From 35ce947bc77fd1c63e0953bad3df8232f6f29c7b Mon Sep 17 00:00:00 2001
From: Anthony Volk <anth.volk@gmail.com>
Date: Mon, 16 Mar 2026 23:56:19 +0100
Subject: [PATCH 1/5] fix: Relax staging integration test model count assertion

The staging/testing database may only have one country seeded.
Change assertion from >= 2 to >= 1 so the test validates the
endpoint works without assuming a specific seed preset.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 changelog.d/staging-test-fix.fixed | 1 +
 tests/test_staging_api.py          | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/staging-test-fix.fixed

diff --git a/changelog.d/staging-test-fix.fixed b/changelog.d/staging-test-fix.fixed
new file mode 100644
index 00000000..179f802b
--- /dev/null
+++ b/changelog.d/staging-test-fix.fixed
@@ -0,0 +1 @@
+Relax staging integration test to allow single-country database seeds
diff --git a/tests/test_staging_api.py b/tests/test_staging_api.py
index 9f135065..36c196a9 100644
--- a/tests/test_staging_api.py
+++ b/tests/test_staging_api.py
@@ -31,7 +31,7 @@ def test_list_models(api):
     r = api.get("/tax-benefit-models")
     assert r.status_code == 200
     models = r.json()
-    assert len(models) >= 2  # UK and US
+    assert len(models) >= 1  # At least one country model seeded
 
 
 def test_list_variables(api):

From 9a4ebe734d678762c24f2a347a0951b226993103 Mon Sep 17 00:00:00 2001
From: Anthony Volk <anth.volk@gmail.com>
Date: Mon, 16 Mar 2026 23:57:35 +0100
Subject: [PATCH 2/5] Revert "fix: Relax staging integration test model count
 assertion"

This reverts commit 35ce947bc77fd1c63e0953bad3df8232f6f29c7b.
---
 changelog.d/staging-test-fix.fixed | 1 -
 tests/test_staging_api.py          | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 changelog.d/staging-test-fix.fixed

diff --git a/changelog.d/staging-test-fix.fixed b/changelog.d/staging-test-fix.fixed
deleted file mode 100644
index 179f802b..00000000
--- a/changelog.d/staging-test-fix.fixed
+++ /dev/null
@@ -1 +0,0 @@
-Relax staging integration test to allow single-country database seeds
diff --git a/tests/test_staging_api.py b/tests/test_staging_api.py
index 36c196a9..9f135065 100644
--- a/tests/test_staging_api.py
+++ b/tests/test_staging_api.py
@@ -31,7 +31,7 @@ def test_list_models(api):
     r = api.get("/tax-benefit-models")
     assert r.status_code == 200
     models = r.json()
-    assert len(models) >= 1  # At least one country model seeded
+    assert len(models) >= 2  # UK and US
 
 
 def test_list_variables(api):

From ca6f191c62554284015cbc7ec602bbb95c079ee9 Mon Sep 17 00:00:00 2001
From: Anthony Volk <anth.volk@gmail.com>
Date: Tue, 17 Mar 2026 00:05:10 +0100
Subject: [PATCH 3/5] fix: Use SUPABASE_DB_URL instead of SUPABASE_POOLER_URL
 in db-reset workflow

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/db-reset.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/db-reset.yml b/.github/workflows/db-reset.yml
index 960d6e1e..4f62750d 100644
--- a/.github/workflows/db-reset.yml
+++ b/.github/workflows/db-reset.yml
@@ -41,7 +41,7 @@ jobs:
 
       - name: Test database connectivity
         env:
-          SUPABASE_DB_URL: ${{ secrets.SUPABASE_POOLER_URL }}
+          SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
         run: |
           echo "Testing database connectivity..."
           uv run python -c "
@@ -81,7 +81,7 @@ jobs:
 
