Gate postgrest-db changes with BATS integration CI and pre-push image CVE scan#2
Conversation
There was a problem hiding this comment.
@copilot: update README.md so that developers know how to test locally
marcvolkert
left a comment
There was a problem hiding this comment.
@copilot: make the test suite run with podman as well
Done in |
There was a problem hiding this comment.
Pull request overview
This PR adds an integration-test and vulnerability-scan gate around the postgrest-tandem “postgrest-db” image so changes to bootstrap/auth/JWT/security SQL are verified before publish, and publishes are blocked on HIGH/CRITICAL CVEs.
Changes:
- Added a BATS integration suite (
postgrest-tandem/tests/) with a shared helper to validate JWT secret behavior, auth/login flows, and privilege boundaries viapsql. - Added a new GitHub Actions workflow to build the image and run the BATS suite on PRs/pushes affecting
postgrest-tandem/**. - Hardened the publish workflow by scanning the built image with Trivy (fail on HIGH/CRITICAL) before pushing, and documented local test execution.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
postgrest-tandem/tests/test_helper.bash |
Adds container/psql harness utilities and JWT payload decode helper for the BATS suite. |
postgrest-tandem/tests/01_jwt_secret.bats |
Validates JWT secret singleton, pre_config() propagation, and rotation semantics. |
postgrest-tandem/tests/02_auth.bats |
Validates bcrypt hashing, login JWT claims/expiry, invalid password handling, and password constraints. |
postgrest-tandem/tests/03_security.bats |
Validates privilege boundaries around signing/rotation/login and SECURITY DEFINER ownership. |
postgrest-tandem/image/README.md |
Documents prerequisites and commands for running the BATS integration suite locally. |
postgrest-tandem/image/initdb/03-auth.sql |
Tightens password storage by enforcing bcrypt format and adding explicit length validation before hashing. |
.github/workflows/ci-test-postgrest-db.yml |
New CI workflow to build the image artifact and run the BATS integration suite. |
.github/workflows/publish-postgrest-db.yml |
Adds a Trivy scan gate before pushing the image to GHCR. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| POSTGREST_DB_CONTAINER="postgrest-db-bats" | ||
| POSTGREST_DB_PORT="55432" | ||
| POSTGRES_PASSWORD="postgres-ci-only" | ||
| AUTHENTICATOR_PASSWORD="testpw-ci-only" |
| return 1 | ||
| fi | ||
|
|
||
| printf '%s' "$payload" | base64 --decode |
| - name: Install test dependencies | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y bats bats-support bats-assert postgresql-client jq |
postgrest-tandemimage publishing had no runtime verification of init/auth/security SQL and no vulnerability gate before push. This PR adds integration coverage for bootstrap/auth/JWT privilege boundaries, enforces it in CI forpostgrest-tandem/**, and documents local execution.Integration coverage for init/auth/JWT/security
postgrest-tandem/tests/BATS suite:test_init.bats: role flags/membership, schema bootstrap, required extensions.test_jwt_secret.bats: singleton secret,pre_config()propagation, rotation +updated_atadvancement.test_auth.bats: bcrypt hashing, JWT claims/expiry window, invalid password path, role/password constraints, password re-hash on update.test_api.bats:api.loginsuccess/failure asanon.test_security.bats: revocation boundaries forauth.sign_jwt,auth.login,postgrest.rotate_jwt_secret, table read restrictions, and SECURITY DEFINER ownership checks.test_helper.bash(container lifecycle,psqlhelpers, fixture user seed, JWT payload decode).New CI gate for postgrest-db
.github/workflows/ci-test-postgrest-db.yml.pull_request+pushtomainwithpaths: postgrest-tandem/**.buildjob builds image locally and uploads tar artifact.integration-testjob downloads/loads image, installsbats+bats-support+bats-assert+postgresql-client+jq, then runsbats postgrest-tandem/tests/.contents: read).Publish workflow hardening
.github/workflows/publish-postgrest-db.ymlto build/load image for scan before push.HIGH,CRITICAL, fail on findings) before registry push.Developer docs
postgrest-tandem/image/README.mdwith a Local integration tests (BATS) section covering prerequisites and local commands.Example workflow gate: