ci: add a composite action for security scanners

Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>

.github/actions/generate-catalogs/action.yml

@@ -26,7 +26,7 @@ runs:
     - name: Set up Python
       uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
       with:
-        python-version: 3.13
+        python-version: 3.14
 
     - name: Install Python dependencies
       shell: bash

.github/actions/security-scans/README.md

@@ -0,0 +1,71 @@
+# Security Scans Action
+
+This composite GitHub Action wraps all the security scanners used to
+analyze CloudNativePG container images.
+
+---
+
+## Requirements
+
+This composite action relies on the calling workflow’s `GITHUB_TOKEN`.
+Make sure your calling workflow includes:
+
+```
+permissions:
+  contents: read
+  packages: read
+  security-events: write      # required for SARIF upload
+```
+
+---
+
+## Security scanners
+
+- [Dockle](https://github.com/goodwithtech/dockle):
+  - Best-practice and configuration checks.
+
+- [Snyk](https://github.com/snyk/actions):
+  - Detects vulnerabilities in OS packages, libraries, and dependencies.
+  - Generates a `snyk.sarif` that gets uploaded to GitHub Code Scanning
+
+---
+
+## Inputs
+
+| Name             | Description                                        | Required  | Default        |
+| ---------------- | -------------------------------------------------- | --------- | -------------- |
+| `image`          | The image to scan (e.g. `ghcr.io/org/image:tag`)   | ✅ Yes    | —              |
+| `registry_user`  | The user used to pull the image                    | ✅ Yes    | —              |
+| `registry_token` | The token used to pull the image                   | ✅ Yes    | —              |
+| `snyk_token`     | The Snyk authentication token                      | ❌ No     | —              |
+| `dockerfile`     | Path to the image’s Dockerfile (for Snyk scanning) | ❌ No     | `./Dockerfile` |
+
+Note:
+- If a `snyk_token` is not provided, Snyk scans won't be performed.
+- The `dockerfile` path is currently only required by Snyk.
+
+---
+
+## Usage
+
+Example workflow:
+
+```
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@v5
+      - name: Security checks
+        uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
+        with:
+          image: ghcr.io/org/image:tag
+          registry_user: ${{ github.actor }}
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
+          snyk_token: ${{ secrets.SNYK_TOKEN }}
+          dockerfile: "./Dockerfile"
+```

.github/actions/security-scans/action.yml

@@ -0,0 +1,64 @@
+name: Security Scans
+description: Security Scans
+inputs:
+  image:
+    description: "The image to scan"
+    required: true
+  registry_user:
+    description: "The user used to pull the image"
+    required: true
+  registry_token:
+    description: "The token used to pull the image"
+    required: true
+  snyk_token:
+    description: "The snyk authentication token"
+    required: false
+  dockerfile:
+    description: "The image's Dockerfile"
+    required: false
+    default: './Dockerfile'
+
+runs:
+  using: composite
+  steps:
+    - name: Log in to the GitHub Container registry
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+      with:
+        registry: ghcr.io
+        username: ${{ inputs.registry_user }}
+        password: ${{ inputs.registry_token }}
+
+    - name: Dockle
+      uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
+      with:
+        image: "${{ inputs.image }}"
+        exit-code: '1'
+        failure-threshold: WARN
+        accept-keywords: key
+        accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
+
+    - name: Snyk
+      uses: snyk/actions/docker@master
+      id: snyk
+      if: ${{ inputs.snyk_token != '' }}
+      # Snyk can be used to break the build when it detects vulnerabilities.
+      # In this case we want to upload the issues to GitHub Code Scanning.
+      continue-on-error: true
+      env:
+        SNYK_TOKEN: ${{ inputs.snyk_token }}
+      with:
+        image: "${{ inputs.image }}"
+        args: --severity-threshold=high --file=${{ inputs.dockerfile }}
+
+    - name: Replace sarif security-severity invalid values
+      if: ${{ steps.snyk.conclusion == 'success' }}
+      shell: bash
+      run: |
+        sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
+        sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
+
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
+      if: ${{ steps.snyk.conclusion == 'success' }}
+      with:
+        sarif_file: snyk.sarif

.github/workflows/bake.yml

@@ -51,6 +51,8 @@ jobs:
     with:
       environment: ${{ github.event.inputs.environment }}
       postgresql_version: ${{ matrix.version }}
+    secrets:
+      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
 
   Catalogs:
     name: Update Catalogs
@@ -63,6 +65,6 @@ jobs:
       ( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
     steps:
        - name: Repository Dispatch
-         uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
+         uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4
          with:
            event-type: update-catalogs

.github/workflows/bake_targets.yml

@@ -29,6 +29,9 @@ on:
           `source` directory.
         required: false
         type: string
+    secrets:
+      SNYK_TOKEN:
+        required: false
 
 permissions: {}
 
@@ -74,7 +77,7 @@ jobs:
           echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
 
