marko/cnpg-postgres-containers
1
0
Fork 0
forked from repo-mirrors/cnpg-postgres-containers
Code Pull Requests Actions Activity

Compare commits

merge into: marko:dev/209
Branches Tags
marko:main marko:renovate/barman-3.x marko:dev/340 marko:dev/security-scan-action marko:dev/209 marko:dev/290 marko:dev/upload marko:dev/improve-readme
...
pull from: marko:main
Branches Tags
marko:renovate/barman-3.x marko:main marko:dev/340 marko:dev/security-scan-action marko:dev/209 marko:dev/290 marko:dev/upload marko:dev/improve-readme

15 Commits
dev/209 ... main

Author SHA1 Message Date
Gabriele Bartolini
6fbb0e5aa1 fix(docs): instructions for SBOMs inspection (#342) 
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
 2025-10-14 15:42:09 +02:00
renovate[bot]
15b9d07bdf chore(deps): update github/codeql-action digest to f443b60 (#335) 2025-10-13 16:20:29 +02:00
renovate[bot]
9ee71b4889 chore(deps): update dependency python to 3.14 (#336) 2025-10-13 16:12:31 +02:00
CloudNativePG Automated Updates
817bb9be04 chore: update imageCatalogs 2025-10-13 08:36:32 +00:00
renovate[bot]
073cdda5e6 chore(deps): update github/codeql-action action to v4 (#337) 
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
 2025-10-09 11:32:26 +02:00
renovate[bot]
a64506b57a chore(deps): update github/codeql-action digest to 64d10c1 (#334) 2025-10-07 13:13:49 +02:00
renovate[bot]
b80307424a chore(deps): update peter-evans/repository-dispatch action to v4 (#333) 2025-10-07 13:12:48 +02:00
CloudNativePG Automated Updates
8bffe4b142 chore: update imageCatalogs 2025-10-06 08:34:20 +00:00
CloudNativePG Automated Updates
3123e46bbf chore: update imageCatalogs 2025-10-02 15:35:38 +00:00
renovate[bot]
01b2e5ec76 chore(deps): update docker/login-action digest to 5e57cd1 (#331) 2025-09-30 13:39:30 +02:00
renovate[bot]
7d41825cc9 chore(deps): update debian base images (#332) 2025-09-30 13:37:33 +02:00
renovate[bot]
600629611f chore(deps): update github/codeql-action digest to 3599b3b (#325) 2025-09-30 13:20:03 +02:00
Niccolò Fei
f7e28cab0e ci: fix snyk security scans in bake_targets.yml (#329) 
Closes #327

Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
 2025-09-26 15:49:06 +02:00
Niccolò Fei
517f68f972 docs: add v18 to the README (#326) 
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
 2025-09-26 13:21:06 +02:00
CloudNativePG Automated Updates
733ceedb2c chore: update imageCatalogs 2025-09-26 10:55:35 +00:00
7 changed files with 46 additions and 28 deletions
Expand all files Collapse all files

2
.github/actions/generate-catalogs/action.yml vendored
View File

@@ -26,7 +26,7 @@ runs:
- name: Set up Python
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
with:
python-version: 3.13
python-version: 3.14
- name: Install Python dependencies
shell: bash

4
.github/workflows/bake.yml vendored
View File

@@ -51,6 +51,8 @@ jobs:
with:
environment: ${{ github.event.inputs.environment }}
postgresql_version: ${{ matrix.version }}
secrets:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Catalogs:
name: Update Catalogs
@@ -63,6 +65,6 @@ jobs:
( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
steps:
- name: Repository Dispatch
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4
with:
event-type: update-catalogs

23
.github/workflows/bake_targets.yml vendored
View File

@@ -29,6 +29,9 @@ on:
`source` directory.
required: false
type: string
secrets:
SNYK_TOKEN:
required: false
permissions: {}
@@ -74,7 +77,7 @@ jobs:
echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
- name: Log in to the GitHub Container registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -141,7 +144,7 @@ jobs:
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
- name: Log in to the GitHub Container registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -158,6 +161,10 @@ jobs:
- name: Snyk
uses: snyk/actions/docker@master
id: snyk
if: ${{ env.SNYK_TOKEN != '' }}
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning.
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -165,9 +172,15 @@ jobs:
image: "${{ matrix.image }}"
args: --severity-threshold=high --file=Dockerfile
- name: Replace sarif security-severity invalid values
if: ${{ steps.snyk.conclusion == 'success' }}
run: |
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3
continue-on-error: true
uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
if: ${{ steps.snyk.conclusion == 'success' }}
with:
sarif_file: snyk.sarif
@@ -191,7 +204,7 @@ jobs:
id-token: write
steps:
- name: Log in to the GitHub Container registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
with:
registry: ghcr.io
username: ${{ github.actor }}

