ci: add CI/CD workflows, Docker Bake, and extract extension fetch script

Add GitHub Actions workflows for CI (format check + regression tests) and
multi-arch Docker builds with manifest merging. Extract DuckDB extension
download into a reusable script. Harden docker.yaml against shell injection
by passing refs via env vars, scope permissions to contents:read, and add
concurrency guards.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: YuweiXiao

.github/workflows/ci.yaml

@@ -0,0 +1,95 @@
+name: CI
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*"]
+  pull_request:
+
+# Cancel in-progress runs for the same branch (except main)
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ !contains(github.ref, 'main') }}
+
+jobs:
+  format:
+    name: "Format check"
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+
+      - name: Check Rust formatting
+        run: cargo fmt --all -- --check
+
+  test:
+    name: "Regression tests (PG${{ matrix.pg_version }})"
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        pg_version: [18]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build pg_duckpipe builder image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: builder
+          build-args: PG_VERSION=${{ matrix.pg_version }}
+          load: true
+          tags: pg_duckpipe:builder-${{ matrix.pg_version }}
+          cache-from: type=gha,scope=ci-builder-pg${{ matrix.pg_version }}
+          cache-to: type=gha,mode=max,scope=ci-builder-pg${{ matrix.pg_version }}
+
+      - name: Run regression tests
+        id: run-tests
+        run: |
+          docker run --rm \
+            -v /tmp/regression-output-${{ matrix.pg_version }}:/results \
+            pg_duckpipe:builder-${{ matrix.pg_version }} bash -c '
+              set -euo pipefail
+
+              # Pre-fetch the ducklake DuckDB extension needed by tests
+              /build/docker/fetch-ducklake-ext.sh
+              chown -R postgres:postgres /var/lib/postgresql/.duckdb /build
+
+              # pg_regress refuses to run as root — switch to the postgres user
+              su postgres -s /bin/bash -c "
+                export LD_LIBRARY_PATH=/usr/lib/postgresql/${{ matrix.pg_version }}/lib
+                make -C /build/test/regression check-regression \
+                  PG_CONFIG=/usr/lib/postgresql/${{ matrix.pg_version }}/bin/pg_config
+              " || {
+                mkdir -p /results
+                cp /build/test/regression/regression.diffs /results/ 2>/dev/null || true
+                cp /build/test/regression/log/postmaster.log /results/ 2>/dev/null || true
+                exit 1
+              }
+            '
+
+      - name: Upload regression artifacts
+        if: failure() && steps.run-tests.outcome == 'failure'
+        uses: actions/upload-artifact@v4
+        with:
+          name: regression-output-pg${{ matrix.pg_version }}
+          path: /tmp/regression-output-${{ matrix.pg_version }}/
+
+      - name: Print regression.diffs on failure
+        if: failure() && steps.run-tests.outcome == 'failure'
+        run: |
+          echo "=== regression.diffs ==="
+          cat /tmp/regression-output-${{ matrix.pg_version }}/regression.diffs || echo "(not found)"
+          echo ""
+          echo "=== postmaster.log (last 100 lines) ==="
+          tail -100 /tmp/regression-output-${{ matrix.pg_version }}/postmaster.log || echo "(not found)"
+          exit 1