       - name: Log in to the GitHub Container registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -140,36 +143,14 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
-      - name: Log in to the GitHub Container registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Dockle
-        uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
-        with:
-          image: ${{ matrix.image }}
-          exit-code: '1'
-          failure-threshold: WARN
-          accept-keywords: key
-          accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py
-
-      - name: Snyk
-        uses: snyk/actions/docker@master
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - name: Security checks
+        uses: ./.github/actions/security-scans
         with:
           image: "${{ matrix.image }}"
-          args: --severity-threshold=high --file=Dockerfile
-
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3
-        continue-on-error: true
-        with:
-          sarif_file: snyk.sarif
+          registry_user: ${{ github.actor }}
+          registry_token: ${{ secrets.GITHUB_TOKEN }}
+          snyk_token: ${{ secrets.SNYK_TOKEN }}
+          dockerfile: "./Dockerfile"
 
   # Use the metadata generated in the `testbuild` step to find all the images
   # that have been built. We copy them one by one to the production registry
@@ -191,7 +172,7 @@ jobs:
       id-token: write
     steps:
       - name: Log in to the GitHub Container registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

Debian/ClusterImageCatalog-bookworm.yaml

@@ -6,17 +6,19 @@ metadata:
     images.cnpg.io/family: postgresql
     images.cnpg.io/type: system
     images.cnpg.io/os: bookworm
-    images.cnpg.io/date: '20250923'
+    images.cnpg.io/date: '20251013'
     images.cnpg.io/publisher: cnpg.io
 spec:
   images:
     - major: 13
-      image: ghcr.io/cloudnative-pg/postgresql:13.22-202509220807-system-bookworm@sha256:b4a1e2d577546d32e82d44168e6977b3d4b0a4765bb4a7482e353f99ec49216a
+      image: ghcr.io/cloudnative-pg/postgresql:13.22-202510130807-system-bookworm@sha256:8960f067c4e5c633e5deff50f781957ca4579d72d275739c586befe9d05d444c
     - major: 14
-      image: ghcr.io/cloudnative-pg/postgresql:14.19-202509220807-system-bookworm@sha256:fb3a27a77364017ec604a24f19def5124b945e6e45cb4613455f0aee3e15cc47
+      image: ghcr.io/cloudnative-pg/postgresql:14.19-202510130807-system-bookworm@sha256:b020285c14e795e262760e5e2c8111769788a7da45e8ee9d1af10ed7a5b66cab
     - major: 15
-      image: ghcr.io/cloudnative-pg/postgresql:15.14-202509220807-system-bookworm@sha256:fbdf4141d38d6c70e6ab10a2d6ab6b7a5853b62fa1bba78b4353032e0b345740
+      image: ghcr.io/cloudnative-pg/postgresql:15.14-202510130807-system-bookworm@sha256:06096a05e7216ada6eafe2e72e7cae1a9d2e57561541caecfcdfcecb4bd03df3
     - major: 16
-      image: ghcr.io/cloudnative-pg/postgresql:16.10-202509220807-system-bookworm@sha256:41561360238d5fb7a85e2b1d75f1e5d626be37b94a01306432ad7f94cf542dc4
+      image: ghcr.io/cloudnative-pg/postgresql:16.10-202510130807-system-bookworm@sha256:830b0a2d5b616b06cbb4f594453dc20bafadeb3f1c48441668e9c7e088b0c7d1
     - major: 17
-      image: ghcr.io/cloudnative-pg/postgresql:17.6-202509220807-system-bookworm@sha256:b931f2c7d6e259c1448a88486912da2a3e4039e13c9099e3c09a54cbb25a36cf
+      image: ghcr.io/cloudnative-pg/postgresql:17.6-202510130807-system-bookworm@sha256:71f14116070ce91762198fac8504daee954e75d5d0685363f7844309555130e6
+    - major: 18
+      image: ghcr.io/cloudnative-pg/postgresql:18.0-202510130807-system-bookworm@sha256:12707396990ac3ad9767404180f36ea4998761483365938db1f3a8050b50effb

