Merge branch 'develop' into dd/bump-admin-mgr-v0.25.1

delgado3d · web-flow · commit 7ce105392a6d · 2025-06-04T14:16:19.000+05:30
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/complete.sh
@@ -226,9 +226,14 @@ EOF
         AND EXISTS (SELECT FROM pg_extension WHERE extname = 'supabase_vault')
       THEN
         IF (SELECT extversion FROM pg_extension WHERE extname = 'supabase_vault') != '0.2.8' THEN
-          GRANT USAGE ON SCHEMA vault TO postgres WITH GRANT OPTION;
-          GRANT SELECT, DELETE ON vault.secrets, vault.decrypted_secrets TO postgres WITH GRANT OPTION;
-          GRANT EXECUTE ON FUNCTION vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt TO postgres WITH GRANT OPTION;
+          grant usage on schema vault to postgres with grant option;
+          grant select, delete, truncate, references on vault.secrets, vault.decrypted_secrets to postgres with grant option;
+          grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to postgres with grant option;
+
+          -- service_role used to be able to manage secrets in Vault <=0.2.8 because it had privileges to pgsodium functions
+          grant usage on schema vault to service_role;
+          grant select, delete on vault.secrets, vault.decrypted_secrets to service_role;
+          grant execute on function vault.create_secret, vault.update_secret, vault._crypto_aead_det_decrypt to service_role;
         END IF;
         -- Do an explicit IF EXISTS check to avoid referencing pgsodium objects if the project already migrated away from using pgsodium.
         IF EXISTS (SELECT FROM vault.secrets WHERE key_id IS NOT NULL) THEN
diff --git a/ansible/files/postgresql_config/supautils.conf.j2 b/ansible/files/postgresql_config/supautils.conf.j2
@@ -7,7 +7,7 @@ supautils.drop_trigger_grants = '{"postgres":["auth.audit_log_entries","auth.ide
 # omitted because doesn't require superuser: pgmq
 # omitted because protected:                 plpgsql
 supautils.privileged_extensions = 'address_standardizer, address_standardizer_data_us, autoinc, bloom, btree_gin, btree_gist, citext, cube, dblink, dict_int, dict_xsyn, earthdistance, fuzzystrmatch, hstore, http, hypopg, index_advisor, insert_username, intarray, isn, ltree, moddatetime, orioledb, pg_buffercache, pg_cron, pg_graphql, pg_hashids, pg_jsonschema, pg_net, pg_prewarm, pg_repack, pg_stat_monitor, pg_stat_statements, pg_tle, pg_trgm, pg_walinspect, pgaudit, pgcrypto, pgjwt, pgroonga, pgroonga_database, pgrouting, pgrowlocks, pgsodium, pgstattuple, pgtap, plcoffee, pljava, plls, plpgsql_check, plv8, postgis, postgis_raster, postgis_sfcgal, postgis_tiger_geocoder, postgis_topology, postgres_fdw, refint, rum, seg, sslinfo, supabase_vault, supautils, tablefunc, tcn, timescaledb, tsm_system_rows, tsm_system_time, unaccent, uuid-ossp, vector, wrappers'
-supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
+supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
 supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
diff --git a/flake.nix b/flake.nix
@@ -75,6 +75,10 @@
                 cargo-pgrx = final.cargo-pgrx.cargo-pgrx_0_12_9;
               };
 
