
Commit 0ebbbdb

Merge branch 'main' into brendan/scim-user-provisioning
2 parents 1683dbe + ff4b389 commit 0ebbbdb

85 files changed

Lines changed: 5101 additions & 188 deletions

Lines changed: 114 additions & 0 deletions
@@ -0,0 +1,114 @@
1+
name: Check Prisma Migrations
2+
description: >-
3+
Verify Prisma migrations apply cleanly in order and reproduce schema.prisma
4+
(drift check), and that no new migration predates the latest on the base
5+
branch (ordering check). Designed to be embedded in an existing job so its
6+
failure turns that job's status red.
7+
8+
inputs:
9+
base-ref:
10+
description: >-
11+
Base git ref to diff migrations against (e.g. a PR's base branch). When
12+
set, the action skips work on PRs that don't touch migrations and runs the
13+
ordering check. When empty (release builds), the drift check always runs
14+
and the ordering check is skipped.
15+
required: false
16+
default: ""
17+
18+
runs:
19+
using: composite
20+
steps:
21+
- name: Detect Prisma changes
22+
id: detect
23+
shell: bash
24+
run: |
25+
if [ -z "${{ inputs.base-ref }}" ]; then
26+
echo "changed=true" >> "$GITHUB_OUTPUT"
27+
echo "No base-ref provided — running drift check unconditionally."
28+
exit 0
29+
fi
30+
git fetch --no-tags --depth=1 origin "+refs/heads/${{ inputs.base-ref }}:refs/remotes/origin/${{ inputs.base-ref }}"
31+
if git diff --name-only "origin/${{ inputs.base-ref }}" HEAD | grep -q '^packages/db/prisma/'; then
32+
echo "changed=true" >> "$GITHUB_OUTPUT"
33+
echo "Prisma changes detected — running migration checks."
34+
else
35+
echo "changed=false" >> "$GITHUB_OUTPUT"
36+
echo "No Prisma changes — skipping migration checks."
37+
fi
38+
39+
- name: Start Postgres
40+
if: steps.detect.outputs.changed == 'true'
41+
shell: bash
42+
run: |
43+
docker run -d --name prisma-check-pg \
44+
-e POSTGRES_USER=postgres \
45+
-e POSTGRES_PASSWORD=postgres \
46+
-e POSTGRES_DB=sourcebot \
47+
-p 5432:5432 postgres:16
48+
for i in $(seq 1 30); do
49+
if docker exec prisma-check-pg pg_isready -U postgres -q; then
50+
echo "Postgres ready."
51+
exit 0
52+
fi
53+
sleep 2
54+
done
55+
echo "Postgres failed to become ready." && exit 1
56+
57+
- name: Use Node.js
58+
if: steps.detect.outputs.changed == 'true'
59+
uses: actions/setup-node@v4
60+
with:
61+
node-version: "20.x"
62+
63+
- name: Install
64+
if: steps.detect.outputs.changed == 'true'
65+
shell: bash
66+
run: yarn install --frozen-lockfile
67+
68+
# Check 1: migrations apply cleanly in order AND reproduce schema.prisma.
69+
# `migrate deploy` fails if a migration is broken or applies out of sequence;
70+
# `migrate diff` exits 2 when the applied history drifts from the schema.
71+
- name: Apply migrations
72+
if: steps.detect.outputs.changed == 'true'
73+
shell: bash
74+
working-directory: packages/db
75+
env:
76+
DATABASE_URL: postgresql://postgres:postgres@localhost:5432/sourcebot
77+
run: yarn prisma migrate deploy
78+
79+
- name: Check for schema drift
80+
if: steps.detect.outputs.changed == 'true'
81+
shell: bash
82+
working-directory: packages/db
83+
env:
84+
DATABASE_URL: postgresql://postgres:postgres@localhost:5432/sourcebot
85+
run: |
86+
yarn prisma migrate diff \
87+
--from-url "$DATABASE_URL" \
88+
--to-schema-datamodel prisma/schema.prisma \
89+
--exit-code \
90+
&& echo "✅ No drift: migrations reproduce schema.prisma" \
91+
|| (echo "❌ schema.prisma has changes not captured in a migration. Run: yarn dev:prisma:migrate:dev --name <name>" && exit 1)
92+
93+
# Check 2 (PRs only): no new migration predates the latest on the base branch.
94+
- name: Check migration ordering
95+
if: steps.detect.outputs.changed == 'true' && inputs.base-ref != ''
96+
shell: bash
97+
run: |
98+
MIG_DIR=packages/db/prisma/migrations
99+
BASE="origin/${{ inputs.base-ref }}"
100+
LATEST_ON_BASE=$(git ls-tree -r --name-only "$BASE" -- "$MIG_DIR" \
101+
| sed -n "s#$MIG_DIR/\([0-9]\{14\}\)_.*#\1#p" | sort | tail -1)
102+
echo "Latest migration on ${{ inputs.base-ref }}: ${LATEST_ON_BASE:-<none>}"
103+
NEW=$(comm -23 \
104+
<(ls "$MIG_DIR" | sed -n 's/^\([0-9]\{14\}\)_.*/\1/p' | sort -u) \
105+
<(git ls-tree -r --name-only "$BASE" -- "$MIG_DIR" | sed -n "s#$MIG_DIR/\([0-9]\{14\}\)_.*#\1#p" | sort -u))
106+
FAIL=0
107+
for ts in $NEW; do
108+
if [ -n "$LATEST_ON_BASE" ] && [ "$ts" -lt "$LATEST_ON_BASE" ]; then
109+
echo "❌ New migration $ts predates latest migration on ${{ inputs.base-ref }} ($LATEST_ON_BASE). Rename it with a current timestamp."
110+
FAIL=1
111+
fi
112+
done
113+
[ "$FAIL" -eq 0 ] && echo "✅ Migration ordering OK"
114+
exit $FAIL
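Review bot: `${{ inputs.base-ref }}` is expanded into the script text of the `Detect Prisma changes` and `Check migration ordering` steps before bash runs, so a ref name containing shell metacharacters would be executed rather than treated as data. pr-gate.yml passes `github.base_ref`, a branch name in this repository, so exposure today looks limited, but a composite action cannot rely on how future callers fill the input. Bind it once per step with `env:` / `BASE_REF: ${{ inputs.base-ref }}` and use `"$BASE_REF"` in the `[ -z … ]`, `git fetch`, `git diff`, `BASE=` and `echo` lines. Separately, `postgres:16` and `actions/setup-node@v4` are mutable tags; pinning them to an image digest and a commit SHA would keep this release backstop reproducible.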

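--- a/.github/workflows/_build.yml
+++ b/.github/workflows/_build.yml
@@ -76,6 +76,14 @@ jobs:
 fetch-depth: 0
 token: ${{ inputs.use_app_token && steps.generate_token.outputs.token || github.token }}
 
+# Release backstop: fail the build if migrations drift from schema.prisma.
+# Runs once (amd64 only) since the check is platform-independent. base-ref
+# is omitted, so the drift check always runs and the (PR-only) ordering
+# check is skipped.
+- name: Check Prisma migrations
+if: matrix.platform == 'linux/amd64'
+uses: ./.github/actions/check-prisma-migrations
+
 # Extract metadata (tags, labels) for Docker
 # https://github.com/docker/metadata-action
 - name: Extract Docker metadata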
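Review bot: The new step runs `yarn install` and `prisma migrate` (through the composite action) in the workspace that was checked out with `token: ${{ inputs.use_app_token && … }}`, so unless that checkout sets `persist-credentials: false` (its other options are outside this hunk) the token sits in `.git/config` while dependency install scripts execute in the release job. Consider adding `persist-credentials: false` to the checkout if later steps do not need it, or moving the check into a separate job without the app token that the build job `needs:`. The step also publishes Postgres on host port 5432 and leaves the `prisma-check-pg` container running for the rest of the build; a one-line comment saying so would help whoever adds another database step later.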
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
name: Generate OpenAPI Spec
2+
3+
on:
4+
pull_request:
5+
branches: ["main"]
6+
paths:
7+
- "packages/web/**"
8+
- "packages/shared/src/version.ts"
9+
10+
jobs:
11+
generate-openapi:
12+
runs-on: ubuntu-latest
13+
# Skip forks: the default GITHUB_TOKEN can't push back to a fork's branch.
14+
if: github.event.pull_request.head.repo.full_name == github.repository
15+
permissions:
16+
contents: write
17+
steps:
18+
- name: Checkout repository
19+
uses: actions/checkout@v4
20+
with:
21+
submodules: "true"
22+
ref: ${{ github.head_ref }}
23+
token: ${{ secrets.GITHUB_TOKEN }}
24+
25+
- name: Use Node.js
26+
uses: actions/setup-node@v4
27+
with:
28+
node-version: '20.x'
29+
cache: 'yarn'
30+
cache-dependency-path: '**/yarn.lock'
31+
32+
- name: Install
33+
run: yarn install --frozen-lockfile
34+
35+
- name: Generate OpenAPI spec
36+
run: yarn workspace @sourcebot/web openapi:generate
37+
38+
- name: Commit regenerated spec if changed
39+
run: |
40+
SPEC=docs/api-reference/sourcebot-public.openapi.json
41+
if [ -z "$(git status --porcelain "$SPEC")" ]; then
42+
echo "OpenAPI spec is up to date."
43+
exit 0
44+
fi
45+
git config user.name "github-actions[bot]"
46+
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
47+
git add "$SPEC"
48+
git commit -m "chore: regenerate OpenAPI spec"
49+
git push
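Review bot: The job holds `contents: write` and the checkout persists `secrets.GITHUB_TOKEN` in the workspace before `yarn install --frozen-lockfile` and `openapi:generate` run, so any dependency lifecycle script or generator code executes with push access to the branch. Set `persist-credentials: false` on the checkout and hand the token only to the final commit step through that step's `env:`, so install and generation run without credentials. Two things also deserve a comment in the file: commits pushed with `GITHUB_TOKEN` do not start new workflow runs, so the regenerated-spec commit will not be re-checked by PR Gate, and `ref: ${{ github.head_ref }}` checks out the branch tip rather than the commit that triggered the run.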

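--- a/.github/workflows/pr-gate.yml
+++ b/.github/workflows/pr-gate.yml
@@ -1,6 +1,7 @@
 name: PR Gate
 
-# This gate simply validates that we can build the docker container.
+# This gate validates that Prisma migrations are in order and that we can build
+# the docker container.
 
 on:
 pull_request:
@@ -16,6 +17,15 @@ jobs:
 uses: actions/checkout@v4
 with:
 submodules: "true"
+# full history so migration checks can diff against the base branch
+fetch-depth: 0
+
+# Fails fast (before the docker build) when migrations drift from
+# schema.prisma or a new migration is added out of timestamp order.
+- name: Check Prisma migrations
+uses: ./.github/actions/check-prisma-migrations
+with:
+base-ref: ${{ github.base_ref }}
 
 - name: Build Docker image
 id: build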
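Review bot: The comment on `fetch-depth: 0` says full history is needed for the migration checks, but the action added in this commit does its own `git fetch --depth=1` of the base ref and then uses a two-endpoint `git diff --name-only "origin/<base>" HEAD` and `git ls-tree`, neither of which appears to walk history. Either drop `fetch-depth: 0` to keep PR checkouts small, or keep it and have the action compare against the merge base (`origin/<base>...HEAD`, with a matching fetch) so files changed only on the base branch do not count as Prisma changes; the comment should then say that is the reason. The steps list continues outside the hunk.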

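--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,10 +16,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [EE] Added mermaid diagram rendering to Ask Sourcebot answers, with pan/zoom, copy/export, in-thread deep links, and an interleaved right-panel view. [#1369](https://github.com/sourcebot-dev/sourcebot/pull/1369)
 - [EE] Added a context-window usage gauge to the Ask Sourcebot chat details, showing how much of the selected model's context window each turn occupies. Window sizes are resolved from the models.dev catalog. [#1370](https://github.com/sourcebot-dev/sourcebot/pull/1370)
 - Added language model input-modality and document capability resolution, automatically resolved from the models.dev catalog (falls back to text-only for uncatalogued/self-hosted models). [#1372](https://github.com/sourcebot-dev/sourcebot/pull/1372)
+- [EE] Added DPoP sender-constrained OAuth tokens for MCP clients. [#1395](https://github.com/sourcebot-dev/sourcebot/pull/1395)
+- [EE] Added text file attachments to Ask Sourcebot, letting users attach text/code/config files to a chat message via the paperclip button, drag-and-drop, or paste, with large pastes auto-converted to attachments. [#1374](https://github.com/sourcebot-dev/sourcebot/pull/1374)
+- [EE] Added image attachments to Ask Sourcebot, letting users attach images to a chat message when the selected model supports image input. [#1375](https://github.com/sourcebot-dev/sourcebot/pull/1375)
 
 ### Fixed
 - Send anonymous server-side PostHog events as personless so unauthenticated requests don't inflate person counts. [#1367](https://github.com/sourcebot-dev/sourcebot/pull/1367)
 - [EE] Fixed Ask Sourcebot mermaid diagrams overflowing their container by contain-fitting them to both width and height, and made revealing a diagram from the answer jump it into view instantly to avoid over/undershooting. [#1373](https://github.com/sourcebot-dev/sourcebot/pull/1373)
+- Verified GitHub review webhook deliveries before processing them. [#1378](https://github.com/sourcebot-dev/sourcebot/pull/1378)
+- Passed Zoekt index parameters via argv to preserve revision names with punctuation. [#1376](https://github.com/sourcebot-dev/sourcebot/pull/1376)
+- [EE] Validated OAuth bearer token scopes before allowing access to the Sourcebot MCP resource server. [#1396](https://github.com/sourcebot-dev/sourcebot/pull/1396)
 
 ## [5.0.4] - 2026-06-18
 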
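--- a/docs/docs.json
+++ b/docs/docs.json
@@ -41,6 +41,7 @@
 "docs/overview",
 {
 "group": "Deploy Sourcebot",
+"root": "docs/deployment/deploy-sourcebot",
 "pages": [
 "docs/deployment/docker-compose",
 "docs/deployment/k8s"
@@ -251,6 +252,10 @@
 "strict": false
 },
 "redirects": [
+{
+"source": "/docs/deployment/overview",
+"destination": "/docs/deployment/deploy-sourcebot"
+},
 {
 "source": "/docs/features/search/overview",
 "destination": "/docs/features/search/code-search"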

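--- a/docs/docs/configuration/environment-variables.mdx
+++ b/docs/docs/configuration/environment-variables.mdx
@@ -40,6 +40,8 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `SOURCEBOT_TELEMETRY_DISABLED` | `false` | <p>Enables/disables telemetry collection in Sourcebot. See [this doc](/docs/misc/telemetry) for more info.</p> |
 | `DEFAULT_MAX_MATCH_COUNT` | `10000` | <p>The default maximum number of search results to return when using search in the web app.</p> |
 | `ALWAYS_INDEX_FILE_PATTERNS` | - | <p>A comma separated list of glob patterns matching file paths that should always be indexed, regardless of size or number of trigrams.</p> |
+| `SOURCEBOT_CHAT_ATTACHMENT_MAX_IMAGE_BYTES` | `10485760` (10 MiB) | <p>Maximum size in bytes of a single image attachment uploaded to Ask Sourcebot. Enforced server-side at upload time.</p> |
+| `SOURCEBOT_CHAT_ATTACHMENT_ORPHAN_TTL_HOURS` | `24` | <p>How long in hours an uploaded-but-unsent attachment is retained before being deleted by the orphan sweep. Set to `0` to disable the sweep.</p> |
 | `NODE_USE_ENV_PROXY` | `0` | <p>Enables Node.js to automatically use `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables for network requests. Set to `1` to enable or `0` to disable. See [this doc](https://nodejs.org/en/learn/http/enterprise-network-configuration) for more info.</p> |
 | `HTTP_PROXY` | - | <p>HTTP proxy URL for routing non-SSL requests through a proxy server (e.g., `http://proxy.company.com:8080`). Requires `NODE_USE_ENV_PROXY=1`.</p> |
 | `HTTPS_PROXY` | - | <p>HTTPS proxy URL for routing SSL requests through a proxy server (e.g., `http://proxy.company.com:8080`). Requires `NODE_USE_ENV_PROXY=1`.</p> |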
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
---
2+
title: "Deploy Sourcebot"
3+
---
4+
5+
Sourcebot runs entirely in your infrastructure. Your code, AI inputs/outputs, personal data, and all other sensitive data never leave your environment.
6+
7+
<CardGroup cols={2}>
8+
<Card title="Docker Compose" icon="docker" href="/docs/deployment/docker-compose">
9+
The fastest way to get started. Deploy Sourcebot with a single command.
10+
</Card>
11+
<Card title="Kubernetes (Helm)" icon="dharmachakra" href="/docs/deployment/k8s">
12+
Deploy Sourcebot into your Kubernetes cluster using the official Helm chart.
13+
</Card>
14+
</CardGroup>
15+
16+
Not sure how much to provision? See the [sizing guide](/docs/deployment/sizing-guide) for resource recommendations.

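--- a/docs/reo.js
+++ b/docs/reo.js
@@ -0,0 +1,3 @@
+// Reo.dev analytics. Mintlify automatically includes any .js file in the docs
+// content directory as a global <script> tag on every page.
+!function () { var e, t, n; e = "496e8be6ff0effa", t = function () { Reo.init({ clientID: "496e8be6ff0effa", enableThirdPartyTracking: true }) }, (n = document.createElement("script")).src = "https://static.reo.dev/" + e + "/reo.js", n.defer = !0, n.onload = t, document.head.appendChild(n) }();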
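Review bot: This file injects a script from `https://static.reo.dev/` into every docs page with `enableThirdPartyTracking: true`, and nothing pins or constrains what that origin serves, so a change or compromise on the vendor side runs with full access to the docs origin. The header comment should state what is collected and who approved it, and the docs site should carry a CSP limiting `script-src`/`connect-src` to the origins actually needed, if the docs host allows setting one. Minor: the client ID is written twice; `Reo.init({ clientID: e, … })` keeps the two from diverging.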
