Merge pull request #337 from cipherstash/support-postgres-18

Test multiple versions of postgres

Author: tobyhede

.github/workflows/test.yml

@@ -13,8 +13,14 @@ env:
 
 jobs:
   test:
-    name: Test
+    name: Test (PostgreSQL ${{ matrix.pg_version }})
     runs-on: blacksmith-16vcpu-ubuntu-2204
+    strategy:
+      fail-fast: false
+      matrix:
+        pg_version: [14, 15, 16, 17] # PG 18 not currently supported
+    env:
+      PG_VERSION: ${{ matrix.pg_version }}
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test

CLAUDE.md

@@ -123,7 +123,7 @@ CS_CLIENT_KEY = "your-client-key"
 - `5617` - PostgreSQL 17 (TLS)
 - `6432` - CipherStash Proxy
 
-Container names: `postgres`, `postgres-17-tls`, `proxy`, `proxy-tls`
+Container names: `postgres`, `postgres-tls`, `proxy`, `proxy-tls`
 
 ### Logging Configuration
 Set granular log levels by target:

DEVELOPMENT.md

@@ -175,7 +175,7 @@ mise run postgres:up
 
 # Start postgres instances individually in the foreground
 mise run postgres:up postgres
-mise run postgres:up postgres-17-tls
+mise run postgres:up postgres-tls
 
 # Start a postgres instance in the background
 mise run postgres:up postgres --extra-args "--detach --wait"
@@ -463,7 +463,7 @@ These are the Postgres instances and names currently provided:
 
 | Name              | Description                    |
 |-------------------|--------------------------------|
-| `postgres-17-tls` | TLS, PostgreSQL version 17     |
+| `postgres-tls`    | TLS, (PostgreSQL version 17)   |
 | `postgres`        | non-TLS, Postgres latest       |
 
 

docs/plans/2025-12-04-postgresql-version-matrix-design.md

@@ -0,0 +1,111 @@
+# PostgreSQL Version Matrix for CI
+
+## Problem
+
+PostgreSQL 18 was released and the `postgres:latest` Docker image broke volume mounting (commit `3e4fff24`). CI was pinned to PostgreSQL 17. We need to:
+1. Support PostgreSQL 18 (assuming upstream fix)
+2. Expand test coverage across multiple PostgreSQL versions
+3. Catch future breaking changes early
+
+## Decision
+
+Run a full parallel matrix in CI testing PostgreSQL versions 14, 15, 16, 17, and 18.
+
+## Design
+
+### GitHub Actions Matrix Strategy
+
+Update `.github/workflows/test.yml`:
+
+```yaml
+jobs:
+  test:
+    name: Test (PostgreSQL ${{ matrix.pg_version }})
+    runs-on: blacksmith-16vcpu-ubuntu-2204
+    strategy:
+      fail-fast: false
+      matrix:
+        pg_version: [14, 15, 16, 17, 18]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/setup-test
+      - run: |
+          mise run postgres:up --extra-args "--detach --wait"
+        env:
+          PG_VERSION: ${{ matrix.pg_version }}
+      # ... rest of steps with PG_VERSION in env
+```
+
+- `fail-fast: false` ensures all versions complete even if one fails
+- Version passed via `PG_VERSION` environment variable
+- Job names include version for clear identification in GitHub UI
+
+### Docker Compose Changes
+
+Update `tests/docker-compose.yml`:
+
+```yaml
+services:
+  postgres: &postgres
+    image: postgres:${PG_VERSION:-17}
+    pull_policy: always
+    # ... rest unchanged
+
+  postgres-tls:  # renamed from postgres-17-tls
+    <<: *postgres
+    image: postgres:${PG_VERSION:-17}
+    container_name: postgres-tls
+    environment:
+      PGPORT: 5617
+    volumes:
+      - ./pg/pg_hba-tls.conf:/etc/postgresql/pg_hba.conf
+      - ./tls/localhost-key.pem:/etc/postgresql/localhost-key.pem
+      - ./tls/localhost.pem:/etc/postgresql/localhost.pem
+      - ./pg/data-tls:/var/lib/postgresql/data  # simplified from data-17
+```
+
+- Both containers use `postgres:${PG_VERSION:-17}` - defaults to 17 for local dev
+- Rename `postgres-17-tls` → `postgres-tls` (version-agnostic naming)
+- Data directory `data-17` → `data-tls` (version-agnostic)
+
+### Mise Configuration Updates
+
+Update `mise.toml` task `postgres:up` default services:
+- Change `postgres postgres-17-tls` → `postgres postgres-tls`
+
+Update `tests/mise.tls.toml`:
+- Update any `postgres-17-tls` references to `postgres-tls`
+
+No explicit `PG_VERSION` passthrough needed - docker-compose reads from environment.
+
+### CI Test Execution
+
+Each matrix job runs the full integration suite against one PostgreSQL version:
+- All jobs use same ports (5532, 5617, 6432) - no conflicts as each runs on separate runner
+- Tests run against TLS-enabled PostgreSQL container
+- Each version shows as separate check in GitHub PR
+
+## Files to Modify
+
+| File | Change |
+|------|--------|
+| `.github/workflows/test.yml` | Add matrix strategy with `pg_version: [14, 15, 16, 17, 18]` |
+| `tests/docker-compose.yml` | Use `postgres:${PG_VERSION:-17}`, rename `postgres-17-tls` → `postgres-tls` |
+| `mise.toml` | Update default services in `postgres:up` task |
+| `tests/mise.tls.toml` | Update container name reference if present |
+
+## Local Development
+
+No changes to local development workflow. Defaults to PostgreSQL 17.
+
+## Validation
+
+1. Create branch with changes
+2. Push to trigger CI matrix
+3. Verify all 5 versions pass (especially v18 to confirm volume issue resolved)
+4. If v18 fails, investigate the specific volume issue before merge
+
+## Rollback
+
+- Remove strategy block to revert to single version
+- `PG_VERSION` defaults to 17, so removing the env var restores current behavior