       - name: Reset database (init)
         env:
-          SUPABASE_DB_URL: ${{ secrets.SUPABASE_POOLER_URL }}
+          SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
           SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
           SUPABASE_KEY: ${{ secrets.SUPABASE_KEY }}
           SUPABASE_SECRET_KEY: ${{ secrets.SUPABASE_SECRET_KEY }}
@@ -94,7 +94,7 @@ jobs:
       - name: Seed database (lite)
         if: ${{ github.event.inputs.mode == 'lite' }}
         env:
-          SUPABASE_DB_URL: ${{ secrets.SUPABASE_POOLER_URL }}
+          SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
           SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
           SUPABASE_KEY: ${{ secrets.SUPABASE_KEY }}
           SUPABASE_SECRET_KEY: ${{ secrets.SUPABASE_SECRET_KEY }}
@@ -109,7 +109,7 @@ jobs:
       - name: Seed database (full)
         if: ${{ github.event.inputs.mode == 'full' }}
         env:
-          SUPABASE_DB_URL: ${{ secrets.SUPABASE_POOLER_URL }}
+          SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
           SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
           SUPABASE_KEY: ${{ secrets.SUPABASE_KEY }}
           SUPABASE_SECRET_KEY: ${{ secrets.SUPABASE_SECRET_KEY }}

From ed41276afdf506fa567572c314039a197a423b70 Mon Sep 17 00:00:00 2001
From: Anthony Volk <anth.volk@gmail.com>
Date: Tue, 17 Mar 2026 00:13:14 +0100
Subject: [PATCH 4/5] feat: Support staging and production targets in db-reset
 workflow

Add target input (staging/production) so the workflow can reset
either database. Confirmation string changes per target
(reset-staging vs reset-prod). Validate job now tests connectivity
against both environments using a matrix. All secrets resolve from
the selected environment.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .github/workflows/db-reset.yml | 58 ++++++++++++++++++++++------------
 1 file changed, 38 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/db-reset.yml b/.github/workflows/db-reset.yml
index 4f62750d..2a49ba32 100644
--- a/.github/workflows/db-reset.yml
+++ b/.github/workflows/db-reset.yml
@@ -1,8 +1,15 @@
-name: Reset production database
+name: Reset database
 
 on:
   workflow_dispatch:
     inputs:
+      target:
+        description: "Target database"
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
       mode:
         description: "Seeding mode"
         required: true
@@ -12,7 +19,7 @@ on:
           - lite
           - full
       confirm:
-        description: "Type 'reset-prod' to confirm"
+        description: "Type 'reset-staging' or 'reset-prod' to confirm"
         required: true
         type: string
   pull_request:
@@ -20,11 +27,15 @@ on:
       - ".github/workflows/db-reset.yml"
 
 jobs:
-  # Validation job - runs on PR to test connectivity (no environment = no approval needed)
+  # Validation job - runs on PR to test connectivity against both environments
   validate:
-    name: Validate database connectivity
+    name: Validate ${{ matrix.environment }} database connectivity
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
+    environment: ${{ matrix.environment }}
+    strategy:
+      matrix:
+        environment: [staging, production]
 
     steps:
       - name: Checkout code
@@ -43,29 +54,35 @@ jobs:
         env:
           SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
         run: |
-          echo "Testing database connectivity..."
+          echo "Testing ${{ matrix.environment }} database connectivity..."
           uv run python -c "
           from policyengine_api.config.settings import settings
           from sqlmodel import create_engine, text
           engine = create_engine(settings.database_url, echo=False)
           with engine.connect() as conn:
               result = conn.execute(text('SELECT 1'))
-              print('✅ Database connection successful')
+              print('✅ ${{ matrix.environment }} database connection successful')
           "
 
   # Reset job - only runs on manual trigger with confirmation
   reset-db:
-    name: Reset and reseed database
+    name: Reset and reseed ${{ inputs.target }} database
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch'
-    environment: production
+    environment: ${{ inputs.target }}
 
     steps:
       - name: Verify confirmation
-        if: ${{ github.event.inputs.confirm != 'reset-prod' }}
         run: |
-          echo "❌ Confirmation failed. You must type 'reset-prod' to proceed."
-          exit 1
+          EXPECTED="reset-staging"
+          if [ "${{ inputs.target }}" = "production" ]; then
+            EXPECTED="reset-prod"
+          fi
+          if [ "${{ inputs.confirm }}" != "$EXPECTED" ]; then
+            echo "❌ Confirmation failed. You must type '$EXPECTED' to proceed."
+            exit 1
+          fi
+          echo "✅ Confirmation verified for ${{ inputs.target }}"
 
