Merge branch 'develop' into or/pgmq-upgrade-seqs

Author: soedirgo

.envrc.recommended

@@ -0,0 +1,3 @@
+watch_file nix/devShells.nix
+
+use flake

.github/CODEOWNERS

@@ -1,4 +1,4 @@
-* @supabase/backend
-migrations/ @supabase/cli @supabase/backend
+* @supabase/backend @supabase/postgres
+migrations/ @supabase/dev-workflows @supabase/postgres @supabase/backend
 docker/orioledb @supabase/postgres @supabase/backend
 common.vars.pkr.hcl @supabase/postgres @supabase/backend

.github/actions/shared-checkout/action.yml

@@ -0,0 +1,12 @@
+name: Checkout
+description: Checkout repository for pull requests and branches
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+      with:
+        repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+        ref: ${{ github.event.pull_request.head.sha || github.sha }}
+        fetch-depth: 0
+        fetch-tags: true

.github/workflows/ami-release-nix-single.yml

@@ -0,0 +1,152 @@
+name: Release Single AMI Nix
+
+on:
+  workflow_dispatch:
+    inputs:
+      postgres_version:
+        description: 'PostgreSQL major version to build (e.g. 15)'
+        required: true
+        type: string
+      branch:
+        description: 'Branch to run the workflow from'
+        required: true
+        type: string
+        default: 'main'
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  build:
+    runs-on: large-linux-arm
+    timeout-minutes: 150
+
+    steps:
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+        with:
+          ref: ${{ github.event.inputs.branch }}
+      - name: aws-creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+          aws-region: "us-east-1"
+          output-credentials: true
+          role-duration-seconds: 7200
+
+      - name: Get current branch SHA
+        id: get_sha
+        run: |
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+
+      - uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Set PostgreSQL version environment variable
+        run: echo "POSTGRES_MAJOR_VERSION=${{ github.event.inputs.postgres_version }}" >> $GITHUB_ENV
+
+      - name: Generate common-nix.vars.pkr.hcl
+        run: |
+          PG_VERSION=$(nix run nixpkgs#yq -- '.postgres_release["postgres'${{ env.POSTGRES_MAJOR_VERSION }}'"]' ansible/vars.yml)
+          PG_VERSION=$(echo "$PG_VERSION" | tr -d '"')  # Remove any surrounding quotes
+          echo 'postgres-version = "'$PG_VERSION'"' > common-nix.vars.pkr.hcl
+          # Ensure there's a newline at the end of the file
+          echo "" >> common-nix.vars.pkr.hcl
+
+      - name: Build AMI stage 1
+        env:
+          POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
+        run: |
+          packer init amazon-arm64-nix.pkr.hcl
+          GIT_SHA=${{ steps.get_sha.outputs.sha }}
+          packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}"  -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}"  amazon-arm64-nix.pkr.hcl
+
+      - name: Build AMI stage 2
+        env:
+          POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
+        run: |
+          packer init stage2-nix-psql.pkr.hcl
+          GIT_SHA=${{ steps.get_sha.outputs.sha }}
+          POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }}
+          packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
+
+      - name: Grab release version
+        id: process_release_version
+        run: |
+          VERSION=$(cat common-nix.vars.pkr.hcl | sed -e 's/postgres-version = "\(.*\)"/\1/g')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Create nix flake revision tarball
+        run: |
+          GIT_SHA=${{ steps.get_sha.outputs.sha }}
+          MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }}
+
+          mkdir -p "/tmp/pg_upgrade_bin/${MAJOR_VERSION}"
+          echo "$GIT_SHA" >> "/tmp/pg_upgrade_bin/${MAJOR_VERSION}/nix_flake_version"
+          tar -czf "/tmp/pg_binaries.tar.gz" -C "/tmp/pg_upgrade_bin" .
+
+      - name: configure aws credentials - staging
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+          aws-region: "us-east-1"
+
+      - name: Upload software manifest to s3 staging
+        run: |
+          cd ansible
+          ansible-playbook -i localhost \
+            -e "ami_release_version=${{ steps.process_release_version.outputs.version }}" \
+            -e "internal_artifacts_bucket=${{ secrets.ARTIFACTS_BUCKET }}" \
+            -e "postgres_major_version=${{ env.POSTGRES_MAJOR_VERSION }}" \
+            manifest-playbook.yml
+
+      - name: Upload nix flake revision to s3 staging
+        run: |
+          aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz
+
+      - name: configure aws credentials - prod
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.PROD_AWS_ROLE }}
+          aws-region: "us-east-1"
+
+      - name: Upload software manifest to s3 prod
+        run: |
+          cd ansible
+          ansible-playbook -i localhost \
+            -e "ami_release_version=${{ steps.process_release_version.outputs.version }}" \
+            -e "internal_artifacts_bucket=${{ secrets.PROD_ARTIFACTS_BUCKET }}" \
+            -e "postgres_major_version=${{ env.POSTGRES_MAJOR_VERSION }}" \
+            manifest-playbook.yml
+    
+      - name: Upload nix flake revision to s3 prod
+        run: |
+          aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/20.04.tar.gz
+
+      - name: Create release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: ${{ steps.process_release_version.outputs.version }}
+          tag_name: ${{ steps.process_release_version.outputs.version }}
+          target_commitish: ${{ steps.get_sha.outputs.sha }}
+
+      - name: Slack Notification on Failure
+        if: ${{ failure() }}
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK }}
+          SLACK_USERNAME: 'gha-failures-notifier'
+          SLACK_COLOR: 'danger'
+          SLACK_MESSAGE: 'Building Postgres AMI failed'
+          SLACK_FOOTER: ''
+
+      - name: Cleanup resources after build
+        if: ${{ always() }}
+        run: |
+          aws ec2 describe-instances --filters "Name=tag:packerExecutionId,Values=${GITHUB_RUN_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -r aws ec2 terminate-instances --instance-ids
+
+      - name: Cleanup resources on build cancellation
+        if: ${{ cancelled() }}
+        run: |
+          aws ec2 describe-instances --filters "Name=tag:packerExecutionId,Values=${GITHUB_RUN_ID}" --query "Reservations[].Instances[].InstanceId" --output text | xargs -r aws ec2 terminate-instances --instance-ids 
+

