CI/CD pattern

In CI: set DF_CONTROL_URL and DF_PASSWORD as secrets, run `delta-forge-cli --profile ci run <FILE>`. Exit 0 = success; non-zero = fail the job.

Syntax

delta-forge-cli --profile ci run <FILE>

Description

## Overview The CI/CD pattern runs DeltaForge as a non-interactive step in a build or deploy pipeline. Connection details arrive through `DF_CONTROL_URL` and credentials through `DF_USERNAME` / `DF_PASSWORD`, both sourced from the CI system's secret store. The CLI exits 0 on success and non-zero on failure; the CI runner uses that exit status to gate subsequent stages. ## Recipe GitHub Actions, executing a SHA-pinned migration file on merge to main: ```yaml name: deploy-migrations on: push: branches: [main] jobs: migrate: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Install DeltaForge CLI run: curl -fsSL https://install.delta-forge-cli.example/install.sh | bash - name: Apply migrations env: DF_CONTROL_URL: ${{ secrets.DF_CONTROL_URL }} DF_USERNAME: ${{ secrets.DF_USERNAME }} DF_PASSWORD: ${{ secrets.DF_PASSWORD }} run: | delta-forge-cli --profile ci run migrations/${GITHUB_SHA}.sql ``` Exit 0 promotes the workflow to the next job; exit 1 (SQL or auth error) or exit 2 (client init error) fails the step and the pipeline. ## Behavior - `DF_CONTROL_URL` overrides the profile's URL; `DF_USERNAME` and `DF_PASSWORD` likewise override profile credentials. This keeps the profile file free of secrets while letting the CI runner inject them per-environment. - Progress is streamed to stderr. GitHub Actions, GitLab CI, and Jenkins each capture and display stderr alongside stdout, so progress lines appear in the build log. - The CLI auto-detects that stdin is not a TTY in CI and suppresses interactive features. - Global flags such as `--format json` work the same way as in local invocations.

Examples

# GitHub Actions step:
- name: Apply migrations
  env:
    DF_CONTROL_URL: ${{ secrets.DF_CONTROL_URL }}
    DF_USERNAME: ${{ secrets.DF_USERNAME }}
    DF_PASSWORD: ${{ secrets.DF_PASSWORD }}
  run: delta-forge-cli --profile ci run migrations/$GITHUB_SHA.sql

# GitLab CI job:
apply_migrations:
  stage: deploy
  variables:
    DF_CONTROL_URL: $DF_CONTROL_URL
    DF_PASSWORD: $DF_PASSWORD
  script:
    - delta-forge-cli --profile ci run migrations/$CI_COMMIT_SHA.sql

# Jenkins pipeline step:
withEnv(["DF_CONTROL_URL=${env.DF_CONTROL_URL}", "DF_PASSWORD=${env.DF_PASSWORD}"]) {
  sh 'delta-forge-cli --profile ci run migrations/${GIT_COMMIT}.sql'
}

Pitfalls

• Do not enable `set -x` or any shell tracing around `delta-forge-cli auth` or profile commands that print tokens; tokens end up in the build log where anyone with read access to the job can see them.
• The `--force` / `-y` flag is declared but in the current codebase it only gates the `--classic` REPL's interactive confirmation prompt. In non-interactive `run` invocations there is nothing for it to bypass, so including `--force` in a CI recipe is cosmetic and can be omitted.
• `run` executes statements sequentially without an outer transaction. A failure mid-script leaves earlier statements committed; design migrations to be idempotent or wrap them in explicit `BEGIN`/`COMMIT` blocks.
• Store `DF_PASSWORD` as a masked CI secret. If it appears in a profile file checked into the repository, every CI job and every developer has it.

See Also

• CLI_AUTOMATION_HEADLESS
• CLI_FLAG_FORCE
• CLI_EXIT_CODES