GitHub Integration
Automate migration analysis in pull requests with the CAPYSQUASH GitHub App—complete setup, configuration, and workflow guide
GitHub Integration
Automate migration analysis in pull requests with set-and-forget automation that catches migration issues before they reach production
Fully Operational
The CAPYSQUASH GitHub App now supports full webhook automation! When you install the app and open a pull request with migration files, CAPYSQUASH will automatically analyze them and post results as a PR comment.
Why GitHub Integration?
The GitHub App provides true automation for your migration workflow:
Automation
Auto-analyze on PR open/update with pass/fail checks and configurable thresholds
Visibility
Team sees migration impact, catches issues before merge with best practice suggestions
Fast Feedback
Results in 15-30 seconds with detailed warnings and actionable recommendations
Quick Navigation
Quick Setup
Connect in 2 minutes
PR Workflows
Automated optimization
Security & Permissions
What we access and why
Installation
GitHub integration is not available on the Free plan. Upgrade to Creator, Professional, Agency, or Enterprise.
Go to Organization Settings
Navigate to your CAPYSQUASH organization:
Dashboard → [Your Organization] → Settings → Integrations → GitHubInstall GitHub App
Click "Install GitHub App" and authorize:
- Choose organization or personal account
- Select repositories (all or specific ones)
- Grant required permissions
- Complete installation
Configure Projects
Link CAPYSQUASH projects to GitHub repositories:
- Return to CAPYSQUASH dashboard
- Go to each project's settings
- Link to GitHub repository
- Configure migration paths and analysis rules
Verify Installation
Create a test PR to confirm:
git checkout -b test-capysquash
echo "CREATE TABLE test (id INT);" > migrations/test.sql
git add migrations/test.sql
git commit -m "test: CAPYSQUASH integration"
git push origin test-capysquashCAPYSQUASH should post a comment within 30 seconds.
Installation Options
Pros:
- Automatic for new repositories
- One-time setup
- Consistent across organization
Cons:
- Broader access
- May analyze non-relevant repos
Best for: Organizations with consistent migration practices
Pros:
- More control
- Limited access scope
- Only relevant repos
Cons:
- Manual selection for new repos
- Must update as you add repos
Best for: Organizations with mixed tech stacks
How It Works
Automatic Analysis Flow
Timing: Typically completes in 15-30 seconds.
What Triggers Analysis
☑ Automatic Triggers
- ► PR opened
- ► PR updated (new commits)
- ► PR reopened
- ► PR synchronized
⏭️ Skipped When
- ► No migration files changed
- ► PR marked as draft (optional)
- ► PR from bot (optional)
- ► Specific labels present
Repository Configuration
Migration Path Configuration
Tell CAPYSQUASH where to find your migration files:
supabase/migrations/prisma/migrations/drizzle/migrations/
db/migrate/
sql/For multiple paths, use comma-separated:
migrations/, database/migrations/, sql/File Pattern
Specify which files are migrations:
| Pattern | Example Files |
|---|---|
*.sql (default) | 001_init.sql, 002_users.sql |
*.up.sql | 001_init.up.sql |
*_migration.sql | 20240101_migration.sql |
Branch Configuration
Analyze PRs targeting any branch (default).
Best for: Most projects
Only analyze PRs to specific branches:
branches:
- main
- develop
- productionBest for: Projects with strict branch workflow
Use glob patterns:
branches:
- main
- release/*
- hotfix/*Best for: Gitflow or release branch strategies
Analysis Rules
Configure when and how analysis runs:
Trigger Events
- ☑ PR opened
- ☑ PR updated (new commits)
- ☑ PR reopened
- ☑ Manual comment trigger
Skip Labels
Prevent analysis with labels:
- ► skip-analysis
- ► wip
- ► do-not-merge
Status Check Configuration
Control how CAPYSQUASH reports pass/fail:
Always pass, show results only.
Best for: Teams starting with CAPYSQUASH
Pass with warnings, highlight issues.
Best for: Balanced approach
Fail on issues, block merge.
