Add automated database schema diagram generation

[Copilot]

Schema Diagram GitHub Actions Workflow

• Create .github/workflows/schema-diagram.yml workflow file
• Create helper script .github/scripts/create-sample-db.sh to generate database
• Update ARCHITECTURE.md documentation
• Address PR feedback:
  • Remove auto-commit step to avoid cascading CI executions (rely only on artifacts)
  • Reuse existing install-backend-deps.sh script instead of duplicating logic
  • Use python instead of python3 for consistency with setup-python
  • Change permissions to contents: read (no longer need write)
  • Update documentation to reference artifacts only
• Fix pipeline linking errors:
  • Changed from commit SHA to version tag (@v17.6.0) for SchemaCrawler-Action
  • Docker-based actions work better with version tags

Implementation Complete

The schema diagram workflow is ready to run on GitHub. It will:

• Automatically generate a PNG diagram when database models change
• Upload the diagram as a workflow artifact (90-day retention)
• Can be triggered manually via workflow_dispatch
• No longer commits diagram to repository (avoids cascading CI executions)
• Uses stable version tag for reliable Docker action execution

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Create schema diagram</issue_title>
<issue_description>Use a GitHub action workflow to make a schema diagram. Example tool: https://github.com/schemacrawler/SchemaCrawler-Action</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Create schema diagram #183

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-python	a309ff8b426b58ec0e2a45f0f869d46889d02405	🟢 5	Details Check Score Reason Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/actions/upload-artifact	c0d66db0b43eb92e5f6e4fc5f8f67c6d8c1e2d10	🟢 6.2	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 27 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits
actions/schemacrawler/SchemaCrawler-Action	9a56a3998eca72506a483f3a0de36901c93321bf	🟢 5.2	Details Check Score Reason Code-Review ⚠️ 0 Found 0/20 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• .github/workflows/schema-diagram.yml

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.82%. Comparing base (e9daa58) to head (cd62a6e).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #187   +/-   ##
=======================================
  Coverage   71.82%   71.82%           
=======================================
  Files          11       11           
  Lines         802      802           
  Branches      124      124           
=======================================
  Hits          576      576           
  Misses        163      163           
  Partials       63       63           

Flag	Coverage Δ
backend	71.82% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds an automated GitHub Actions workflow to generate and publish a database schema diagram for the backend’s SQLAlchemy/SQLite models, improving visibility into the data model over time.

Changes:

• Introduces a new workflow to generate a PNG schema diagram via SchemaCrawler and upload it as an artifact (and currently also commit it to the repo).
• Adds a helper script to generate a temporary SQLite DB from SQLAlchemy models for SchemaCrawler input.
• Updates architecture documentation to reference the automated diagram.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
ARCHITECTURE.md	Documents where the auto-generated schema diagram can be found.
.github/workflows/schema-diagram.yml	New workflow to build a sample DB, generate the diagram, upload artifact, and commit the PNG.
.github/scripts/create-sample-db.sh	New script that installs backend deps and creates a SQLite DB from SQLAlchemy metadata.

[Copilot]

This workflow adds an inline multi-line run: | block for the git commit/push step. Repo guidance says multi-line workflow scripts must be extracted into an executable under .github/scripts/ (see .github/copilot-instructions.md:158-164). Move this logic into a dedicated script (e.g., .github/scripts/commit-schema-diagram.sh) and call it with a single-line run:.

[Copilot]

The workflow pushes an extra commit back to main, which will trigger all other push-based workflows again (e.g., .github/workflows/docker-test.yml runs on every push to main). The [skip ci] marker in the commit message is not used anywhere else in this repo’s workflows, so it won’t prevent those runs. Consider removing the auto-commit (rely on the artifact), or changing the approach (e.g., open a PR / commit to a separate branch) to avoid cascading CI executions on every model change.

[Copilot]

Removed the auto-commit step. The workflow now only uploads the diagram as an artifact (90-day retention) to avoid triggering cascading CI executions. Changed permissions to contents: read and updated documentation accordingly. (commit cd62a6e)

[Copilot]

This script creates/activates a backend/venv and installs dependencies on every run. In CI this adds time and duplicates the existing .github/scripts/install-backend-deps.sh pattern used elsewhere. Consider reusing the existing dependency-install script (and/or avoid creating a venv inside the repo) to keep workflows consistent and faster.

