Revert "update infra and remove railway"

This reverts commit b23258a.

Author: waleedlatif1

.github/workflows/build.yml

@@ -55,7 +55,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Log in to the Container registry
-        if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -69,7 +69,7 @@ jobs:
           images: ${{ matrix.image }}
           tags: |
             type=raw,value=latest-${{ matrix.arch }},enable=${{ github.ref == 'refs/heads/main' }}
-            type=raw,value=staging-${{ matrix.arch }},enable=${{ github.ref == 'refs/heads/staging' }}
+            type=raw,value=staging-${{ github.sha }}-${{ matrix.arch }},enable=${{ github.ref == 'refs/heads/staging' }}
             type=sha,format=long,suffix=-${{ matrix.arch }}
 
       - name: Build and push Docker image
@@ -78,7 +78,7 @@ jobs:
           context: .
           file: ${{ matrix.dockerfile }}
           platforms: ${{ matrix.platform }}
-          push: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging') }}
+          push: ${{ github.event_name != 'pull_request' && github.ref == 'refs/heads/main' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=build-v3
@@ -89,7 +89,7 @@ jobs:
   create-manifests:
     runs-on: ubuntu-latest
     needs: build-and-push
-    if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
+    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
     strategy:
       matrix:
         include:
@@ -115,7 +115,6 @@ jobs:
           images: ${{ matrix.image }}
           tags: |
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-            type=raw,value=staging,enable=${{ github.ref == 'refs/heads/staging' }}
             type=sha,format=long
 
       - name: Create and push manifest
@@ -149,32 +148,4 @@ jobs:
               docker manifest inspect "$arm64_image" || echo "ARM64 image not found"
               exit 1
             fi
-          done
-
-  trigger-infrastructure-deploy:
-    runs-on: ubuntu-latest
-    needs: create-manifests
-    if: github.ref == 'refs/heads/staging' || github.ref == 'refs/heads/main'
-    permissions:
-      contents: read
-
-    steps:
-      - name: Trigger staging deployment
-        if: github.ref == 'refs/heads/staging'
-        run: |
-          curl -X POST \
-            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token ${{ secrets.INFRA_DEPLOY_TOKEN }}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/${{ secrets.INFRA_REPO }}/dispatches \
-            -d '{"event_type":"staging-deploy","client_payload":{"sha":"${{ github.sha }}","ref":"${{ github.ref }}"}}'
-      
-      - name: Trigger production deployment
-        if: github.ref == 'refs/heads/main'
-        run: |
-          curl -X POST \
-            -H "Accept: application/vnd.github.v3+json" \
-            -H "Authorization: token ${{ secrets.INFRA_DEPLOY_TOKEN }}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            https://api.github.com/repos/${{ secrets.INFRA_REPO }}/dispatches \
-            -d '{"event_type":"production-deploy","client_payload":{"sha":"${{ github.sha }}","ref":"${{ github.ref }}"}}'
+          done

.github/workflows/ci.yml

@@ -53,3 +53,25 @@ jobs:
           fail_ci_if_error: false
           verbose: true
 
+  migrations:
+    name: Apply Database Migrations
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/staging')
+    needs: test
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Apply migrations
+        working-directory: ./apps/sim
+        env:
+          DATABASE_URL: ${{ github.ref == 'refs/heads/main' && secrets.DATABASE_URL || secrets.STAGING_DATABASE_URL }}
+        run: bunx drizzle-kit migrate

apps/sim/app/api/users/me/api-keys/route.ts

@@ -19,7 +19,6 @@ export async function GET(request: NextRequest) {
 
     const userId = session.user.id
 
-    // Fetch all API keys for this user
     const keys = await db
       .select({
         id: apiKey.id,
@@ -67,7 +66,6 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: 'Name cannot be empty.' }, { status: 400 })
     }
 
-    // Check if a key with this name already exists for the user
     const existingKey = await db
       .select()
       .from(apiKey)
@@ -83,17 +81,15 @@ export async function POST(request: NextRequest) {
       )
     }
 
-    // Create new API key with hashing
     const { key: plainKey, hashedKey } = await createApiKey(true)
 
-    // Store the hashed version in the database
     const [newKey] = await db
       .insert(apiKey)
       .values({
         id: nanoid(),
         userId,
         name,
-        key: hashedKey!, // Store the hashed version
+        key: hashedKey!,
         createdAt: new Date(),
         updatedAt: new Date(),
       })
@@ -103,11 +99,10 @@ export async function POST(request: NextRequest) {
         createdAt: apiKey.createdAt,
       })
 
-    // Return the plain key to the user (they'll never see it again)
     return NextResponse.json({
       key: {
         ...newKey,
-        key: plainKey, // Return the plain text key for user to copy
+        key: plainKey,
       },
     })
   } catch (error) {

apps/sim/app/api/v1/auth.ts

@@ -28,7 +28,6 @@ export async function authenticateApiKey(
   }
 
   try {
-    // First, check personal API keys
     const [personalKey] = await db
       .select({
         userId: apiKeyTable.userId,
@@ -56,7 +55,6 @@ export async function authenticateApiKey(
       }
     }
 
-    // If not found in personal keys, check workspace API keys
     const [workspaceKey] = await db
       .select({
         workspaceId: workspaceApiKey.workspaceId,
@@ -79,7 +77,6 @@ export async function authenticateApiKey(
         }
       }
 
