feat: clean up and attach stages in packer

Author: samrose

.github/workflows/ami-release-nix.yml

@@ -0,0 +1,169 @@
+name: Release AMI
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - '.github/workflows/ami-release-nix.yml'
+      - 'common-nix.vars.pkr.hcl'
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - runner: arm-runner
+            arch: arm64
+            ubuntu_release: focal
+            ubuntu_version: 20.04
+            mcpu: neoverse-n1
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 150
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v3
+
+      - name: Run checks if triggered manually
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        # Update `ci.yaml` too if changing constraints.
+        run: |
+          SUFFIX=$(sed -E 's/postgres-version = "[0-9\.]+(.*)"/\1/g' common-nix.vars.pkr.hcl)
+          if [[ -z $SUFFIX ]] ; then
+            echo "Version must include non-numeric characters if built manually."
+            exit 1
+          fi
+
+      # - id: args
+      #   uses: mikefarah/yq@master
+      #   with:
+      #     cmd: yq 'to_entries | map(select(.value|type == "!!str")) |  map(.key + "=" + .value) | join("\n")' 'ansible/vars.yml'
+      # - run: docker context create builders
+      # - uses: docker/setup-buildx-action@v3
+      #   with:
+      #     endpoint: builders
+      # - uses: docker/build-push-action@v5
+      #   with:
+      #     build-args: |
+      #       ${{ steps.args.outputs.result }}
+      #     target: extensions
+      #     tags: supabase/postgres:extensions
+      #     platforms: linux/${{ matrix.arch }}
+      #     outputs: type=tar,dest=/tmp/extensions.tar
+      #     cache-from: type=gha,scope=${{ github.ref_name }}-latest-${{ matrix.arch }}
+      #     # No need to export extensions cache because latest depends on it
+
+      # - name: Extract built packages
+      #   run: |
+      #     mkdir -p ansible/files/extensions
+      #     tar xvf /tmp/extensions.tar -C ansible/files/extensions --strip-components 1
+      # TODO remove this block as extensions are build in nix prior to this step
+
+      - id: version
+        run: echo "${{ steps.args.outputs.result }}" | grep "postgresql" >> "$GITHUB_OUTPUT"
+      - name: Build Postgres deb
+        uses: docker/build-push-action@v5
+        with:
+          file: docker/Dockerfile
+          target: pg-deb
+          build-args: |
+            ubuntu_release=${{ matrix.ubuntu_release }}
+            ubuntu_release_no=${{ matrix.ubuntu_version }}
+            postgresql_major=${{ steps.version.outputs.postgresql_major }}
+            postgresql_release=${{ steps.version.outputs.postgresql_release }}
+            CPPFLAGS=-mcpu=${{ matrix.mcpu }}
+          tags: supabase/postgres:deb
+          platforms: linux/${{ matrix.arch }}
+          outputs: type=tar,dest=/tmp/pg-deb.tar
+          cache-from: type=gha,scope=${{ github.ref_name }}-deb
+          cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-deb
+      # - name: Extract Postgres deb
+      #   run: |
+      #     mkdir -p ansible/files/postgres
+      #     tar xvf /tmp/pg-deb.tar -C ansible/files/postgres --strip-components 1
+      #TODO remove this block as deb is build in nix prior to this step
+
+      - name: Build AMI stage 1
+        run: |
+          packer init amazon-arm64-nix.pkr.hcl
+          GIT_SHA=${{github.sha}}
+          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments="  amazon-arm64-nix.pkr.hcl
+
+      - name: Build AMI stage 1
+        run: |
+          packer init amazon-arm64-nix.pkr.hcl
+          GIT_SHA=${{github.sha}}
+          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments="  amazon-arm64-nix.pkr.hcl
+  
+      - name: Grab release version
+        id: process_release_version
+        run: |
+          VERSION=$(sed -e 's/postgres-version = "\(.*\)"/\1/g' common-nix.vars.pkr.hcl)
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: configure aws credentials - staging
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+          aws-region: "us-east-1"
+
+      - name: Upload software manifest to s3 staging
+        run: |
+          cd ansible
+          ansible-playbook -i localhost \
+            -e "ami_release_version=${{ steps.process_release_version.outputs.version }}" \
+            -e "internal_artifacts_bucket=${{ secrets.ARTIFACTS_BUCKET }}" \
+            manifest-playbook.yml
+
+      # - name: Upload pg binaries to s3 staging
+      #   run: |
+      #     aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz
+      # #TODO look to see if this only pg binaries and if so, remove this as it is covered by nix build
+      # TODO deactivate this block to assure binaries from this file are not uploaded. This is covered by nix build
+      - name: configure aws credentials - prod
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: "us-east-1"
+
+      - name: Upload software manifest to s3 prod
+        run: |
+          cd ansible
+          ansible-playbook -i localhost \
+            -e "ami_release_version=${{ steps.process_release_version.outputs.version }}" \
+            -e "internal_artifacts_bucket=${{ secrets.PROD_ARTIFACTS_BUCKET }}" \
+            manifest-playbook.yml
+
+      # - name: Upload pg binaries to s3 prod
+      #   run: |
+      #     aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz
+      #TODO deactivate this block to assure binaries from this file are not uploaded. This is covered by nix build
+      
+      
+      - name: Create release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: ${{ steps.process_release_version.outputs.version }}
+          tag_name: ${{ steps.process_release_version.outputs.version }}
+          target_commitish: ${{github.sha}}
+
+      - name: Slack Notification on Failure
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK }}
+          SLACK_USERNAME: 'gha-failures-notifier'
+          SLACK_COLOR: 'danger'
+          SLACK_MESSAGE: 'Building Postgres AMI failed'
+          SLACK_FOOTER: ''
+
+      - name: Cleanup resources on build cancellation
+        if: ${{ cancelled() }}
+        run: |
+          aws ec2 describe-instances --filters "Name=tag:packerExecutionId,Values=${GITHUB_RUN_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -n 1 -I {} aws ec2 terminate-instances --instance-ids {}