14
Debian/ClusterImageCatalog-bookworm.yaml
View File

@@ -6,17 +6,19 @@ metadata:
images.cnpg.io/family: postgresql
images.cnpg.io/type: system
images.cnpg.io/os: bookworm
images.cnpg.io/date: '20250923'
images.cnpg.io/date: '20251013'
images.cnpg.io/publisher: cnpg.io
spec:
images:
- major: 13
image: ghcr.io/cloudnative-pg/postgresql:13.22-202509220807-system-bookworm@sha256:b4a1e2d577546d32e82d44168e6977b3d4b0a4765bb4a7482e353f99ec49216a
image: ghcr.io/cloudnative-pg/postgresql:13.22-202510130807-system-bookworm@sha256:8960f067c4e5c633e5deff50f781957ca4579d72d275739c586befe9d05d444c
- major: 14
image: ghcr.io/cloudnative-pg/postgresql:14.19-202509220807-system-bookworm@sha256:fb3a27a77364017ec604a24f19def5124b945e6e45cb4613455f0aee3e15cc47
image: ghcr.io/cloudnative-pg/postgresql:14.19-202510130807-system-bookworm@sha256:b020285c14e795e262760e5e2c8111769788a7da45e8ee9d1af10ed7a5b66cab
- major: 15
image: ghcr.io/cloudnative-pg/postgresql:15.14-202509220807-system-bookworm@sha256:fbdf4141d38d6c70e6ab10a2d6ab6b7a5853b62fa1bba78b4353032e0b345740
image: ghcr.io/cloudnative-pg/postgresql:15.14-202510130807-system-bookworm@sha256:06096a05e7216ada6eafe2e72e7cae1a9d2e57561541caecfcdfcecb4bd03df3
- major: 16
image: ghcr.io/cloudnative-pg/postgresql:16.10-202509220807-system-bookworm@sha256:41561360238d5fb7a85e2b1d75f1e5d626be37b94a01306432ad7f94cf542dc4
image: ghcr.io/cloudnative-pg/postgresql:16.10-202510130807-system-bookworm@sha256:830b0a2d5b616b06cbb4f594453dc20bafadeb3f1c48441668e9c7e088b0c7d1
- major: 17
image: ghcr.io/cloudnative-pg/postgresql:17.6-202509220807-system-bookworm@sha256:b931f2c7d6e259c1448a88486912da2a3e4039e13c9099e3c09a54cbb25a36cf
image: ghcr.io/cloudnative-pg/postgresql:17.6-202510130807-system-bookworm@sha256:71f14116070ce91762198fac8504daee954e75d5d0685363f7844309555130e6
- major: 18
image: ghcr.io/cloudnative-pg/postgresql:18.0-202510130807-system-bookworm@sha256:12707396990ac3ad9767404180f36ea4998761483365938db1f3a8050b50effb

