tests: add multi-PG mesh installcheck #486
| @@ -0,0 +1,81 @@ | ||
| # | ||
| # Multi-PG Spock mesh installcheck (no Docker) | ||
| # | ||
| # Builds PostgreSQL REL_15/16/17/18_STABLE plus the Spock extension against | ||
| # each, wires the four single-node clusters into a full Spock mesh | ||
| # (12 subscriptions, exception_behaviour='discard', auto-DDL on), | ||
| # stresses it with `make installcheck-parallel` against n1 (PG15), | ||
| # then asserts that every subscription is still enabled and that | ||
| # spock.sync_event() round-trips on every directed edge. | ||
| # | ||
| # The whole thing is driven by tests/run-multi-pg-installcheck.sh, so | ||
| # it runs identically on a developer laptop. This workflow's job is | ||
| # just: provision deps, invoke the script, save logs on failure. | ||
| # | ||
| # Dependency footprint is dictated by the script's ./configure flags | ||
| # (see _do_configure_pg in tests/run-multi-pg-installcheck.sh): | ||
| # | ||
| # --with-icu -> libicu-dev | ||
| # --with-openssl -> libssl-dev | ||
| # --with-readline -> libreadline-dev | ||
| # --with-zstd -> libzstd-dev | ||
| # --with-lz4 -> liblz4-dev | ||
| # (default zlib) -> zlib1g-dev | ||
| # parser/scanner -> bison, flex | ||
| # ICU pkg detect -> pkg-config (preinstalled, listed for clarity) | ||
| # | ||
| # Everything else the script touches -- gcc, make, perl, git, rsync, | ||
| # ca-certificates -- is preinstalled on ubuntu-latest. If you change | ||
| # the configure command in the script, sync this list with it. | ||
| # | ||
|
|
||
| name: Installcheck (multi-PG mesh) | ||
| run-name: Multi-PG mesh installcheck + sync_event verification | ||
|
|
||
| on: | ||
| workflow_dispatch: # manual: "Run workflow" button in the UI | ||
| push: # automatic: every commit on every branch | ||
| paths-ignore: | ||
| - '**/*.md' | ||
| - 'docs/**' | ||
| - 'mkdocs.yml' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| installcheck-multi-pg: | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 90 | ||
|
|
||
| steps: | ||
| - name: Checkout spock | ||
| uses: actions/checkout@v4 | ||
|
Comment on lines +52 to +53
Script executed:

```bash
#!/bin/bash
set -euo pipefail
for repo in actions/checkout actions/upload-artifact; do
  type="$(gh api "repos/${repo}/git/ref/tags/v4" --jq '.object.type')"
  sha="$(gh api "repos/${repo}/git/ref/tags/v4" --jq '.object.sha')"
  if [ "$type" = tag ]; then
    # annotated tag: dereference it to the commit it points at
    sha="$(gh api "repos/${repo}/git/tags/${sha}" --jq '.object.sha')"
  fi
  printf '%s@v4 -> %s\n' "$repo" "$sha"
done
```

Script executed:

```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/installcheck-multi-pg.yml"
echo "== File excerpt around lines 45-85 =="
nl -ba "$FILE" | sed -n '45,85p'
echo
echo "== All uses of @v4 in that workflow =="
rg -n "uses:\s*.*@v4" "$FILE" || true
echo
echo "== All uses of actions/checkout@v4 and actions/upload-artifact@v4 =="
rg -n "uses:\s*actions/(checkout|upload-artifact)@v4" "$FILE" || true
```

Script executed:

```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/installcheck-multi-pg.yml"
echo "== File excerpt around lines 45-85 =="
awk 'NR>=45 && NR<=85 {printf "%5d %s\n", NR, $0}' "$FILE"
echo
echo "== All uses of @v4 in that workflow =="
rg -n "uses:\s*.*@v4" "$FILE" || true
echo
echo "== All uses of actions/checkout@v4 and actions/upload-artifact@v4 =="
rg -n "uses:\s*actions/(checkout|upload-artifact)@v4" "$FILE" || true
```

Pin GitHub Actions versions to immutable SHAs. This workflow uses mutable tags:
Tools
zizmor (1.25.2)
[warning] 52-53: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
[error] 53-53: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
| - name: Install build dependencies | ||
| run: | | ||
| sudo apt-get update -qq | ||
| sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \ | ||
| --no-install-recommends \ | ||
| bison flex pkg-config \ | ||
| libicu-dev libssl-dev libreadline-dev \ | ||
| libzstd-dev liblz4-dev zlib1g-dev | ||
|
|
||
| - name: Run multi-PG installcheck | ||
| run: | | ||
| # BASE_DIR defaults to <repo>/multi-pg-installcheck which in CI | ||
| # is ${GITHUB_WORKSPACE}/multi-pg-installcheck -- exactly the | ||
| # paths the upload-artifact step below points at. | ||
| ./tests/run-multi-pg-installcheck.sh --jobs "$(nproc)" | ||
|
|
||
| - name: Collect logs on failure | ||
| if: ${{ failure() }} | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: installcheck-multi-pg-logs | ||
| path: | | ||
| multi-pg-installcheck/log/** | ||
| multi-pg-installcheck/src/pg15/src/test/regress/regression.diffs | ||
| multi-pg-installcheck/src/pg15/src/test/regress/regression.out | ||
| if-no-files-found: ignore | ||
| retention-days: 7 | ||
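Review bot: the `push:` trigger at the top of this file starts the job on every commit to every branch, and each run builds four PostgreSQL releases from source under a 90-minute timeout, so a few quick pushes to one branch can tie up several runners at once; add a `concurrency:` block with `group: ${{ github.workflow }}-${{ github.ref }}` and `cancel-in-progress: true` so a newer push to the same ref cancels the superseded run. The artifact step only collects `regression.diffs`/`regression.out` from the pg15 tree, which matches the header comment that `installcheck-parallel` targets n1 (PG15); if that ever changes, both the header and this path list need updating together.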
Set `persist-credentials: false` to prevent credential leakage.

The checkout action should explicitly set `persist-credentials: false` to ensure the GitHub token is not persisted to disk after checkout completes. While the artifacts being uploaded are only logs and test output (not the git checkout itself), this is a security best practice to prevent accidental credential exposure.

Proposed fix

```diff
       - name: Checkout spock
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
```

Tools
zizmor (1.25.2)
[warning] 49-50: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false (artipacked)
[error] 50-50: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy) (unpinned-uses)
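Both findings the review bot raised above (unpinned `uses:` references and an `actions/checkout` step without `persist-credentials: false`) are purely syntactic, so they can be caught locally before a workflow is pushed. The script below is an added example and is not code from the pgEdge/spock repository or from the review bot: it scans a workflow file with awk, and when run without arguments it scans a constructed sample workflow embedded in the script (the 40-zero SHA in that sample is a placeholder, not a real commit). The finding labels `unpinned-uses` and `artipacked` are borrowed from the zizmor output quoted above.

```shell
#!/bin/bash
# Added example, not part of the pgEdge/spock PR: a static check for the two
# findings raised in the review comments, unpinned `uses:` references and
# actions/checkout steps that do not set `persist-credentials: false`.
# Needs only bash, awk and mktemp, so it runs offline; the workflow it scans
# by default is a constructed sample, not the PR's file.
set -eu

# Print "<line>:<action>@<ref>" for every `uses:` whose ref is not a 40-hex
# commit SHA. Local actions (./path) and docker:// refs cannot be SHA-pinned
# and are skipped. No output means every action is pinned.
find_unpinned_uses() {
    awk -v q="'" '
        /^[ \t]*-?[ \t]*uses:/ {
            ref = $0
            sub(/^[ \t]*-?[ \t]*uses:[ \t]*/, "", ref)   # drop the key
            sub(/[ \t]*(#.*)?$/, "", ref)               # drop trailing comment
            gsub(/"/, "", ref); gsub(q, "", ref)        # drop quoting
            if (ref ~ /^(\.\/|docker:\/\/)/) next
            n = split(ref, parts, "@")
            ver = parts[n]
            if (n < 2 || length(ver) != 40 || ver !~ /^[0-9a-f]+$/)
                print NR ":" ref
        }' "$1"
}

# Print the line number of every actions/checkout step whose `with:` block
# lacks `persist-credentials: false` before the next step begins.
find_checkout_without_persist_false() {
    awk '
        function flush() { if (inside && !ok) print start; inside = 0 }
        /^[ \t]*-[ \t]+(name|uses|run|id|with):/ { flush() }   # new step
        /uses:[ \t]*actions\/checkout@/ { inside = 1; ok = 0; start = NR }
        inside && /persist-credentials:[ \t]*false/ { ok = 1 }
        END { flush() }' "$1"
}

# Print every finding for one file in a zizmor-like form; succeed only when
# the file is clean.
check_workflow() {
    local file="$1" found=0 hit
    for hit in $(find_unpinned_uses "$file"); do
        printf 'unpinned-uses: %s:%s\n' "$file" "$hit"
        found=1
    done
    for hit in $(find_checkout_without_persist_false "$file"); do
        printf 'artipacked: %s:%s checkout without persist-credentials: false\n' "$file" "$hit"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Constructed sample workflow. Line 10 is unpinned and keeps credentials,
# line 12 is pinned to a placeholder SHA (40 zeros, not a real commit) and
# drops them, line 16 is a local action, line 19 is unpinned.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
name: sample
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (unpinned, credentials persisted)
        uses: actions/checkout@v4
      - name: Checkout (pinned, credentials dropped)
        uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
        with:
          persist-credentials: false
      - name: Local composite action (not pinnable)
        uses: ./.github/actions/build
      - name: Upload logs
        if: ${{ failure() }}
        uses: actions/upload-artifact@v4
EOF

if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_workflow "$f" || true; done   # scan real files
else
    check_workflow "$SAMPLE" || echo "sample has findings (expected: lines 10 and 19)"
fi
```

Saved as, say, `check-workflow.sh` (an assumed name), it can be run as `./check-workflow.sh .github/workflows/*.yml` to scan real files. It checks syntax only: replacing a tag with a SHA still needs the tag-to-commit lookup the review bot performed with `gh api`, and an annotated tag has to be dereferenced to its commit as that script does.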