Merge branch 'develop' into INDATA-211

Author: jchancojr

.github/workflows/publish-migrations-staging.yml

@@ -1,7 +1,9 @@
 name: Release Migrations - Staging
 
 on:
-  merge_group:
+  push:
+    branches:
+      - develop
   workflow_dispatch:
 
 jobs:

ansible/files/postgresql_config/supautils.conf.j2

@@ -10,7 +10,7 @@ supautils.privileged_extensions = 'address_standardizer, address_standardizer_da
 supautils.extension_custom_scripts_path = '/etc/postgresql-custom/extension-custom-scripts'
 supautils.privileged_extensions_superuser = 'supabase_admin'
 supautils.privileged_role = 'postgres'
-supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
+supautils.privileged_role_allowed_configs = 'auto_explain.*, log_lock_waits, log_min_duration_statement, log_min_messages, log_parameter_max_length, log_replication_commands, log_statement, log_temp_files, pg_net.batch_size, pg_net.ttl, pg_stat_statements.*, pgaudit.log, pgaudit.log_catalog, pgaudit.log_client, pgaudit.log_level, pgaudit.log_relation, pgaudit.log_rows, pgaudit.log_statement, pgaudit.log_statement_once, pgaudit.role, pgrst.*, plan_filter.*, safeupdate.enabled, session_replication_role, track_io_timing, wal_compression'
 supautils.reserved_memberships = 'pg_read_server_files, pg_write_server_files, pg_execute_server_program, supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, authenticator'
 supautils.reserved_roles = 'supabase_admin, supabase_auth_admin, supabase_storage_admin, supabase_read_only_user, supabase_realtime_admin, supabase_replication_admin, supabase_etl_admin, dashboard_user, pgbouncer, service_role*, authenticator*, authenticated*, anon*'
 supautils.disable_program = 'true'

ansible/tasks/test-image.yml

@@ -1,87 +1,104 @@
-# - name: Temporarily disable PG Sodium references in config
-#   become: yes
-#   become_user: postgres
-#   shell:
-#     cmd: sed -i.bak -e "s/pg_net,\ pgsodium,\ timescaledb/pg_net,\ timescaledb/g" -e "s/pgsodium.getkey_script=/#pgsodium.getkey_script=/g" /etc/postgresql/postgresql.conf
-#   when: debpkg_mode or stage2_nix
+- name: Execute tasks when (debpkg_mode or stage2_nix)
+  when:
+    - (debpkg_mode or stage2_nix)
+  block:
+    - name: Make a backup of the /etc/postgresql/postgresql.conf file
+      ansible.builtin.copy:
+        dest: '/etc/postgresql/postgresql.conf.bak'
+        src: '/etc/postgresql/postgresql.conf'
+      become: true
 
-- name: Temporarily disable PG Sodium and Supabase Vault references in config
-  become: yes
-  become_user: postgres
-  shell:
-    cmd: >
-      sed -i.bak
-      -e 's/\(shared_preload_libraries = '\''.*\)pgsodium,\(.*'\''\)/\1\2/'
-      -e 's/\(shared_preload_libraries = '\''.*\)supabase_vault,\(.*'\''\)/\1\2/'
-      -e 's/\(shared_preload_libraries = '\''.*\), *supabase_vault'\''/\1'\''/'
-      -e 's/pgsodium.getkey_script=/#pgsodium.getkey_script=/'
-      /etc/postgresql/postgresql.conf
-  when: debpkg_mode or stage2_nix
+    - name: Temporarily disable PG Sodium and Supabase Vault references in /etc/postgresql/postgresql.conf
+      ansible.builtin.replace:
+        path: '/etc/postgresql/postgresql.conf'
+        regexp: "{{ regx['in'] }}"
+        replace: "{{ regx['out'] }}"
+      become: true
+      become_user: 'postgres'
+      loop:
+        - { in: "^(shared_preload_libraries = '.*)pgsodium(.*')", out: '\1\2' }
+        - { in: "^(shared_preload_libraries = '.*)supabase_vault(.*')", out: '\1\2' }
+        - { in: "^(shared_preload_libraries = '.*)*supabase_vault(.*')", out: '\1\2' }
+        - { in: '^(pgsodium\.getkey_script=)', out: '#\1' }
+      loop_control:
+        loop_var: 'regx'
 
