Add remaining security suppressions for Semgrep and flawfinder #62
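name: CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [ main, master, develop ]
  pull_request:
    branches: [ main, master, develop ]

# Least privilege for GITHUB_TOKEN: nothing here pushes or writes to the API.
# actions/upload-artifact@v4 uses the runtime token rather than GITHUB_TOKEN,
# so a read-only grant is sufficient for both jobs.
permissions:
  contents: read

jobs:
  test:
    name: PostgreSQL ${{ matrix.pg }} on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    # An explicit `shell: bash` runs every step with `-eo pipefail`; the implicit
    # default is only `bash -e`, under which a failed `wget` feeding a pipe (see
    # the signing-key fetch below) would be silently ignored.
    defaults:
      run:
        shell: bash
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest]
        pg: [14, 15, 16, 17, 18]
        include:
          - os: macos-latest
            pg: 17

    steps:
      - name: Checkout code
        # TODO(review): pin third-party actions to a full commit SHA instead of a
        # moving major tag so a compromised or re-pointed tag cannot alter the job.
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes, so do not leave GITHUB_TOKEN in .git/config
          # where later steps (make, installed packages, tests) could read it.
          persist-credentials: false

      - name: Install PostgreSQL (Ubuntu)
        if: runner.os == 'Linux'
        run: |
          sudo apt-get update
          sudo apt-get install -y wget gnupg ca-certificates lsb-release
          # Fetch the PGDG signing key over HTTPS into a dedicated keyring and bind
          # it to this one repository with `signed-by`. `apt-key add` is deprecated
          # and would have trusted the key for every configured apt source.
          sudo install -d -m 0755 /etc/apt/keyrings
          wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc \
            | sudo gpg --dearmor --yes -o /etc/apt/keyrings/postgresql.gpg
          echo "deb [signed-by=/etc/apt/keyrings/postgresql.gpg] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \
            | sudo tee /etc/apt/sources.list.d/pgdg.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y \
            postgresql-${{ matrix.pg }} \
            postgresql-server-dev-${{ matrix.pg }} \
            libcurl4-openssl-dev \
            build-essential

      - name: Install PostgreSQL (macOS)
        if: runner.os == 'macOS'
        run: |
          brew install postgresql@${{ matrix.pg }} curl
          brew services start postgresql@${{ matrix.pg }}
          # Expose the versioned Homebrew binaries to later steps.
          echo "/opt/homebrew/opt/postgresql@${{ matrix.pg }}/bin" >> "$GITHUB_PATH"
          echo "PG_CONFIG=/opt/homebrew/opt/postgresql@${{ matrix.pg }}/bin/pg_config" >> "$GITHUB_ENV"

      - name: Set PostgreSQL environment (Ubuntu)
        if: runner.os == 'Linux'
        run: |
          echo "PG_CONFIG=/usr/lib/postgresql/${{ matrix.pg }}/bin/pg_config" >> "$GITHUB_ENV"

      - name: Install pgvector
        run: |
          # TODO(review): a git tag is mutable; consider pinning the commit the tag
          # is expected to resolve to. The commit is logged so each run is auditable.
          git clone --depth 1 --branch v0.8.1 https://github.com/pgvector/pgvector.git /tmp/pgvector
          git -C /tmp/pgvector log -1 --format='pgvector commit: %H'
          cd /tmp/pgvector
          make PG_CONFIG="$PG_CONFIG"
          sudo make install PG_CONFIG="$PG_CONFIG"

      - name: Build extension
        run: |
          make PG_CONFIG="$PG_CONFIG"
          sudo make install PG_CONFIG="$PG_CONFIG"

      - name: Configure and start PostgreSQL (Ubuntu)
        if: runner.os == 'Linux'
        run: |
          # Create PostgreSQL cluster if it doesn't exist
          if ! pg_lsclusters | grep -q "^${{ matrix.pg }} *main"; then
            sudo pg_createcluster ${{ matrix.pg }} main --start
          fi
          # Get the cluster port and export it for tests
          PGPORT=$(pg_lsclusters -h | awk '$1==${{ matrix.pg }} && $2=="main" {print $3}')
          echo "PostgreSQL cluster running on port: $PGPORT"
          echo "PGPORT=$PGPORT" >> "$GITHUB_ENV"
          # Configure PostgreSQL
          PGCONF=/etc/postgresql/${{ matrix.pg }}/main/postgresql.conf
          echo "shared_preload_libraries = 'pgedge_vectorizer'" | sudo tee -a "$PGCONF"
          # Restart PostgreSQL to load the extension
          sudo pg_ctlcluster ${{ matrix.pg }} main restart
          # Create user and database. SUPERUSER is acceptable only because this is a
          # throwaway CI cluster; presumably needed for CREATE EXTENSION on an
          # untrusted C extension — confirm against the test SQL.
          sudo -u postgres psql -p "$PGPORT" -c "CREATE ROLE $USER WITH SUPERUSER LOGIN" || true
          createdb -p "$PGPORT" "$USER"
          # Verify extension loaded
          if psql -p "$PGPORT" postgres -c "SELECT 1" > /dev/null 2>&1; then
            echo "PostgreSQL started successfully with extension loaded"
          else
            echo "Failed to connect to PostgreSQL"
            sudo cat /var/log/postgresql/postgresql-${{ matrix.pg }}-main.log || true
            exit 1
          fi

      - name: Configure PostgreSQL (macOS)
        if: runner.os == 'macOS'
        run: |
          PGCONF=$(psql postgres -t -c "SHOW config_file" | xargs)
          echo "shared_preload_libraries = 'pgedge_vectorizer'" >> "$PGCONF"
          brew services restart postgresql@${{ matrix.pg }}
          # Fixed grace period for the restart; a pg_isready loop would be more robust.
          sleep 5

      - name: Setup API keys for embedding tests
        # Secrets are handed to the shell through `env` rather than being expanded
        # with ${{ }} inside the script: an expression is pasted verbatim into the
        # script text (so quotes or newlines in the value become shell syntax),
        # whereas an environment variable is only ever read as data.
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          VOYAGE_API_KEY: ${{ secrets.VOYAGE_API_KEY }}
        run: |
          # Create API key files if secrets are available (pull requests from forks
          # receive none, so the embedding tests are skipped there).
          # The files are created under umask 077 so they are never world-readable
          # in /tmp, not even for the instant between creation and chmod.
          if [ -n "${OPENAI_API_KEY:-}" ]; then
            (umask 077; printf '%s\n' "$OPENAI_API_KEY" > /tmp/openai-api-key)
            chmod 600 /tmp/openai-api-key
            echo "OpenAI API key configured"
          else
            echo "OpenAI API key not available - embedding tests will be skipped"
          fi
          if [ -n "${VOYAGE_API_KEY:-}" ]; then
            (umask 077; printf '%s\n' "$VOYAGE_API_KEY" > /tmp/voyage-api-key)
            chmod 600 /tmp/voyage-api-key
            echo "Voyage API key configured"
          else
            echo "Voyage API key not available - Voyage tests will be skipped"
          fi

      - name: Run tests
        run: |
          make installcheck PG_CONFIG="$PG_CONFIG"

      - name: Show regression diffs on failure
        if: failure()
        run: |
          if [ -f test/regression.diffs ]; then
            cat test/regression.diffs
          fi

      - name: Upload test results
        if: always()
        # TODO(review): pin to a full commit SHA (see checkout step).
        uses: actions/upload-artifact@v4
        with:
          name: test-results-pg${{ matrix.pg }}-${{ matrix.os }}
          path: |
            test/regression.diffs
            test/regression.out
            test/results/
          retention-days: 7
          if-no-files-found: ignore

  lint:
    name: Code Quality
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout code
        # TODO(review): pin to a full commit SHA (see the test job).
        uses: actions/checkout@v4
        with:
          # Read-only job; keep GITHUB_TOKEN out of the workspace.
          persist-credentials: false

      - name: Check for trailing whitespace
        run: |
          ! git grep -I --line-number --perl-regexp '\s+$' -- '*.c' '*.h' '*.sql' || \
            (echo "Found trailing whitespace in the lines above" && false)

      - name: Check for tabs in SQL files
        run: |
          ! git grep -I --line-number $'\t' -- '*.sql' || \
            (echo "Found tabs in SQL files (use spaces)" && false)

      - name: Validate Makefile
        run: |
          make --dry-run help || (echo "Makefile validation failed" && false)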