fix(ssl): add envvar for optional ssl cert (#1179)

waleedlatif1 · web-flow · commit ca015deea958 · 2025-08-28T23:00:43.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -74,4 +74,5 @@ jobs:
         working-directory: ./apps/sim
         env:
           DATABASE_URL: ${{ github.ref == 'refs/heads/main' && secrets.DATABASE_URL || secrets.STAGING_DATABASE_URL }}
+          DATABASE_SSL_CERT: ${{ github.ref == 'refs/heads/main' && secrets.DATABASE_SSL_CERT || '' }}
         run: bunx drizzle-kit migrate
diff --git a/apps/sim/drizzle.config.ts b/apps/sim/drizzle.config.ts
@@ -7,5 +7,11 @@ export default {
   dialect: 'postgresql',
   dbCredentials: {
     url: env.DATABASE_URL,
+    ssl: env.DATABASE_SSL_CERT
+      ? {
+          rejectUnauthorized: true,
+          ca: env.DATABASE_SSL_CERT,
+        }
+      : undefined,
   },
 } satisfies Config
diff --git a/apps/sim/lib/env.ts b/apps/sim/lib/env.ts
@@ -16,7 +16,8 @@ export const env = createEnv({
 
   server: {
     // Core Database & Authentication
-    DATABASE_URL:                          z.string().url(),                       // Primary database connection string
+    DATABASE_URL:                          z.string().url(),                       // Primary database connection string (without SSL cert)
+    DATABASE_SSL_CERT:                     z.string().optional(),                  // SSL certificate content for database connection
     BETTER_AUTH_URL:                       z.string().url(),                       // Base URL for Better Auth service
     BETTER_AUTH_SECRET:                    z.string().min(32),                     // Secret key for Better Auth JWT signing
     DISABLE_REGISTRATION:                  z.boolean().optional(),                 // Flag to disable new user registration