-- name: Verify pgsodium and vault removal from config
-  become: yes
-  become_user: postgres
-  shell:
-    cmd: |
-      FOUND=$(grep -E "shared_preload_libraries.*pgsodium|shared_preload_libraries.*supabase_vault|^pgsodium\.getkey_script" /etc/postgresql/postgresql.conf)
-      if [ ! -z "$FOUND" ]; then
-        echo "Found unremoved references:"
-        echo "$FOUND"
-        exit 1
-      fi
-  register: verify_result
-  failed_when: verify_result.rc != 0
-  when: debpkg_mode or stage2_nix
+    - name: Make sure we disabled all the things
+      ansible.builtin.lineinfile:
+        path: '/etc/postgresql/postgresql.conf'
+        regexp: "{{ regx }}"
+        state: 'absent'
+      check_mode: true
+      failed_when:
+        - (pgconf is changed) or (pgconf is failed)
+      loop:
+        - "^shared_preload_libraries = '.*pgsodium.*'"
+        - "^shared_preload_libraries = '.*supabase_vault.*'"
+        - '^pgsodium\.getkey_script='
+      loop_control:
+        loop_var: 'regx'
+      register: 'pgconf'
 
 - name: Start Postgres Database to load all extensions.
-  become: yes
-  become_user: postgres
-  shell:
+  ansible.builtin.command:
     cmd: /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data start "-o -c config_file=/etc/postgresql/postgresql.conf"
-  when: debpkg_mode
+  become: true
+  become_user: 'postgres'
+  when:
+    - debpkg_mode
 
-- name: Stop Postgres Database in stage 2
-  become: yes
-  become_user: postgres
-  shell: source /var/lib/postgresql/.bashrc &&  /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data stop
-  args:
-    executable: /bin/bash
-  environment:
-    LANG: en_US.UTF-8
-    LANGUAGE: en_US.UTF-8
-    LC_ALL: en_US.UTF-8
-    LC_CTYPE: en_US.UTF-8
-    LOCALE_ARCHIVE: /usr/lib/locale/locale-archive
-  when: stage2_nix
+- name: Execute tasks when stage2_nix
+  when:
+    - stage2_nix
+  block:
+    - name: Restart Postgres Database in stage 2 to load all extensions
+      ansible.builtin.command:
+        cmd: "/usr/lib/postgresql/bin/pg_ctl --pgdata /var/lib/postgresql/data --mode fast --options '-c config_file=/etc/postgresql/postgresql.conf' {{ ctlcmd }}"
+      become: true
+      become_user: 'postgres'
+      environment:
+        LANG: 'en_US.UTF-8'
+        LANGUAGE: 'en_US.UTF-8'
+        LC_ALL: 'en_US.UTF-8'
+        LC_CTYPE: 'en_US.UTF-8'
+        LOCALE_ARCHIVE: '/usr/lib/locale/locale-archive'
+      loop:
+        - stop
+        - start
+      loop_control:
+        loop_var: 'ctlcmd'
 
-- name: Start Postgres Database to load all extensions.
-  become: yes
-  become_user: postgres
-  shell: source /var/lib/postgresql/.bashrc &&  /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data start "-o -c config_file=/etc/postgresql/postgresql.conf"
-  args:
-    executable: /bin/bash
-  environment:
-    LANG: en_US.UTF-8
-    LANGUAGE: en_US.UTF-8
-    LC_ALL: en_US.UTF-8
-    LC_CTYPE: en_US.UTF-8
-    LOCALE_ARCHIVE: /usr/lib/locale/locale-archive
-  when: stage2_nix
+- name: Execute tasks when (debpkg_mode or stage2_nix)
+  when:
+    - (debpkg_mode or stage2_nix)
+  block:
+    - name: Re-enable PG Sodium references in /etc/postgresql/postgresql.conf
+      ansible.builtin.command:
+        cmd: mv /etc/postgresql/postgresql.conf.bak /etc/postgresql/postgresql.conf
+      become: true
+      become_user: 'postgres'
 
-- name: Re-enable PG Sodium references in config
-  become: yes
-  become_user: postgres
-  shell:
-    cmd: mv /etc/postgresql/postgresql.conf.bak /etc/postgresql/postgresql.conf
-  when: debpkg_mode or stage2_nix
+    - name: Install psycopg2
+      ansible.builtin.apt:
+        name: 'python3-psycopg2'
+        state: 'present'
+        update_cache: true
+      become: true
 