Suggested change

	# Change to backend directory
	cd "$BACKEND_DIR"
	# Activate virtual environment if it exists, otherwise create it
	if [ ! -d "venv" ]; then
	echo "Creating virtual environment..."
	python3 -m venv venv
	fi
	source venv/bin/activate
	# Install dependencies
	echo "Installing dependencies..."
	pip install -q -r requirements.txt
	INSTALL_SCRIPT="$PROJECT_ROOT/.github/scripts/install-backend-deps.sh"
	# Install backend dependencies using the shared script when available
	if [ -x "$INSTALL_SCRIPT" ]; then
	echo "Using shared backend dependency install script..."
	(cd "$PROJECT_ROOT" && "$INSTALL_SCRIPT")
	# Activate virtual environment if it was created by the install script
	cd "$BACKEND_DIR"
	if [ -d "venv" ]; then
	# shellcheck disable=SC1091
	source venv/bin/activate
	fi
	else
	echo "Shared install script not found; falling back to local venv setup..."
	cd "$BACKEND_DIR"
	# Activate virtual environment if it exists, otherwise create it
	if [ ! -d "venv" ]; then
	echo "Creating virtual environment..."
	python3 -m venv venv
	fi
	# shellcheck disable=SC1091
	source venv/bin/activate
	# Install dependencies (only when using the local fallback)
	echo "Installing dependencies..."
	pip install -q -r requirements.txt
	fi

[Copilot]

Updated to reuse the existing .github/scripts/install-backend-deps.sh script instead of duplicating the dependency installation logic. The script now calls the shared install script which is consistent with other workflows. (commit cd62a6e)

[Copilot]

The script hardcodes python3 and pip, which can bypass the interpreter configured by actions/setup-python (the repo’s other CI scripts use python -m pip ...). Use the runner-selected python (and python -m pip) for consistency and to avoid inadvertently mixing Python versions/environments.

Suggested change

	python3 -m venv venv
	fi
	source venv/bin/activate
	# Install dependencies
	echo "Installing dependencies..."
	pip install -q -r requirements.txt
	python -m venv venv
	fi
	source venv/bin/activate
	# Install dependencies
	echo "Installing dependencies..."
	python -m pip install -q -r requirements.txt

[Copilot]

Changed to use python instead of python3 for consistency with the interpreter configured by actions/setup-python. (commit cd62a6e)

[DevSecNinja]

@copilot Fix the feedback please

[Copilot]

@copilot Fix the feedback please

All feedback addressed in commit cd62a6e:

• Removed auto-commit to avoid cascading CI executions
• Reusing existing install-backend-deps.sh script
• Using python instead of python3 for consistency
• Changed permissions to contents: read
• Updated documentation to reference artifacts only

[DevSecNinja]

@copilot Also fix the failing pipeline runs. See linking errors.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

[Copilot]

The yamllint suppression comment is on its own line, but disable-line only applies to the line it’s on. In this repo other workflows use on: # yamllint disable-line rule:truthy, so this file may fail YAML linting. Move the comment onto the on: line (or use an appropriate disable-next-line directive) to match the existing pattern.

[Copilot]

This script writes to a predictable path /tmp/create_db.py. Using a fixed temp filename can fail if the file already exists and is generally unsafe; prefer mktemp (and a trap cleanup) to create a unique temp file and ensure it’s removed even on errors.

[Copilot]

If backend/sample_schema.db already exists, Base.metadata.create_all() won’t remove/modify existing tables/columns, which can produce a stale schema diagram on reruns. Remove any existing DB file before creating it (or explicitly create it at a fresh path) so the diagram always reflects the current models.

Suggested change

	from app.models.database import Base
	from sqlalchemy import create_engine
	# Create engine and database
	engine = create_engine('sqlite:///sample_schema.db')
	Base.metadata.create_all(engine)
	print("Sample database created successfully at backend/sample_schema.db")
	from pathlib import Path
	from sqlalchemy import create_engine
	from app.models.database import Base
	# Determine database path in current working directory (backend/)
	db_path = Path("sample_schema.db")
	# Remove existing database file to avoid stale schemas
	if db_path.exists():
	db_path.unlink()
	# Create engine and database
	engine = create_engine(f"sqlite:///{db_path}")
	Base.metadata.create_all(engine)
	print(f"Sample database created successfully at {db_path.resolve()}")

[Copilot]

@copilot Also fix the failing pipeline runs. See linking errors.

Fixed the pipeline linking error. Changed SchemaCrawler-Action reference from commit SHA to version tag (@v17.6.0). Docker-based actions require version tags rather than commit SHAs for proper resolution. (commit cb03740)