ci: let Alchemy own PlanetScale deploy password #470

Open. theianjones wants to merge 1 commit into main from fix/alchemy-owned-planetscale-password

theianjones (Contributor) commented May 24, 2026

Summary

  • move schema push into alchemy.run.ts using Alchemy's PlanetScale Password resource plus Exec
  • use a new Alchemy-owned deploy password resource id so stale ps-password-* state is not reused
  • wire Hyperdrive to the same Alchemy-managed password used by Drizzle
  • remove CI-created PlanetScale passwords and workflow-level drizzle pushes from both manual and push-to-main deploy paths

Context

This implements Option A from the Alchemy PlanetScale + Drizzle guide: Alchemy owns the database password, uses it for Drizzle, then uses that same credential for runtime infrastructure. That removes the two-sources-of-truth split between workflow-created DATABASE_URL and Alchemy-managed PlanetScalePassword state.

Guide: https://alchemy.run/guides/planetscale-drizzle/

Validation

  • ruby -e "require 'yaml'; YAML.load_file('.github/workflows/deploy.yml'); puts 'deploy.yml parses'"
  • pnpm --filter wodsmith-start type-check
  • pnpm --filter wodsmith-start exec tsgo --ignoreConfig --noEmit alchemy.run.ts --module nodenext --moduleResolution nodenext --target es2022 --types node --skipLibCheck

Summary by cubic

Alchemy now owns the PlanetScale deploy password and drives the drizzle-kit schema push. This removes CI-created passwords and aligns Hyperdrive and Drizzle on one credential to avoid drift.

  • Refactors
    • Moved drizzle-kit push into alchemy.run.ts via Exec, using PlanetScalePassword for DATABASE_URL.
    • Switched to ps-deploy-password-${stage} to avoid stale ps-password-* state.
    • Hyperdrive origin now uses the same Alchemy-managed credential; dropped CI-provided DATABASE_URL.
    • Removed planetscale/setup-pscale-action@v1, password generation, and workflow-level pushes in both deploy paths.
    • Added CF_AIG_TOKEN to deploy environments.

Written for commit ea9138c. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Updated deployment workflow configuration and infrastructure-as-code scripts to streamline the deployment process.
    • Added new authentication token support to deployment pipeline.

coderabbitai Bot (Contributor) commented May 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c58c76a4-2541-496b-9c05-7c503f15d3f5

📥 Commits

Reviewing files that changed from the base of the PR and between 689cccf and ea9138c.

📒 Files selected for processing (2)
  • .github/workflows/deploy.yml
  • apps/wodsmith-start/alchemy.run.ts

Walkthrough

Database schema migration shifts from the GitHub Actions deployment workflow to the Alchemy infrastructure-as-code runtime. PlanetScale credentials are now generated and consumed directly during IaC provisioning to execute schema push, and Hyperdrive is configured with the same credentials. The workflow jobs are simplified and now pass CF_AIG_TOKEN to deployment.

Changes

Database Schema Push Migration to IaC

| Layer / File(s) | Summary |
| --- | --- |
| Alchemy IaC schema push and PlanetScale setup: apps/wodsmith-start/alchemy.run.ts | Imports Exec to run commands during IaC provisioning. Creates a stage-scoped PlanetScale deployment password, derives a MySQL DATABASE_URL from username/password/host, and executes drizzle-kit push with that URL. Updates Hyperdrive origin configuration to use the PlanetScale credentials directly instead of relying on process.env.DATABASE_URL. |
| Workflow deployment simplification and secret integration: .github/workflows/deploy.yml | Production and demo deployment jobs remove PlanetScale password generation and drizzle-kit push schema-migration steps. Deployment now runs directly after dependency installation. Both jobs add the CF_AIG_TOKEN secret to the environment passed to the Alchemy deploy command. |

Sequence Diagram

sequenceDiagram
  participant AlchemyRun as Alchemy IaC Runtime
  participant PlanetScale as PlanetScale Credentials
  participant DrizzleKit as drizzle-kit push
  participant Hyperdrive as Hyperdrive Config
  AlchemyRun->>PlanetScale: Request deploy password
  PlanetScale-->>AlchemyRun: Return username, password, host
  AlchemyRun->>AlchemyRun: Derive MySQL DATABASE_URL
  AlchemyRun->>DrizzleKit: Exec with DATABASE_URL
  DrizzleKit-->>AlchemyRun: Schema push complete
  AlchemyRun->>Hyperdrive: Configure origin from credentials
  Hyperdrive-->>AlchemyRun: Origin configured

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • wodsmith/thewodapp#11: Both PRs modify the GitHub Actions .github/workflows/deploy.yml deployment command/step, overlapping on workflow deploy logic.

Poem

🐰 A schema moves home, from workflow to code,
Where IaC now bears the database load,
Credentials flow fresh through Alchemy's vein,
Hyperdrive configured without network strain,
Simpler the jobs, yet complete the task—
No more shall deployments hide truth in the mask. 🎯

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and specifically describes the main architectural change: moving PlanetScale deploy password management from CI workflows to Alchemy infrastructure. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


cubic-dev-ai Bot (Contributor) left a comment

No issues found across 2 files
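
The walkthrough above describes deriving a MySQL DATABASE_URL from the password's username/password/host and giving Hyperdrive the same credential. As an added example (not code from this PR or from Alchemy), the plain-TypeScript sketch below builds both views from one credential object, checks that they agree, and masks the secret for logs; the `DeployCredential` and `OriginConfig` shapes, the function names, port 3306 and the sample values are assumptions.

```typescript
// Added example: plain TypeScript with no Alchemy imports. The shapes below are
// assumptions for illustration, not the project's or Alchemy's own types.
interface DeployCredential { username: string; password: string; host: string }
interface OriginConfig {
  scheme: "mysql"; host: string; port: number;
  database: string; user: string; password: string;
}

// Build the connection string for the schema push. Userinfo is percent-encoded
// so characters such as '@', ':' or '/' in a secret cannot shift the host.
function buildDatabaseUrl(c: DeployCredential, database: string, port = 3306): string {
  const user = encodeURIComponent(c.username);
  const pass = encodeURIComponent(c.password);
  return `mysql://${user}:${pass}@${c.host}:${port}/${encodeURIComponent(database)}`;
}

// Build the runtime origin from the same credential object (one source of truth).
function buildOrigin(c: DeployCredential, database: string, port = 3306): OriginConfig {
  return { scheme: "mysql", host: c.host, port, database, user: c.username, password: c.password };
}

// Drift check: does the URL handed to the schema push describe the same
// endpoint and credential as the runtime origin?
function describesSameCredential(databaseUrl: string, o: OriginConfig): boolean {
  const u = new URL(databaseUrl);
  return (
    u.protocol === `${o.scheme}:` &&
    u.hostname === o.host &&
    Number(u.port) === o.port &&
    decodeURIComponent(u.pathname.slice(1)) === o.database &&
    decodeURIComponent(u.username) === o.user &&
    decodeURIComponent(u.password) === o.password
  );
}

// Mask the password before a URL reaches CI logs or error messages.
function redactDatabaseUrl(databaseUrl: string): string {
  const u = new URL(databaseUrl);
  if (u.password) u.password = "REDACTED";
  return u.toString();
}

// Constructed sample values; not real credentials.
const sample: DeployCredential = {
  username: "deploy_user", password: "p@ss:/w?rd#1", host: "db.example.test",
};
const sampleUrl = buildDatabaseUrl(sample, "app_db");
const sampleOrigin = buildOrigin(sample, "app_db");
```

Running `describesSameCredential` before the deploy step finishes turns a credential split between the schema push and the runtime origin into a failed deploy rather than a runtime connection error.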