-      // If a workflowId is provided, verify that the workflow belongs to this workspace
       if (workflowId) {
         const [workflowRecord] = await db
           .select({
@@ -109,7 +106,7 @@ export async function authenticateApiKey(
 
       return {
         authenticated: true,
-        userId: workspaceKey.workspaceOwnerId!, // Workspace owner is the effective user
+        userId: workspaceKey.workspaceOwnerId!,
         workspaceId: workspaceKey.workspaceId,
         keyType: 'workspace',
       }

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -322,7 +322,8 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
     // If client provided a specific API key, check if it's either personal or workspace key
     if (providedApiKey) {
-      // First check personal API keys
+      let isValidKey = false
+
       const [personalOwned] = await db
         .select({ key: apiKey.key })
         .from(apiKey)
@@ -331,15 +332,15 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
       if (personalOwned) {
         userKey = providedApiKey
+        isValidKey = true
       } else {
-        // Check workspace API keys - get the workflow's workspace ID
         const [workflowData] = await db
           .select({ workspaceId: workflow.workspaceId })
           .from(workflow)
           .where(eq(workflow.id, id))
           .limit(1)
 
-        if (workflowData) {
+        if (workflowData?.workspaceId) {
           const [workspaceOwned] = await db
             .select({ key: workspaceApiKey.key })
             .from(workspaceApiKey)
@@ -353,9 +354,15 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
           if (workspaceOwned) {
             userKey = providedApiKey
+            isValidKey = true
           }
         }
       }
+
+      if (!isValidKey) {
+        logger.warn(`[${requestId}] Invalid API key provided for workflow deployment: ${id}`)
+        return createErrorResponse('Invalid API key provided', 400)
+      }
     }
 
     // Update the workflow deployment status and save current state as deployed state
@@ -374,14 +381,13 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
     // Update lastUsed for the key we returned (try both personal and workspace keys)
     if (userKey) {
       try {
-        // First try to update personal API key
         const personalResult = await db
           .update(apiKey)
           .set({ lastUsed: new Date(), updatedAt: new Date() })
           .where(eq(apiKey.key, userKey))
+          .returning({ id: apiKey.id })
 
-        // If no personal key was updated, try workspace API key
-        if (!personalResult || personalResult.rowCount === 0) {
+        if (!personalResult || personalResult.length === 0) {
           await db
             .update(workspaceApiKey)
             .set({ lastUsed: new Date(), updatedAt: new Date() })

apps/sim/app/api/workflows/middleware.ts

@@ -69,8 +69,6 @@ export async function validateWorkflowAccess(
         }
       } else {
         // Check both personal API keys and workspace API keys
-
-        // First, check personal API keys belonging to the workflow owner
         const personalKeys = await db
           .select({
             id: apiKey.id,
@@ -81,7 +79,6 @@ export async function validateWorkflowAccess(
 
         let validPersonalKey = null
 
-        // Check each personal key with authentication function
         for (const key of personalKeys) {
           const isValid = await authenticateApiKey(apiKeyHeader, key.key)
           if (isValid) {
@@ -90,9 +87,8 @@ export async function validateWorkflowAccess(
           }
         }
 
-        // If not found in personal keys, check workspace API keys
         let validWorkspaceKey = null
-        if (!validPersonalKey) {
+        if (!validPersonalKey && workflow.workspaceId) {
           const workspaceKeys = await db
             .select({
               id: workspaceApiKey.id,
@@ -103,7 +99,6 @@ export async function validateWorkflowAccess(
             .leftJoin(workspace, eq(workspaceApiKey.workspaceId, workspace.id))
             .where(eq(workspace.id, workflow.workspaceId)) // Key must belong to the same workspace as the workflow
 
-          // Check each workspace key with authentication function
           for (const key of workspaceKeys) {
             const isValid = await authenticateApiKey(apiKeyHeader, key.key)
             if (isValid) {

apps/sim/app/api/workspaces/[id]/api-keys/[keyId]/route.ts

@@ -1,4 +1,4 @@
-import { and, eq } from 'drizzle-orm'
+import { and, eq, not } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
@@ -30,7 +30,6 @@ export async function PUT(
 
     const userId = session.user.id
 
-    // Require admin or write permission to update workspace API keys
     const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
     if (!permission || (permission !== 'admin' && permission !== 'write')) {
       return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
@@ -39,7 +38,6 @@ export async function PUT(
     const body = await request.json()
     const { name } = UpdateKeySchema.parse(body)
 
-    // Check if the key exists in this workspace
     const existingKey = await db
       .select()
       .from(workspaceApiKey)
@@ -50,15 +48,14 @@ export async function PUT(
       return NextResponse.json({ error: 'API key not found' }, { status: 404 })
     }
 
-    // Check if a key with the new name already exists (excluding the current key)
     const conflictingKey = await db
       .select()
       .from(workspaceApiKey)
       .where(
         and(
           eq(workspaceApiKey.workspaceId, workspaceId),
           eq(workspaceApiKey.name, name),
-          workspaceApiKey.id.ne(keyId)
+          not(eq(workspaceApiKey.id, keyId))
         )
       )
       .limit(1)
@@ -70,7 +67,6 @@ export async function PUT(
       )
     }
 
-    // Update the key name
     const [updatedKey] = await db
       .update(workspaceApiKey)
       .set({
@@ -112,13 +108,11 @@ export async function DELETE(
 
     const userId = session.user.id
 
-    // Require admin or write permission to delete workspace API keys
     const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
     if (!permission || (permission !== 'admin' && permission !== 'write')) {
       return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
     }
 
-    // Delete the workspace API key
     const deletedRows = await db
       .delete(workspaceApiKey)
       .where(and(eq(workspaceApiKey.workspaceId, workspaceId), eq(workspaceApiKey.id, keyId)))