cloudnative-pg
diff --git a/‎.github/workflows/bake.yml‎
Lines changed: 56 additions & 0 deletions b/‎.github/workflows/bake.yml‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎.github/workflows/bake_targets.yml‎
Lines changed: 196 additions & 0 deletions b/‎.github/workflows/bake_targets.yml‎
Lines changed: 196 additions & 0 deletions
diff --git a/‎.github/workflows/update.yml‎
Lines changed: 106 additions & 0 deletions b/‎.github/workflows/update.yml‎
Lines changed: 106 additions & 0 deletions
@@ -0,0 +1,56 @@
+name: Build and publish extensions
+
+on:
+  push:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+permissions: {}
+
+jobs:
+  # Gather extensions that have been modified
+  change-triage:
+    name: Check changed files
+    runs-on: ubuntu-24.04
+    outputs:
+      matrix: ${{ steps.get-matrix.outputs.matrix}}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Check for changes
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        # Remember to add new folders in the operator-changed filter if needed
+        with:
+          base: ${{ (github.event_name == 'schedule') && 'main' || '' }}
+          filters: |
+            pgvector:
+              - 'pgvector/*'
+
+      # Compute a matrix containing the list of all extensions that have been modified
+      - name: Compute matrix
+        id: get-matrix
+        run: |
+          raw='${{ steps.filter.outputs.changes }}'
+          echo "{\"name\": $raw}" > matrix.json
+          cat matrix.json
+          echo "matrix=$(cat matrix.json)" >> "$GITHUB_OUTPUT"
+
+  Bake:
+    name: Bake
+    needs: change-triage
+    permissions:
+      packages: write
+      contents: read
+      id-token: write
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.change-triage.outputs.matrix) }}
+    uses: ./.github/workflows/bake_targets.yml
+    with:
+      environment: ${{ (github.ref == 'refs/heads/main') && 'production' || 'testing'}}
+      extension_name: ${{ matrix.name }}
@@ -0,0 +1,196 @@
+name: Build target extension
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: "Target environment for the image build (e.g. testing, production)."
+        required: true
+        type: string
+        default: "testing"
+      extension_name:
+        description: "The PostgreSQL extension to build (directory name)"
+        required: true
+        type: string
+    secrets:
+      SNYK_TOKEN:
+        required: false
+
+permissions: {}
+
+jobs:
+  testbuild:
+    name: Build ${{ inputs.extension_name }}
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+      # Required by the cosign step
+      id-token: write
+    outputs:
+      metadata: ${{ steps.build.outputs.metadata }}
+      images: ${{ steps.images.outputs.images }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Log in to the GitHub Container registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
+        with:
+          platforms: 'linux/arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+
+      - name: Build and push
+        uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6
+        id: build
+        env:
+          environment: testing
+          registry: ghcr.io/${{ github.repository_owner }}
+          revision: ${{ github.sha }}
+        with:
+          files: ./${{ inputs.extension_name }}/metadata.json,./docker-bake.hcl
+          push: true
+
+      # From bake's metadata, extract each unique tag (e.g. the ones with the timestamp)
+      - name: Generated images
+        id: images
+        run: |
+          echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | split(",")[] | select(test("[0-9]{12}")) ]')" >>  "$GITHUB_OUTPUT"
+
+      # Even if we're testing we sign the images, so we can push them to production later if that's required
+      - name: Install cosign
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+        # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
+        # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
+        # how to use cosign.
+      - name: Sign images
+        run: |
+          echo '${{ steps.build.outputs.metadata }}' | \
+            jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' | \
+            xargs cosign sign --yes
+
+  security:
+    name: Security checks
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    needs:
+      - testbuild
+    strategy:
+      matrix:
+        image: ${{fromJson(needs.testbuild.outputs.images)}}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Security checks
+        uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
+        with:
+          image: "${{ matrix.image }}"
+          registry_user: ${{ github.actor }}
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
+          snyk_token: ${{ secrets.SNYK_TOKEN }}
+          dockerfile: "${{ inputs.extension_name }}/Dockerfile"
+
+  smoke-test:
+    name: Smoke test
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: read
+    needs:
+      - testbuild
+    strategy:
+      matrix:
+        image: ${{fromJson(needs.testbuild.outputs.images)}}
+        cnpg: ["main", "1.27"]
+    env:
+      # renovate: datasource=github-tags depName=kubernetes-sigs/kind versioning=semver
+      KIND_VERSION: "v0.30.0"
+      # renovate: datasource=docker depName=kindest/node
+      KIND_NODE_VERSION: "v1.34.0"
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Create kind cluster
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          kubectl_version: ${{ env.KIND_NODE_VERSION }}
+          node_image: kindest/node:${{ env.KIND_NODE_VERSION }}
+          config: kind-config.yaml
+
+      - name: Install CNPG (${{ matrix.cnpg }})
+        run: |
+          operator_manifest="https://raw.githubusercontent.com/cloudnative-pg/artifacts/release-${{ matrix.cnpg }}/manifests/operator-manifest.yaml"
