Schema migrations: a zero-downtime column rename under load

Rename a column on a 10M+-row Postgres table from username to handle with zero downtime, using the full expand-contract sequence, while a load generator runs both an old (reads/writes username) and a new (reads/writes handle) client against the database the whole time.

• Provision Postgres 14+ with a users table of at least 10M rows (generate_series). Stand up a load generator that issues concurrent reads and writes, and run a long analytics SELECT periodically so the lock queue is realistic.
• Run two app versions side by side against the same database for the whole exercise: v1 reads and writes username; v2 reads and writes handle. Keep both running so you can prove the schema stays compatible with both at every phase.
• Phase 1 — Expand: ADD COLUMN handle TEXT with no default (instant). Run every migration session with SET lock_timeout = '2s' and SET statement_timeout, and capture a pg_locks / pg_stat_activity snapshot showing the ALTER did not freeze the table (or aborted-and-retried cleanly when a long query held ACCESS SHARE).
• Phase 2 — Dual-write: deploy v2 so writes go to both username and handle. Confirm v1 and v2 are both serving with no errors.
• Phase 3 — Backfill: copy username into handle for existing rows in 1k–10k-row batches with pg_sleep between batches. Record pg_stat_replication.replay_lag (or WAL generation rate) across the backfill and show it stays bounded — contrast against a single-statement UPDATE you run once on a throwaway copy to observe the WAL flood.
• Phase 4–5 — Cut over and stop old writes: deploy a v2 that reads handle exclusively (still dual-writing), then a version that writes only handle. Verify no request errors during each rolling step.
• Phase 6 — Contract: DROP COLUMN username only after confirming no running version references it. Show the drop is fast and the table is still serving traffic.
• Add a NOT NULL on handle the safe way as a bonus DDL: ADD CHECK (handle IS NOT NULL) NOT VALID, VALIDATE CONSTRAINT, then ALTER COLUMN SET NOT NULL — proving the VALIDATE scan ran under SHARE UPDATE EXCLUSIVE without blocking the load generator's writes.

• A request-error timeline for both v1 and v2 across all six phases showing zero failed requests attributable to schema incompatibility — measured under live load, not assumed.
• A before/after lock evidence pair: a pg_locks snapshot during a contended ALTER showing the lock_timeout abort-and-retry path, versus the same ALTER succeeding in a quiet window.
• Backfill metrics: batch count, rows per batch, and a replication-lag (or WAL-rate) graph that stays bounded for the batched run, next to the single-statement UPDATE's WAL spike on the throwaway copy.
• A one-paragraph write-up naming, for each phase, the invariant that held (schema compatible with both versions) and the specific failure it prevented (rename outage, lock freeze, WAL flood).