.github/workflows/ami-release-nix.yml

@@ -11,15 +11,19 @@ on:
       - 'ansible/vars.yml'
   workflow_dispatch:
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   prepare:
-    runs-on: ubuntu-latest
+    runs-on: large-linux-x86
     outputs:
       postgres_versions: ${{ steps.set-versions.outputs.postgres_versions }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
-      
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
       - uses: DeterminateSystems/nix-installer-action@main
 
       - name: Set PostgreSQL versions
@@ -34,29 +38,27 @@ jobs:
       matrix:
         postgres_version: ${{ fromJson(needs.prepare.outputs.postgres_versions) }}
         include:
-          - runner: arm-runner
-            arch: arm64
-            ubuntu_release: focal
-            ubuntu_version: 20.04
-            mcpu: neoverse-n1
+          - runner: large-linux-arm
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 150
-    permissions:
-      contents: write
-      packages: write
-      id-token: write
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
-
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+      - name: aws-creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
+          aws-region: "us-east-1"
+          output-credentials: true
+          role-duration-seconds: 7200
       - uses: DeterminateSystems/nix-installer-action@main
 
       - name: Run checks if triggered manually
         if: ${{ github.event_name == 'workflow_dispatch' }}
         run: |
-          SUFFIX=$(sudo nix run nixpkgs#yq -- ".postgres_release[\"postgres${{ matrix.postgres_version }}\"]" ansible/vars.yml | sed -E 's/[0-9\.]+(.*)$/\1/')
-          if [[ -z $SUFFIX ]] ; then
+          SUFFIX=$(nix run nixpkgs#yq -- ".postgres_release[\"postgres${{ matrix.postgres_version }}\"]" ansible/vars.yml | sed -E 's/[0-9\.]+(.*)$/\1/')
+          if [[ -z "$SUFFIX" ]] ; then
             echo "Version must include non-numeric characters if built manually."
             exit 1
           fi
@@ -66,8 +68,8 @@ jobs:
 