.github/workflows/docker.yaml

@@ -0,0 +1,142 @@
+name: Build Docker
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }}
+
+on:
+  push:
+    tags: ["v*"]
+  pull_request:
+    paths:
+      - Dockerfile
+      - docker-bake.hcl
+      - ".github/workflows/docker.yaml"
+  schedule:
+    # Rebuild nightly to pick up base-image updates from pg_ducklake
+    - cron: "44 4 * * *"
+  workflow_dispatch:
+
+jobs:
+  docker_build:
+    name: Build Docker image for Postgres ${{ matrix.postgres }} on ${{ matrix.runner }}
+    strategy:
+      matrix:
+        postgres: ["18"]
+        runner: ["ubuntu-24.04", "ubuntu-24.04-arm"]
+
+    runs-on: ${{ matrix.runner }}
+
+    env:
+      BUILDKIT_PROGRESS: plain
+      PG_VERSION: ${{ matrix.postgres }}
+      RAW_REF: ${{ github.head_ref || github.ref_name }}
+    outputs:
+      branch_tag: ${{ steps.params.outputs.branch_tag }}
+      target_repo: ${{ steps.params.outputs.target_repo }}
+
+    steps:
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        uses: docker/login-action@v3
+        with:
+          username: pgducklake
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Checkout pg_duckpipe code
+        uses: actions/checkout@v4
+
+      - name: Compute job parameters
+        id: params
+        run: |
+          # Sanitise branch name to a valid Docker tag component (max 112 chars)
+          BRANCH=$(printf '%s' "$RAW_REF" \
+              | sed 's/[^a-zA-Z0-9\-\.]/-/g' \
+              | cut -c 1-112 | tr '[:upper:]' '[:lower:]' \
+              | sed -e 's/-*$//')
+
+          # Set platform depending on which runner we're using
+          if [ "${{ matrix.runner }}" = "ubuntu-24.04" ]; then
+            PLATFORM=amd64
+          else
+            PLATFORM=arm64
+          fi
+
+          # main branch and release tags publish to pgducklake/pgduckpipe;
+          # all other branches go to the staging pgducklake/pipe-ci-builds repo.
+          git fetch --tags --force
+          if [ "$BRANCH" = "main" ] || git rev-parse --verify "$BRANCH"^{tag} > /dev/null 2>&1; then
+            TARGET_REPO='pgducklake/pgduckpipe'
+          else
+            TARGET_REPO='pgducklake/pipe-ci-builds'
+          fi
+
+          LATEST_IMAGE="pgducklake/pipe-ci-builds:${{ matrix.postgres }}-${PLATFORM}-${BRANCH}-latest"
+
+          echo "platform=$PLATFORM"             >> "$GITHUB_OUTPUT"
+          echo "branch_tag=$BRANCH"             >> "$GITHUB_OUTPUT"
+          echo "target_repo=$TARGET_REPO"        >> "$GITHUB_OUTPUT"
+          echo "latest_image=$LATEST_IMAGE"      >> "$GITHUB_OUTPUT"
+
+      - name: Attempt to pull previous image for layer cache
+        run: |
+          docker pull "${{ steps.params.outputs.latest_image }}" || true
+          docker pull moby/buildkit:buildx-stable-1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          platforms: linux/${{ steps.params.outputs.platform }}
+
+      - name: docker bake
+        uses: docker/bake-action@v5
+        with:
+          targets: pg_duckpipe_${{ matrix.postgres }}
+          push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+          set: |
+            *.platform=linux/${{ steps.params.outputs.platform }}
+            *.cache-from=type=registry,ref=${{ steps.params.outputs.latest_image }}
+            *.cache-from=type=gha,scope=${{ github.workflow }}
+            *.cache-to=type=gha,mode=max,scope=${{ github.workflow }}
+            pg_duckpipe.tags=pgducklake/pipe-ci-builds:${{ matrix.postgres }}-${{ steps.params.outputs.platform }}-${{ github.sha }}
+            pg_duckpipe.tags=${{ steps.params.outputs.latest_image }}
+
+  docker_merge:
+    name: Merge Docker image for Postgres ${{ matrix.postgres }}
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+    strategy:
+      matrix:
+        postgres: ["18"]
+
+    runs-on: ubuntu-24.04
+    needs: docker_build
+
+    steps:
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: pgducklake
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Merge amd64 + arm64 into a multi-arch manifest
+        run: |
+          docker pull --platform linux/amd64 \
+            pgducklake/pipe-ci-builds:${{ matrix.postgres }}-amd64-${{ github.sha }}
+          docker pull --platform linux/arm64 \
+            pgducklake/pipe-ci-builds:${{ matrix.postgres }}-arm64-${{ github.sha }}
+
+          BRANCH="${{ needs.docker_build.outputs.branch_tag }}"
+          TARGET_REPO="${{ needs.docker_build.outputs.target_repo }}"
+
+          echo "Pushing merged manifest to '${TARGET_REPO}'"
+          docker buildx imagetools create \
+            --tag "${TARGET_REPO}:${{ matrix.postgres }}-${BRANCH}" \
+            --tag "pgducklake/pipe-ci-builds:${{ matrix.postgres }}-${{ github.sha }}" \
+            "pgducklake/pipe-ci-builds:${{ matrix.postgres }}-amd64-${{ github.sha }}" \
+            "pgducklake/pipe-ci-builds:${{ matrix.postgres }}-arm64-${{ github.sha }}"
+
+          docker buildx imagetools inspect \
+            "pgducklake/pipe-ci-builds:${{ matrix.postgres }}-${{ github.sha }}"

