0.9.11-beta: SchemaIntegrityVerifier false positives on Schema/AllTablesInSchema grants + text column ::text default #61

@MelbourneDeveloper

Repro

YAML schema with:

grants:
  - schema: public
    target: Schema
    privileges: [USAGE]
    roles: [app_user, app_admin]
  - schema: public
    target: AllTablesInSchema
    privileges: [SELECT, INSERT, UPDATE, DELETE]
    roles: [app_user, app_admin]

Run dotnet DataProviderMigrate --schema schema.yaml --output "<postgres-dsn>" --provider postgres.

Expected

Migration converges. SchemaIntegrityVerifier reports clean.

Actual

Migration completed successfully
SCHEMA INTEGRITY CHECK FAILED
grant Schema public: missing grant
grant AllTablesInSchema public: missing grant

Exit code 1. Re-running is non-converging — the verifier reports the same missing grants on every run.

Verification that the grants are actually applied

-- Schema USAGE: explicit grant present in nspacl
SELECT nspname, nspacl FROM pg_namespace WHERE nspname='public';
--  public | {... app_user=U/pg_database_owner, app_admin=U/pg_database_owner}

-- has_schema_privilege() returns true
SELECT has_schema_privilege('app_user',  'public', 'USAGE');  -- t
SELECT has_schema_privilege('app_admin', 'public', 'USAGE'); -- t

-- Table grants: every public table shows arwd in relacl for both roles
SELECT relname, relacl
  FROM pg_class
 WHERE relnamespace='public'::regnamespace AND relkind='r' LIMIT 1;
--  users | {... app_user=arwd/postgres, app_admin=arwd/postgres}

So the migrate step applies the grants correctly. The verifier's InspectSchemaGrants simply doesn't recognise the applied state.

Side issue (also new in 0.9.11): text column defaults

defaultValue: "'generating'" in YAML round-trips to 'generating'::text in information_schema.columns.column_default (Postgres normalises text literals). The verifier reports:

public.sites.status: default expected 'generating' but found 'generating'::text

Workaround: spell the YAML as defaultValue: "'generating'::text". The verifier should ideally strip the ::text cast (or apply the same normalisation to both sides) before comparing.

Environment

  • DataProviderMigrate 0.9.11-beta
  • Postgres 16 (Supabase docker stack)
  • Same YAML migrates cleanly under 0.9.10-beta (the verifier step appears to be new in 0.9.11).

Workaround we're shipping

Until this lands we invoke dotnet DataProviderMigrate via a Python wrapper that swallows exactly the two known false-positive lines after asserting Migration completed successfully is in stdout — see scripts/migrate_schema.py. Happy to delete the wrapper once the verifier is fixed.
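
An independent way to confirm the applied state from the `nspacl` / `relacl` text shown above, with the same `::text` normalisation applied to both sides of a default comparison. This is an added example, not code from the report or from DataProviderMigrate; the function names and the sample ACL strings are hypothetical, and it assumes unquoted role names.

```python
import re

# Postgres aclitem privilege letters (subset relevant to schema and table grants).
ACL_LETTERS = {
    "r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
    "D": "TRUNCATE", "x": "REFERENCES", "t": "TRIGGER",
    "U": "USAGE", "C": "CREATE",
}

def parse_acl(acl_text):
    """Parse an aclitem[] rendered as text into {grantee: {privilege, ...}}.

    Assumption: role names are unquoted. An empty grantee means PUBLIC.
    """
    grants = {}
    body = acl_text.strip().strip("{}")
    for item in filter(None, (part.strip() for part in body.split(","))):
        grantee, _, rest = item.partition("=")
        letters = rest.split("/", 1)[0].replace("*", "")  # '*' marks grant option
        privs = {ACL_LETTERS[c] for c in letters if c in ACL_LETTERS}
        grants.setdefault(grantee or "PUBLIC", set()).update(privs)
    return grants

def missing_grants(acl_text, roles, privileges):
    """Return sorted (role, privilege) pairs expected by the YAML but absent from the ACL."""
    actual = parse_acl(acl_text)
    return sorted(
        (role, priv)
        for role in roles
        for priv in privileges
        if priv not in actual.get(role, set())
    )

def normalise_default(expr):
    """Strip one trailing ::text cast so both sides of a default comparison match."""
    return re.sub(r"::text$", "", expr.strip())

# Constructed sample ACL strings, shaped like the nspacl / relacl output in the report.
SAMPLE_NSPACL = "{pg_database_owner=UC/pg_database_owner,=U/pg_database_owner,app_user=U/pg_database_owner, app_admin=U/pg_database_owner}"
SAMPLE_RELACL = "{postgres=arwdDxt/postgres,app_user=arwd/postgres,app_admin=arwd/postgres}"
# Constructed drift case: app_user holds SELECT only.
SAMPLE_RELACL_DRIFT = "{postgres=arwdDxt/postgres,app_user=r/postgres,app_admin=arwd/postgres}"
```

This checks explicit ACL entries only; `has_schema_privilege()` additionally counts privileges inherited through PUBLIC or role membership, so the two can legitimately differ.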
