improvement(ci): resolve migration db url from prefixed repo secrets, drop github environments

Author: TheodoreSpeaks

.github/workflows/ci.yml

@@ -57,7 +57,7 @@ jobs:
       (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
     uses: ./.github/workflows/migrations.yml
     with:
-      environment: ${{ github.ref == 'refs/heads/main' && 'db-production' || 'db-staging' }}
+      environment: ${{ github.ref == 'refs/heads/main' && 'production' || 'staging' }}
     secrets: inherit
 
   # Same ordering for dev (schema push before the dev image lands in ECR)
@@ -66,7 +66,7 @@ jobs:
     if: github.event_name == 'push' && github.ref == 'refs/heads/dev'
     uses: ./.github/workflows/migrations.yml
     with:
-      environment: db-dev
+      environment: dev
     secrets: inherit
 
   # Dev: build all 3 images for ECR only (no GHCR, no ARM64)

.github/workflows/migrations.yml

@@ -4,19 +4,19 @@ on:
   workflow_call:
     inputs:
       environment:
-        description: Target GitHub environment (db-production, db-staging, or db-dev)
+        description: Target environment (production, staging, or dev)
         required: true
         type: string
   workflow_dispatch:
     inputs:
       environment:
-        description: Target GitHub environment
+        description: Target environment
         required: true
         type: choice
         options:
-          - db-production
-          - db-staging
-          - db-dev
+          - production
+          - staging
+          - dev
 
 permissions:
   contents: read
@@ -25,7 +25,6 @@ jobs:
   migrate:
     name: Apply Database Migrations
     runs-on: blacksmith-4vcpu-ubuntu-2404
-    environment: ${{ inputs.environment }}
 
     steps:
       - name: Checkout code
@@ -50,24 +49,23 @@ jobs:
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
-      # MIGRATIONS_DATABASE_URL is an environment-scoped secret with no repo-level
-      # fallback: if it's missing on the target environment it resolves to empty and
-      # the guard below fails the job, instead of silently inheriting another
-      # environment's database
+      # The expression maps the explicit environment input to exactly one repo
+      # secret, so the job never holds another environment's database URL. An
+      # unknown environment resolves to empty and the guard below fails the job.
       - name: Apply database schema changes
         working-directory: ./packages/db
         env:
-          DATABASE_URL: ${{ secrets.MIGRATIONS_DATABASE_URL }}
+          DATABASE_URL: ${{ inputs.environment == 'production' && secrets.DATABASE_URL || inputs.environment == 'staging' && secrets.STAGING_DATABASE_URL || inputs.environment == 'dev' && secrets.DEV_DATABASE_URL || '' }}
           ENVIRONMENT: ${{ inputs.environment }}
         run: |
           if [ -z "$DATABASE_URL" ]; then
-            echo "ERROR: MIGRATIONS_DATABASE_URL is not set on environment '${ENVIRONMENT}'" >&2
+            echo "ERROR: no database URL secret resolved for environment '${ENVIRONMENT}'" >&2
             exit 1
           fi
 
           echo "Applying versioned migrations (db:migrate)"
           bun run ./scripts/migrate.ts
-          if [ "${ENVIRONMENT}" = "db-dev" ]; then
+          if [ "${ENVIRONMENT}" = "dev" ]; then
             echo "Dev environment — also pushing unversioned schema drift (db:push)"
             bun run db:push --force
           fi