Merge branch 'develop' into sam/pg-cron-migration-fix

Author: hunleyd

.github/actions/nix-install-ephemeral/action.yml

@@ -0,0 +1,46 @@
+name: 'Install Nix on ephemeral runners'
+description: 'Installs Nix and sets up AWS credentials to push to the Nix binary cache'
+inputs:
+  push-to-cache:
+    description: 'Whether to push build outputs to the Nix binary cache'
+    required: false
+    default: 'false'
+runs:
+  using: 'composite'
+  steps:
+    - name: aws-creds
+      uses: aws-actions/configure-aws-credentials@v4
+      if: ${{ inputs.push-to-cache == 'true' }}
+      with:
+        role-to-assume: ${{ env.DEV_AWS_ROLE }}
+        aws-region: "us-east-1"
+        output-credentials: true
+        role-duration-seconds: 7200
+    - name: Setup AWS credentials for Nix
+      if: ${{ inputs.push-to-cache == 'true' }}
+      shell: bash
+      run: |
+        sudo -H aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
+        sudo -H aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
+        sudo -H aws configure set aws_session_token $AWS_SESSION_TOKEN
+        sudo mkdir -p /etc/nix
+        sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
+        cat << 'EOF' | sudo tee /etc/nix/upload-to-cache.sh > /dev/null
+        #!/usr/bin/env bash
+        set -euo pipefail
+        set -f
+
+        export IFS=' '
+        /nix/var/nix/profiles/default/bin/nix copy --to 's3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key' $OUT_PATHS
+        EOF
+        sudo chmod +x /etc/nix/upload-to-cache.sh
+      env:
+        NIX_SIGN_SECRET_KEY: ${{ env.NIX_SIGN_SECRET_KEY }}
+    - name: Install nix
+      uses: cachix/install-nix-action@v31
+      with:
+        install_url: https://releases.nixos.org/nix/nix-2.32.2/install
+        extra_nix_config: |
+          substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
+          trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+          ${{ inputs.push-to-cache == 'true' && 'post-build-hook = /etc/nix/upload-to-cache.sh' || '' }}

.github/workflows/ami-release-nix-single.yml

@@ -46,7 +46,7 @@ jobs:
           install_url: https://releases.nixos.org/nix/nix-2.29.1/install
           extra_nix_config: |
             substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
 
       - name: Set PostgreSQL version environment variable
         run: |

.github/workflows/ami-release-nix.yml

@@ -30,7 +30,7 @@ jobs:
           install_url: https://releases.nixos.org/nix/nix-2.29.1/install
           extra_nix_config: |
             substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
 
       - name: Set PostgreSQL versions
         id: set-versions
@@ -65,7 +65,7 @@ jobs:
           install_url: https://releases.nixos.org/nix/nix-2.29.1/install
           extra_nix_config: |
             substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
 
       - name: Run checks if triggered manually
         if: ${{ github.event_name == 'workflow_dispatch' }}
@@ -96,7 +96,7 @@ jobs:
           GIT_SHA=${{github.sha}}
           nix  run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl
           # why is postgresql_major defined here instead of where the _three_ other postgresql_* variables are defined?
-          nix  run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${EXECUTION_ID}"  -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}"  amazon-arm64-nix.pkr.hcl
+          nix  run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${EXECUTION_ID}"  -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" -var "region=us-east-1" -var 'ami_regions=["us-east-1"]' amazon-arm64-nix.pkr.hcl
 
       - name: Build AMI stage 2
         env:
@@ -105,7 +105,7 @@ jobs:
           GIT_SHA=${{github.sha}}
           nix  run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl
           POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }}
-          nix  run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${EXECUTION_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
+          nix  run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${EXECUTION_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "region=us-east-1" -var 'ami_regions=["us-east-1"]' stage2-nix-psql.pkr.hcl
 
       - name: Grab release version
         id: process_release_version
@@ -184,9 +184,9 @@ jobs:
       - name: Cleanup resources after build
         if: ${{ always() }}
         run: |
-          aws ec2 describe-instances --filters "Name=tag:packerExecutionId,Values=${EXECUTION_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -r aws ec2 terminate-instances --instance-ids
+          aws ec2 --region us-east-1 describe-instances --filters "Name=tag:packerExecutionId,Values=${EXECUTION_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -r aws ec2 terminate-instances --region us-east-1 --instance-ids
 
       - name: Cleanup resources on build cancellation
         if: ${{ cancelled() }}
         run: |
-          aws ec2 describe-instances --filters "Name=tag:packerExecutionId,Values=${EXECUTION_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -r aws ec2 terminate-instances --instance-ids
+          aws ec2 --region us-east-1 describe-instances --filters "Name=tag:packerExecutionId,Values=${EXECUTION_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -r aws ec2 terminate-instances --region us-east-1 --instance-ids

.github/workflows/check-shellscripts.yml

@@ -1,12 +1,14 @@
 name: Check shell scripts
 
 on:
-  push:
-    branches:
-      - develop
   pull_request:
+  merge_group:
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.merge_group.head_ref || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+
 permissions:
   contents: read
 

.github/workflows/ci.yml

@@ -2,10 +2,15 @@ name: Check merge requirements
 
 on:
   pull_request:
+  merge_group:
 
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   check-release-version:
     timeout-minutes: 5