Failure Conditions:
fail_conditions:
data_loss_risk: true
warning_threshold: 3
consolidation_threshold: 70
deployment_time_minutes: 10Best for: Strict migration quality
Monorepo Configuration
For repositories with multiple projects:
Link different projects to different paths:
Project: API
Repository: monorepo
Path: services/api/migrations/
Project: Dashboard
Repository: monorepo
Path: services/dashboard/migrations/CAPYSQUASH detects which project based on changed files.
Create .capysquash.yml in repository root:
version: 1
projects:
- name: "API"
path: "services/api/migrations"
label: "api"
safety: conservative
- name: "Dashboard"
path: "services/dashboard/migrations"
label: "dashboard"
safety: standardBenefits:
- Version controlled configuration
- Label-based project routing
- Per-project safety levels
PR Workflow
PR Comment Example
When analysis completes, CAPYSQUASH posts a detailed comment:
## 🦫 CAPYSQUASH Analysis
☑ Migrations analyzed successfully!
### 📊 Results
- **New migrations:** 3 files
- **Total migrations:** 156 files
- **Consolidation opportunity:** Can squash to 12 files (92% reduction)
- **Warnings:** 2 minor issues
- **Estimated deployment time:** +15 seconds
### ⚠️ Warnings
1. **Migration 20240115_add_column.sql**
- Adding non-nullable column without default
- Risk: May fail if table has existing rows
- Suggestion: Add DEFAULT value or make nullable
2. **Migration 20240116_drop_table.sql**
- Dropping table `old_data`
- Risk: Permanent data loss
- Suggestion: Backup data first or use soft delete
### 💡 Recommendations
- ☑ Migrations follow naming convention
- ☑ No syntax errors detected
- ⚠️ Consider consolidating after merge (92% reduction available)
- ⚠️ Review data loss warnings before merging
### 📈 Impact
**Current:** 156 migrations, ~2.5min deployment
**After consolidation:** 12 migrations, ~10sec deployment (15x faster!)
[View full analysis →](https://capysquash.dev/runs/abc123)
---
*CAPYSQUASH Professional · [Configure](https://capysquash.dev/settings/github)*Status Check States
| State | Icon | Meaning |
|---|---|---|
| Success | ☑ | No issues or informational mode |
| Failure | ☒ | Issues detected (blocking mode only) |
| Pending | 🟡 | Analysis in progress |
| Error | ⚠️ | Analysis failed (technical error) |
Manual Triggers
Trigger analysis manually via PR comment:
@capysquash analyzeRuns analysis with default settings.
# Override safety level
@capysquash analyze --safety=conservative
# Force reanalysis
@capysquash analyze --force
# Verbose output
@capysquash analyze --verbose# Analyze specific migrations
@capysquash analyze migrations/002_*.sql
# Multiple patterns
@capysquash analyze migrations/002_*.sql migrations/003_*.sqlManual Triggers - Verification Needed
Manual trigger commands are documented but need platform team verification. Check with support if you need manual trigger functionality. Current alternative: Trigger analysis from the CAPYSQUASH dashboard.
Fork PR Workflow
Pull requests from forked repositories require manual approval:
Contributor Opens Fork PR
External contributor submits PR from their fork.
Maintainer Reviews PR
Check if PR is safe and contains migrations.
Maintainer Triggers Analysis
Comment: @capysquash analyze
CAPYSQUASH Analyzes
Runs with maintainer's approval and posts results.
Why manual approval? GitHub limits app permissions on forked PRs for security.