+          if [[ ${{ matrix.cnpg }} == 'main' ]]; then
+            operator_manifest="https://raw.githubusercontent.com/cloudnative-pg/artifacts/main/manifests/operator-manifest.yaml"
+          fi
+          curl -sSfL "$operator_manifest" | kubectl apply --server-side -f -
+          kubectl wait --for=condition=Available --timeout=2m -n cnpg-system deployments cnpg-controller-manager
+
+      - name: Setup environment variables
+        id: get-env
+        run: |
+          SQL_NAME=$(jq -r '.metadata.sql_name' ${{ inputs.extension_name }}/metadata.json)
+          PG_IMAGE=$(skopeo inspect docker://${{ matrix.image }} -f '{{ json .Labels }}' | jq -r '."org.opencontainers.image.base.name"')
+
+          echo "sql_name=$SQL_NAME" >> $GITHUB_OUTPUT
+          echo "pg_image=$PG_IMAGE" >> $GITHUB_OUTPUT
+
+      - name: Install Chainsaw
+        uses: kyverno/action-install-chainsaw@6354895e0f99ab23d3e38d85cf5c71b5dc21d727 # v0.2.13
+
+      - name: Run Kyverno/Chainsaw
+        env:
+          EXT_NAME: ${{ inputs.extension_name }}
+          EXT_IMAGE: ${{ matrix.image }}
+          EXT_SQL_NAME: ${{ steps.get-env.outputs.sql_name }}
+          PG_IMAGE: ${{ steps.get-env.outputs.pg_image }}
+        run: |
+          yq -n \
+            '
+              .extension_name = env(EXT_NAME) |
+              .extension_image = env(EXT_IMAGE) |
+              .extension_sql_name = env(EXT_SQL_NAME) |
+              .pg_image = env(PG_IMAGE)
+            ' \
+          > values.yaml
+          cat values.yaml
+
+          chainsaw test ./test --values values.yaml
+
+  copytoproduction:
+    name: Copy images to production
+    if: |
+      github.ref == 'refs/heads/main' &&
+      ( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
+    runs-on: ubuntu-24.04
+    needs:
+      - testbuild
+      - security
+      - smoke-test
+    permissions:
+      contents: read
+      packages: write
+      # Required by the cosign step
+      id-token: write
+    steps:
+      - name: Copy to production
+        uses: cloudnative-pg/postgres-containers/.github/actions/copy-images@main
+        with:
+          bake_build_metadata: "${{ needs.testbuild.outputs.metadata }}"
+          registry_user: ${{ github.actor }}
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,106 @@
+name: Update Extension versions
+
+on:
+  push:
+  schedule:
+    - cron: 0 0 * * 1
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+permissions: read-all
+
+jobs:
+  fetch-extensions:
+    name: Fetch available extensions
+    runs-on: ubuntu-24.04
+    outputs:
+      extensions: ${{ steps.get-extensions.outputs.extensions }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Fetch extensions
+        id: get-extensions
+        run: |
+          extensions=$(find . -type f -name Dockerfile -exec dirname {} \; | \
+            sed 's|^\./||' | xargs -n1 basename | sort -u | \
+            jq -R -s -c 'split("\n")[:-1]')
+          echo "extensions=$extensions" >> $GITHUB_OUTPUT
+
+  update-extension:
+    name: Update ${{ matrix.extension }}
+    runs-on: ubuntu-24.04
+    needs:
+      - fetch-extensions
+    strategy:
+      matrix:
+        extension: ${{fromJson(needs.fetch-extensions.outputs.extensions)}}
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Fetch latest extension versions
+        id: fetch_versions
+        run: |
+          # Get the distributions
+          readarray -t DISTROS < <(sed -n '/variable "distributions"/,/}/ { s/^[[:space:]]*"\([^"]*\)".*/\1/p }' docker-bake.hcl)
+          # Get the PG versions
+          readarray -t POSTGRES_MAJORS < <(sed -n '/variable "pgVersions"/,/]/ { s/^[[:space:]]*"\([^"]*\)".*/\1/p }' docker-bake.hcl)
+          # Get the extension name
+          EXT_NAME=$(jq -r '.metadata.name' "${{ matrix.extension }}/metadata.json")
+
+          for DISTRO in "${DISTROS[@]}"; do
+            for MAJOR in "${POSTGRES_MAJORS[@]}"; do
+              VERSION=$(curl -s "https://apt.postgresql.org/pub/repos/apt/dists/$DISTRO-pgdg/main/binary-amd64/Packages" \
+                | awk -v pkg="postgresql-${MAJOR}-${EXT_NAME}" '
+                    $1 == "Package:" && $2 == pkg {show=1; next}
+                    show && $1 == "Version:" {print $2; show=0}
+                  ' \
+                | sort -V \
+                | tail -n1)
+              if [[ -z "$VERSION" ]]; then
+                echo "No version found for ${EXT_NAME} on PG ${MAJOR} - $DISTRO"
+                exit 1
+              fi
+
+              jq --arg distro "$DISTRO" \
+                 --arg major "$MAJOR" \
+                 --arg version "$VERSION" \
+                '.metadata.versions[$distro][$major] = $version' \
+              "${{ matrix.extension }}/metadata.json" > "${{ matrix.extension }}/metadata.tmp" \
+              && mv "${{ matrix.extension }}/metadata.tmp" "${{ matrix.extension }}/metadata.json"
+            done
+          done
+
+      - name: Diff
+        run: |
+          git status
+          git diff
+
+      - name: Temporarily disable "include administrators" branch protection
+        if: ${{ always() && github.ref == 'refs/heads/main' }}
+        id: disable_include_admins
+        uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: false
+
+      - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
+        with:
+          author_name: CloudNativePG Automated Updates
+          author_email: [email protected]
+          message: 'chore: update ${{ matrix.extension }} versions'
+
+      - name: Enable "include administrators" branch protection
+        uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
+        if: ${{ always() && github.ref == 'refs/heads/main' }}
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}