.github/workflows/dockerhub-release-matrix.yml

@@ -20,9 +20,9 @@ jobs:
     outputs:
       matrix_config: ${{ steps.set-matrix.outputs.matrix_config }}
     steps:
-      - uses: DeterminateSystems/nix-installer-action@main
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+      - uses: ./.github/actions/nix-install-ephemeral
       - name: Generate build matrix
         id: set-matrix
         run: |
@@ -55,7 +55,7 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
       - name: Set PostgreSQL version environment variable
         run: echo "POSTGRES_MAJOR_VERSION=${{ matrix.version }}" >> $GITHUB_ENV
 
@@ -80,7 +80,7 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
       - run: docker context create builders
       - uses: docker/setup-buildx-action@v3
         with:
@@ -136,7 +136,7 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
       - uses: docker/setup-buildx-action@v3
       - uses: docker/login-action@v2
         with:
@@ -180,7 +180,7 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
 
       - name: Debug Input from Prepare
         run: |

.github/workflows/manual-docker-release.yml

@@ -17,7 +17,7 @@ jobs:
     outputs:
       matrix_config: ${{ steps.set-matrix.outputs.matrix_config }}
     steps:
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - name: Generate build matrix
@@ -52,7 +52,7 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
       - name: Set PostgreSQL version environment variable
         run: echo "POSTGRES_MAJOR_VERSION=${{ matrix.version }}" >> $GITHUB_ENV
 
@@ -77,7 +77,7 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
       - run: docker context create builders
       - uses: docker/setup-buildx-action@v3
         with:
@@ -145,7 +145,7 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
       - uses: docker/setup-buildx-action@v3
       - uses: docker/login-action@v2
         with:
@@ -189,7 +189,7 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
 
       - name: Debug Input from Prepare
         run: |

.github/workflows/nix-build.yml

@@ -3,9 +3,9 @@ name: Nix CI
 on:
   push:
     branches:
-      - develop
       - release/*
   pull_request:
+  merge_group:
   workflow_dispatch:
 
 permissions:
@@ -14,6 +14,10 @@ permissions:
   contents: write
   packages: write
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
   build-run-image:
     strategy:
@@ -31,54 +35,12 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
-      - name: aws-creds
-        uses: aws-actions/configure-aws-credentials@v4
-        if: ${{ github.secret_source == 'Actions' }}
+      - uses: ./.github/actions/nix-install-ephemeral
         with:
-          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
-          aws-region: "us-east-1"
-          output-credentials: true
-          role-duration-seconds: 7200
-      - name: Setup AWS credentials for Nix
-        if: ${{ github.secret_source == 'Actions' }}
-        run: |
-          sudo -H aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
-          sudo -H aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
-          sudo -H aws configure set aws_session_token $AWS_SESSION_TOKEN
-      - name: write secret key
-        # use python so we don't interpolate the secret into the workflow logs, in case of bugs
-        run: |
-          sudo mkdir -p /etc/nix
-          sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
+          push-to-cache: ${{ github.secret_source == 'Actions' && 'true' || 'false' }}
         env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
-      - name: Setup cache script
-        if: ${{ github.secret_source == 'Actions' }}
-        run: |
-          cat << 'EOF' | sudo tee /etc/nix/upload-to-cache.sh > /dev/null
-          #!/usr/bin/env bash
-          set -euf
-          export IFS=' '
-          /nix/var/nix/profiles/default/bin/nix copy --to 's3://nix-postgres-artifacts?secret-key=/etc/nix/nix-secret-key' $OUT_PATHS
-          EOF
-          sudo chmod +x /etc/nix/upload-to-cache.sh
-      - name: Install nix
-        uses: cachix/install-nix-action@v27
-        if: ${{ github.secret_source == 'Actions' }}
-        with:
-          install_url: https://releases.nixos.org/nix/nix-2.29.1/install
-          extra_nix_config: |
-            substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
-            post-build-hook = /etc/nix/upload-to-cache.sh
-      - name: Install nix
-        uses: cachix/install-nix-action@v27
-        if: ${{ github.secret_source == 'None' }}
-        with:
-          install_url: https://releases.nixos.org/nix/nix-2.29.1/install
-          extra_nix_config: |
-            substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com
-            trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
       - name: Aggressive disk cleanup for DuckDB build
         if: matrix.runner == 'macos-latest-xlarge'
         run: |
@@ -104,7 +66,8 @@ jobs:
           sudo rm -rf /tmp/* 2>/dev/null || true
           echo "=== AFTER CLEANUP ==="
           df -h
-      - name: Build psql bundle
+      - 
+        name: Build psql bundle
         run: >
           nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48" 
           -- --skip-cached --no-nom ${{ matrix.runner == 'macos-latest-xlarge' && '--max-jobs 1' || '' }}

.github/workflows/publish-migrations-staging.yml

@@ -7,7 +7,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  build:
+  release-migrations-staging:
     runs-on: blacksmith-2vcpu-ubuntu-2404-arm
     timeout-minutes: 15
     permissions:

.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: ./.github/actions/nix-install-ephemeral
 
       - name: Set PostgreSQL versions
         id: set-versions
@@ -38,7 +38,7 @@ jobs:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
-      - uses: DeterminateSystems/nix-installer-action@main  
+      - uses: ./.github/actions/nix-install-ephemeral
 
       - name: Grab release version
         id: process_release_version