Handling Warnings
When CAPYSQUASH detects warnings:
Permissions & Security
Required Permissions
The GitHub App requires minimal permissions to function:
📝 Pull Requests - Read & Write
Why we need it:
- ► Read PR details and changed files
- ► Post analysis results as comments
- ► Read manual trigger commands
What we DON'T do:
- ► Never merge or close PRs
- ► Never modify PR descriptions
- ► Never request reviews
📁 Contents - Read Only
Why we need it:
- ► Read migration files from configured paths
- ► Detect changed files in PRs
What we DON'T do:
- ► Never write or modify files
- ► Never create commits
- ► Never read outside migration paths
☑ Checks - Read & Write
Why we need it:
- ► Create status checks on PRs
- ► Update check status (pass/fail)
- ► Add check details and links
ℹ️ Metadata - Read Only
Standard GitHub permission:
- ► Repository name and description
- ► Repository visibility
- ► Default branch information
What We Access
☑ We DO Access
- ► Migration files only
- ► Files in configured migration paths
- ► Only when PR changes them
- ► PR metadata (number, title, author)
- ► Repository info (name, owner)
☒ We DON'T Access
- ► Your application code
- ► Configuration files
- ► Secrets/environment variables
- ► Database credentials
- ► Files outside migration paths
- ► Other repositories
Data Handling
What We Store:
- Analysis results (warnings, recommendations)
- Migration file metadata (name, size, timestamp)
- PR metadata (number, title, link)
- Repository name and link
We do NOT store:
- Full migration file contents (discarded after analysis)
- Your database schema (only temporary during analysis)
- Any data from your database
- Code from other parts of repository
Data Retention
| Data Type | Retention |
|---|---|
| Analysis results | Forever (or until you delete project) |
| File metadata | Forever |
| Temporary analysis data | Deleted immediately after analysis |
| Webhook payloads | Not stored |
| Migration file contents | Not stored |
Security Measures
🔒 Encryption
- ► TLS 1.3 in transit
- ► AES-256 at rest
- ► Encrypted backups
🛡️ Isolation
- ► Separate analysis environments
- ► Network isolation
- ► No cross-tenant access
🔐 Access Control
- ► Role-based permissions
- ► Audit logging
- ► 2FA for team members
📋 Compliance
- ► SOC 2 Type II (in progress)
- ► GDPR compliant
- ► Regular security audits
Security First
The app only reads migration files from configured paths. It never writes to your repository, accesses databases, or reads sensitive data.
Analysis Environment
Each analysis runs in an isolated environment:
Secure Container
├── Temporary file system (ephemeral)
├── No network access (except CAPYSQUASH API)
├── Read-only migration files
├── No persistent storage
└── Destroyed after analysisTroubleshooting
Best Practices
For Developers
- Run locally first - Use capysquash-cli before opening PR
- Address warnings early - Fix issues before review
- Clear commit messages - Help reviewers understand changes
- Regular consolidation - Keep migrations manageable
For Reviewers
- Check CAPYSQUASH comment - Review before manual review
- Understand warnings - Not all warnings are blockers
- Verify fixes - If author fixed warnings, confirm
- Consider context - Team's risk tolerance varies
For Teams
- Set clear policies - When to block vs warn
- Document overrides - When and why to bypass checks
- Regular consolidation - Schedule periodic cleanup
- Monitor trends - Track migration quality over time
Branch Protection
Require CAPYSQUASH check before merging:
Go to GitHub repo Settings → Branches
Add rule for your branch (e.g., main)
Enable "Require status checks to pass before merging"
Search for and select "CAPYSQUASH Analysis"
Save branch protection rule
Usage & Pricing
PR analyses count toward your monthly limit:
| Plan | Monthly Analyses |
|---|---|
| Free | Not available |
| Creator | 50 analyses/month |
| Professional | Unlimited |
| Agency | Unlimited |
| Enterprise | Unlimited |
GitHub integration is only available on paid plans (Creator and above).
Uninstalling
To remove the GitHub App:
From CAPYSQUASH:
- Dashboard → Organization → Settings → Integrations → GitHub
- Click "Disconnect"
- Confirm removal
From GitHub:
- GitHub Settings → Applications → Installed GitHub Apps
- Find CAPYSQUASH
- Click "Uninstall"
Historical analysis data is preserved even after uninstalling.
Related Resources
Projects
Create and manage projects
Organizations
Team management and settings
API Reference
Integrate programmatically
Troubleshooting
Solve common issues
Support
Need help with GitHub integration?
- 📧 Email: support@capysquash.dev
- 💬 Discord: Join community
- 🎫 Support: Open ticket in dashboard
- 🔐 Security: security@capysquash.dev
How is this guide?