.github/workflows/text-nix.yml

@@ -0,0 +1,117 @@
+name: Test Database
+
+on:
+  push:
+    branches:
+      - develop
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - runner: [self-hosted, X64]
+            arch: amd64
+          - runner: arm-runner
+            arch: arm64
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 180
+    env:
+      POSTGRES_PORT: 5478
+      POSTGRES_PASSWORD: password
+    steps:
+      - uses: actions/checkout@v3
+      - id: args
+        uses: mikefarah/yq@master
+        with:
+          cmd: yq 'to_entries | map(select(.value|type == "!!str")) |  map(.key + "=" + .value) | join("\n")' 'ansible/vars.yml'
+
+      - run: docker context create builders
+      - uses: docker/setup-buildx-action@v3
+        with:
+          endpoint: builders
+      - uses: docker/build-push-action@v5
+        with:
+          load: true
+          context: .
+          target: production
+          build-args: |
+            ${{ steps.args.outputs.result }}
+          tags: samrose/nix-experimental-postgresql-15-aarch64-linux:latest
+          cache-from: |
+            type=gha,scope=${{ github.ref_name }}-latest-${{ matrix.arch }}
+            type=gha,scope=${{ github.base_ref }}-latest-${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-latest-${{ matrix.arch }}
+
+      - name: Start Postgres
+        run: |
+          docker run --rm --pull=never \
+          -e POSTGRES_PASSWORD=${{ env.POSTGRES_PASSWORD }} \
+          -p ${{ env.POSTGRES_PORT }}:5432 \
+          --name supabase_postgres \
+          -d supabase/postgres:latest
+
+      - name: Install psql
+        run: |
+          sudo apt update
+          sudo apt install -y --no-install-recommends postgresql-client
+
+      - name: Install pg_prove
+        run: sudo cpan -T TAP::Parser::SourceHandler::pgTAP
+        env:
+          SHELL: /bin/bash
+
+      - name: Wait for healthy database
+        run: |
+          count=0
+          until [ "$(docker inspect -f '{{.State.Health.Status}}' "$container")" == "healthy" ]; do
+              exit=$?
+              count=$((count + 1))
+              if [ $count -ge "$retries" ]; then
+                  echo "Retry $count/$retries exited $exit, no more retries left."
+                  docker stop -t 2 "$container"
+                  return $exit
+              fi
+              sleep 1;
+          done;
+          echo "$container container is healthy"
+        env:
+          retries: 20
+          container: supabase_postgres
+
+      - name: Run tests
+        run: pg_prove migrations/tests/test.sql
+        env:
+          PGHOST: localhost
+          PGPORT: ${{ env.POSTGRES_PORT }}
+          PGDATABASE: postgres
+          PGUSER: supabase_admin
+          PGPASSWORD: ${{ env.POSTGRES_PASSWORD }}
+
+      - name: Check migrations are idempotent
+        run: |
+          for sql in ./migrations/db/migrations/*.sql; do
+            echo "$0: running $sql"
+            psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -f "$sql"
+          done
+        env:
+          PGHOST: localhost
+          PGPORT: ${{ env.POSTGRES_PORT }}
+          PGDATABASE: postgres
+          PGUSER: supabase_admin
+          PGPASSWORD: ${{ env.POSTGRES_PASSWORD }}
+
+  schema:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: verify schema.sql is committed
+        run: |
+          docker compose -f migrations/docker-compose.yaml up db dbmate --abort-on-container-exit
+          if ! git diff --ignore-space-at-eol --exit-code --quiet migrations/schema.sql; then
+            echo "Detected uncommitted changes after build. See status below:"
+            git diff
+            exit 1
+          fi