From cf7725fd53b17f7e11de7f3fcea8cfd7ab3776a4 Mon Sep 17 00:00:00 2001
From: dal
Date: Sat, 20 Sep 2025 16:34:28 -0600
Subject: [PATCH] add cert step

---
 .github/workflows/database-migrations.yml | 20 +++++++++++++++-
 packages/database/drizzle.config.ts | 28 ++++++++++++++++++++---
 2 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/database-migrations.yml b/.github/workflows/database-migrations.yml
index 79b1d1f9b..e2c4ad53a 100644
--- a/.github/workflows/database-migrations.yml
+++ b/.github/workflows/database-migrations.yml
@@ -59,8 +59,26 @@ jobs:
 - name: Install dependencies
 run: pnpm install --frozen-lockfile --prefer-offline
 
+ - name: Download SSL Certificate from S3
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.AWS_REGION }}
+ CERT_S3_URL: ${{ secrets.CERT_S3_URL }}
+ run: |
+ # Create certs directory
+ mkdir -p /tmp/certs
+
+ # Download the certificate from S3
+ aws s3 cp "$CERT_S3_URL" /tmp/certs/db-cert.pem
+
+ # Set proper permissions
+ chmod 600 /tmp/certs/db-cert.pem
+
+ echo "Certificate downloaded successfully"
+
 - name: Run migrations
 run: pnpm run db:migrate
 env:
 DATABASE_URL: ${{ secrets.DB_URL }}
- NODE_TLS_REJECT_UNAUTHORIZED: '0'
\ No newline at end of file
+ DATABASE_SSL_CERT: /tmp/certs/db-cert.pem
\ No newline at end of file
diff --git a/packages/database/drizzle.config.ts b/packages/database/drizzle.config.ts
index 6dba1bf0f..dd536d865 100644
--- a/packages/database/drizzle.config.ts
+++ b/packages/database/drizzle.config.ts
@@ -1,5 +1,6 @@
 import { config } from 'dotenv';
 import { defineConfig } from 'drizzle-kit';
+import * as fs from 'fs';
 
 // Load specific .env file
 config({ path: '../../.env' }); // or '.env.development', '.env.production', etc.
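Review bot: The new download step authenticates to S3 with long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` repository secrets even though the job only needs read access to a single object; `aws-actions/configure-aws-credentials` with an OIDC-assumed role (`permissions: id-token: write` on the job) would keep a static key out of the secret store entirely. The step also accepts whatever `aws s3 cp` wrote as the CA bundle; adding `openssl x509 -in /tmp/certs/db-cert.pem -noout` after the `chmod` line would fail the job here if the object is not a PEM certificate, instead of surfacing at connection time. The enclosing job and its `steps:` list start before this hunk.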
@@ -10,15 +11,36 @@
 if (!connectionString) {
 throw new Error('DATABASE_URL environment variable is not defined');
 }
+// Check if we have a certificate file specified
+const certPath = process.env.DATABASE_SSL_CERT;
+const isLocalhost = connectionString.includes('localhost') || connectionString.includes('127.0.0.1');
+
+// Configure SSL based on environment
+let sslConfig: any = undefined;
+if (!isLocalhost) {
+ if (certPath && fs.existsSync(certPath)) {
+ // Use the certificate if available
+ sslConfig = {
+ ca: fs.readFileSync(certPath),
+ rejectUnauthorized: true, // With a proper cert, we can validate
+ };
+ console.log('Using SSL certificate from:', certPath);
+ } else {
+ // Fallback to allowing self-signed certificates
+ sslConfig = {
+ rejectUnauthorized: false,
+ };
+ console.log('SSL certificate not found, allowing self-signed certificates');
+ }
+}
+
 export default defineConfig({
 schema: './src/schema.ts',
 out: './drizzle',
 dialect: 'postgresql',
 dbCredentials: {
 url: connectionString || '',
- ssl: {
- rejectUnauthorized: false, // Allow self-signed certificates
- },
+ ...(sslConfig && { ssl: sslConfig }),
 },
 verbose: true,
 strict: true,
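Review bot: The `else` branch of the new SSL block reintroduces `rejectUnauthorized: false` whenever `DATABASE_SSL_CERT` is unset or names a file that does not exist, so a mistyped path or a failed download silently downgrades a non-localhost connection to unverified TLS with only a `console.log` — the state the commit is trying to retire. A configured-but-missing path should throw, the no-certificate fallback should at least `console.warn` so it stands out in CI logs, and `let sslConfig: any` can carry a concrete type. `isLocalhost` uses substring matching on the whole URL; `new URL(connectionString).hostname` would be the stricter test, and the `|| ''` on `url:` is unreachable after the throw above it. `connectionString` is defined before this hunk; rewritten SSL block below.
```typescript
// … unchanged: certPath and isLocalhost …
let sslConfig: { ca: Buffer; rejectUnauthorized: true } | { rejectUnauthorized: false } | undefined;
if (!isLocalhost) {
  if (certPath) {
    // Fail closed: a configured but unreadable cert path must not degrade to unverified TLS.
    if (!fs.existsSync(certPath)) {
      throw new Error(`DATABASE_SSL_CERT is set but file not found: ${certPath}`);
    }
    sslConfig = { ca: fs.readFileSync(certPath), rejectUnauthorized: true };
    console.log('Using SSL certificate from:', certPath);
  } else {
    // No certificate configured: make the unverified connection visible rather than silent.
    sslConfig = { rejectUnauthorized: false };
    console.warn('DATABASE_SSL_CERT not set; server certificate will NOT be verified');
  }
}
// … unchanged: defineConfig({...}) …
```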