Debian/ClusterImageCatalog-bullseye.yaml

@@ -6,17 +6,19 @@ metadata:
     images.cnpg.io/family: postgresql
     images.cnpg.io/type: system
     images.cnpg.io/os: bullseye
-    images.cnpg.io/date: '20250923'
+    images.cnpg.io/date: '20251013'
     images.cnpg.io/publisher: cnpg.io
 spec:
   images:
     - major: 13
-      image: ghcr.io/cloudnative-pg/postgresql:13.22-202509220807-system-bullseye@sha256:16323ff5e13f568c943720756ebc59d162adff4a4f9349038ae1796f757448c8
+      image: ghcr.io/cloudnative-pg/postgresql:13.22-202510130807-system-bullseye@sha256:da485ff71aaa4ff044071af2eb91b18eff65a3befacb988af73b8096ffdc5837
     - major: 14
-      image: ghcr.io/cloudnative-pg/postgresql:14.19-202509220807-system-bullseye@sha256:f74e898ab8ef56d2b9cd259871eef9415b8b3dbdc5c916315073cd2144e89d28
+      image: ghcr.io/cloudnative-pg/postgresql:14.19-202510130807-system-bullseye@sha256:bdc36b98eb96d0f613fb4570460c57ee27114d2bbfe126d9f29b51766b9ca37e
     - major: 15
-      image: ghcr.io/cloudnative-pg/postgresql:15.14-202509220807-system-bullseye@sha256:041340459b4d3ebdaffd55fd2296ca01992fb467301b505bb19b8689434b42a8
+      image: ghcr.io/cloudnative-pg/postgresql:15.14-202510130807-system-bullseye@sha256:15661a17359d2ff46961e03a2a6593d58c779624ba5e684780111c09291b49c8
     - major: 16
-      image: ghcr.io/cloudnative-pg/postgresql:16.10-202509220807-system-bullseye@sha256:9746b62a5f1981533dd475ebc1bd8c7740b8dc8c60fa06db0407c6c6c1254fed
+      image: ghcr.io/cloudnative-pg/postgresql:16.10-202510130807-system-bullseye@sha256:697e6d8e15ace744fe3b0035d4ea633d3a2b2e59138e8a0481014e924dd1b4d4
     - major: 17
-      image: ghcr.io/cloudnative-pg/postgresql:17.6-202509220807-system-bullseye@sha256:b9763f1137de625622dab2a4b94a456c5a6587d0444885b282d9c222370b3955
+      image: ghcr.io/cloudnative-pg/postgresql:17.6-202510130807-system-bullseye@sha256:b7f2855c5a419249e30d64616da38cbb7ed3397a21cb115a581a02da8cb21ee0
+    - major: 18
+      image: ghcr.io/cloudnative-pg/postgresql:18.0-202510130807-system-bullseye@sha256:5f67a8c8ae429c8af5692024ad58408a3f70223bf5d1cb9f9dbc36dcead88919

README.md

@@ -18,14 +18,13 @@ This repository provides maintenance scripts for generating
 
 | Version | Release Date | EOL        |
 |:-------:|:------------:|:----------:|
+|    18   | 2025-09-25   | 2030-11-14 |
 |    17   | 2024-09-26   | 2029-11-08 |
 |    16   | 2023-09-14   | 2028-11-09 |
 |    15   | 2022-10-13   | 2027-11-11 |
 |    14   | 2021-09-30   | 2026-11-12 |
 |    13   | 2020-09-24   | 2025-11-13 |
 
-In addition, PostgreSQL 18 RC1 is provided for testing purposes only.
-
 These images are designed to serve as operands of the
 [CloudNativePG (CNPG) operator](https://cloudnative-pg.io) in Kubernetes
 environments, and are not intended for standalone use.

docker-bake.hcl

@@ -34,7 +34,6 @@ postgreSQLVersions = [
 // Preview versions are automatically filtered out if present in the stable list
 // MANUALLY EDIT THE CONTENT - AND UPDATE THE README.md FILE TOO
 postgreSQLPreviewVersions = [
-  "18~rc1",
 ]
 
 // Barman version to build
@@ -59,11 +58,11 @@ target "default" {
     pgVersion = getPgVersions(postgreSQLVersions, postgreSQLPreviewVersions)
     base = [
       // renovate: datasource=docker versioning=loose
-      "debian:trixie-slim@sha256:c2880112cc5c61e1200c26f106e4123627b49726375eb5846313da9cca117337",
+      "debian:trixie-slim@sha256:1caf1c703c8f7e15dcf2e7769b35000c764e6f50e4d7401c355fb0248f3ddfdb",
       // renovate: datasource=docker versioning=loose
-      "debian:bookworm-slim@sha256:df52e55e3361a81ac1bead266f3373ee55d29aa50cf0975d440c2be3483d8ed3",
+      "debian:bookworm-slim@sha256:7e490910eea2861b9664577a96b54ce68ea3e02ce7f51d89cb0103a6f9c386e0",
       // renovate: datasource=docker versioning=loose
-      "debian:bullseye-slim@sha256:6d3c63184632046054ae709964befc943ecffa140adc697ca955a10002a79c08"
+      "debian:bullseye-slim@sha256:f807f4b16002c623115b0247dca6a55711c6b1ae821dc64fb8a2339e4ce2115d"
     ]
   }
   platforms = [