       - name: Checkout code
         uses: actions/checkout@v4
@@ -86,13 +103,13 @@ jobs:
           SUPABASE_KEY: ${{ secrets.SUPABASE_KEY }}
           SUPABASE_SECRET_KEY: ${{ secrets.SUPABASE_SECRET_KEY }}
           LOGFIRE_TOKEN: ${{ secrets.LOGFIRE_TOKEN }}
-          LOGFIRE_ENVIRONMENT: prod
+          LOGFIRE_ENVIRONMENT: ${{ inputs.target }}
         run: |
-          echo "Resetting database tables..."
+          echo "Resetting ${{ inputs.target }} database tables..."
           echo "yes" | uv run python scripts/init.py --reset
 
       - name: Seed database (lite)
-        if: ${{ github.event.inputs.mode == 'lite' }}
+        if: ${{ inputs.mode == 'lite' }}
         env:
           SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
           SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
@@ -100,14 +117,14 @@ jobs:
           SUPABASE_SECRET_KEY: ${{ secrets.SUPABASE_SECRET_KEY }}
           STORAGE_BUCKET: ${{ vars.STORAGE_BUCKET }}
           LOGFIRE_TOKEN: ${{ secrets.LOGFIRE_TOKEN }}
-          LOGFIRE_ENVIRONMENT: prod
+          LOGFIRE_ENVIRONMENT: ${{ inputs.target }}
           HUGGING_FACE_TOKEN: ${{ secrets.HUGGING_FACE_TOKEN }}
         run: |
-          echo "Seeding database (lite mode - fewer params, includes datasets)..."
+          echo "Seeding ${{ inputs.target }} database (lite mode)..."
           uv run python scripts/seed.py --lite
 
       - name: Seed database (full)
-        if: ${{ github.event.inputs.mode == 'full' }}
+        if: ${{ inputs.mode == 'full' }}
         env:
           SUPABASE_DB_URL: ${{ secrets.SUPABASE_DB_URL }}
           SUPABASE_URL: ${{ secrets.SUPABASE_URL }}
@@ -116,13 +133,14 @@ jobs:
           HUGGING_FACE_TOKEN: ${{ secrets.HUGGING_FACE_TOKEN }}
           STORAGE_BUCKET: ${{ vars.STORAGE_BUCKET }}
           LOGFIRE_TOKEN: ${{ secrets.LOGFIRE_TOKEN }}
-          LOGFIRE_ENVIRONMENT: prod
+          LOGFIRE_ENVIRONMENT: ${{ inputs.target }}
         run: |
-          echo "Seeding database (full mode - includes datasets)..."
+          echo "Seeding ${{ inputs.target }} database (full mode)..."
           uv run python scripts/seed.py
 
       - name: Summary
         run: |
           echo "✅ Database reset complete!"
-          echo "Mode: ${{ github.event.inputs.mode }}"
+          echo "Target: ${{ inputs.target }}"
+          echo "Mode: ${{ inputs.mode }}"
           echo "Triggered by: ${{ github.actor }}"

From 25145f05f6f9280c62c3675aba6f4e14ccdcc7ba Mon Sep 17 00:00:00 2001
From: Anthony Volk <anth.volk@gmail.com>
Date: Tue, 17 Mar 2026 00:16:42 +0100
Subject: [PATCH 5/5] chore: Add changelog entry for db-reset workflow changes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 changelog.d/137.changed | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/137.changed

diff --git a/changelog.d/137.changed b/changelog.d/137.changed
new file mode 100644
index 00000000..c381f469
--- /dev/null
+++ b/changelog.d/137.changed
@@ -0,0 +1 @@
+Support staging and production targets in db-reset workflow with environment-scoped secrets