       - name: Generate common-nix.vars.pkr.hcl
         run: |
-          PG_VERSION=$(sudo nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml)
-          PG_VERSION=$(echo $PG_VERSION | tr -d '"')  # Remove any surrounding quotes
+          PG_VERSION=$(nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml)
+          PG_VERSION=$(echo "$PG_VERSION" | tr -d '"')  # Remove any surrounding quotes
           echo 'postgres-version = "'$PG_VERSION'"' > common-nix.vars.pkr.hcl
           # Ensure there's a newline at the end of the file
           echo "" >> common-nix.vars.pkr.hcl

.github/workflows/check-shellscripts.yml

@@ -7,11 +7,15 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - name: Checkout Repo
+      uses: supabase/postgres/.github/actions/shared-checkout@HEAD
     - name: Run ShellCheck
       uses: ludeeus/action-shellcheck@master
       env:

.github/workflows/ci.yml

@@ -3,13 +3,16 @@ name: Check merge requirements
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check-release-version:
     timeout-minutes: 5
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - name: Load postgres_release values
         id: load_postgres_release

.github/workflows/dockerhub-release-matrix.yml

@@ -9,16 +9,20 @@ on:
       - ".github/workflows/dockerhub-release-matrix.yml"
       - "ansible/vars.yml"
   workflow_dispatch:
- 
+
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   prepare:
-    runs-on: ubuntu-latest
+    runs-on: large-linux-x86
     outputs:
       matrix_config: ${{ steps.set-matrix.outputs.matrix_config }}
     steps:
       - uses: DeterminateSystems/nix-installer-action@main
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - name: Generate build matrix
         id: set-matrix
         run: |
@@ -45,11 +49,12 @@ jobs:
     needs: prepare
     strategy:
       matrix: ${{ fromJson(needs.prepare.outputs.matrix_config) }}
-    runs-on: ubuntu-latest
+    runs-on: large-linux-x86
     outputs:
       build_args: ${{ steps.args.outputs.result }}
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - name: Set PostgreSQL version environment variable
         run: echo "POSTGRES_MAJOR_VERSION=${{ matrix.version }}" >> $GITHUB_ENV
@@ -70,10 +75,11 @@ jobs:
       matrix:
         postgres: ${{ fromJson(needs.prepare.outputs.matrix_config).include }}
         arch: [amd64, arm64]
-    runs-on: ${{ matrix.arch == 'amd64' && 'ubuntu-latest' || 'arm-runner' }}
+    runs-on: ${{ matrix.arch == 'amd64' && 'large-linux-x86' || 'large-linux-arm' }}
     timeout-minutes: 180
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - run: docker context create builders
       - uses: docker/setup-buildx-action@v3
@@ -87,7 +93,7 @@ jobs:
         id: image
         run: |
           if [[ "${{ matrix.arch }}" == "arm64" ]]; then
-            pg_version=$(sudo nix run nixpkgs#nushell -- -c '
+            pg_version=$(nix run nixpkgs#nushell -- -c '
               let version = "${{ matrix.postgres.version }}"
               let release_key = if ($version | str contains "orioledb") {
                 $"postgresorioledb-17"
@@ -126,9 +132,10 @@ jobs:
     strategy:
       matrix:
         include: ${{ fromJson(needs.prepare.outputs.matrix_config).include }}
-    runs-on: ubuntu-latest
+    runs-on: large-linux-x86
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: docker/setup-buildx-action@v3
       - uses: docker/login-action@v2
@@ -169,9 +176,10 @@ jobs:
           ${{ steps.get_version.outputs.pg_version }}_arm64
   combine_results:
     needs: [prepare, merge_manifest]
-    runs-on: ubuntu-latest
+    runs-on: large-linux-x86
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
 
       - name: Debug Input from Prepare
@@ -233,6 +241,10 @@ jobs:
       matrix: ${{ steps.combine.outputs.matrix }}
   publish:
       needs: combine_results
+      permissions:
+        contents: read
+        packages: write
+        id-token: write
       strategy:
         matrix: ${{ fromJson(needs.combine_results.outputs.matrix) }}
       uses: ./.github/workflows/mirror.yml