chore: add system images to docker-bake.hcl (#282)

This change extends the bake build process by introducing the system image flavour. The system image is derived from the existing standard image and includes Barman Cloud support. Closes #283 Closes #286 Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com> Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com> Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com> Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com> Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com> Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com> Co-authored-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
2025-09-08 12:07:22 +02:00
parent 3ea082111e
commit fdc8010750
6 changed files with 173 additions and 67 deletions
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -0,0 +1,53 @@
+name: Bake Images
+
+on:
+  schedule:
+    # Build images once a week, on Mondays
+    - cron: 0 8 * * 1
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        options:
+          - testing
+          - production
+        default: testing
+        description: "Choose the environment to bake the target for"
+
+permissions: {}
+
+jobs:
+  get_versions:
+    name: Get PostgreSQL versions
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    outputs:
+      versions: ${{ steps.get_versions.outputs.versions }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - name: Get supported PostgreSQL versions
+        id: get_versions
+        run: |
+          VERSIONS="$(sed -n '/postgreSQLVersions = \[/,/\]/ s/.*"\(.*\)\..*".*/\"\1\"/p' docker-bake.hcl | xargs echo | tr ' ' ',')"
+          echo "PostgreSQL versions: [$VERSIONS]"
+          echo "versions=[$VERSIONS]" >> "$GITHUB_OUTPUT"
+
+  Bake:
+    name: Bake
+    needs: get_versions
+    permissions:
+      packages: write
+      contents: read
+      id-token: write
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        version: ${{ fromJson(needs.get_versions.outputs.versions) }}
+    uses: ./.github/workflows/bake_targets.yml
+    with:
+      environment: ${{ github.event.inputs.environment }}
+      postgresql_version: ${{ matrix.version }}
--- a/.github/workflows/bake_targets.yml
+++ b/.github/workflows/bake_targets.yml
@@ -1,33 +1,28 @@
-name: Bake images
+name: Build target images

 on:
-  schedule:
-    - cron: 0 8 * * 1
-  workflow_dispatch:
+  workflow_call:
    inputs:
      environment:
-        type: choice
-        options:
-          - testing
-          - production
-        default: testing
-        description: "Choose the environment to bake the images for"
-      target:
+        description: "The environment to build for"
+        required: true
+        type: string
+        default: "testing"
+      postgresql_version:
+        description: "The PostgreSQL major version to bake"
+        required: true
        type: string
-        default: ""
-        description: "A comma separated list of targets to build. If empty, all targets will be built."

-permissions: read-all
+permissions: {}

 jobs:
-  # Start by building images for testing. We want to run security checks before pushing those to production.
  testbuild:
-    name: Build for testing
-    runs-on: ubuntu-latest
+    # Start by building images for testing. We want to run security checks before pushing those to production.
+    name: PostgreSQL ${{ inputs.postgresql_version }}
+    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write
-      security-events: write
      # Required by the cosign step
      id-token: write
    outputs:
@@ -37,6 +32,19 @@ jobs:
      - name: Checkout Code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

+      - name: List targets
+        id: targets
+        uses: docker/bake-action/subaction/matrix@v6
+        with:
+          target: "default"
+
+      - name: Filter by versions
+        id: extract_targets
+        run: |
+          target=$(echo '${{ steps.targets.outputs.matrix }}' | jq -r '.[] | .[] | select(match("${{ inputs.postgresql_version }}"))' | xargs echo | sed 's/ /,/g')
+          echo "Targets for PostgreSQL ${{ inputs.postgresql_version }}: $target"
+          echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
+
      - name: Log in to the GitHub Container registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
        with:
@@ -63,7 +71,7 @@ jobs:
          revision: ${{ github.sha }}
        with:
          push: true
-          targets: ${{ github.event.inputs.target }}
+          targets: ${{ steps.extract_targets.outputs.filtered_targets }}

      # Get a list of the images that were built and pushed. We only care about a single tag for each image.
      - name: Generated images
@@ -86,6 +94,10 @@ jobs:
  security:
    name: Security checks
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
    needs:
      - testbuild
    strategy:
@@ -107,6 +119,9 @@ jobs:
        with:
          image: ${{ matrix.image }}
          exit-code: '1'
+          failure-threshold: WARN
+          accept-keywords: key
+          accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py

      - name: Snyk
        uses: snyk/actions/docker@master