Bumper
2 February 2026
Safer migrations with a lightweight AI-powered review that integrates directly into PRs via a GitHub Action
Opportunity
Database migrations are one of the most common causes of unplanned downtime for teams practising continuous delivery. When engineers deploy schema changes (adding columns, creating indexes, or introducing foreign keys), the database may acquire locks, during which access to data can be temporarily blocked. If the engineer does not have deep knowledge of the database's locking behaviour, a seemingly innocent migration can bring a production service down.
This risk is especially acute at OGP, where PostgreSQL is the go-to database across most product teams and planned downtime for maintenance windows is rare, in line with modern software development. Today, catching these issues relies on individual expertise during code review, which is inconsistent, and the issues are easy to miss under time pressure. A lightweight, automated check at PR time could surface these risks before they ever reach production.
Velocity
I built Bumper, a GitHub Action that acts as an automated checking tool and runs whenever developers submit code changes. It detects PostgreSQL migration files in the pull request containing those changes and uses AI (Claude) to analyse them for potential lock issues.
For each migration file, Bumper posts a structured review comment showing which tables are affected, what lock types are acquired, whether reads and writes are blocked, the expected lock duration, and an overall risk rating (CRITICAL / HIGH / MEDIUM / LOW).
It handles PRs with multiple migration files, producing a per-file breakdown in a single comment.

Single migration result

Multi-migration result
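
To make the fields in the review comment concrete, here is an added example (not Bumper's code, which uses Claude rather than fixed rules) that maps common migration statements to the PostgreSQL table lock they take and whether reads or writes are blocked. The function name, rule set and sample migration are assumptions made for illustration; it does not estimate lock duration or assign a risk rating.

```python
import re

# mode -> (blocks_reads, blocks_writes). Plain SELECT conflicts only with
# ACCESS EXCLUSIVE; INSERT/UPDATE/DELETE conflict with SHARE and stronger.
LOCKS = {
    "ACCESS EXCLUSIVE": (True, True),
    "SHARE ROW EXCLUSIVE": (False, True),
    "SHARE": (False, True),
    "SHARE UPDATE EXCLUSIVE": (False, False),
}
TBL = r'(?:IF\s+EXISTS\s+)?(?:ONLY\s+)?([\w."]+)'
# First matching rule wins. ALTER TABLE forms not listed here fall through
# to ACCESS EXCLUSIVE, the conservative default.
RULES = [
    (r"CREATE\s+(?:UNIQUE\s+)?INDEX\s+CONCURRENTLY\b.*?\bON\s+" + TBL, "SHARE UPDATE EXCLUSIVE"),
    (r"CREATE\s+(?:UNIQUE\s+)?INDEX\b.*?\bON\s+" + TBL, "SHARE"),
    (r"ALTER\s+TABLE\s+" + TBL + r"\s+VALIDATE\s+CONSTRAINT\b", "SHARE UPDATE EXCLUSIVE"),
    (r"ALTER\s+TABLE\s+" + TBL + r"\s+ADD\s+(?:CONSTRAINT\s+\S+\s+)?FOREIGN\s+KEY\b", "SHARE ROW EXCLUSIVE"),
    (r"ALTER\s+TABLE\s+" + TBL, "ACCESS EXCLUSIVE"),
]

def analyse(sql):
    """Return one finding per (statement, locked table)."""
    sql = re.sub(r"--[^\n]*", "", sql)  # strip line comments
    findings = []
    # Naive split on ';' (does not handle semicolons inside string literals).
    for stmt in filter(None, (s.strip() for s in sql.split(";"))):
        for pattern, mode in RULES:
            m = re.match(pattern, stmt, re.I | re.S)
            if not m:
                continue
            tables = [m.group(1)]
            ref = re.search(r'\bREFERENCES\s+([\w."]+)', stmt, re.I)
            if mode == "SHARE ROW EXCLUSIVE" and ref:
                tables.append(ref.group(1))  # an FK also locks the referenced table
            reads, writes = LOCKS[mode]
            findings += [{"table": t, "lock": mode, "blocks_reads": reads,
                          "blocks_writes": writes} for t in tables]
            break
    return findings

# Constructed sample migration, not taken from any real project.
SAMPLE = """
-- add a lookup index and a foreign key
CREATE INDEX idx_reports_phone ON reports (phone);
CREATE INDEX CONCURRENTLY idx_reports_created ON reports (created_at);
ALTER TABLE reports ADD COLUMN reviewer_id bigint;
ALTER TABLE reports ADD CONSTRAINT fk_reviewer FOREIGN KEY (reviewer_id) REFERENCES users (id);
"""
```

Calling `analyse(SAMPLE)` yields five findings: the foreign key statement produces two, because it locks both `reports` and the referenced `users` table.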
So far, only limited internal testing has been done to assess the accuracy of the AI results and the time the tool takes to complete its analysis:
Accuracy of results: 4 out of 4 produced accurate lock analysis
Average time taken for analysis across 4 attempts: 20.75s
The setup takes minutes — teams only need to add an Anthropic API key and a workflow file. The cost is negligible at roughly $0.003–0.01 per migration file analysed. The tool is working end-to-end today, though more testing against real-world migrations is necessary to further evaluate accuracy and coverage across different migration patterns.
Traction
Bumper has not yet been rolled out beyond my own testing. The immediate next step is to integrate it into ScamShield after getting buy-in from the team, as ScamShield is a product I actively work on that can benefit from this: it has high usage with an evolving PostgreSQL schema. This would allow further validation of the usefulness of the tool. If it proves useful, I plan to offer it to other OGP product teams and eventually publish it on the GitHub Marketplace as an open-source tool for the broader engineering community.
Team makeup: solo project done by Kaiwen