mise.toml

@@ -477,7 +477,7 @@ description = "Run Postgres instances with docker compose"
 run = """
 set -e
 # Start the containers
-echo docker compose up --build {{arg(name="service",default="postgres postgres-17-tls")}} {{option(name="extra-args",default="")}} | bash
+echo docker compose up --build {{arg(name="service",default="postgres postgres-tls")}} {{option(name="extra-args",default="")}} | bash
 """
 
 [tasks."postgres:psql"]

tests/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   postgres: &postgres
-    image: postgres:17
+    image: postgres:${PG_VERSION:-17}
     pull_policy: always
     container_name: postgres
     command: -c 'config_file=/etc/postgresql/postgresql.conf'
@@ -12,7 +12,7 @@ services:
     volumes:
       - ./pg/postgresql.conf:/etc/postgresql/postgresql.conf
       - ./benchmark/sql/:/etc/postgresql/benchmark/sql
-      - ./pg/data-latest:/var/lib/postgresql/data
+      - ./pg/data-latest:/var/lib/postgresql
     env_file:
       - ./pg/common.env
     networks:
@@ -30,10 +30,10 @@ services:
       timeout: 5s
       retries: 10
 
-  postgres-17-tls:
+  postgres-tls:
     <<: *postgres
-    image: postgres:17
-    container_name: postgres-17-tls
+    image: postgres:${PG_VERSION:-17}
+    container_name: postgres-tls
     environment:
       PGPORT: 5617
     ports:
@@ -44,7 +44,7 @@ services:
       - ./pg/pg_hba-tls.conf:/etc/postgresql/pg_hba.conf
       - ./tls/localhost-key.pem:/etc/postgresql/localhost-key.pem
       - ./tls/localhost.pem:/etc/postgresql/localhost.pem
-      - ./pg/data-17:/var/lib/postgresql/data
+      - ./pg/data-17:/var/lib/postgresql
 
   proxy:
     image: cipherstash/proxy:latest

tests/mise.tls.toml

@@ -1,6 +1,6 @@
 [env]
-CS_DATABASE__HOST = "postgres-17-tls"
-CONTAINER_SUFFIX = "-17-tls"
+CS_DATABASE__HOST = "postgres-tls"
+CONTAINER_SUFFIX = "-tls"
 CS_DATABASE__PORT = "5617"
 CS_TLS__TYPE = "Path"
 CS_TLS__CERTIFICATE_PATH = "/etc/cipherstash-proxy/server.cert"