Dockerfile

@@ -59,7 +59,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
 ###############################################################################
 ### OUTPUT — pg_ducklake + pg_duckpipe, ready to use
 ###############################################################################
-FROM pgducklake/pgducklake:${PG_VERSION}-main
+FROM pgducklake/pgducklake:${PG_VERSION}-main AS output
 ARG PG_VERSION
 
 USER root
@@ -98,14 +98,9 @@ RUN echo "/usr/lib/postgresql/${PG_VERSION}/lib" > /etc/ld.so.conf.d/duckdb.conf
 # survives the Docker volume mount at /var/lib/postgresql/data.
 #
 # DuckDB version must match libduckdb.so shipped by pg_ducklake in this image.
+COPY docker/fetch-ducklake-ext.sh /usr/local/bin/fetch-ducklake-ext.sh
 RUN apt-get update -qq && apt-get install -y --no-install-recommends curl && \
-    DUCKDB_VER="v1.4.3" && \
-    ARCH="$(uname -m | sed 's/x86_64/linux_amd64/;s/aarch64/linux_arm64/')" && \
-    EXT_DIR="/var/lib/postgresql/.duckdb/extensions/${DUCKDB_VER}/${ARCH}" && \
-    mkdir -p "${EXT_DIR}" && \
-    curl -fsSL \
-        "https://extensions.duckdb.org/${DUCKDB_VER}/${ARCH}/ducklake.duckdb_extension.gz" \
-        | gzip -d > "${EXT_DIR}/ducklake.duckdb_extension" && \
+    /usr/local/bin/fetch-ducklake-ext.sh && \
     chown -R postgres:postgres /var/lib/postgresql/.duckdb && \
     apt-get remove -y curl && apt-get autoremove -y && \
     rm -rf /var/lib/apt/lists/*

docker-bake.hcl

@@ -0,0 +1,28 @@
+variable "REPO" {
+  default = "pgducklake/pgduckpipe"
+}
+
+variable "PG_VERSION" {
+  default = "18"
+}
+
+# Base target: defines build args, target stage, and default tag.
+# The docker.yaml workflow overrides tags via `set: pg_duckpipe.tags=...`.
+target "pg_duckpipe" {
+  args = {
+    PG_VERSION = "${PG_VERSION}"
+  }
+  target = "output"
+  tags   = ["${REPO}:${PG_VERSION}-dev"]
+}
+
+target "pg_duckpipe_18" {
+  inherits = ["pg_duckpipe"]
+  args = {
+    PG_VERSION = "18"
+  }
+}
+
+target "default" {
+  inherits = ["pg_duckpipe_18"]
+}

docker/fetch-ducklake-ext.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Download the ducklake DuckDB extension to the standard offline cache directory.
+#
+# Usage: fetch-ducklake-ext.sh [duckdb-version]
+# Default version: v1.4.3  (must match libduckdb.so shipped by pg_ducklake)
+#
+# Installs to: /var/lib/postgresql/.duckdb/extensions/<ver>/<arch>/ducklake.duckdb_extension
+
+set -euo pipefail
+
+DUCKDB_VER="${1:-v1.4.3}"
+ARCH=$(uname -m | sed 's/x86_64/linux_amd64/;s/aarch64/linux_arm64/')
+EXT_DIR="/var/lib/postgresql/.duckdb/extensions/${DUCKDB_VER}/${ARCH}"
+
+mkdir -p "${EXT_DIR}"
+curl -fsSL \
+    "https://extensions.duckdb.org/${DUCKDB_VER}/${ARCH}/ducklake.duckdb_extension.gz" \
+    | gzip -d > "${EXT_DIR}/ducklake.duckdb_extension"
+
+echo "ducklake ${DUCKDB_VER} (${ARCH}) installed to ${EXT_DIR}"