-- name: Reset db stats
-  shell: /usr/lib/postgresql/bin/psql --no-password --no-psqlrc -d postgres -h localhost -U supabase_admin -c 'SELECT pg_stat_statements_reset(); SELECT pg_stat_reset();'
-  when: debpkg_mode or stage2_nix
+    - name: Reset db stats
+      community.postgresql.postgresql_query:
+        login_db: 'postgres'
+        login_host: 'localhost'
+        login_user: 'supabase_admin'
+        query: "{{ stat_item }}"
+      loop:
+        # - 'SELECT pg_stat_statements_reset()'
+        - 'SELECT pg_stat_reset()'
+      loop_control:
+        loop_var: 'stat_item'
 
-- name: Stop Postgres Database
-  become: yes
-  become_user: postgres
-  shell:
-    cmd: /usr/lib/postgresql/bin/pg_ctl -D /var/lib/postgresql/data stop
-  when: debpkg_mode or stage2_nix
+    - name: Restart Postgres Database in stage 2 to load all extensions
+      ansible.builtin.command:
+        cmd: /usr/lib/postgresql/bin/pg_ctl --pgdata /var/lib/postgresql/data --mode fast --options '-c config_file=/etc/postgresql/postgresql.conf' stop
+      become: true
+      become_user: 'postgres'

ansible/vars.yml

@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.5.1.059-orioledb"
-  postgres17: "17.6.1.038"
-  postgres15: "15.14.1.038"
+  postgresorioledb-17: "17.5.1.064-orioledb"
+  postgres17: "17.6.1.043"
+  postgres15: "15.14.1.043"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
@@ -25,8 +25,8 @@ postgrest_release: 13.0.5
 postgrest_arm_release_checksum: sha256:7b4eafdaf76bc43b57f603109d460a838f89f949adccd02f452ca339f9a0a0d4
 postgrest_x86_release_checksum: sha256:05be2bd48abee6c1691fc7c5d005023466c6989e41a4fc7d1302b8212adb88b5
 
-gotrue_release: 2.180.0
-gotrue_release_checksum: sha1:386c1fb6be075004091b2fbd8662dc9dcdc7af04
+gotrue_release: 2.182.1
+gotrue_release_checksum: sha1:38a12109ad62df32460d88e4c7b2a475b88e7865
 
 aws_cli_release: 2.23.11
 
@@ -53,7 +53,7 @@ postgres_exporter_release_checksum:
   arm64: sha256:29ba62d538b92d39952afe12ee2e1f4401250d678ff4b354ff2752f4321c87a0
   amd64: sha256:cb89fc5bf4485fb554e0d640d9684fae143a4b2d5fa443009bd29c59f9129e84
 
-adminapi_release: "0.92.2"
+adminapi_release: "0.93.0"
 adminmgr_release: "0.32.1"
 supabase_admin_agent_release: 1.4.38
 supabase_admin_agent_splay: 30s

migrations/README.md

@@ -102,7 +102,12 @@ dbmate --migrations-dir="migrations/db/migrations" new '<some message>'
 Then, execute the migration at `./migrations/db/xxxxxxxxx_<some_message>` and make sure it runs successfully with:
 
 ```shell
-dbmate --no-dump-schema --migrations-dir"migrations/db/migrations" up
+# Make sure DATABASE_URL is set, or use the -u flag to specify the database connection
+# Example with DATABASE_URL:
+dbmate --no-dump-schema --migrations-dir="migrations/db/migrations" up
+
+# Or with -u flag:
+dbmate --no-dump-schema --migrations-dir="migrations/db/migrations" -u "postgres://supabase_admin:postgres@localhost:5435/postgres?sslmode=disable" up
 ```
 
 Note: Migrations are applied using the `supabase_admin` superuser role, as specified in the "How it was Created" section above.

migrations/db/migrations/20251105172723_grant_pg_reload_conf_to_postgres.sql

@@ -0,0 +1,5 @@
+-- migrate:up
+grant execute on function pg_catalog.pg_reload_conf() to postgres with grant option;
+
+-- migrate:down
+

nix/ext/pg_tle.nix

@@ -1,45 +1,111 @@
 {
   lib,
   stdenv,
+  buildEnv,
   fetchFromGitHub,
   postgresql,
   flex,
   openssl,
   libkrb5,
 }:
-
-stdenv.mkDerivation rec {
+let
   pname = "pg_tle";
-  version = "1.4.0";
+  build =
+    version: hash:
+    stdenv.mkDerivation rec {
+      inherit pname version;
 
