Merge branch 'cloudnative-pg:main' into feat/wal2json

Author: paraddise

.github/generate-strategy.sh

@@ -8,9 +8,12 @@
 #
 set -eu
 
+ROOT_DIR=$(cd "$(dirname "$0")/../"; pwd)
+source "${ROOT_DIR}/lib/repo_funcs.sh"
+
 # Define an optional aliases for some major versions
 declare -A aliases=(
-	[16]='latest'
+	[$POSTGRESQL_LATEST_MAJOR_RELEASE]='latest'
 )
 
 # Define the current default distribution
@@ -66,13 +69,18 @@ generator() {
 
 		# Additional aliases in case we are running in the default distro
 		# i.e. "14", "14.2", "14.2-1", "latest"
-		if [ "${distro}" == "${DEFAULT_DISTRO}" ]; then
+		if [[ "${distro}" == "${DEFAULT_DISTRO}" ]]; then
 			versionAliases+=(
-				"$version"
 				"${postgresImageVersion}"
 				"${postgresImageVersion}-${releaseVersion}"
 				${aliases[$version]:+"${aliases[$version]}"}
 			)
+			# Create a tag with just the major (e.g "14") only for stable versions
+			if [[ "${version}" -le "${POSTGRESQL_LATEST_MAJOR_RELEASE}" ]]; then
+				versionAliases+=(
+					"$version"
+				)
+			fi
 		fi
 
 		# Supported platforms for container images

.github/workflows/build.yml

@@ -72,8 +72,29 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
+    # When publishing new images from main, we should not overwrite an existing
+    # tag in order to guarantee the tag's SHA digest consistency.
+    - name: Verify primary tag is not overwritten
+      run: |
+        echo "MISSING_TAG=false" >> $GITHUB_ENV
+        # if we are not on the main branch, always push
+        if [ "${GITHUB_REF#refs/heads/}" != main ]; then
+            echo "MISSING_TAG=true" >> $GITHUB_ENV
+            exit 0
+        fi
+        IMAGE="${IMAGE_RELEASE}:${{ matrix.fullTag }}"
+        # If the primary tag already exists, skip the building phase
+        if skopeo inspect docker://${IMAGE} >/dev/null 2>/dev/null; then
+          echo "Image ${IMAGE} already exists"
+          # We still need to grab the digest to build the imageCatalog
+          echo "OLD_DIGEST=$(skopeo inspect docker://${IMAGE} --format '{{ .Digest }}')" >> $GITHUB_ENV
+        else
+          echo "MISSING_TAG=true" >> $GITHUB_ENV
+        fi
+
     - name: Build and load
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
+      if: ${{ env.MISSING_TAG == 'true' }}
       with:
         context: ${{ matrix.dir }}
         file: ${{ matrix.file }}
@@ -83,6 +104,7 @@ jobs:
 
     - name: Dockle scan
       uses: erzz/dockle-action@v1
+      if: ${{ env.MISSING_TAG == 'true' }}
       with:
         image: "${{ env.IMAGE_STAGING }}:${{ matrix.tags[0] }}"
         exit-code: '1'
@@ -92,6 +114,7 @@ jobs:
 
     - name: Run Snyk to check Docker image for vulnerabilities
       uses: snyk/actions/docker@master
+      if: ${{ env.MISSING_TAG == 'true' }}
       continue-on-error: true
       env:
         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@@ -101,13 +124,15 @@ jobs:
 
     - name: Upload result to GitHub Code Scanning
       uses: github/codeql-action/upload-sarif@v3
+      if: ${{ env.MISSING_TAG == 'true' }}
       continue-on-error: true
       with:
         sarif_file: snyk.sarif
 
     - name: Build and push
       id: build
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
+      if: ${{ env.MISSING_TAG == 'true' }}
       with:
         context: ${{ matrix.dir }}
         file: ${{ matrix.file }}
@@ -123,7 +148,12 @@ jobs:
             BASE_IMAGE=${IMAGE_RELEASE}
         fi
 
-        IMAGE=${BASE_IMAGE}:${{ matrix.fullTag }}@${{ steps.build.outputs.digest }} \
+        DIGEST="${{ steps.build.outputs.digest }}"
+        if [[ "${{ env.MISSING_TAG }}" == "false" ]]; then
+            DIGEST="${{ env.OLD_DIGEST }}"
+        fi
+
+        IMAGE=${BASE_IMAGE}:${{ matrix.fullTag }}@${DIGEST} \
         MAJOR=${{ matrix.version }} \
         yq --null-input '{
           "apiVersion": "postgresql.cnpg.io/v1",

.github/workflows/update.yml

@@ -2,7 +2,7 @@ name: Automatic Updates
 
 on:
   schedule:
-    - cron: 0 0 * * *
+    - cron: 0 0 * * 1
   workflow_dispatch:
 
 defaults:

Debian/12/bookworm/.versions.json

@@ -1,6 +1,6 @@
 {
-  "BARMAN_VERSION": "3.10.0",
-  "IMAGE_RELEASE_VERSION": "1",
-  "POSTGRES_IMAGE_LAST_UPDATED": "2024-05-15T17:08:55.965329Z",
-  "POSTGRES_IMAGE_VERSION": "13.15-bookworm"
+  "BARMAN_VERSION": "3.12.1",
+  "IMAGE_RELEASE_VERSION": "29",
+  "POSTGRES_IMAGE_LAST_UPDATED": "2024-12-25T12:08:00.06375Z",
+  "POSTGRES_IMAGE_VERSION": "13.18-bookworm"
 }

Debian/12/bookworm/requirements.txt

@@ -14,17 +14,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-FROM postgres:13.15-bookworm
+FROM postgres:13.18-bookworm
 
 # Do not split the description, otherwise we will see a blank space in the labels
 LABEL name="PostgreSQL Container Images" \
       vendor="The CloudNativePG Contributors" \
       version="${PG_VERSION}" \
-      release="1" \
+      release="29" \
       summary="PostgreSQL Container images." \
-      description="This Docker image contains PostgreSQL and Barman Cloud based on Postgres 13.15-bookworm."
+      description="This Docker image contains PostgreSQL and Barman Cloud based on Postgres 13.18-bookworm."
 
-LABEL org.opencontainers.image.description="This Docker image contains PostgreSQL and Barman Cloud based on Postgres 13.15-bookworm."
+LABEL org.opencontainers.image.description="This Docker image contains PostgreSQL and Barman Cloud based on Postgres 13.18-bookworm."
 
 COPY requirements.txt /
 
@@ -48,7 +48,7 @@ RUN set -xe; \
 		python3-setuptools \
 	; \
 	pip3 install --break-system-packages --upgrade pip; \
-# TODO: Remove --no-deps once https://github.com/pypa/pip/issues/9644 is solved
+	# TODO: Remove --no-deps once https://github.com/pypa/pip/issues/9644 is solved
 	pip3 install --break-system-packages --no-deps -r requirements.txt; \
 	rm -rf /var/lib/apt/lists/*;