run rollback

expected state from source control
observed state in target database
recorded state in history/changelog table
running application compatibility
business data correctness

1. Stop automatic retries unless failure is known transient.
2. Identify target database, schema, tenant, region.
3. Capture exact migration artifact version.
4. Capture tool command and arguments.
5. Capture error output and timestamps.
6. Check whether application traffic is impacted.
7. Check active locks, sessions, blocking transactions.
8. Snapshot history/changelog table rows.
9. Determine whether any DDL/DML actually applied.
10. Decide: wait, cancel, continue, roll-forward, or isolate.

- Do not edit an already applied migration file.
- Do not delete history/changelog rows manually.
- Do not run repair before understanding actual database state.
- Do not run Liquibase clear-checksums as a generic fix.
- Do not release Liquibase lock if a migration process is still alive.
- Do not retry a non-idempotent data migration blindly.
- Do not deploy new app version if schema compatibility is unknown.

- developer edited applied SQL file
- file line endings changed
- placeholder value or script content changed unexpectedly
- migration was rebuilt/generated differently
- wrong artifact/version deployed
- environment has different migration file set

If production already applied V012, do not rewrite V012.
Create V013 that corrects the state.

- connection refused
- wrong password
- permission denied before statement execution
- syntax parse error before transaction begins

-- Examples; adapt to vendor.
SELECT * FROM flyway_schema_history ORDER BY installed_rank DESC;

-- inspect whether object exists
-- inspect whether column exists
-- inspect whether index exists
-- inspect whether data rows changed
-- inspect invalid objects / constraints

- file deleted after being applied
- branch artifact missing old migration
- repository restructuring changed locations
- wrong artifact deployed to environment

Prod has V100, V101, V102.
A hotfix branch creates V101_1 or V099 accidentally.
Flyway sees lower version after higher version.

Do not rely on outOfOrder as normal workflow.
Use timestamp versions or reserve hotfix version ranges.
If outOfOrder is used, record release justification and compatibility proof.

1. Identify changeset id, author, filepath.
2. Compare current changelog artifact with deployed artifact.
3. Determine whether modification was accidental, formatting-only, or semantic.
4. If accidental: restore original changeset.
5. If semantic: revert change and create a new changeset.
6. Use validCheckSum or clear-checksums only under explicit policy.

clear-checksums can reset checksum tracking.
It should not be a generic way to silence validation errors.

Waiting for changelog lock...
Could not acquire change log lock...

1. Confirm whether another Liquibase process is still running.
2. Check CI job status, pod/job status, DB sessions.
3. If active process exists, do not release lock.
4. If process died, capture lock row evidence.
5. Run release-locks through approved operator path.
6. Rerun status/validate before update.

onFail=MARK_RAN to bypass object existence errors everywhere.

- automatic rollback is unsupported for the change type
- custom rollback SQL is wrong
- data changed since migration
- dependent objects now exist
- app wrote data using new schema
- rollback violates constraints

Rollback is a migration too.
It needs testing, evidence, and compatibility analysis.

bad schema state -> corrective migration -> compatibility restored

bad schema state -> destructive rollback -> unknown data loss

- migration hangs
- statement timeout
- lock wait timeout
- app latency spike
- deadlock detected
- replication lag increases
- connection pool saturation

What statement is waiting?
What object is locked?
Who holds the blocking lock?
Is blocker an app transaction, batch job, reporting query, or another migration?
Can we wait safely?
What is the timeout policy?
If we cancel, does DB roll back fully?

- deterministic selection criteria
- batch/chunk size
- checkpoint or resumability strategy
- idempotent update logic
- verification query
- stop/resume command
- rollback or compensating strategy

Migration target:
  populate orders.customer_region from customers.region

Failure:
  job updated 8M of 20M rows, then timed out

Bad retry:
  run full update again without WHERE target IS NULL

Better retry:
  update only rows where customer_region IS NULL
  checkpoint by order id range
  verify count of remaining NULL
  track progress in backfill_control table

CREATE TABLE migration_backfill_checkpoint (
  migration_key VARCHAR(200) PRIMARY KEY,
  last_processed_id BIGINT NOT NULL,
  processed_count BIGINT NOT NULL,
  updated_at TIMESTAMP NOT NULL
);

Revert
  Bring DB back to source-controlled intent.

Adopt
  Create a new migration representing the real DB change.

Waive
  Record accepted difference with expiry/owner.

Investigate
  Treat as incident if unauthorized or unexplained.

1. Hotfix migration must still be committed to source control.
2. Artifact must still be built by CI or an approved emergency pipeline.
3. Migration version must avoid future collision.
4. Compatibility with currently running app version must be checked.
5. Main branch must be reconciled immediately after hotfix.
6. Post-incident review must capture why normal path was insufficient.

V20260628153000__hotfix_add_missing_index.sql

- changeSet:
    id: 20260628-153000-hotfix-add-missing-index
    author: platform
    labels: hotfix,incident-12345

- destructive data loss occurred
- compensating migration cannot reconstruct data
- schema/data corruption is widespread
- audit/legal/business impact requires exact recovery

- identify recovery point objective
- identify writes after recovery point
- estimate data loss window
- coordinate application downtime/read-only mode
- preserve corrupted state for forensic analysis if needed
- confirm backup integrity and restore rehearsal maturity

Incident
[ ] Incident/ticket id
[ ] Start/end timestamp
[ ] Affected database/schema/tenant/region
[ ] Business impact summary

Artifact
[ ] Git commit SHA
[ ] Build id
[ ] Migration file list and checksums
[ ] Tool version and command arguments

Database State
[ ] History/changelog rows before and after
[ ] Object/data verification queries
[ ] Lock/session snapshots if relevant
[ ] Error logs and SQL state codes

Decision
[ ] Classification of failure
[ ] Decision: retry, cleanup, repair, rollback, roll-forward, restore
[ ] Approver/owner
[ ] Risk accepted

Resolution
[ ] Corrective migration id
[ ] Metadata repair command if used
[ ] Verification result
[ ] Follow-up tasks

Symptom:
  Pipeline retries failed migration repeatedly.

Risk:
  Non-idempotent statements apply multiple times or lock pressure grows.

Fix:
  Stop retries unless migration is explicitly idempotent/resumable.

Symptom:
  validate fails, operator runs repair immediately.

Risk:
  History metadata changes before root cause is captured.

Fix:
  RCA first, metadata repair second.

Symptom:
  Team assumes every migration can be rolled back.

Risk:
  Data loss or app incompatibility during rollback.

Fix:
  Classify rollback capability per migration.

Symptom:
  DBA fixes production directly, no migration file created.

Risk:
  Permanent drift.

Fix:
  Adopt/revert through source-controlled migration.

Symptom:
  Liquibase waits for lock, operator runs release-locks.

Risk:
  Two migrations run concurrently if original process is active.

Fix:
  Verify active process/session first.

Migration failure recovery is not tool command memorization.
It is state reconciliation under uncertainty.

stop -> observe -> classify -> inspect actual state -> choose recovery -> verify -> repair metadata if needed -> document evidence