+              buildPgrxExtension_0_14_3 = prev.buildPgrxExtension.override {
+                cargo-pgrx = final.cargo-pgrx.cargo-pgrx_0_14_3;
+              };
+
             })
             (final: prev: {
               postgresql = final.callPackage ./nix/postgresql/default.nix {
@@ -417,6 +421,7 @@
             cargo-pgrx_0_11_3 = pkgs.cargo-pgrx.cargo-pgrx_0_11_3;
             cargo-pgrx_0_12_6 = pkgs.cargo-pgrx.cargo-pgrx_0_12_6;
             cargo-pgrx_0_12_9 = pkgs.cargo-pgrx.cargo-pgrx_0_12_9;
+            cargo-pgrx_0_14_3 = pkgs.cargo-pgrx.cargo-pgrx_0_14_3;
             # PostgreSQL versions.
             psql_15 = postgresVersions.psql_15;
             psql_17 = postgresVersions.psql_17;
diff --git a/nix/cargo-pgrx/default.nix b/nix/cargo-pgrx/default.nix
@@ -8,7 +8,7 @@
 , rust-bin
 }:
 let
-  rustVersion = "1.76.0";
+  rustVersion = "1.85.1";
   rustPlatform = makeRustPlatform {
     cargo = rust-bin.stable.${rustVersion}.default;
     rustc = rust-bin.stable.${rustVersion}.default;
@@ -19,6 +19,11 @@ let
     , cargoHash
     }:
     rustPlatform.buildRustPackage rec {
+      # rust-overlay uses 'cargo-auditable' wrapper for 'cargo' command, but it
+      # is using older version 0.18.1 of 'cargo_metadata' which doesn't support
+      # rust edition 2024, so we disable the 'cargo-auditable' just for now.
+      # ref: https://github.com/oxalica/rust-overlay/issues/153
+      auditable = false;
       pname = "cargo-pgrx";
       inherit version;
       src = fetchCrate {
@@ -69,7 +74,12 @@ in
   cargo-pgrx_0_12_9 = generic {
     version = "0.12.9";
     hash = "sha256-aR3DZAjeEEAjLQfZ0ZxkjLqTVMIEbU0UiZ62T4BkQq8=";
-    cargoHash = "sha256-53HKhvsKLTa2JCByLEcK3UzWXoM+LTatd98zvS1C9no=";
+    cargoHash = "sha256-KTKcol9qSNLQZGW32e6fBb6cPkUGItknyVpLdBYqrBY=";
+  };
+  cargo-pgrx_0_14_3 = generic {
+    version = "0.14.3";
+    hash = "sha256-3TsNpEqNm3Uol5XPW1i0XEbP2fF2+RKB2d7lO6BDnvQ=";
+    cargoHash = "sha256-Ny7j56pwB+2eEK62X0nWfFKQy5fBz+Q1oyvecivxLkk=";
   };
   inherit rustPlatform;
 }
diff --git a/nix/ext/supautils.nix b/nix/ext/supautils.nix
@@ -2,21 +2,21 @@
 
 stdenv.mkDerivation rec {
   pname = "supautils";
-  version = "2.9.1";
+  version = "2.9.4";
 
   buildInputs = [ postgresql ];
 
   src = fetchFromGitHub {
     owner = "supabase";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-Rw7dmIUg9bJ7SuiHxCsZtnVhdG9hg4WlptiB/MxVmPc=";
+    hash = "sha256-qP9fOEWXw+wY49GopTizwxSBEGS0UoseJHVBtKS/BdI=";
   };
 
   installPhase = ''
     mkdir -p $out/lib
 
-    install -D build/*${postgresql.dlSuffix} -t $out/lib
+    install -D *${postgresql.dlSuffix} -t $out/lib
   '';
 
   meta = with lib; {
diff --git a/nix/tools/run-server.sh.in b/nix/tools/run-server.sh.in
@@ -220,7 +220,7 @@ mkdir -p "$DATDIR/extension-custom-scripts"
 cp -r "$EXTENSION_CUSTOM_SCRIPTS"/* "$DATDIR/extension-custom-scripts"
 
 # Configure supautils
-sed "s|supautils.privileged_extensions_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'|supautils.privileged_extensions_custom_scripts_path = '$DATDIR/extension-custom-scripts'|" "$SUPAUTILS_CONFIG_FILE" > "$DATDIR/supautils.conf"
+sed "s|supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'|supautils.extension_custom_scripts_path = '$DATDIR/extension-custom-scripts'|" "$SUPAUTILS_CONFIG_FILE" > "$DATDIR/supautils.conf"
 
 # Configure PostgreSQL
 sed -e "1i\\
