Initial Commit

Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/generate-strategy.sh

@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+#
+# Given a list of PostgreSQL versions (defined as directories in the root
+# folder of the project), this script generates a JSON object that will be used
+# inside the Github workflows as a strategy to create a matrix of jobs to run.
+# The JSON object contains, for each PostgreSQL version, the tags of the
+# container image to be built.
+#
+set -eu
+
+# Define an optional aliases for some major versions
+declare -A aliases=(
+	[14]='latest'
+)
+
+cd "$(dirname "$(readlink -f "${BASH_SOURCE[0]}/..")")"
+BASE_DIRECTORY="$(pwd)"
+
+
+# Retrieve the PostgreSQL versions for Debian
+cd ${BASE_DIRECTORY}/Debian
+for version in */; do
+	[[ $version == src/ ]] && continue
+	debian_versions+=("$version")
+done
+debian_versions=("${debian_versions[@]%/}")
+
+# Sort the version numbers with highest first
+mapfile -t debian_versions < <(IFS=$'\n'; sort -rV <<< "${debian_versions[*]}")
+
+# prints "$2$1$3$1...$N"
+join() {
+	local sep="$1"
+	shift
+	local out
+	printf -v out "${sep//%/%%}%s" "$@"
+	echo "${out#$sep}"
+}
+
+entries=()
+for version in "${debian_versions[@]}"; do
+
+	# Read versions from the definition file
+	versionFile="${version}/.versions.json"
+	postgresImageVersion=$(jq -r '.POSTGRES_IMAGE_VERSION | split("-") | .[0]' "${versionFile}")
+	releaseVersion=$(jq -r '.IMAGE_RELEASE_VERSION' "${versionFile}")
+
+	# Initial aliases are "major version", "optional alias", "full version with release"
+	# i.e. "14", "latest", "14.2-1", "14.2-debian","14.2"
+	versionAliases=(
+			"${version}"
+			${aliases[$version]:+"${aliases[$version]}"}
+			"${postgresImageVersion}-${releaseVersion}"
+			"${postgresImageVersion}"
+		)
+	# Add all the version prefixes between full version and major version
+	# i.e "13.2"
+	while [ "$postgresImageVersion" != "$version" ] && [ "${postgresImageVersion%[.-]*}" != "$postgresImageVersion" ]; do
+		versionAliases+=("$postgresImageVersion-debian")
+		postgresImageVersion="${postgresImageVersion%[.-]*}"
+	done
+    # Support platform for container images
+	platforms="linux/amd64"
+
+	# Build the json entry
+	entries+=(
+		"{\"name\": \"Debian ${postgresImageVersion}\", \"platforms\": \"$platforms\", \"dir\": \"Debian/$version\", \"file\": \"Debian/$version/Dockerfile\", \"version\": \"$version\", \"tags\": [\"$(join "\", \"" "${versionAliases[@]}")\"]}"
+	)
+done
+
+# Build the strategy as a JSON object
+strategy="{\"fail-fast\": false, \"matrix\": {\"include\": [$(join ', ' "${entries[@]}")]}}"
+jq -C . <<<"$strategy" # sanity check / debugging aid
+echo "::set-output name=strategy::$(jq -c . <<<"$strategy")"

.github/workflows/build.yml

@@ -0,0 +1,95 @@
+name: Continuous Delivery
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  IMAGE_STAGING: cloudnative-pg/postgresql-testing
+  IMAGE_RELEASE: cloudnative-pg/postgresql
+
+jobs:
+  generate-jobs:
+    name: Generate Jobs
+    runs-on: ubuntu-20.04
+    outputs:
+      strategy: ${{ steps.generate-jobs.outputs.strategy }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+      - name: Generate Jobs
+        id: generate-jobs
+        shell: bash
+        run: |
+          bash .github/generate-strategy.sh
+
+  build:
+    needs: generate-jobs
+    strategy: ${{ fromJson(needs.generate-jobs.outputs.strategy) }}
+    name: ${{ matrix.name }}
+    runs-on: ubuntu-20.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v3
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v1.2.0
+
+    - name: Docker meta
+      id: docker-meta
+      env:
+        TAGS: ${{ toJson(matrix.tags) }}
+      run: |
+        RESULT=""
+        for tag in $(jq -r '.[]' <<< "${TAGS}")
+        do
+          RESULT="${RESULT},ghcr.io/${IMAGE_STAGING}:${tag}"
+          # If we are running the pipeline in the main branch images are pushed in both -testing and PROD repo
+          if [ "${GITHUB_REF#refs/heads/}" == main ]
+          then
+            RESULT="${RESULT},ghcr.io/${IMAGE_RELEASE}:${tag}"
+          fi
+        done
+        echo "::set-output name=tags::${RESULT%,}"
+
+    - name: Set up Docker Buildx
+      id: buildx
+      uses: docker/setup-buildx-action@v1.6.0
+
+    - name: Log in to the GitHub Container registry
+      uses: docker/login-action@v1.14.1
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and load
+      uses: docker/build-push-action@v2.10.0
+      with:
+        context: ${{ matrix.dir }}
+        file: ${{ matrix.file }}
+        push: false
+        load: true
+        tags: ${{ steps.docker-meta.outputs.tags }}
+
+    - name: Dockle scan
+      uses: erzz/dockle-action@v1.2.0
+      with:
+        image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ matrix.tags[0] }}"
+        exit-code: '1'
+        failure-threshold: WARN
+        accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key
+
+    - name: Build and push
+      uses: docker/build-push-action@v2.10.0
+      with:
+        context: ${{ matrix.dir }}
+        file: ${{ matrix.file }}
+        platforms: ${{ matrix.platforms }}
+        push: true
+        tags: ${{ steps.docker-meta.outputs.tags }}

.github/workflows/update.yml

@@ -0,0 +1,54 @@
+name: Automatic Updates
+
+on:
+  schedule:
+    - cron: 0 0 * * *
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.REPO_GHA_PAT }}
+      - name: Run update script
+        uses: nick-fields/retry@v2.6.0
+        with:
+          timeout_minutes: 15
+          max_attempts: 3
+          command: |
+            # pip-tools provides pip-compile used by update.sh
+            pip3 install --upgrade pip-tools
+            export PATH=$HOME/.local/bin:$PATH
+            echo "Updating Debian images"
+            ./Debian/update.sh
+      - name: Diff
+        run: |
+          git status
+          git diff
+      - name: Temporarily disable "include administrators" branch protection
+        if: ${{ always() && github.ref == 'refs/heads/main' }}
+        id: disable_include_admins
+        uses: benjefferies/branch-protection-bot@1.0.7
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: false
+      - uses: EndBug/add-and-commit@v9
+        id: commit
+        with:
+          author_name: EnterpriseDB Automated Updates
+          author_email: noreply@enterprisedb.com
+          message: 'Daily automatic update'
+      - name: Enable "include administrators" branch protection
+        uses: benjefferies/branch-protection-bot@1.0.7
+        if: ${{ always() && github.ref == 'refs/heads/main' }}
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}