RHINENG-26116: create workspace-aware advisories aggregate table

[rverdile]

adds a new table for account advisories by workspace, but does not wire-up the table to anything

Secure Coding Practices Checklist GitHub Link

• https://github.com/RedHatInsights/secure-coding-checklist

Secure Coding Checklist

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

Summary by Sourcery

Introduce a workspace-scoped advisory aggregation table and wire it into schema, migrations, and docs.

New Features:

• Add an account_advisory table to store per-workspace advisory aggregates and notification state keyed by account, workspace, and advisory.

Enhancements:

• Partition the account_advisory table by account ID with appropriate indexes and role grants for existing application roles.
• Update database documentation to describe the new account_advisory table and its purpose.

Build:

• Add a new schema migration (153) to create and manage the account_advisory table in deployed environments.

Tests:

• Extend development test data reset script to clear the new account_advisory table.

[sourcery-ai]

Reviewer's Guide

Adds a new workspace-aware, partitioned account advisory aggregate table (account_advisory), wires it into schema creation, migration, test-data cleanup, and documentation, without yet integrating it into application logic.

File-Level Changes

Change	Details	Files
Introduce workspace-scoped account advisory aggregate table with partitioning and indexes.	Create account_advisory table keyed by (rh_account_id, workspace_id, advisory_id) with aggregate columns and notified timestamp. Partition the table by HASH on rh_account_id with 32 partitions and specific storage/autovacuum settings. Add index on (rh_account_id, workspace_id) to support workspace-scoped lookups. Grant SELECT/INSERT/UPDATE/DELETE on all partitions to manager, evaluator, listener, and vmaas_sync roles.	database_admin/schema/create_schema.sql database_admin/migrations/153_account_advisory.up.sql
Update schema versioning and migration rollback for the new table.	Bump schema_migrations baseline from 152 to 153 in the schema creation script. Add a down migration that drops the account_advisory table if it exists.	database_admin/schema/create_schema.sql database_admin/migrations/153_account_advisory.down.sql
Align development tooling and documentation with the new workspace-aware advisory table.	Ensure dev/test_data cleanup script deletes from account_advisory to keep environments clean. Document the new account_advisory table as the workspace-scoped analogue of advisory_account_data, including its key structure and partitioning.	dev/test_data.sql docs/md/database.md

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• The UNIQUE (advisory_id, rh_account_id, workspace_id) constraint on account_advisory appears redundant with the primary key containing the same columns; if the different column order is intended to optimize specific query patterns, consider replacing the UNIQUE with an explicitly named index to make that intent clear.
• Given expected access patterns, double-check whether additional indexes (e.g. starting with advisory_id or including notified) are needed for common queries, since the current primary key and (rh_account_id, workspace_id) index may not cover lookups that are advisory-centric or notification-centric.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `UNIQUE (advisory_id, rh_account_id, workspace_id)` constraint on `account_advisory` appears redundant with the primary key containing the same columns; if the different column order is intended to optimize specific query patterns, consider replacing the UNIQUE with an explicitly named index to make that intent clear.
- Given expected access patterns, double-check whether additional indexes (e.g. starting with `advisory_id` or including `notified`) are needed for common queries, since the current primary key and `(rh_account_id, workspace_id)` index may not cover lookups that are advisory-centric or notification-centric.

## Individual Comments

### Comment 1
<location path="database_admin/schema/create_schema.sql" line_range="793-798" />
<code_context>
+    CONSTRAINT account_advisory_advisory_id
+        FOREIGN KEY (advisory_id)
+            REFERENCES advisory_metadata (id),
+    UNIQUE (advisory_id, rh_account_id, workspace_id),
+    PRIMARY KEY (rh_account_id, workspace_id, advisory_id)
+) PARTITION BY HASH (rh_account_id);
</code_context>
<issue_to_address>
**suggestion (performance):** The UNIQUE constraint duplicates the PRIMARY KEY and might be unnecessary.

The PRIMARY KEY on `(rh_account_id, workspace_id, advisory_id)` already enforces uniqueness for this column set, just in a different order. Unless you need this specific column order for query planning, you can remove the separate `UNIQUE (advisory_id, rh_account_id, workspace_id)` to avoid the overhead of an extra index.

```suggestion
    CONSTRAINT account_advisory_advisory_id
        FOREIGN KEY (advisory_id)
            REFERENCES advisory_metadata (id),
    PRIMARY KEY (rh_account_id, workspace_id, advisory_id)
) PARTITION BY HASH (rh_account_id);
```
</issue_to_address>

### Comment 2
<location path="database_admin/schema/create_schema.sql" line_range="809" />
<code_context>
+SELECT grant_table_partitions('SELECT, INSERT, UPDATE, DELETE', 'account_advisory', 'listener');
+SELECT grant_table_partitions('SELECT, INSERT, UPDATE, DELETE', 'account_advisory', 'vmaas_sync');
+
+CREATE INDEX ON account_advisory (rh_account_id, workspace_id);
</code_context>
<issue_to_address>
**suggestion (performance):** The separate index on (rh_account_id, workspace_id) may overlap with the primary key index.

The primary key on `(rh_account_id, workspace_id, advisory_id)` already provides a btree index that can serve most queries filtering on `(rh_account_id, workspace_id)`. Unless you have specific evidence that dropping `advisory_id` from the index is needed (e.g., for size or a particular query pattern), this extra index is likely redundant and could be removed to reduce write overhead and maintenance cost.
</issue_to_address>

### Comment 3
<location path="database_admin/migrations/153_account_advisory.up.sql" line_range="25" />
<code_context>
+SELECT grant_table_partitions('SELECT, INSERT, UPDATE, DELETE', 'account_advisory', 'listener');
+SELECT grant_table_partitions('SELECT, INSERT, UPDATE, DELETE', 'account_advisory', 'vmaas_sync');
+
+CREATE INDEX ON account_advisory (rh_account_id, workspace_id);
</code_context>
<issue_to_address>
**suggestion (performance):** Consider whether the (rh_account_id, workspace_id) index is needed in addition to the PK index.

Since the PK already starts with `(rh_account_id, workspace_id)`, this additional index likely duplicates it while adding insert/update overhead. Please confirm via query plans that it’s actually used; if not, consider removing it and relying on the PK index.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[MichaelMraka]

PK is, by definition, unique. So another unique index on the same columns is not necessary.
I'd also change order of columns in PK to (rh_account_id, advisory_id, workspace_id) because it can be also used to search 'prefixes'. And we will likely have some queries for rh_account_id + advisory_id and not for rh_account_id + workspace_id.
Actually PK is correct. Now with Kessel we always filter by rh_account_id and workspace_id so it make sense to have them first.

[MichaelMraka]

I don't know if this index is useful / necessary. Will we ever query something like "all advisories in given org and workspace"?
This is unnecessary because it's a prefix of already existing PK.

[MichaelMraka]

workspace_id should be UUID. (takes less space)

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.06%. Comparing base (836502e) to head (8273ed8).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2184   +/-   ##
=======================================
  Coverage   59.06%   59.06%           
=======================================
  Files         136      136           
  Lines        8761     8761           
=======================================
  Hits         5175     5175           
  Misses       3040     3040           
  Partials      546      546           

Flag	Coverage Δ
unittests	59.06% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[rverdile]

thanks @MichaelMraka, updated!