fix: address all review findings across workflows and Dockerfile

Matrix correctness:
- Fix broken include for runner-to-platform mapping by pre-building
  the full matrix in load-versions job using jq
- Iterate versions.json entries directly instead of cross-product of
  unique arrays (prevents invalid combos if versions diverge)

Dockerfile:
- Collapse 4 RUN layers into single layer (~150-300MB image savings)
- Preserve ca-certificates at runtime via apt-mark manual
- Add HEALTHCHECK instruction
- Add .dockerignore to reduce build context

Security:
- Add top-level permissions: contents: read to test.yml
- Pass all ${{ }} values through env vars in run blocks
- Add provenance and SBOM attestations to published images
- Remove cache-to from publish (test workflow warms the cache)

Author: naorpeled

.dockerignore

@@ -0,0 +1,9 @@
+.git
+.github
+.dockerignore
+.gitignore
+.env*
+*.md
+LICENSE
+docker-compose*.yml
+versions.json

.github/workflows/publish.yml

@@ -13,18 +13,16 @@ jobs:
   load-versions:
     runs-on: ubuntu-latest
     outputs:
-      pg_versions: ${{ steps.set-matrix.outputs.pg_versions }}
-      postgis_versions: ${{ steps.set-matrix.outputs.postgis_versions }}
-      pgvector_versions: ${{ steps.set-matrix.outputs.pgvector_versions }}
-      versions: ${{ steps.set-matrix.outputs.versions }}
+      build-matrix: ${{ steps.set-matrix.outputs.build_matrix }}
+      merge-matrix: ${{ steps.set-matrix.outputs.merge_matrix }}
     steps:
       - uses: actions/checkout@v6
       - id: set-matrix
         run: |
-          echo "pg_versions=$(jq -c '[.[].pg_version] | unique' versions.json)" >> "$GITHUB_OUTPUT"
-          echo "postgis_versions=$(jq -c '[.[].postgis_version] | unique' versions.json)" >> "$GITHUB_OUTPUT"
-          echo "pgvector_versions=$(jq -c '[.[].pgvector_version] | unique' versions.json)" >> "$GITHUB_OUTPUT"
-          echo "versions=$(jq -c '.' versions.json)" >> "$GITHUB_OUTPUT"
+          RUNNERS='[{"runner":"ubuntu-latest","platform":"linux/amd64"},{"runner":"ubuntu-24.04-arm","platform":"linux/arm64"}]'
+          BUILD_MATRIX=$(jq -c --argjson runners "$RUNNERS" '{include: [.[] | . as $v | $runners[] | . + $v]}' versions.json)
+          echo "build_matrix=$BUILD_MATRIX" >> "$GITHUB_OUTPUT"
+          echo "merge_matrix=$(jq -c '{include: .}' versions.json)" >> "$GITHUB_OUTPUT"
 
   build:
     needs: load-versions
@@ -36,16 +34,7 @@ jobs:
 
     strategy:
       fail-fast: false
-      matrix:
-        runner: [ubuntu-latest, ubuntu-24.04-arm]
-        pg_version: ${{ fromJSON(needs.load-versions.outputs.pg_versions) }}
-        postgis_version: ${{ fromJSON(needs.load-versions.outputs.postgis_versions) }}
-        pgvector_version: ${{ fromJSON(needs.load-versions.outputs.pgvector_versions) }}
-        include:
-          - runner: ubuntu-latest
-            platform: linux/amd64
-          - runner: ubuntu-24.04-arm
-            platform: linux/arm64
+      matrix: ${{ fromJSON(needs.load-versions.outputs.build-matrix) }}
 
     steps:
       - name: Checkout repository
@@ -74,20 +63,22 @@ jobs:
           context: .
           push: true
           platforms: ${{ matrix.platform }}
+          provenance: true
+          sbom: true
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             PG_VERSION=${{ matrix.pg_version }}
             POSTGIS_VERSION=${{ matrix.postgis_version }}
             PGVECTOR_VERSION=${{ matrix.pgvector_version }}
           cache-from: type=gha,scope=${{ matrix.pg_version }}-${{ matrix.runner }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.pg_version }}-${{ matrix.runner }}
           outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
 
       - name: Export digest
+        env:
+          DIGEST: ${{ steps.build.outputs.digest }}
         run: |
           mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
+          touch "/tmp/digests/${DIGEST#sha256:}"
 
