Multi-arch build: linux/amd64 + linux/arm64 (Apple Silicon) #31
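---
# Build, smoke-test and (conditionally) publish the bpp_dbserver images.
#
# Pipeline: test + lint -> build (one job: bake plan, amd64 smoke, optional
# multi-arch push) -> scan (Trivy on the freshly pushed tags). On pushes to
# main the scan-main / scout-main jobs additionally upload informational
# SARIF reports and the Docker Hub description is synced.
#
# NOTE(review): every third-party `uses:` below is a mutable tag. For the
# jobs that hold registry credentials (build, scout-main,
# dockerhub-description) pinning each action to a full commit SHA, with the
# tag kept as a trailing comment, removes the risk of a moved tag running
# different code. No SHAs are recorded here, so that is left as a follow-up.
name: Build & publish bpp_dbserver

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    tags:
      - "v*"
  # pull_request (not pull_request_target): fork PRs get no secrets, and the
  # build job never needs any unless it pushes, which a PR run never does.
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      push_to_registry:
        description: "Push built images to Docker Hub"
        required: true
        default: "false"
        type: choice
        options:
          - "true"
          - "false"

# Least privilege for the default token; the jobs that upload SARIF widen
# this to security-events: write individually.
permissions:
  contents: read

jobs:
  test:
    name: autotune self-test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - name: Run autotune self-test
        run: python autotune.py --test

  lint:
    name: pre-commit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - uses: pre-commit/action@v3.0.1

  build:
    name: Build matrix (PG 16/17/18), smoke & (maybe) push
    needs: [test, lint]
    runs-on: ubuntu-latest
    outputs:
      # "true" only for v* tag pushes or an explicit manual opt-in (see the
      # decide step); everything else, including PRs, yields "false".
      should_push: ${{ steps.decide.outputs.should_push }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      # QEMU is only needed for the arm64 half of the multi-arch push build;
      # the smoke test below runs natively on the amd64 runner.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Decide whether to push
        id: decide
        # Event data is passed through env, never interpolated into the
        # script. The result is normalised to a literal true/false so the
        # output can only ever carry one of those two words, whatever the
        # dispatch input contains.
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF: ${{ github.ref }}
          DISPATCH_PUSH: ${{ inputs.push_to_registry }}
        run: |
          should_push=false
          if [[ "$EVENT_NAME" == "push" && "$REF" == refs/tags/v* ]]; then
            should_push=true
          elif [[ "$EVENT_NAME" == "workflow_dispatch" && "$DISPATCH_PUSH" == "true" ]]; then
            should_push=true
          fi
          echo "should_push=${should_push}" >> "$GITHUB_OUTPUT"

      - name: Bake print (plan)
        run: docker buildx bake --print

      - name: Build matrix (load locally for smoke, amd64 only)
        # `docker buildx bake --load` does not support multi-arch; the GH
        # Actions runner is amd64, so the smoke test only covers linux/amd64.
        # The multi-arch (amd64 + arm64) build happens in the push step.
        run: docker buildx bake --set "*.platform=linux/amd64" --load

      - name: Smoke test (PG 16/17/18)
        # Each image is started without published ports (reachable only via
        # docker exec) and checked for readiness, plpython3u, the ICU pl-PL
        # collation and the autotune include. Any failing check tears the
        # container down instead of leaving it running on the runner.
        run: |
          set -Eeuo pipefail
          container=""
          # Print a FAIL line, dump the container log for diagnosis, remove
          # the container and abort. Also wired to ERR so that a failing
          # `docker exec ... psql` (which `set -e` alone would turn into an
          # exit without cleanup) goes through the same path.
          fail() {
            echo "FAIL: $1"
            if [ -n "${container}" ]; then
              docker logs "${container}" || true
              docker rm -f "${container}" >/dev/null 2>&1 || true
            fi
            exit 1
          }
          trap 'fail "unexpected error in smoke test for ${container:-?}"' ERR
          for tag in psql-16 psql-17 psql-18; do
            image="iplweb/bpp_dbserver:${tag}"
            container="smoke_${tag}"
            echo "::group::Smoke: ${image}"
            docker run -d --name "${container}" \
              -e POSTGRES_PASSWORD=smoke \
              "${image}"
            # Wait up to 60s (30 x 2s) for readiness
            ready=0
            for _ in $(seq 1 30); do
              if docker exec "${container}" pg_isready -U postgres >/dev/null 2>&1; then
                ready=1
                break
              fi
              sleep 2
            done
            if [ "$ready" -ne 1 ]; then
              fail "pg_isready timed out for ${tag}"
            fi
            # plpython3u must load
            docker exec "${container}" psql -U postgres -v ON_ERROR_STOP=1 \
              -c "CREATE EXTENSION plpython3u;"
            # ICU pl-PL collation must be available
            icu_present=$(docker exec "${container}" psql -U postgres -Atc \
              "SELECT 1 FROM pg_collation WHERE collname = 'pl-x-icu' LIMIT 1;")
            if [ "${icu_present}" != "1" ]; then
              fail "pl-x-icu collation missing for ${tag}"
            fi
            # Autotune include must be applied (shared_buffers value visible)
            sb=$(docker exec "${container}" psql -U postgres -Atc \
              "SHOW shared_buffers;")
            echo "shared_buffers for ${tag}: ${sb}"
            docker stop "${container}" >/dev/null
            docker rm "${container}" >/dev/null
            container=""
            echo "::endgroup::"
          done
          echo "All smoke tests passed."

      - name: Log in to Docker Hub
        if: steps.decide.outputs.should_push == 'true'
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKER_USER }}
          # A separately named secret (DOCKERHUB_ADMIN_PAT) is used for the
          # description sync, so this token presumably only needs push
          # rights on the repository -- keep it that narrow.
          password: ${{ secrets.DOCKER_PAT }}

      # NOTE(review): the Trivy scan job runs *after* this push (and with
      # exit-code 0), so a tag with CRITICAL/HIGH findings is already public
      # by the time it is reported. Scanning the locally loaded amd64 image
      # before this step would turn the scan into an actual gate.
      - name: Push to Docker Hub
        if: steps.decide.outputs.should_push == 'true'
        run: docker buildx bake --set "*.output=type=registry" --push

  scan:
    name: Trivy scan (PG ${{ matrix.major }})
    needs: build
    # Only after a real push: Trivy pulls the tag back from the registry
    # (anonymously -- no login step here) rather than scanning the image
    # built in this run.
    if: needs.build.outputs.should_push == 'true'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        major: ["16", "17", "18"]
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.35.0
        with:
          image-ref: "iplweb/bpp_dbserver:psql-${{ matrix.major }}"
          format: "sarif"
          output: "trivy-results-${{ matrix.major }}.sarif"
          severity: "CRITICAL,HIGH"
          # Informational: findings go to the Security tab but never fail
          # the job, and CVEs without an available fix are not reported.
          exit-code: "0"
          ignore-unfixed: "true"
      - name: Upload Trivy SARIF to Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: "trivy-results-${{ matrix.major }}.sarif"
          category: "trivy-psql-${{ matrix.major }}"

  scan-main:
    name: Trivy scan on main (PG ${{ matrix.major }})
    # NOTE(review): pushes to main do not publish (should_push is only true
    # for v* tags or a manual opt-in), so this job scans whatever psql-NN
    # tag is currently on Docker Hub -- the last release -- not the image
    # built from this commit. It also has no `needs`, so it runs regardless
    # of test/lint. Keep that in mind when reading the Security tab.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        major: ["16", "17", "18"]
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Run Trivy vulnerability scanner (informational)
        uses: aquasecurity/trivy-action@0.35.0
        with:
          image-ref: "iplweb/bpp_dbserver:psql-${{ matrix.major }}"
          format: "sarif"
          output: "trivy-results-${{ matrix.major }}.sarif"
          severity: "CRITICAL,HIGH"
          exit-code: "0"
          ignore-unfixed: "true"
      - name: Upload Trivy SARIF to Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: "trivy-results-${{ matrix.major }}.sarif"
          category: "trivy-psql-${{ matrix.major }}"

  dockerhub-description:
    name: Sync Docker Hub description
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: [test, lint]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Push DOCKERHUB.md to Docker Hub
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKER_USER }}
          # Higher-privilege token than the push one; it is only exposed to
          # this job, which runs on trusted main pushes and only reads the
          # checked-out DOCKERHUB.md.
          password: ${{ secrets.DOCKERHUB_ADMIN_PAT }}
          repository: iplweb/bpp_dbserver
          short-description: "PostgreSQL 16/17/18 + plpython3u + ICU pl-PL + autotune dla BPP"
          readme-filepath: ./DOCKERHUB.md
          enable-url-completion: true

  scout-main:
    name: Docker Scout on main (PG ${{ matrix.major }})
    # Same caveat as scan-main: the scanned tag is the last published
    # release, not the image built from this commit.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        major: ["16", "17", "18"]
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      # scout-action needs an authenticated Docker Hub session; the push
      # token is reused here.
      - name: Log in to Docker Hub
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}
      - name: Docker Scout CVE scan (informational)
        uses: docker/scout-action@v1
        with:
          command: cves
          image: "iplweb/bpp_dbserver:psql-${{ matrix.major }}"
          sarif-file: "scout-results-${{ matrix.major }}.sarif"
          only-severities: "critical,high"
          # Report only; never fails the job.
          exit-code: false
      - name: Upload Scout SARIF to Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: "scout-results-${{ matrix.major }}.sarif"
          category: "scout-psql-${{ matrix.major }}"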