From c60b436eece071da56a851384f547243441f7db8 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 11:47:04 -0400 Subject: [PATCH 01/22] feat: source specific version of packer and build with specific go use in all workflows --- .github/workflows/ami-release-nix-single.yml | 8 ++-- .github/workflows/ami-release-nix.yml | 8 ++-- .github/workflows/qemu-image-build.yml | 2 +- .github/workflows/testinfra-ami-build.yml | 8 ++-- flake.lock | 17 +++++++ flake.nix | 1 + nix/devShells.nix | 4 +- nix/packages/default.nix | 3 +- nix/packages/packer.nix | 50 ++++++++++++++++++++ 9 files changed, 84 insertions(+), 17 deletions(-) create mode 100644 nix/packages/packer.nix diff --git a/.github/workflows/ami-release-nix-single.yml b/.github/workflows/ami-release-nix-single.yml index 500bf26d5..34ae339a6 100644 --- a/.github/workflows/ami-release-nix-single.yml +++ b/.github/workflows/ami-release-nix-single.yml 
@@ -57,18 +57,18 @@ jobs:
 env:
 POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
 run: |
- packer init amazon-arm64-nix.pkr.hcl
+ nix run .#packer -- init amazon-arm64-nix.pkr.hcl
 GIT_SHA=${{ steps.get_sha.outputs.sha }}
- packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl
+ nix run .#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl
 - name: Build AMI stage 2
 env:
 POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
 run: |
- packer init stage2-nix-psql.pkr.hcl
+ nix run .#packer -- init stage2-nix-psql.pkr.hcl
 GIT_SHA=${{ steps.get_sha.outputs.sha }}
 POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }}
- packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
+ nix run .#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
 - name: Grab release version
 id: process_release_version
diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml
index 0c97d8374..da09e52e1 100644
--- a/.github/workflows/ami-release-nix.yml
+++ b/.github/workflows/ami-release-nix.yml
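Review bot: Pinning the binary through `nix run .#packer` still leaves the `packer init` call on the same line to resolve and download plugins from the network at run time, so the build is only as reproducible as the `required_plugins` constraints in the `.pkr.hcl` files, which are not part of this diff; it is worth confirming those pin exact versions. The reason for the wrapper is also not recorded anywhere in the workflow, so a reader later may "simplify" it back to plain `packer`; a one-line comment above the first call, `# packer is built from nix/packages/packer.nix so every workflow runs the same pinned version`, would prevent that. The identical edit appears in the ami-release-nix.yml, qemu-image-build.yml and testinfra-ami-build.yml hunks below; the `run:` blocks here start before this hunk.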
@@ -78,19 +78,19 @@ jobs:
 env:
 POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
 run: |
- packer init amazon-arm64-nix.pkr.hcl
+ nix run .#packer -- init amazon-arm64-nix.pkr.hcl
 GIT_SHA=${{github.sha}}
 # why is postgresql_major defined here instead of where the _three_ other postgresql_* variables are defined?
- packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl
+ nix run .#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl
 - name: Build AMI stage 2
 env:
 POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
 run: |
- packer init stage2-nix-psql.pkr.hcl
+ nix run .#packer -- init stage2-nix-psql.pkr.hcl
 GIT_SHA=${{github.sha}}
 POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }}
- packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
+ nix run .#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
 - name: Grab release version
 id: process_release_version
diff --git a/.github/workflows/qemu-image-build.yml b/.github/workflows/qemu-image-build.yml
index ffd12683c..9a6fcddec 100644
--- a/.github/workflows/qemu-image-build.yml
+++ b/.github/workflows/qemu-image-build.yml
@@ -91,7 +91,7 @@ jobs:
 make init
 GIT_SHA=${{github.sha}}
 export PACKER_LOG=1
- packer build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl
+ nix run .#packer -- build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl
 - name: Grab release version
 id: process_release_version
diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml
index 5636a34c3..ae64e5b36 100644
--- a/.github/workflows/testinfra-ami-build.yml
+++ b/.github/workflows/testinfra-ami-build.yml
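Review bot: `make init` three lines above the changed line is left untouched, and if that Makefile target runs `packer init` (the Makefile is not in this diff) it will use whatever `packer` is on the runner's PATH while `build` now uses the flake-built binary, so the two phases can run different versions and disagree on the plugin directory. Either route the init target through `nix run .#packer` too, or state the assumption next to the call with `# make init does not invoke packer; only the build below uses the flake-pinned binary`. The `run:` block starts before this hunk.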
@@ -76,15 +76,15 @@ jobs: - name: Build AMI stage 1 run: | - packer init amazon-arm64-nix.pkr.hcl + nix run .#packer -- init amazon-arm64-nix.pkr.hcl GIT_SHA=${{github.sha}} - packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + nix run .#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 run: | - packer init stage2-nix-psql.pkr.hcl + nix run .#packer -- init stage2-nix-psql.pkr.hcl GIT_SHA=${{github.sha}} - packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl + nix run .#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var 
"region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl - name: Run tests timeout-minutes: 10 diff --git a/flake.lock b/flake.lock index 8b6d868bf..9d2865e1d 100644 --- a/flake.lock +++ b/flake.lock @@ -208,6 +208,22 @@ "type": "github" } }, + "nixpkgs-go124": { + "locked": { + "lastModified": 1754085309, + "narHash": "sha256-3RTSdhnqTcxS5wjKNEBpbt0hiSKfBZiQPlWHn90N1qQ=", + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "type": "github" + }, + "original": { + "owner": "Nixos", + "repo": "nixpkgs", + "rev": "d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0", + "type": "github" + } + }, "nixpkgs-lib": { "locked": { "lastModified": 1750555020, @@ -295,6 +311,7 @@ "nix-fast-build": "nix-fast-build", "nix2container": "nix2container", "nixpkgs": "nixpkgs_4", + "nixpkgs-go124": "nixpkgs-go124", "rust-overlay": "rust-overlay", "treefmt-nix": "treefmt-nix_2" } diff --git a/flake.nix b/flake.nix index 3aa651b09..db14dac9a 100644 --- a/flake.nix +++ b/flake.nix @@ -13,6 +13,7 @@ treefmt-nix.inputs.nixpkgs.follows = "nixpkgs"; git-hooks.url = "github:cachix/git-hooks.nix"; git-hooks.inputs.nixpkgs.follows = "nixpkgs"; + nixpkgs-go124.url = "github:Nixos/nixpkgs/d2ac4dfa61fba987a84a0a81555da57ae0b9a2b0"; }; outputs = diff --git a/nix/devShells.nix b/nix/devShells.nix index 7ff4d0720..03768a770 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix @@ -45,9 +45,7 @@ shellcheck ansible ansible-lint - (packer.overrideAttrs (_oldAttrs: { - version = "1.7.8"; - })) + self'.packages.packer self'.packages.start-server self'.packages.start-client diff --git a/nix/packages/default.nix b/nix/packages/default.nix index cd6d6a1d0..342763961 100644 --- a/nix/packages/default.nix +++ b/nix/packages/default.nix @@ -1,4 +1,4 @@ -{ self, ... }: +{ self, inputs, ... }: { imports = [ ./postgres.nix ]; perSystem = 
@@ -37,6 +37,7 @@ supabase-groonga = pkgs.callPackage ./groonga { }; local-infra-bootstrap = pkgs.callPackage ./local-infra-bootstrap.nix { }; migrate-tool = pkgs.callPackage ./migrate-tool.nix { psql_15 = self'.packages."psql_15/bin"; }; + packer = pkgs.callPackage ./packer.nix { inherit inputs; }; pg-restore = pkgs.callPackage ./pg-restore.nix { psql_15 = self'.packages."psql_15/bin"; }; pg_prove = pkgs.perlPackages.TAPParserSourceHandlerpgTAP; pg_regress = makePgRegress activeVersion; diff --git a/nix/packages/packer.nix b/nix/packages/packer.nix new file mode 100644 index 000000000..7f0063c30 --- /dev/null +++ b/nix/packages/packer.nix @@ -0,0 +1,50 @@ +{ + pkgs, + inputs, + lib, + fetchFromGitHub, + installShellFiles, + ... +}: +let + go124 = inputs.nixpkgs-go124.legacyPackages.${pkgs.system}.go_1_24; + buildGoModule = pkgs.buildGoModule.override { go = go124; }; +in +buildGoModule rec { + pname = "packer"; + version = "1.14.1"; + + src = fetchFromGitHub { + owner = "hashicorp"; + repo = "packer"; + rev = "v${version}"; + hash = "sha256-3g9hsmrfLzGhjcGvUza/L9PMGUFw+KLbg2pIK0CxlQI="; + }; + + vendorHash = "sha256-F6hn+pXPyPe70UTK8EF24lk7ArYz7ygUyVVsatW6+hI="; + + subPackages = [ "." ]; + + ldflags = [ + "-s" + "-w" + ]; + + nativeBuildInputs = [ installShellFiles ]; + + buildInputs = lib.optionals pkgs.stdenv.isDarwin [ + pkgs.darwin.apple_sdk.frameworks.IOKit + pkgs.darwin.apple_sdk.frameworks.Security + ]; + + postInstall = '' + installShellCompletion --zsh contrib/zsh-completion/_packer + ''; + + meta = { + description = "Tool for creating identical machine images for multiple platforms from a single source configuration"; + homepage = "https://www.packer.io"; + license = lib.licenses.bsl11; + changelog = "https://github.com/hashicorp/packer/blob/v${version}/CHANGELOG.md"; + }; +} From 383b3e03a010347cccc2c8c146a6ba771033bf93 Mon Sep 17 00:00:00 2001 
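Review bot: The new nix/packages/packer.nix derivation sets no `meta.mainProgram`, which the `nix run .#packer` calls in this commit's workflow hunks rely on to choose the executable; Nix falls back to deriving the name from `pname`, so it works, but it should be explicit with `mainProgram = "packer";` inside `meta`. The `go124` / `buildGoModule.override { go = go124; }` lines also deserve a header comment, since the reason (presumably the main nixpkgs pin lacking the Go release this packer version needs) is only implied by the input name. The source is pinned by tag plus `hash`, and `vendorHash` pins the module set, so the supply-chain side is sound; the `pkgs.darwin.apple_sdk.frameworks.*` references should be checked against the nixpkgs revision in use, as newer nixpkgs has been retiring that attribute path — confirm rather than assume.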
From: Sam Rose Date: Wed, 6 Aug 2025 11:59:26 -0400 Subject: [PATCH 02/22] fix: add package to checks to assure it is tested, built cached prior to use --- nix/checks.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/checks.nix b/nix/checks.nix index 13be10f23..2dc51797a 100644 --- a/nix/checks.nix +++ b/nix/checks.nix @@ -294,6 +294,7 @@ wal-g-2 wal-g-3 dbmate-tool + packer pg_regress ; } From 8930cd41f130912b0092f7bd5b83546cb7936b80 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 12:21:17 -0400 Subject: [PATCH 03/22] fix: try to use nix shell to settle permission issue --- .github/workflows/ami-release-nix-single.yml | 8 ++++---- .github/workflows/ami-release-nix.yml | 8 ++++---- .github/workflows/qemu-image-build.yml | 2 +- .github/workflows/testinfra-ami-build.yml | 8 ++++---- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ami-release-nix-single.yml b/.github/workflows/ami-release-nix-single.yml index 34ae339a6..b3da4f0ca 100644 --- a/.github/workflows/ami-release-nix-single.yml +++ b/.github/workflows/ami-release-nix-single.yml 
@@ -57,18 +57,18 @@ jobs:
 env:
 POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
 run: |
- nix run .#packer -- init amazon-arm64-nix.pkr.hcl
+ nix shell .#packer -c packer init amazon-arm64-nix.pkr.hcl
 GIT_SHA=${{ steps.get_sha.outputs.sha }}
- nix run .#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl
+ nix shell .#packer -c packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl
 - name: Build AMI stage 2
 env:
 POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
 run: |
- nix run .#packer -- init stage2-nix-psql.pkr.hcl
+ nix shell .#packer -c packer init stage2-nix-psql.pkr.hcl
 GIT_SHA=${{ steps.get_sha.outputs.sha }}
 POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }}
- nix run .#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
+ nix shell .#packer -c packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
 - name: Grab release version
 id: process_release_version
diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml
index da09e52e1..5f69091a8 100644
--- a/.github/workflows/ami-release-nix.yml
+++ b/.github/workflows/ami-release-nix.yml
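Review bot: `nix shell .#packer -c packer …` executes the same store path as the same runner user that `nix run .#packer -- …` did, so it is unlikely to change whichever permission error the commit message refers to, and the message does not say which path or operation failed. If the failure is in Packer's plugin or cache directory, pointing `PACKER_PLUGIN_PATH` at a writable location on the runner is the direct fix; if it is the packer binary itself, the earlier form already worked. Whatever the cause turns out to be, it should be written above the first call (e.g. `# nix shell rather than nix run: <reason>`) so the next person does not repeat this experiment. The same edit is repeated in the ami-release-nix.yml, qemu-image-build.yml and testinfra-ami-build.yml hunks.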
@@ -78,19 +78,19 @@ jobs:
 env:
 POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
 run: |
- nix run .#packer -- init amazon-arm64-nix.pkr.hcl
+ nix shell .#packer -c packer init amazon-arm64-nix.pkr.hcl
 GIT_SHA=${{github.sha}}
 # why is postgresql_major defined here instead of where the _three_ other postgresql_* variables are defined?
- nix run .#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl
+ nix shell .#packer -c packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl
 - name: Build AMI stage 2
 env:
 POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }}
 run: |
- nix run .#packer -- init stage2-nix-psql.pkr.hcl
+ nix shell .#packer -c packer init stage2-nix-psql.pkr.hcl
 GIT_SHA=${{github.sha}}
 POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }}
- nix run .#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
+ nix shell .#packer -c packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl
 - name: Grab release version
 id: process_release_version
diff --git a/.github/workflows/qemu-image-build.yml b/.github/workflows/qemu-image-build.yml
index 9a6fcddec..c733f6910 100644
--- a/.github/workflows/qemu-image-build.yml
+++ b/.github/workflows/qemu-image-build.yml
@@ -91,7 +91,7 @@ jobs:
 make init
 GIT_SHA=${{github.sha}}
 export PACKER_LOG=1
- nix run .#packer -- build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl
+ nix shell .#packer -c packer build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl
 - name: Grab release version
 id: process_release_version
diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml
index ae64e5b36..8c102644f 100644
--- a/.github/workflows/testinfra-ami-build.yml
+++ b/.github/workflows/testinfra-ami-build.yml
@@ -76,15 +76,15 @@ jobs: - name: Build AMI stage 1 run: | - nix run .#packer -- init amazon-arm64-nix.pkr.hcl + nix shell .#packer -c packer init amazon-arm64-nix.pkr.hcl GIT_SHA=${{github.sha}} - nix run .#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + nix shell .#packer -c packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 run: | - nix run .#packer -- init stage2-nix-psql.pkr.hcl + nix shell .#packer -c packer init stage2-nix-psql.pkr.hcl GIT_SHA=${{github.sha}} - nix run .#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl + nix shell .#packer -c packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" 
-var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl - name: Run tests timeout-minutes: 10 From a3c3591467f5137b70e70bf81bf23e4499bb5ed5 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 12:32:33 -0400 Subject: [PATCH 04/22] fix: install packer with nix in profile within workflow --- .github/workflows/ami-release-nix-single.yml | 11 +++++++---- .github/workflows/ami-release-nix.yml | 11 +++++++---- .github/workflows/qemu-image-build.yml | 5 ++++- .github/workflows/testinfra-ami-build.yml | 11 +++++++---- 4 files changed, 25 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ami-release-nix-single.yml b/.github/workflows/ami-release-nix-single.yml index b3da4f0ca..92494a627 100644 --- a/.github/workflows/ami-release-nix-single.yml +++ b/.github/workflows/ami-release-nix-single.yml 
@@ -53,22 +53,25 @@ jobs: # Ensure there's a newline at the end of the file echo "" >> common-nix.vars.pkr.hcl + - name: Install Packer + run: nix profile install github:supabase/postgres/${{ steps.get_sha.outputs.sha }}#packer + - name: Build AMI stage 1 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | - nix shell .#packer -c packer init amazon-arm64-nix.pkr.hcl + packer init amazon-arm64-nix.pkr.hcl GIT_SHA=${{ steps.get_sha.outputs.sha }} - nix shell .#packer -c packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | - nix shell .#packer -c packer init stage2-nix-psql.pkr.hcl + packer init stage2-nix-psql.pkr.hcl GIT_SHA=${{ steps.get_sha.outputs.sha }} POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }} - nix shell .#packer -c packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl + packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl - name: Grab release version id: process_release_version 
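Review bot: The added `Install Packer` step assumes `nix profile install` leaves `packer` on PATH for the later `run:` steps, but every GitHub Actions step starts a fresh non-login shell and the profile `bin` directory is only there if the Nix installer registered it for such shells; the bare `packer init` on the following added line then fails with command-not-found, and nothing here verifies the binary resolves. The step also fetches the flake from `github:supabase/postgres/<sha>` instead of the tree that is already checked out — a second network fetch, and for a pull request from a fork a revision the upstream repository may not serve — where `nix profile install .#packer` would use the checkout. Finally, `${{ steps.get_sha.outputs.sha }}` is interpolated straight into the shell line; passing it through `env:` and expanding a shell variable keeps the step safe should that output ever carry anything other than a commit hash. The same step is added in the ami-release-nix.yml, qemu-image-build.yml and testinfra-ami-build.yml hunks below.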
diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml index 5f69091a8..dd26ae5ce 100644 --- a/.github/workflows/ami-release-nix.yml +++ b/.github/workflows/ami-release-nix.yml 
@@ -74,23 +74,26 @@ jobs: # Ensure there's a newline at the end of the file echo "" >> common-nix.vars.pkr.hcl + - name: Install Packer + run: nix profile install github:supabase/postgres/${{github.sha}}#packer + - name: Build AMI stage 1 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | - nix shell .#packer -c packer init amazon-arm64-nix.pkr.hcl + packer init amazon-arm64-nix.pkr.hcl GIT_SHA=${{github.sha}} # why is postgresql_major defined here instead of where the _three_ other postgresql_* variables are defined? - nix shell .#packer -c packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | - nix shell .#packer -c packer init stage2-nix-psql.pkr.hcl + packer init stage2-nix-psql.pkr.hcl GIT_SHA=${{github.sha}} POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }} - nix shell .#packer -c packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl + packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl - name: Grab release version id: 
process_release_version diff --git a/.github/workflows/qemu-image-build.yml b/.github/workflows/qemu-image-build.yml index c733f6910..83164126d 100644 --- a/.github/workflows/qemu-image-build.yml +++ b/.github/workflows/qemu-image-build.yml @@ -86,12 +86,15 @@ jobs: sudo apt-get remove -y qemu-efi-aarch64 cloud-image-utils qemu-system-arm qemu-utils sudo apt-get install -y qemu-efi-aarch64 cloud-image-utils qemu-system-arm qemu-utils + - name: Install Packer + run: nix profile install github:supabase/postgres/${{github.sha}}#packer + - name: Build QEMU artifact run: | make init GIT_SHA=${{github.sha}} export PACKER_LOG=1 - nix shell .#packer -c packer build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl + packer build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl - name: Grab release version id: process_release_version diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 8c102644f..f40a3fb2e 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml 
@@ -74,17 +74,20 @@ jobs: # Ensure there's a newline at the end of the file echo "" >> common-nix.vars.pkr.hcl + - name: Install Packer + run: nix profile install github:supabase/postgres/${{github.sha}}#packer + - name: Build AMI stage 1 run: | - nix shell .#packer -c packer init amazon-arm64-nix.pkr.hcl + packer init amazon-arm64-nix.pkr.hcl GIT_SHA=${{github.sha}} - nix shell .#packer -c packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 run: | - nix shell .#packer -c packer init stage2-nix-psql.pkr.hcl + packer init stage2-nix-psql.pkr.hcl GIT_SHA=${{github.sha}} - nix shell .#packer -c packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl + packer build -var "git-head-version=${GIT_SHA}" -var 
"packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl - name: Run tests timeout-minutes: 10 From f9638c5e99a87373e3dff93c3558278190a341c2 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 14:06:02 -0400 Subject: [PATCH 05/22] fix: use sudo on packer calls --- .github/workflows/ami-release-nix-single.yml | 11 ++++------- .github/workflows/ami-release-nix.yml | 11 ++++------- .github/workflows/qemu-image-build.yml | 5 +---- .github/workflows/testinfra-ami-build.yml | 11 ++++------- 4 files changed, 13 insertions(+), 25 deletions(-) diff --git a/.github/workflows/ami-release-nix-single.yml b/.github/workflows/ami-release-nix-single.yml index 92494a627..5ae57cc92 100644 --- a/.github/workflows/ami-release-nix-single.yml +++ b/.github/workflows/ami-release-nix-single.yml 
@@ -53,25 +53,22 @@ jobs: # Ensure there's a newline at the end of the file echo "" >> common-nix.vars.pkr.hcl - - name: Install Packer - run: nix profile install github:supabase/postgres/${{ steps.get_sha.outputs.sha }}#packer - - name: Build AMI stage 1 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | - packer init amazon-arm64-nix.pkr.hcl GIT_SHA=${{ steps.get_sha.outputs.sha }} - packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | - packer init stage2-nix-psql.pkr.hcl GIT_SHA=${{ steps.get_sha.outputs.sha }} + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }} - packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" 
stage2-nix-psql.pkr.hcl - name: Grab release version id: process_release_version diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml index dd26ae5ce..277afeb0d 100644 --- a/.github/workflows/ami-release-nix.yml +++ b/.github/workflows/ami-release-nix.yml 
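Review bot: Wrapping each packer call in `sudo` runs the build as root under root's Nix configuration and, with sudo's default `env_reset`, drops the environment the step prepared: `GIT_SHA` and `POSTGRES_MAJOR_VERSION` survive only because the outer shell expands them before sudo runs, but anything packer reads on its own — the `export PACKER_LOG=1` in the qemu-image-build.yml hunk, credentials earlier steps may have placed in the environment, `HOME`-relative plugin and cache directories — is not passed through. If root is genuinely needed, an explicit `sudo --preserve-env=PACKER_LOG,<other names>` is safer than `-E`, and root's own `nix.conf` must enable `experimental-features = nix-command flakes` for the `github:` flake reference to evaluate; neither is visible here. Running the whole AMI/QEMU build as root also widens what a misbehaving build step can do on the runner, so the original permission error that motivated it should be recorded in a comment above the first call. The same pattern is in the ami-release-nix.yml and qemu-image-build.yml hunks; the testinfra-ami-build.yml hunk starts outside this diff.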
@@ -74,26 +74,23 @@ jobs: # Ensure there's a newline at the end of the file echo "" >> common-nix.vars.pkr.hcl - - name: Install Packer - run: nix profile install github:supabase/postgres/${{github.sha}}#packer - - name: Build AMI stage 1 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | - packer init amazon-arm64-nix.pkr.hcl GIT_SHA=${{github.sha}} + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl # why is postgresql_major defined here instead of where the _three_ other postgresql_* variables are defined? - packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | - packer init stage2-nix-psql.pkr.hcl GIT_SHA=${{github.sha}} + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }} - packer build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" 
-var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl - name: Grab release version id: process_release_version diff --git a/.github/workflows/qemu-image-build.yml b/.github/workflows/qemu-image-build.yml index 83164126d..d141d2827 100644 --- a/.github/workflows/qemu-image-build.yml +++ b/.github/workflows/qemu-image-build.yml @@ -86,15 +86,12 @@ jobs: sudo apt-get remove -y qemu-efi-aarch64 cloud-image-utils qemu-system-arm qemu-utils sudo apt-get install -y qemu-efi-aarch64 cloud-image-utils qemu-system-arm qemu-utils - - name: Install Packer - run: nix profile install github:supabase/postgres/${{github.sha}}#packer - - name: Build QEMU artifact run: | make init GIT_SHA=${{github.sha}} export PACKER_LOG=1 - packer build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl - name: Grab release version id: process_release_version diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index f40a3fb2e..1daaccb01 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml 
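Review bot: Each `sudo nix run github:supabase/postgres/${GIT_SHA}#packer` call fetches the repository from GitHub again (four times per job across the two stage steps) even though the same commit is already checked out, and as root it uses root's nix registry, cache and config rather than the runner user's. The SHA-pinned `github:` reference is immutable, which is good for reproducibility, but `nix run .#packer` — the form the first commit of this series used — evaluates the checked-out tree with no network fetch and no dependence on GitHub API rate limits or an `access-tokens` entry in nix.conf. The stale question in the context comment (`# why is postgresql_major defined here …`) would be worth either answering or removing while this step is being touched.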
@@ -74,20 +74,17 @@ jobs: # Ensure there's a newline at the end of the file echo "" >> common-nix.vars.pkr.hcl - - name: Install Packer - run: nix profile install github:supabase/postgres/${{github.sha}}#packer - - name: Build AMI stage 1 run: | - packer init amazon-arm64-nix.pkr.hcl GIT_SHA=${{github.sha}} - packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 run: | - packer init stage2-nix-psql.pkr.hcl GIT_SHA=${{github.sha}} - packer build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl + sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl + sudo nix 
run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl - name: Run tests timeout-minutes: 10 From 6fceca578ed8e2949779728a7458b8da8a040e8e Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 14:33:56 -0400 Subject: [PATCH 06/22] fix: trying skip regiona validation for now --- amazon-arm64-nix.pkr.hcl | 1 + stage2-nix-psql.pkr.hcl | 1 + 2 files changed, 2 insertions(+) diff --git a/amazon-arm64-nix.pkr.hcl b/amazon-arm64-nix.pkr.hcl index f625ac4af..5a8764e6c 100644 --- a/amazon-arm64-nix.pkr.hcl +++ b/amazon-arm64-nix.pkr.hcl @@ -114,6 +114,7 @@ source "amazon-ebssurrogate" "source" { region = "${var.region}" #secret_key = "${var.aws_secret_key}" force_deregister = var.force-deregister + skip_region_validation = true # Use latest official ubuntu noble ami owned by Canonical. source_ami_filter { diff --git a/stage2-nix-psql.pkr.hcl b/stage2-nix-psql.pkr.hcl index 243e5e2e4..310ec4ff3 100644 --- a/stage2-nix-psql.pkr.hcl +++ b/stage2-nix-psql.pkr.hcl @@ -64,6 +64,7 @@ source "amazon-ebs" "ubuntu" { ami_name = "${var.ami_name}-${var.postgres-version}" instance_type = "c6g.4xlarge" region = "${var.region}" + skip_region_validation = true source_ami_filter { filters = { name = "${var.ami_name}-${var.postgres-version}-stage-1" From f825a9b005fa4788d41b92463494dedc58cce5ad Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 14:44:44 -0400 Subject: [PATCH 07/22] fix: use cachix installer with cache config --- .github/workflows/testinfra-ami-build.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
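Review bot: `skip_region_validation = true` in `source "amazon-ebssurrogate" "source"` disables packer's DescribeRegions check instead of fixing whatever made it fail; if the cause is the build role lacking `ec2:DescribeRegions`, a wrong `var.region` will now surface only at instance launch with a less obvious error, and the same flag is added to `source "amazon-ebs" "ubuntu"` in the next hunk. If it has to stay as a stop-gap, record why next to it, e.g. `skip_region_validation = true # TODO: temporary — build role cannot DescribeRegions; remove once the policy is fixed`, so it does not become a permanent bypass in the release path.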
diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 1daaccb01..d28cd17f3 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml @@ -17,7 +17,13 @@ jobs: - name: Checkout Repo uses: supabase/postgres/.github/actions/shared-checkout@HEAD - - uses: DeterminateSystems/nix-installer-action@main + - name: Install nix + uses: cachix/install-nix-action@v27 + with: + install_url: https://releases.nixos.org/nix/nix-2.29.1/install + extra_nix_config: | + substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Set PostgreSQL versions id: set-versions From aca47524efb622c0466f1b4f81447c32e7b2975b Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 14:54:54 -0400 Subject: [PATCH 08/22] fix: try to fix perms and use non-sudo --- .github/workflows/testinfra-ami-build.yml | 11 +++++++---- amazon-arm64-nix.pkr.hcl | 1 - stage2-nix-psql.pkr.hcl | 1 - 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index d28cd17f3..6b319d4e6 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml @@ -25,6 +25,9 @@ jobs: substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + - name: Fix nix permissions + run: sudo chown -R $USER /nix/var/nix/profiles/per-user + - name: Set PostgreSQL versions id: set-versions run: | 
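Review bot: The `trusted-public-keys` value in the new `extra_nix_config` ends in `…LI=%` — the `%` after the base64 padding looks like a terminal end-of-output marker pasted along with the key (an Ed25519 cache key is 44 base64 characters ending in `=`, which is exactly what precedes the `%`), and nix will either reject the key line or treat every path served from `nix-postgres-artifacts.s3.amazonaws.com` as unsigned and fall back to building from source, defeating the cache this step exists to enable. Please confirm the key against the cache's published signing key and write it as `trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=`. `install_url` pins Nix 2.29.1, but the installer script is downloaded and executed without a checksum, so pinning `cachix/install-nix-action` to a commit SHA rather than the `v27` tag is the remaining control on that path.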
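Review bot: `sudo chown -R $USER /nix/var/nix/profiles/per-user` re-owns every user's profile directory to the runner account, including any root-owned profiles a daemon-mode install keeps there, and `$USER` is unquoted; if these are persistent self-hosted runners (`arm-runner` suggests so) that change is hard to undo and affects later jobs. If the real problem is that the runner user cannot create its own profile directory, create only that one: `sudo install -d -o "$USER" -g "$(id -gn)" "/nix/var/nix/profiles/per-user/$USER"`.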
@@ -83,14 +86,14 @@ jobs: - name: Build AMI stage 1 run: | GIT_SHA=${{github.sha}} - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 run: | GIT_SHA=${{github.sha}} - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl + 
nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "postgres-version=${{ steps.random.outputs.random_string }}" -var "region=ap-southeast-1" -var 'ami_regions=["ap-southeast-1"]' -var "force-deregister=true" -var "git_sha=${GITHUB_SHA}" stage2-nix-psql.pkr.hcl - name: Run tests timeout-minutes: 10 diff --git a/amazon-arm64-nix.pkr.hcl b/amazon-arm64-nix.pkr.hcl index 5a8764e6c..f625ac4af 100644 --- a/amazon-arm64-nix.pkr.hcl +++ b/amazon-arm64-nix.pkr.hcl @@ -114,7 +114,6 @@ source "amazon-ebssurrogate" "source" { region = "${var.region}" #secret_key = "${var.aws_secret_key}" force_deregister = var.force-deregister - skip_region_validation = true # Use latest official ubuntu noble ami owned by Canonical. source_ami_filter { diff --git a/stage2-nix-psql.pkr.hcl b/stage2-nix-psql.pkr.hcl index 310ec4ff3..243e5e2e4 100644 --- a/stage2-nix-psql.pkr.hcl +++ b/stage2-nix-psql.pkr.hcl @@ -64,7 +64,6 @@ source "amazon-ebs" "ubuntu" { ami_name = "${var.ami_name}-${var.postgres-version}" instance_type = "c6g.4xlarge" region = "${var.region}" - skip_region_validation = true source_ami_filter { filters = { name = "${var.ami_name}-${var.postgres-version}-stage-1" From 893836ee83e7164dad14c4b2d1c2a7e024af742a Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 15:10:50 -0400 Subject: [PATCH 09/22] fix: assure nix version we need is installed at this stage + perm fix --- .github/workflows/testinfra-ami-build.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 6b319d4e6..3b537fa0b 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml 
@@ -25,9 +25,6 @@ jobs: substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - - name: Fix nix permissions - run: sudo chown -R $USER /nix/var/nix/profiles/per-user - - name: Set PostgreSQL versions id: set-versions run: | @@ -57,6 +54,17 @@ jobs: - name: Checkout Repo uses: supabase/postgres/.github/actions/shared-checkout@HEAD + - name: Install nix + uses: cachix/install-nix-action@v27 + with: + install_url: https://releases.nixos.org/nix/nix-2.29.1/install + extra_nix_config: | + substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= + + - name: Fix nix permissions + run: sudo chown -R $USER /nix/var/nix/profiles/per-user + - id: args uses: mikefarah/yq@master with: From d73fb5f4128aaff1a37fedb70345e74cbcdf0a17 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 15:25:57 -0400 Subject: [PATCH 10/22] fix: see how nix was installed on this machine originally --- .github/workflows/testinfra-ami-build.yml | 37 +++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 3b537fa0b..9aad9e2ae 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml 
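Review bot: The second `Install nix` step repeats the same `install_url` and `extra_nix_config` block verbatim in another job — and the same block appears in the sibling workflows in this series — so the substituter list, signing keys and installer version now live in several places that will drift independently; this copy also carries the same `…LI=%` trailing character in the `nix-postgres-artifacts` key. Consider moving the Nix setup into a composite action under `.github/actions/` (the repo already has `shared-checkout` there) so the cache configuration is defined once. The `Fix nix permissions` step is moved here unchanged; the same concern about a recursive `chown -R` of the shared `per-user` tree applies.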
@@ -54,6 +54,43 @@ jobs: - name: Checkout Repo uses: supabase/postgres/.github/actions/shared-checkout@HEAD + - name: Diagnose existing Nix installation + run: | + echo "=== Nix installation diagnostics ===" + + # Check if nix command exists and where + which nix || echo "nix command not found in PATH" + ls -la /nix 2>/dev/null || echo "/nix directory does not exist" + + # Check installation method traces + echo "--- Checking for DeterminateSystems installer traces ---" + ls -la /nix/.nix-installer* 2>/dev/null || echo "No DeterminateSystems installer traces found" + cat /nix/.nix-installer* 2>/dev/null || echo "No installer receipt file" + + echo "--- Checking for cachix installer traces ---" + ls -la /etc/systemd/system/nix-daemon.service 2>/dev/null || echo "No systemd nix-daemon service" + systemctl status nix-daemon 2>/dev/null || echo "nix-daemon not running via systemd" + + echo "--- Checking for manual installation traces ---" + ls -la /etc/bash.bashrc | grep -C2 nix || echo "No nix in /etc/bash.bashrc" + ls -la /etc/profile | grep -C2 nix || echo "No nix in /etc/profile" + + echo "--- Checking nix store and configuration ---" + ls -la /nix/store 2>/dev/null | head -10 || echo "No /nix/store" + ls -la /etc/nix/ 2>/dev/null || echo "No /etc/nix directory" + cat /etc/nix/nix.conf 2>/dev/null || echo "No /etc/nix/nix.conf" + + echo "--- Checking user-level nix ---" + ls -la ~/.nix-* 2>/dev/null || echo "No user nix directories" + env | grep -i nix || echo "No nix environment variables" + + echo "--- Checking processes ---" + ps aux | grep -i nix || echo "No nix processes running" + + echo "--- Checking nix version and info ---" + nix --version 2>/dev/null || echo "Cannot get nix version" + nix show-config 2>/dev/null || echo "Cannot show nix config" + - name: Install nix uses: cachix/install-nix-action@v27 with: From 34497ce4f82026c3df23d0e9c79918b9b3310282 Mon Sep 17 00:00:00 2001 
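Review bot: The `Diagnose existing Nix installation` step prints `/etc/nix/nix.conf`, `nix show-config`, `env | grep -i nix` and `ps aux | grep -i nix` into the job log; if the installer being replaced configured an `access-tokens` entry for github.com (I believe the DeterminateSystems action does this by default) or the runner has `NIX_CONFIG` set, those dumps would write a token or other configuration secrets to a log readable by anyone with access to the run. GitHub masks `GITHUB_TOKEN` itself but not arbitrary values embedded in config output. If the step is kept beyond this debugging session, redact before printing, e.g. `nix show-config 2>/dev/null | grep -v -i token`, and mark it as temporary in the step name so it is removed before merge.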
From: Sam Rose Date: Wed, 6 Aug 2025 15:55:59 -0400 Subject: [PATCH 11/22] fix: for now keep nix and inherit env --- .github/workflows/ami-release-nix.yml | 8 ++-- .github/workflows/testinfra-ami-build.yml | 46 ++++++----------------- 2 files changed, 16 insertions(+), 38 deletions(-) diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml index 277afeb0d..abf121f88 100644 --- a/.github/workflows/ami-release-nix.yml +++ b/.github/workflows/ami-release-nix.yml 
@@ -79,18 +79,18 @@ jobs: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | GIT_SHA=${{github.sha}} - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl + sudo -E nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl # why is postgresql_major defined here instead of where the _three_ other postgresql_* variables are defined? - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + sudo -E nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | GIT_SHA=${{github.sha}} - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl + sudo -E nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }} - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl + sudo -E nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" 
-var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl - name: Grab release version id: process_release_version diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 9aad9e2ae..a10755e88 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml 
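Review bot: `sudo -E nix run …` forwards the whole runner environment to a root process — including `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`/`AWS_SESSION_TOKEN` from `configure-aws-credentials` and anything else the job exported — rather than only what packer needs. Since a daemon-mode Nix can run `nix run` as the unprivileged runner user, the cleaner fix is to drop sudo entirely (`nix run github:supabase/postgres/${GIT_SHA}#packer -- build …`); if root is unavoidable, narrow it with `sudo --preserve-env=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_SESSION_TOKEN,AWS_REGION,POSTGRES_MAJOR_VERSION nix run …`.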
@@ -54,42 +54,20 @@ jobs: - name: Checkout Repo uses: supabase/postgres/.github/actions/shared-checkout@HEAD - - name: Diagnose existing Nix installation + - name: Remove existing DeterminateSystems Nix installation run: | - echo "=== Nix installation diagnostics ===" + # Use the built-in DeterminateSystems uninstaller + if [ -f /nix/nix-installer ]; then + echo "Found DeterminateSystems nix-installer, using built-in uninstaller" + sudo /nix/nix-installer uninstall --no-confirm || true + else + echo "No DeterminateSystems installer found to uninstall" + fi - # Check if nix command exists and where - which nix || echo "nix command not found in PATH" - ls -la /nix 2>/dev/null || echo "/nix directory does not exist" - - # Check installation method traces - echo "--- Checking for DeterminateSystems installer traces ---" - ls -la /nix/.nix-installer* 2>/dev/null || echo "No DeterminateSystems installer traces found" - cat /nix/.nix-installer* 2>/dev/null || echo "No installer receipt file" - - echo "--- Checking for cachix installer traces ---" - ls -la /etc/systemd/system/nix-daemon.service 2>/dev/null || echo "No systemd nix-daemon service" - systemctl status nix-daemon 2>/dev/null || echo "nix-daemon not running via systemd" - - echo "--- Checking for manual installation traces ---" - ls -la /etc/bash.bashrc | grep -C2 nix || echo "No nix in /etc/bash.bashrc" - ls -la /etc/profile | grep -C2 nix || echo "No nix in /etc/profile" - - echo "--- Checking nix store and configuration ---" - ls -la /nix/store 2>/dev/null | head -10 || echo "No /nix/store" - ls -la /etc/nix/ 2>/dev/null || echo "No /etc/nix directory" - cat /etc/nix/nix.conf 2>/dev/null || echo "No /etc/nix/nix.conf" - - echo "--- Checking user-level nix ---" - ls -la ~/.nix-* 2>/dev/null || echo "No user nix directories" - env | grep -i nix || echo "No nix environment variables" - - echo "--- Checking processes ---" - ps aux | grep -i nix || echo "No nix processes running" - - echo "--- Checking nix version 
and info ---" - nix --version 2>/dev/null || echo "Cannot get nix version" - nix show-config 2>/dev/null || echo "Cannot show nix config" + # Verify removal + echo "Verifying nix removal..." + which nix || echo "nix command no longer available" + ls -la /nix 2>/dev/null || echo "/nix directory removed" - name: Install nix uses: cachix/install-nix-action@v27 From 325faa4dbdae79ed7d59b7d9aa068e99840fce0b Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 16:26:53 -0400 Subject: [PATCH 12/22] fix: use large-linux-arm here going forward --- .github/workflows/ami-release-nix-single.yml | 16 +++++++++---- .github/workflows/ami-release-nix.yml | 25 +++++++++++++++----- .github/workflows/testinfra-ami-build.yml | 25 +++++++------------- 3 files changed, 38 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ami-release-nix-single.yml b/.github/workflows/ami-release-nix-single.yml index 5ae57cc92..dd579df30 100644 --- a/.github/workflows/ami-release-nix-single.yml +++ b/.github/workflows/ami-release-nix-single.yml @@ -40,7 +40,13 @@ jobs: run: | echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: DeterminateSystems/nix-installer-action@main + - name: Install nix + uses: cachix/install-nix-action@v27 + with: + install_url: https://releases.nixos.org/nix/nix-2.29.1/install + extra_nix_config: | + substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Set PostgreSQL version environment variable run: echo "POSTGRES_MAJOR_VERSION=${{ github.event.inputs.postgres_version }}" >> $GITHUB_ENV 
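Review bot: In `Remove existing DeterminateSystems Nix installation`, `sudo /nix/nix-installer uninstall --no-confirm || true` swallows any uninstall failure and the "Verify removal" block only echoes, so a partially removed install (`/nix` still present, `nix-daemon` unit still enabled) proceeds straight into `cachix/install-nix-action`, layering a second installer over the first — hard to debug, and on a persistent self-hosted runner it leaves the machine in an unknown state for later jobs. Make the verification fail the job: `if command -v nix >/dev/null 2>&1 || [ -d /nix ]; then echo "Nix still present after uninstall" >&2; exit 1; fi`. With that check in place the `|| true` on the uninstall line is acceptable.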
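Review bot: `cachix/install-nix-action@v27` is a mutable tag, so the code that runs on a job holding `id-token: write` and an assumed AWS role can change without a commit in this repository; pin third-party actions to a full commit SHA and keep the tag as a comment, e.g. `uses: cachix/install-nix-action@<40-hex-sha> # v27` (the same applies to the `mikefarah/yq@master` reference elsewhere in these workflows). `install_url` pins the Nix release, which is an improvement over `DeterminateSystems/nix-installer-action@main`, but the installer script itself is still fetched and executed unverified; as far as I know this action has no checksum input, so the SHA pin on the action is the available control.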
@@ -58,17 +64,17 @@ jobs: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | GIT_SHA=${{ steps.get_sha.outputs.sha }} - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | GIT_SHA=${{ steps.get_sha.outputs.sha }} - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }} - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl - name: Grab release version id: 
process_release_version diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml index abf121f88..df0bf096e 100644 --- a/.github/workflows/ami-release-nix.yml +++ b/.github/workflows/ami-release-nix.yml @@ -24,7 +24,13 @@ jobs: - name: Checkout Repo uses: supabase/postgres/.github/actions/shared-checkout@HEAD - - uses: DeterminateSystems/nix-installer-action@main + - name: Install nix + uses: cachix/install-nix-action@v27 + with: + install_url: https://releases.nixos.org/nix/nix-2.29.1/install + extra_nix_config: | + substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Set PostgreSQL versions id: set-versions @@ -52,7 +58,14 @@ jobs: aws-region: "us-east-1" output-credentials: true role-duration-seconds: 7200 - - uses: DeterminateSystems/nix-installer-action@main + + - name: Install nix + uses: cachix/install-nix-action@v27 + with: + install_url: https://releases.nixos.org/nix/nix-2.29.1/install + extra_nix_config: | + substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com + trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - name: Run checks if triggered manually if: ${{ github.event_name == 'workflow_dispatch' }} 
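Review bot: With sudo gone, `nix run github:supabase/postgres/${GIT_SHA}#packer` now runs as the runner user under the cachix-installed Nix, which — unlike the DeterminateSystems installer this series replaces — does not, as far as I recall, configure a GitHub `access-tokens` entry unless `github_access_token` is passed to the action, so each of the four `github:` fetches per job is an unauthenticated GitHub API call subject to the per-IP rate limit that shared self-hosted runners hit easily. Either pass `github_access_token: ${{ secrets.GITHUB_TOKEN }}` to `cachix/install-nix-action`, or use the already-checked-out tree with `nix run .#packer` so no fetch is needed at all. The SHA-pinned `github:` reference is immutable, which is fine for reproducibility, but it makes the checkout step redundant for this purpose.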
@@ -79,18 +92,18 @@ jobs: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | GIT_SHA=${{github.sha}} - sudo -E nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- init amazon-arm64-nix.pkr.hcl # why is postgresql_major defined here instead of where the _three_ other postgresql_* variables are defined? - sudo -E nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" -var "ansible_arguments=-e postgresql_major=${POSTGRES_MAJOR_VERSION}" amazon-arm64-nix.pkr.hcl - name: Build AMI stage 2 env: POSTGRES_MAJOR_VERSION: ${{ env.POSTGRES_MAJOR_VERSION }} run: | GIT_SHA=${{github.sha}} - sudo -E nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- init stage2-nix-psql.pkr.hcl POSTGRES_MAJOR_VERSION=${{ env.POSTGRES_MAJOR_VERSION }} - sudo -E nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" -var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl + nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var "git-head-version=${GIT_SHA}" -var "packer-execution-id=${GITHUB_RUN_ID}" -var "postgres_major_version=${POSTGRES_MAJOR_VERSION}" -var-file="development-arm.vars.pkr.hcl" 
-var-file="common-nix.vars.pkr.hcl" stage2-nix-psql.pkr.hcl - name: Grab release version id: process_release_version diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index a10755e88..8014d0ffd 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml @@ -38,7 +38,7 @@ jobs: matrix: postgres_version: ${{ fromJson(needs.prepare.outputs.postgres_versions) }} include: - - runner: arm-runner + - runner: large-linux-arm arch: arm64 ubuntu_release: noble ubuntu_version: 24.04 @@ -54,20 +54,13 @@ jobs: - name: Checkout Repo uses: supabase/postgres/.github/actions/shared-checkout@HEAD - - name: Remove existing DeterminateSystems Nix installation - run: | - # Use the built-in DeterminateSystems uninstaller - if [ -f /nix/nix-installer ]; then - echo "Found DeterminateSystems nix-installer, using built-in uninstaller" - sudo /nix/nix-installer uninstall --no-confirm || true - else - echo "No DeterminateSystems installer found to uninstall" - fi - - # Verify removal - echo "Verifying nix removal..." - which nix || echo "nix command no longer available" - ls -la /nix 2>/dev/null || echo "/nix directory removed" + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.DEV_AWS_ROLE }} + aws-region: "us-east-1" + output-credentials: true + role-duration-seconds: 7200 - name: Install nix uses: cachix/install-nix-action@v27 @@ -77,8 +70,6 @@ jobs: substituters = https://cache.nixos.org https://nix-postgres-artifacts.s3.amazonaws.com trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=% cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= - - name: Fix nix permissions - run: sudo chown -R $USER /nix/var/nix/profiles/per-user - id: args uses: mikefarah/yq@master From b0bf9276d8b0c7664a791ca6f5e467e49aa083f6 Mon Sep 17 00:00:00 2001 
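Review bot: The new `configure-aws-credentials` step requests `role-duration-seconds: 7200` while the job's `timeout-minutes: 150` allows 9000 s, so a build that runs past two hours loses its STS credentials mid-packer-run, and the amazon-ebssurrogate builder may then be unable to clean up the instance, volumes and snapshots it created. Either align the two (`timeout-minutes: 120`, or a longer `role-duration-seconds` if the role's maximum session duration permits it) or add a cleanup step with `if: always()`. `output-credentials: true` also exposes the temporary keys as step outputs; keep that only if a later step actually reads them.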
From: Sam Rose Date: Wed, 6 Aug 2025 16:53:09 -0400 Subject: [PATCH 13/22] fix: try remove job level perms --- .github/workflows/testinfra-ami-build.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 8014d0ffd..073b473ba 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml @@ -45,10 +45,6 @@ jobs: mcpu: neoverse-n1 runs-on: ${{ matrix.runner }} timeout-minutes: 150 - permissions: - contents: write - packages: write - id-token: write steps: - name: Checkout Repo From 29f97800f4789bdfaca3142af2caa320938a814f Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 19:38:53 -0400 Subject: [PATCH 14/22] fix: match permissions on ami-release --- .github/workflows/testinfra-ami-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 073b473ba..d0dfcbefb 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml @@ -5,7 +5,7 @@ on: workflow_call: permissions: - contents: read + contents: write id-token: write jobs: From 91d8b31490aff17bcc8b24dfee11d60168bbdd30 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 19:53:25 -0400 Subject: [PATCH 15/22] tests: debug role --- .github/workflows/testinfra-ami-build.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index d0dfcbefb..acc2f1200 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml 
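Review bot: Raising the workflow-level permission from `contents: read` to `contents: write` gives every job in this test workflow a token that can push to the repository, and none of the visible steps (checkout, nix install, packer build, tests) writes to the repo; `id-token: write` alone is what the OIDC role assumption needs. The previous commit removed the broader job-level `contents: write`/`packages: write` block, which was the right direction — keep `contents: read` here and, if a step outside the shown part of the file really needs to push, grant `contents: write` on that job only.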
@@ -50,6 +50,15 @@ jobs: - name: Checkout Repo uses: supabase/postgres/.github/actions/shared-checkout@HEAD + - name: Debug AWS role secret + run: | + echo "Checking DEV_AWS_ROLE secret availability..." + if [ -z "${{ secrets.DEV_AWS_ROLE }}" ]; then + echo "❌ DEV_AWS_ROLE is empty or not available" + else + echo "✅ DEV_AWS_ROLE is available" + fi + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: From c20a2ffe51e4c341b4c847cd76e80cd00f299534 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 20:02:49 -0400 Subject: [PATCH 16/22] fix: allows workflow to recv secret when called from other workflows --- .github/workflows/testinfra-ami-build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index acc2f1200..7ab9c7d5d 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml @@ -3,6 +3,10 @@ name: Testinfra Integration Tests Nix on: workflow_dispatch: workflow_call: + secrets: + DEV_AWS_ROLE: + description: 'AWS role for dev environment' + required: true permissions: contents: write From 9770041997f116528048ae97c1e27eaaca6cd27a Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Wed, 6 Aug 2025 20:10:40 -0400 Subject: [PATCH 17/22] fix: receive the secret as a parameter --- .github/workflows/nix-build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml index 362d3ff5e..058d9087b 100644 --- a/.github/workflows/nix-build.yml +++ b/.github/workflows/nix-build.yml @@ -118,6 +118,8 @@ jobs: needs: build-run-image if: ${{ success() }} uses: ./.github/workflows/testinfra-ami-build.yml + secrets: + DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }} run-tests: needs: build-run-image From 109b062acf3bfb53bd5c156009971af1c2bd363d Mon Sep 17 00:00:00 2001 
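Review bot: The new "Debug AWS role secret" step expands `${{ secrets.DEV_AWS_ROLE }}` directly into the `run:` script text; the safer pattern is to pass it through the environment — an `env:` block on the step with `DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}` and `if [ -z "$DEV_AWS_ROLE" ]; then` in the script — so the value never becomes part of the shell source and cannot alter its syntax. The step's only job is to tell the operator whether the secret reached the reusable workflow, which patch 16's `secrets:` declaration with `required: true` now enforces at call time, so the step is likely safe to drop before merge. If it stays, a comment such as `# temporary: confirms the caller forwards DEV_AWS_ROLE; remove once nix-build.yml passes it` would record that intent.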
From: Sam Rose Date: Wed, 6 Aug 2025 20:19:12 -0400 Subject: [PATCH 18/22] fix: no need for sudo --- .github/workflows/testinfra-ami-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/testinfra-ami-build.yml b/.github/workflows/testinfra-ami-build.yml index 7ab9c7d5d..892b54b74 100644 --- a/.github/workflows/testinfra-ami-build.yml +++ b/.github/workflows/testinfra-ami-build.yml @@ -100,7 +100,7 @@ jobs: - name: Generate common-nix.vars.pkr.hcl run: | - PG_VERSION=$(sudo nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml) + PG_VERSION=$(nix run nixpkgs#yq -- '.postgres_release["postgres'${{ matrix.postgres_version }}'"]' ansible/vars.yml) PG_VERSION=$(echo "$PG_VERSION" | tr -d '"') # Remove any surrounding quotes echo 'postgres-version = "'$PG_VERSION'"' > common-nix.vars.pkr.hcl # Ensure there's a newline at the end of the file From 792223e07678f4715a83eba6a7bb52df078c834c Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 7 Aug 2025 07:21:15 -0400 Subject: [PATCH 19/22] chore: revert qemu workflow/do not change packer handling there --- .github/workflows/qemu-image-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/qemu-image-build.yml b/.github/workflows/qemu-image-build.yml index d141d2827..ffd12683c 100644 --- a/.github/workflows/qemu-image-build.yml +++ b/.github/workflows/qemu-image-build.yml @@ -91,7 +91,7 @@ jobs: make init GIT_SHA=${{github.sha}} export PACKER_LOG=1 - sudo nix run github:supabase/postgres/${GIT_SHA}#packer -- build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl + packer build -var "git_sha=${GIT_SHA}" -var-file="common-nix.vars.pkr.hcl" qemu-arm64-nix.pkr.hcl - name: Grab release version id: process_release_version From 4f69e1e0e299504764153c713d96ea1fe8fec47d Mon Sep 17 00:00:00 2001 
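Review bot: The new line still resolves `nixpkgs#yq` through the runner's flake registry rather than the `nixpkgs` input locked in flake.lock, so the yq used to read ansible/vars.yml can change between runs; given this series exists to pin packer to a specific source, the same treatment (expose yq from the flake and call `nix run .#yq`, or reference the locked input explicitly) would make this step reproducible too. Dropping `sudo` is consistent with the earlier hunks that moved nix installation to cachix/install-nix-action for the current user. The enclosing `run:` block continues past the hunk.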
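Review bot: Reverting to bare `packer build` makes qemu-image-build.yml depend on whichever packer binary the runner image provides, so this workflow now builds with an unpinned version while the AMI workflows in this series use the flake's `.#packer`; the commit message says this is deliberate, but nothing in the file records why, so a comment on the line, `# intentionally uses the runner-provided packer; this workflow is not on the .#packer path yet`, would stop the next reader from "fixing" it. The `export PACKER_LOG=1` context line above means packer's full debug log goes to the job log, so it is worth confirming it does not echo the values passed via `-var` on this line. The enclosing `run:` block starts before the hunk.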
From: Sam Rose
Date: Thu, 7 Aug 2025 09:13:47 -0400
Subject: [PATCH 20/22] docs: updating deps doc
---
 nix/docs/updating-dependencies.md | 68 +++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 nix/docs/updating-dependencies.md
diff --git a/nix/docs/updating-dependencies.md b/nix/docs/updating-dependencies.md
new file mode 100644
index 000000000..73c5cf79a
--- /dev/null
+++ b/nix/docs/updating-dependencies.md
@@ -0,0 +1,68 @@ +# Updating Dependencies + +This document explains how to update various dependencies used in the nix configuration. + +## Updating Packer + +Packer is used for creating machine images and is defined in `nix/packages/packer.nix`. + +### Steps to update Packer version: + +1. Create a branch off of `develop` +2. Navigate to `nix/packages/packer.nix` +3. Update the version field: + ```nix + version = "1.15.0"; # Update to desired version + ``` +4. Update the git revision to match the new version: + ```nix + rev = "v${version}"; + ``` +5. Temporarily clear the hash to get the new SHA256: + ```nix + hash = ""; # Clear this temporarily + ``` +6. Save the file and run: + ```bash + nix build .#packer + ``` +7. Nix will fail and output the correct SHA256 hash. Copy this hash and update the file: + ```nix + hash = "sha256-NEWHASHHEREFROMBUILDOUTPUT"; + ``` +8. Update the vendorHash if needed. If the build fails due to vendor hash mismatch, temporarily set: + ```nix + vendorHash = ""; # Clear this temporarily + ``` +9. Run `nix build .#packer` again to get the correct vendorHash, then update: + ```nix + vendorHash = "sha256-NEWVENDORHASHHEREFROMBUILDOUTPUT"; + ``` +10. Verify the build works: + ```bash + nix build .#packer + ``` +11. Test the packer binary: + ```bash + ./result/bin/packer version + ``` +12. Run the full test suite to ensure nothing is broken: + ```bash + nix flake check -L + ``` +13. Commit your changes and create a PR for review +14. 
Update any CI/CD workflows or documentation that reference the old Packer version + +### Notes: +- Always check the [Packer changelog](https://github.com/hashicorp/packer/releases) for breaking changes +- Packer uses Go, so ensure compatibility with the Go version specified in the flake inputs +- The current Go version is specified in `flake.nix` under `nixpkgs-go124` input +- If updating to a major version, test all packer templates (`.pkr.hcl` files) in the repository + +## Updating Other Dependencies + +Similar patterns can be followed for other dependencies defined in the nix packages. Always: +1. Check for breaking changes in changelogs +2. Update version numbers and hashes +3. Run local tests +4. Verify functionality before creating PR \ No newline at end of file From fa5f66cca8f939d926f05d5d39ad96928b6975e0 Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 7 Aug 2025 09:16:07 -0400 Subject: [PATCH 21/22] chore: tmp suffix to test release --- ansible/vars.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/vars.yml b/ansible/vars.yml index 949a76cab..96e795bbc 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml @@ -9,9 +9,9 @@ postgres_major: # Full version strings for each major version postgres_release: - postgresorioledb-17: "17.5.1.014-orioledb" - postgres17: "17.4.1.071" - postgres15: "15.8.1.128" + postgresorioledb-17: "17.5.1.014-orioledb-test-1" + postgres17: "17.4.1.071-test-1" + postgres15: "15.8.1.128-test-1" # Non Postgres Extensions pgbouncer_release: "1.19.0" From 8889edc7a9617c1f34a872ea5f5eee1a36a8a5dc Mon Sep 17 00:00:00 2001 From: Sam Rose Date: Thu, 7 Aug 2025 11:52:37 -0400 Subject: [PATCH 22/22] chore: restore versions post testing --- ansible/vars.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/vars.yml b/ansible/vars.yml index 96e795bbc..949a76cab 100644 --- a/ansible/vars.yml +++ b/ansible/vars.yml 
@@ -9,9 +9,9 @@ postgres_major:
 # Full version strings for each major version
 postgres_release:
- postgresorioledb-17: "17.5.1.014-orioledb-test-1"
- postgres17: "17.4.1.071-test-1"
- postgres15: "15.8.1.128-test-1"
+ postgresorioledb-17: "17.5.1.014-orioledb"
+ postgres17: "17.4.1.071"
+ postgres15: "15.8.1.128"
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"