fix: clean up leaked cluster-level roles in TestIgnorePrivileges (#346)

tianzhou · claude · web-flow · commit 8618f59bbd2a · 2026-03-08T05:38:32.000-07:00
* feat: add support for trigger UPDATE OF columns (#342) Triggers with column-specific UPDATE events (e.g., UPDATE OF email) were losing the column specification during inspection, causing incorrect migration plans that would fire triggers on all updates instead of only on specified column changes. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: guard UPDATE OF column extraction with tgtype bitmask check Only extract UPDATE OF columns when the trigger actually has an UPDATE event, preventing false positives if the substring appears elsewhere. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: clean up leaked cluster-level roles in TestIgnorePrivileges TestIgnorePrivileges creates cluster-level PostgreSQL roles (app_reader, deploy_bot, admin_role) and ALTER DEFAULT PRIVILEGES rules in the shared embedded PG instance. Since Go runs tests alphabetically, these persist and contaminate TestPlanAndApply, causing unexpected GRANT statements in plan output for all table/view/index tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/cmd/ignore_integration_test.go b/cmd/ignore_integration_test.go
@@ -1130,6 +1130,40 @@ ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO deploy_bot;
 			t.Error("Plan should not include changes for admin_role (ignored)")
 		}
 	})
+
+	// Clean up cluster-level objects (roles, default privileges) from sharedEmbeddedPG.
+	// The plan subtest applies SQL with CREATE ROLE and ALTER DEFAULT PRIVILEGES to the
+	// shared embedded PG instance. These are cluster-level objects that persist after the
+	// temp schema is dropped, contaminating subsequent tests (e.g., TestPlanAndApply).
+	cleanupSharedEmbeddedPG(t)
+}
+
+// cleanupSharedEmbeddedPG removes cluster-level objects (roles, default privileges)
+// that were created in sharedEmbeddedPG by privilege tests.
+func cleanupSharedEmbeddedPG(t *testing.T) {
+	t.Helper()
+
+	sharedConn, _, _, _, _, _ := testutil.ConnectToPostgres(t, sharedEmbeddedPG)
+	defer sharedConn.Close()
+
+	// Must clean up in order: revoke default privileges, revoke object privileges, then drop roles.
+	// Each statement runs independently since some roles may not exist.
+	cleanupStatements := []string{
+		"ALTER DEFAULT PRIVILEGES REVOKE ALL ON TABLES FROM app_reader",
+		"ALTER DEFAULT PRIVILEGES REVOKE ALL ON TABLES FROM deploy_bot",
+		"REASSIGN OWNED BY app_reader TO testuser",
+		"DROP OWNED BY app_reader",
+		"REASSIGN OWNED BY deploy_bot TO testuser",
+		"DROP OWNED BY deploy_bot",
+		"REASSIGN OWNED BY admin_role TO testuser",
+		"DROP OWNED BY admin_role",
+		"DROP ROLE IF EXISTS app_reader",
+		"DROP ROLE IF EXISTS deploy_bot",
+		"DROP ROLE IF EXISTS admin_role",
+	}
+	for _, stmt := range cleanupStatements {
+		sharedConn.Exec(stmt) // Ignore errors; some roles may not exist
+	}
 }
 
 // verifyPlanOutput checks that plan output excludes ignored objects