-  nativeBuildInputs = [ flex ];
-  buildInputs = [
-    openssl
-    postgresql
-    libkrb5
-  ];
+      nativeBuildInputs = [ flex ];
+      buildInputs = [
+        openssl
+        postgresql
+        libkrb5
+      ];
 
-  src = fetchFromGitHub {
-    owner = "aws";
-    repo = pname;
-    rev = "refs/tags/v${version}";
-    hash = "sha256-crxj5R9jblIv0h8lpqddAoYe2UqgUlnvbOajKTzVces=";
-  };
+      src = fetchFromGitHub {
+        owner = "aws";
+        repo = pname;
+        rev = "refs/tags/v${version}";
+        inherit hash;
+      };
+
+      makeFlags = [ "FLEX=flex" ];
+
+      installPhase = ''
 
-  makeFlags = [ "FLEX=flex" ];
+        mkdir -p $out/{lib,share/postgresql/extension}
 
-  installPhase = ''
-    mkdir -p $out/{lib,share/postgresql/extension}
+        mv ${pname}${postgresql.dlSuffix} $out/lib/${pname}-${version}${postgresql.dlSuffix}
 
-    cp *${postgresql.dlSuffix}      $out/lib
-    cp *.sql     $out/share/postgresql/extension
-    cp *.control $out/share/postgresql/extension
+        create_sql_files() {
+          if test -f ${pname}--${version}.sql; then
+            cp ${pname}--${version}.sql $out/share/postgresql/extension
+          fi
+          echo "Creating SQL files for previous versions..."
+          if [[ "${version}" == "${latestVersion}" ]]; then
+            cp *.sql $out/share/postgresql/extension
+          fi
+        }
+
+        create_control_files() {
+          sed -e "/^default_version =/d" \
+              -e "s|^module_pathname = .*|module_pathname = '\$libdir/${pname}'|" \
+            ${pname}.control > $out/share/postgresql/extension/${pname}--${version}.control
+
+          if [[ "${version}" == "${latestVersion}" ]]; then
+            {
+              echo "default_version = '${latestVersion}'"
+              cat $out/share/postgresql/extension/${pname}--${latestVersion}.control
+            } > $out/share/postgresql/extension/${pname}.control
+            ln -sfn ${pname}-${latestVersion}${postgresql.dlSuffix} $out/lib/${pname}${postgresql.dlSuffix}
+          fi
+        }
+
+        create_sql_files
+        create_control_files
+      '';
+
+      meta = with lib; {
+        description = "Framework for 'Trusted Language Extensions' in PostgreSQL";
+        homepage = "https://github.com/aws/${pname}";
+        license = licenses.postgresql;
+        inherit (postgresql.meta) platforms;
+      };
+    };
+  allVersions = (builtins.fromJSON (builtins.readFile ./versions.json)).${pname};
+  supportedVersions = lib.filterAttrs (
+    _: value: builtins.elem (lib.versions.major postgresql.version) value.postgresql
+  ) allVersions;
+  versions = lib.naturalSort (lib.attrNames supportedVersions);
+  latestVersion = lib.last versions;
+  numberOfVersions = builtins.length versions;
+  packages = builtins.attrValues (
+    lib.mapAttrs (name: value: build name value.hash) supportedVersions
+  );
+in
+buildEnv {
+  name = pname;
+  paths = packages;
+  pathsToLink = [
+    "/lib"
+    "/share/postgresql/extension"
+  ];
+  postBuild = ''
+    # checks
+    (set -x
+       test "$(ls -A $out/lib/${pname}*${postgresql.dlSuffix} | wc -l)" = "${
+         toString (numberOfVersions + 1)
+       }"
+    )
   '';
 
-  meta = with lib; {
-    description = "Framework for 'Trusted Language Extensions' in PostgreSQL";
-    homepage = "https://github.com/aws/${pname}";
-    platforms = postgresql.meta.platforms;
-    license = licenses.postgresql;
+  passthru = {
+    inherit versions numberOfVersions;
+    pname = "${pname}-all";
+    defaultSettings = {
+      shared_preload_libraries = [ "pg_tle" ];
+    };
+    version =
+      "multi-" + lib.concatStringsSep "-" (map (v: lib.replaceStrings [ "." ] [ "-" ] v) versions);
   };
 }