From fcf93aac11d5f29476568fe711908dee9a56ed42 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 6 May 2026 16:31:04 +0800
Subject: [PATCH] fix(ci): retry owner-required migrations safely
---
 .gitea/workflows/run-migration.yml | 35 +++++++++++++++++++++++++-----
 docs/LOGBOOK.md | 3 ++-
 2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/.gitea/workflows/run-migration.yml b/.gitea/workflows/run-migration.yml
index c280fc16..6672bde5 100644
--- a/.gitea/workflows/run-migration.yml
+++ b/.gitea/workflows/run-migration.yml
@@ -66,8 +66,11 @@ jobs:
 - name: Apply new migrations
 if: steps.diff.outputs.new_files != ''
 env:
- # 從 Gitea secrets 取,不直接明碼
+ # 從 Gitea secrets 取,不直接明碼輸出。
+ # MIGRATION_DATABASE_URL 是限權帳號;DATABASE_URL 只在 PostgreSQL
+ # 明確回報「必須是 table owner」時作為受控 fallback。
 PGURL: ${{ secrets.MIGRATION_DATABASE_URL }}
+ OWNER_PGURL: ${{ secrets.DATABASE_URL }}
 run: |
 set -euo pipefail
 if [ -z "$PGURL" ]; then
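Review bot: The new `env:` comment says when `OWNER_PGURL` is used but not that the `DATABASE_URL` secret is optional or what happens when it is absent; the `run:` block that consumes it continues past this hunk and only fails with `::error::` once a migration actually needs table ownership, so a repository without that secret passes until the first such migration. One more comment line above `OWNER_PGURL` makes the contract explicit: `# DATABASE_URL is optional; when unset, an owner-required migration fails with ::error:: instead of retrying.` It is also worth stating there that both values are Gitea secrets and are therefore masked in the job log, since the fallback path prints psql stderr to the log.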
@@ -75,15 +78,37 @@ jobs: exit 1 fi PGURL_PSQL="${PGURL/postgresql+asyncpg:\/\//postgresql:\/\/}" + OWNER_PGURL_PSQL="${OWNER_PGURL/postgresql+asyncpg:\/\//postgresql:\/\/}" + + apply_migration() { + local url="$1" + local file="$2" + psql "$url" \ + -v ON_ERROR_STOP=1 \ + --single-transaction \ + -f "$file" + } # 套用每個新檔 (single transaction per file) echo "${{ steps.diff.outputs.new_files }}" | while IFS= read -r file; do [ -z "$file" ] && continue echo "=== Applying: $file ===" - psql "$PGURL_PSQL" \ - -v ON_ERROR_STOP=1 \ - --single-transaction \ - -f "$file" + migration_err="$(mktemp)" + if ! apply_migration "$PGURL_PSQL" "$file" 2>"$migration_err"; then + if grep -q "must be owner of table" "$migration_err"; then + if [ -z "$OWNER_PGURL_PSQL" ]; then + cat "$migration_err" >&2 + echo "::error::migration requires table owner but DATABASE_URL secret is not set" + exit 1 + fi + echo "::warning::migration requires table owner; retrying with owner connection" + apply_migration "$OWNER_PGURL_PSQL" "$file" + else + cat "$migration_err" >&2 + exit 1 + fi + fi + rm -f "$migration_err" echo "=== OK: $file ===" done diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 48c4d6c1..7c27a41f 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -3790,4 +3790,5 @@ ALTER TABLE awooop_mcp_gateway_audit ``` - 套用後確認 `tool_id_not_null=false`。 -- 後續需獨立修正 migration 權限模型:`awoooi_migrator` 目前可新增部分 schema,但不能 ALTER 由 `awoooi` 擁有的既有表;這會讓「修既有表」類 migration 在 CI 中失敗。 +- 同輪已修正 `.gitea/workflows/run-migration.yml`:平常仍優先使用 `MIGRATION_DATABASE_URL` 限權帳號;只有 PostgreSQL 明確回報 `must be owner of table` 時,才以 `DATABASE_URL` table owner 連線重試,且不輸出任何連線串。 +- 後續仍需獨立檢討 DB ownership 模型:`awoooi_migrator` 目前可新增部分 schema,但不能 ALTER 由 `awoooi` 擁有的既有表;owner fallback 是營運修補,不是長期最終治理模型。
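Review bot: In the owner-retry branch the stderr captured from the first attempt is never shown — `rm -f "$migration_err"` runs only on the success path and nothing prints the file before `apply_migration "$OWNER_PGURL_PSQL" "$file"` — so the job log does not record which statement required ownership, which is exactly the evidence needed later to judge whether each privilege escalation was legitimate; add `cat "$migration_err" >&2` before the `::warning::` line, and either move the `rm -f` into a `trap 'rm -f "$migration_err"' EXIT` or repeat it on the two `exit 1` paths so the temp file is not left behind (the enclosing `run:` block starts before this hunk). The match `grep -q "must be owner of table"` is narrower than PostgreSQL's ownership errors (`must be owner of relation`, `... sequence`, `... index`, and so on), so a migration that alters one of those fails hard instead of retrying; `grep -q "must be owner of"` still limits the fallback to ownership errors, and because it depends on the server emitting English messages, a non-English `lc_messages` simply makes the step fail with the original error, which is the safe direction. The retry re-runs the whole file, which is sound only because the first attempt ran under `--single-transaction` and rolled back; a file containing its own `COMMIT` or statements that cannot run inside a transaction would be partially applied twice, and the comment above `apply_migration` should say so.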