14
Debian/ClusterImageCatalog-bullseye.yaml
View File

@@ -6,17 +6,19 @@ metadata:
images.cnpg.io/family: postgresql
images.cnpg.io/type: system
images.cnpg.io/os: bullseye
images.cnpg.io/date: '20250923'
images.cnpg.io/date: '20251013'
images.cnpg.io/publisher: cnpg.io
spec:
images:
- major: 13
image: ghcr.io/cloudnative-pg/postgresql:13.22-202509220807-system-bullseye@sha256:16323ff5e13f568c943720756ebc59d162adff4a4f9349038ae1796f757448c8
image: ghcr.io/cloudnative-pg/postgresql:13.22-202510130807-system-bullseye@sha256:da485ff71aaa4ff044071af2eb91b18eff65a3befacb988af73b8096ffdc5837
- major: 14
image: ghcr.io/cloudnative-pg/postgresql:14.19-202509220807-system-bullseye@sha256:f74e898ab8ef56d2b9cd259871eef9415b8b3dbdc5c916315073cd2144e89d28
image: ghcr.io/cloudnative-pg/postgresql:14.19-202510130807-system-bullseye@sha256:bdc36b98eb96d0f613fb4570460c57ee27114d2bbfe126d9f29b51766b9ca37e
- major: 15
image: ghcr.io/cloudnative-pg/postgresql:15.14-202509220807-system-bullseye@sha256:041340459b4d3ebdaffd55fd2296ca01992fb467301b505bb19b8689434b42a8
image: ghcr.io/cloudnative-pg/postgresql:15.14-202510130807-system-bullseye@sha256:15661a17359d2ff46961e03a2a6593d58c779624ba5e684780111c09291b49c8
- major: 16
image: ghcr.io/cloudnative-pg/postgresql:16.10-202509220807-system-bullseye@sha256:9746b62a5f1981533dd475ebc1bd8c7740b8dc8c60fa06db0407c6c6c1254fed
image: ghcr.io/cloudnative-pg/postgresql:16.10-202510130807-system-bullseye@sha256:697e6d8e15ace744fe3b0035d4ea633d3a2b2e59138e8a0481014e924dd1b4d4
- major: 17
image: ghcr.io/cloudnative-pg/postgresql:17.6-202509220807-system-bullseye@sha256:b9763f1137de625622dab2a4b94a456c5a6587d0444885b282d9c222370b3955
image: ghcr.io/cloudnative-pg/postgresql:17.6-202510130807-system-bullseye@sha256:b7f2855c5a419249e30d64616da38cbb7ed3397a21cb115a581a02da8cb21ee0
- major: 18
image: ghcr.io/cloudnative-pg/postgresql:18.0-202510130807-system-bullseye@sha256:5f67a8c8ae429c8af5692024ad58408a3f70223bf5d1cb9f9dbc36dcead88919

10
README.md
View File

@@ -18,14 +18,13 @@ This repository provides maintenance scripts for generating
| Version | Release Date | EOL |
|:-------:|:------------:|:----------:|
| 18 | 2025-09-25 | 2030-11-14 |
| 17 | 2024-09-26 | 2029-11-08 |
| 16 | 2023-09-14 | 2028-11-09 |
| 15 | 2022-10-13 | 2027-11-11 |
| 14 | 2021-09-30 | 2026-11-12 |
| 13 | 2020-09-24 | 2025-11-13 |
In addition, PostgreSQL 18 RC1 is provided for testing purposes only.
These images are designed to serve as operands of the
[CloudNativePG (CNPG) operator](https://cloudnative-pg.io) in Kubernetes
environments, and are not intended for standalone use.
@@ -206,11 +205,12 @@ ensure transparency and traceability:
Metadata detailing how the image was built, following the [SLSA Provenance](https://slsa.dev)
framework.
For example, you can retrieve the SBOM for a specific image using the following
command:
For example, to retrieve the SBOM of a multi-architecture image for a specific
platform (e.g. `linux/amd64`), you can use the following command:
```bash
docker buildx imagetools inspect <IMAGE> --format "{{ json .SBOM.SPDX }}"
docker buildx imagetools inspect <IMAGE> \
--format '{{ json (index .SBOM "linux/amd64").SPDX }}'
```
This command outputs the SBOM in JSON format, providing a detailed view of the

7
docker-bake.hcl
View File

@@ -34,7 +34,6 @@ postgreSQLVersions = [
// Preview versions are automatically filtered out if present in the stable list
// MANUALLY EDIT THE CONTENT - AND UPDATE THE README.md FILE TOO
postgreSQLPreviewVersions = [
"18~rc1",
]
// Barman version to build
@@ -59,11 +58,11 @@ target "default" {
pgVersion = getPgVersions(postgreSQLVersions, postgreSQLPreviewVersions)
base = [
// renovate: datasource=docker versioning=loose
"debian:trixie-slim@sha256:c2880112cc5c61e1200c26f106e4123627b49726375eb5846313da9cca117337",
"debian:trixie-slim@sha256:1caf1c703c8f7e15dcf2e7769b35000c764e6f50e4d7401c355fb0248f3ddfdb",
// renovate: datasource=docker versioning=loose
"debian:bookworm-slim@sha256:df52e55e3361a81ac1bead266f3373ee55d29aa50cf0975d440c2be3483d8ed3",
"debian:bookworm-slim@sha256:7e490910eea2861b9664577a96b54ce68ea3e02ce7f51d89cb0103a6f9c386e0",
// renovate: datasource=docker versioning=loose
"debian:bullseye-slim@sha256:6d3c63184632046054ae709964befc943ecffa140adc697ca955a10002a79c08"
"debian:bullseye-slim@sha256:f807f4b16002c623115b0247dca6a55711c6b1ae821dc64fb8a2339e4ce2115d"
]
}
platforms = [