/pkg/db/deployment_insert.sql_generated.go
  • internal/db/src/schema/environment_variables.ts
  • go/pkg/db/bulk_deployment_insert.sql_generated.go
🧰 Additional context used
🧠 Learnings (10)
📓 Common learnings
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 4190
File: go/internal/services/keys/verifier.go:51-53
Timestamp: 2025-10-30T15:10:52.743Z
Learning: PR #4190 for unkeyed/unkey is focused solely on database schema and query changes for identity-based credits. It adds IdentityCredits and KeyCredits fields to structs and queries, but does not implement the priority enforcement logic in the usagelimiter. The logic implementation is intentionally deferred to a later PR in the stack.
Learnt from: imeyer
Repo: unkeyed/unkey PR: 3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.436Z
Learning: Repo: unkeyed/unkey — Preference: If imeyer comments “issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.
Learnt from: ogzhanolguncu
Repo: unkeyed/unkey PR: 3973
File: go/pkg/db/schema.sql:307-308
Timestamp: 2025-09-15T17:40:51.536Z
Learning: The environments table in the Unkey codebase is not being used in production yet, so schema changes to it don't require complex migration sequences to handle existing data or concurrent usage.
Learnt from: imeyer
Repo: unkeyed/unkey PR: 3755
File: .github/workflows/job_detect_changes.yaml:111-114
Timestamp: 2025-08-08T16:10:00.224Z
Learning: Repo: unkeyed/unkey — When imeyer writes “make me an issue” on a PR thread, automatically open a thorough GitHub issue (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and comment, and assign to imeyer.
Learnt from: imeyer
Repo: unkeyed/unkey PR: 3755
File: .github/workflows/runbook-freshness-check.yaml:157-173
Timestamp: 2025-08-08T14:59:52.283Z
Learning: Repo unkeyed/unkey: When a CI/workflow fix is deferred, imeyer prefers a thorough GitHub issue be opened with sections (Summary, Impact, Where, Repro, Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References) and assigned to imeyer, including backlinks to the originating PR and comment.
Learnt from: imeyer
Repo: unkeyed/unkey PR: 3755
File: .github/actions/setup-node/action.yaml:0-0
Timestamp: 2025-08-08T15:10:46.436Z
Learning: For repo unkeyed/unkey and PR review workflows: When imeyer comments "issue" on a thread, automatically create a thorough GitHub issue (sections: Summary, Impact, Where, Repro/Observed vs Expected, Acceptance Criteria, Validation Plan, Out of Scope, References), include backlinks to the PR and the specific comment, and assign the issue to imeyer.
📚 Learning: 2025-07-17T14:24:20.403Z
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3631
File: go/pkg/db/bulk_keyring_insert.sql.go:23-25
Timestamp: 2025-07-17T14:24:20.403Z
Learning: In go/pkg/db/bulk_keyring_insert.sql.go and similar bulk insert generated files, hardcoded zero values for fields like size_approx and size_last_updated_at are intentional and reflect the original SQL query structure, not missing parameters.

Applied to files:

  • go/pkg/db/queries/deployment_insert.sql
📚 Learning: 2025-09-12T08:01:20.792Z
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3944
File: go/pkg/db/acme_challenge_update_verified_with_expiry.sql_generated.go:31-39
Timestamp: 2025-09-12T08:01:20.792Z
Learning: Do not review or suggest changes to files with sql_generated.go suffix or other files marked as auto-generated (containing "Code generated by" comments), as these are generated by tools like sqlc and changes would be overwritten on regeneration.

Applied to files:

  • go/pkg/db/queries/deployment_insert.sql
📚 Learning: 2025-09-15T17:40:51.536Z
Learnt from: ogzhanolguncu
Repo: unkeyed/unkey PR: 3973
File: go/pkg/db/schema.sql:307-308
Timestamp: 2025-09-15T17:40:51.536Z
Learning: The environments table in the Unkey codebase is not being used in production yet, so schema changes to it don't require complex migration sequences to handle existing data or concurrent usage.

Applied to files:

  • go/pkg/db/schema.sql
📚 Learning: 2025-10-30T15:10:52.743Z
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 4190
File: go/internal/services/keys/verifier.go:51-53
Timestamp: 2025-10-30T15:10:52.743Z
Learning: PR #4190 for unkeyed/unkey is focused solely on database schema and query changes for identity-based credits. It adds IdentityCredits and KeyCredits fields to structs and queries, but does not implement the priority enforcement logic in the usagelimiter. The logic implementation is intentionally deferred to a later PR in the stack.

Applied to files:

  • go/pkg/db/schema.sql
📚 Learning: 2025-08-14T16:25:48.167Z
Learnt from: Flo4604
Repo: unkeyed/unkey PR: 3785
File: go/apps/api/routes/v2_keys_reroll_key/401_test.go:52-61
Timestamp: 2025-08-14T16:25:48.167Z
Learning: User Flo4604 requested creation of a GitHub issue to track converting all test files to use table-driven test patterns as a broader codebase improvement, following the suggestion made during review of go/apps/api/routes/v2_keys_reroll_key/401_test.go.

Applied to files:

  • go/pkg/db/schema.sql
📚 Learning: 2025-08-25T17:40:51.836Z
Learnt from: mcstepp
Repo: unkeyed/unkey PR: 3830
File: go/pkg/db/project_find_by_workspace_slug.sql_generated.go:0-0
Timestamp: 2025-08-25T17:40:51.836Z
Learning: When analyzing database query performance and indexing needs, always check for existing UNIQUE constraints in addition to explicit CREATE INDEX statements, as UNIQUE constraints automatically create composite indexes that provide optimal query performance for the constrained columns.

Applied to files:

  • go/pkg/db/schema.sql
📚 Learning: 2025-08-25T17:40:51.836Z
Learnt from: mcstepp
Repo: unkeyed/unkey PR: 3830
File: go/pkg/db/project_find_by_workspace_slug.sql_generated.go:0-0
Timestamp: 2025-08-25T17:40:51.836Z
Learning: In database schema analysis: UNIQUE constraints automatically create composite indexes in most SQL databases (PostgreSQL, MySQL, etc.), so when analyzing query performance, check for both explicit CREATE INDEX statements and UNIQUE constraints that cover the query's filter columns.

Applied to files:

  • go/pkg/db/schema.sql
📚 Learning: 2025-04-22T14:40:51.459Z
Learnt from: chronark
Repo: unkeyed/unkey PR: 3161
File: go/pkg/clickhouse/schema/databases/001_verifications/002_raw_key_verifications_v1.sql:31-33
Timestamp: 2025-04-22T14:40:51.459Z
Learning: The ClickHouse table schemas in the codebase mirror the production environment and cannot be modified directly in PRs without careful migration planning.

Applied to files:

  • go/pkg/db/schema.sql
📚 Learning: 2025-04-22T14:43:11.724Z
Learnt from: chronark
Repo: unkeyed/unkey PR: 3161
File: go/pkg/clickhouse/schema/databases/002_ratelimits/006_ratelimits_per_day_v1.sql:1-13
Timestamp: 2025-04-22T14:43:11.724Z
Learning: In the unkey project, the SQL files in clickhouse/schema/databases represent the current production schema and shouldn't be modified directly in PRs. Schema changes require dedicated migration scripts.

Applied to files:

  • go/pkg/db/schema.sql
🧬 Code graph analysis (1)
go/pkg/db/querier_generated.go (2)
go/pkg/db/interface.go (1)
  • DBTX (29-34)
go/pkg/db/environment_variables_find_by_environment_id.sql_generated.go (1)
  • FindEnvironmentVariablesByEnvironmentIdRow (18-21)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: Test Dashboard / Test Dashboard
  • GitHub Check: Test Packages / Test
  • GitHub Check: Lint Go Code / Lint
  • GitHub Check: Test API / API Test Local
  • GitHub Check: Build / Build
  • GitHub Check: Test Go API Local / Test
  • GitHub Check: autofix
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (8)
go/pkg/db/deployment_find_by_id.sql_generated.go (1)

13-37: FindDeploymentById now correctly includes secrets_config in SELECT and Scan.

The SELECT list, Scan order, and Deployment.SecretsConfig field are aligned, so the new blob is populated correctly. No further changes needed here.

go/pkg/db/schema.sql (1)

319-332: Environment variables table schema looks consistent and constrained appropriately.

The environment_variables table (id/workspace_id/environment_id/key/value/type/description/delete_protection/created_at/updated_at) plus UNIQUE(environment_id, key) matches the intended model and provides good per-environment uniqueness without needing an extra index.

go/pkg/db/queries/deployment_insert.sql (1)

2-38: InsertDeployment correctly includes secrets_config; ensure all callers provide it.

The insert column list and VALUES list are consistent with the updated deployments schema (including both gateway_config and secrets_config), so sqlc will generate a matching params struct. Please double‑check that every InsertDeployment call in the stack now populates secrets_config to satisfy the NOT NULL constraint.

go/pkg/db/querier_generated.go (2)

191-195: FindDeploymentById surface matches updated deployment schema.

The documented SELECT now includes secrets_config alongside gateway_config, and matches the generated query and Deployment model. All good here.


1105-1143: InsertDeployment querier signature and documentation align with the new schema.

The InsertDeployment comment and argument ordering (including gateway_config and secrets_config) are consistent with the SQL in queries/deployment_insert.sql and the deployments table definition.

go/pkg/db/models_generated.go (3)

281-321: EnvironmentVariablesType enum and nullable wrapper are consistent with the schema and existing patterns.

The "recoverable" / "writeonly" enum plus NullEnvironmentVariablesType mirror the existing enum/Null* implementations and match the environment_variables.type definition.


778-795: Deployment model correctly adds SecretsConfig as a blob field.

SecretsConfig []byte 'db:"secrets_config"' matches the new longblob NOT NULL column and aligns with the updated SELECT/Scan/insert queries.


828-839: EnvironmentVariable struct cleanly maps the new table.

The EnvironmentVariable fields (IDs, Key, Value, Type, Description, DeleteProtection, timestamps) line up with the environment_variables table and use appropriate Go types.
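The review above confirms the `recoverable` / `writeonly` enum exists in the schema and models, but the difference between the two only holds if every read path checks the type. The following Go sketch is an added example, not code from this PR or from the unkey repository: the constant names, the trimmed `EnvVar` struct, and both functions are hypothetical. It shows a dashboard read path that fails closed on `writeonly` and on any unrecognised type.

```go
package main

import (
	"errors"
	"fmt"
)

// EnvironmentVariablesType mirrors the enum named in the review. The constant
// names are assumed for this example, not copied from models_generated.go.
type EnvironmentVariablesType string

const (
	TypeRecoverable EnvironmentVariablesType = "recoverable"
	TypeWriteonly   EnvironmentVariablesType = "writeonly"
)

// EnvVar is a hypothetical, trimmed stand-in for the EnvironmentVariable row.
type EnvVar struct {
	Key   string
	Value string // encrypted value as stored in the table
	Type  EnvironmentVariablesType
}

var (
	ErrNotRecoverable = errors.New("variable is writeonly")
	ErrUnknownType    = errors.New("unknown variable type")
)

// RevealForDashboard releases the stored value to a decrypt step only for
// recoverable variables. Anything else, including unknown types, is refused.
func RevealForDashboard(v EnvVar) (string, error) {
	switch v.Type {
	case TypeRecoverable:
		return v.Value, nil
	case TypeWriteonly:
		return "", ErrNotRecoverable
	default:
		return "", ErrUnknownType
	}
}

// ListForDashboard maps key to display value, masking every refused variable.
func ListForDashboard(vars []EnvVar) map[string]string {
	out := make(map[string]string, len(vars))
	for _, v := range vars {
		val, err := RevealForDashboard(v)
		if err != nil {
			val = "<hidden>"
		}
		out[v.Key] = val
	}
	return out
}

func main() {
	// Constructed sample rows, not real data.
	vars := []EnvVar{{"API_URL", "enc-a", TypeRecoverable}, {"DB_PASS", "enc-b", TypeWriteonly}}
	fmt.Println(ListForDashboard(vars))
}
```
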

@Flo4604 Flo4604 mentioned this pull request Dec 4, 2025
19 tasks
@chronark chronark merged commit 14cf21b into main Dec 9, 2025
20 of 21 checks passed
@chronark chronark deleted the feat/env-vars-db-schema branch December 9, 2025 16:10
mcstepp pushed a commit that referenced this pull request Dec 9, 2025
* feat: add environment variables db schema and queries

* fix db query
@coderabbitai coderabbitai bot mentioned this pull request Dec 9, 2025
19 tasks
Flo4604 added a commit that referenced this pull request Dec 10, 2025
* feat: add environment variables db schema and queries

* fix db query
chronark added a commit that referenced this pull request Dec 19, 2025
* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

* remove gw from k8s manifest, add agent fix ctrl vault for certs

* separate master keys too

* add initial webhook stuff

* add generated stuff

* adjust comments

* use otel lgtm stack in k8s too

* fix some rabbit comments

* fix some rabbit comments

* get rid of some unnecessary comments

* actually add unkey env cmd gitignores...

* fix golint issues

* Fix/update validation issues status label (#4478)

* fix: update API key status label from 'Potential issues' to 'High Error Rate'

Changed the validation-issues status label to more clearly communicate
that the key is receiving invalid requests, rather than implying the
API or key itself is broken.

Changes:
- Label: 'Potential issues' → 'High Error Rate'
- Tooltip: Updated to clarify that requests are invalid (rate limited,
  unauthorized, etc.) rather than suggesting system issues

Fixes #4474

* chore: apply biome formatting

* fix: update status label to 'Elevated Rejections' per review

---------

Co-authored-by: CodeReaper <148160799+MichaelUnkey@users.noreply.github.com>

* chore: Remove un-used UI components (#4472)

* removed un used components

* updated members refs

---------

Co-authored-by: James P <james@unkey.dev>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* perf: fix n+1 (#4484)

* fix: add 403 error when 0 key verification perms (#4483)

* fix: add 403 error when 0 key verification perms

* cleanup tests

* feat: add environment variables db schema and queries (#4450)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars (#4451)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* feat: add GetPullToken

* feat: dashboard UI for environment variables management (#4452)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* feat: decrypt env vars in CTRL workflow before passing to Krane (#4453)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* feat: inject env vars into pod spec via Krane (#4454)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* feat: add customer-workload service account for pod isolation (#4455)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* remove gw from k8s manifest, add agent fix ctrl vault for certs (#4463)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

* remove gw from k8s manifest, add agent fix ctrl vault for certs

* separate master keys too

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* chore: Make Stripe Great Again (#4479)

* fix: Make stripe webhooks more robust

* chore: Move alert to UI (#4485)

* Moved alert to ui and swapped usages

* feat: better env var injection (#4468)

* feat: add environment variables db schema and queries

* fix db query

* feat: add SecretsConfig proto for encrypted env vars

* [autofix.ci] apply automated fixes

* feat: dashboard UI for environment variables management

* fix comment and rename file

* fix file export name

* Remove unnecessary comments from add-env-vars

* add toasts for environment variable operations

* [autofix.ci] apply automated fixes

* fix: add try/catch error handling to env var mutations

* unfmt file

* [autofix.ci] apply automated fixes

* feat: decrypt env vars in CTRL workflow before passing to Krane

* feat: inject env vars into pod spec via Krane

* feat: add customer-workload service account for pod isolation

* remove gw from k8s manifest, add agent fix ctrl vault for certs

* separate master keys too

* add initial webhook stuff

* add generated stuff

* adjust comments

* use otel lgtm stack in k8s too

* fix some rabbit comments

* fix some rabbit comments

* get rid of some unnecessary comments

* actually add unkey env cmd gitignores...

* fix golint issues (#4477)

* [autofix.ci] apply automated fixes

* fix fmt

* linter be happy

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andreas Thomas <dev@chronark.com>

* make token pod owned

* feat: add lets encrypt challenges (#4471)

* feat: add lets encrypt challenges

* always disable cname following

* cleanup some code

* cleanup some code

* cleanup some code

* cleanup some code

* cleanup some code

* fix golint issues

* fix golint issues

* fmt

* remove old webhook code

* remove old webhook code

* make build id not optional

* cleanup

* cleanup

* fmt

* fmt

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: abhay <88815641+theabhayprajapati@users.noreply.github.com>
Co-authored-by: CodeReaper <148160799+MichaelUnkey@users.noreply.github.com>
Co-authored-by: James P <james@unkey.dev>
Co-authored-by: Andreas Thomas <dev@chronark.com>
Development

Successfully merging this pull request may close these issues.

Environment Variables