       - name: Upload digest
         uses: actions/upload-artifact@v4
@@ -107,8 +98,7 @@ jobs:
 
     strategy:
       fail-fast: false
-      matrix:
-        include: ${{ fromJSON(needs.load-versions.outputs.versions) }}
+      matrix: ${{ fromJSON(needs.load-versions.outputs.merge-matrix) }}
 
     steps:
       - name: Download digests
@@ -137,10 +127,13 @@ jobs:
 
       - name: Create multi-arch manifest and push
         working-directory: /tmp/digests
+        env:
+          REGISTRY: ${{ env.REGISTRY }}
+          IMAGE: ${{ env.IMAGE_NAME }}
         run: |
           docker buildx imagetools create \
             $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+            $(printf "${REGISTRY}/${IMAGE}@sha256:%s " *)
 
       - name: Verify multi-arch manifest
         run: |

.github/workflows/test.yml

@@ -7,32 +7,28 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   load-versions:
     runs-on: ubuntu-latest
     outputs:
-      pg_versions: ${{ steps.set-matrix.outputs.pg_versions }}
-      postgis_versions: ${{ steps.set-matrix.outputs.postgis_versions }}
-      pgvector_versions: ${{ steps.set-matrix.outputs.pgvector_versions }}
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - uses: actions/checkout@v6
       - id: set-matrix
         run: |
-          echo "pg_versions=$(jq -c '[.[].pg_version] | unique' versions.json)" >> "$GITHUB_OUTPUT"
-          echo "postgis_versions=$(jq -c '[.[].postgis_version] | unique' versions.json)" >> "$GITHUB_OUTPUT"
-          echo "pgvector_versions=$(jq -c '[.[].pgvector_version] | unique' versions.json)" >> "$GITHUB_OUTPUT"
+          MATRIX=$(jq -c '{include: [.[] | . as $v | {runner: "ubuntu-latest"}, {runner: "ubuntu-24.04-arm"} | . + $v]}' versions.json)
+          echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"
 
   test:
     needs: load-versions
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 15
     strategy:
       fail-fast: false
-      matrix:
-        runner: [ubuntu-latest, ubuntu-24.04-arm]
-        pg_version: ${{ fromJSON(needs.load-versions.outputs.pg_versions) }}
-        postgis_version: ${{ fromJSON(needs.load-versions.outputs.postgis_versions) }}
-        pgvector_version: ${{ fromJSON(needs.load-versions.outputs.pgvector_versions) }}
+      matrix: ${{ fromJSON(needs.load-versions.outputs.matrix) }}
 
     steps:
       - uses: actions/checkout@v6
@@ -54,9 +50,12 @@ jobs:
           cache-to: type=gha,mode=max,scope=${{ matrix.pg_version }}-${{ matrix.runner }}
 
       - name: Start PostgreSQL container
+        env:
+          PG_VERSION: ${{ matrix.pg_version }}
+          RUNNER: ${{ matrix.runner }}
         run: |
-          IMAGE_TAG="postgres-test:pg${{ matrix.pg_version }}"
-          echo "Testing image: $IMAGE_TAG (runner: ${{ matrix.runner }})"
+          IMAGE_TAG="postgres-test:pg${PG_VERSION}"
+          echo "Testing image: $IMAGE_TAG (runner: $RUNNER)"
 
           docker run -d --name test-db \
             -e POSTGRES_PASSWORD=test \
@@ -66,7 +65,7 @@ jobs:
             --health-interval=2s \
             --health-timeout=5s \
             --health-retries=30 \
-            $IMAGE_TAG \
+            "$IMAGE_TAG" \
             postgres -c shared_preload_libraries=vector
 
           echo "Waiting for PostgreSQL to become healthy..."
@@ -97,8 +96,10 @@ jobs:
           docker exec test-db psql -U test -d test -c "CREATE TABLE items (id bigserial PRIMARY KEY, embedding vector(3)); INSERT INTO items (embedding) VALUES ('[1,2,3]'), ('[4,5,6]'); SELECT COUNT(*) FROM items;"
 
       - name: Verify installed versions match requested
+        env:
+          EXPECTED_PGVECTOR: ${{ matrix.pgvector_version }}
+          EXPECTED_POSTGIS: ${{ matrix.postgis_version }}
         run: |
-          EXPECTED_PGVECTOR="${{ matrix.pgvector_version }}"
           ACTUAL_PGVECTOR=$(docker exec test-db psql -U test -d test -tAc \
             "SELECT extversion FROM pg_extension WHERE extname = 'vector';")
           if [ "$ACTUAL_PGVECTOR" != "$EXPECTED_PGVECTOR" ]; then
@@ -107,7 +108,6 @@ jobs:
           fi
           echo "pgvector version OK: $ACTUAL_PGVECTOR"
 
-          EXPECTED_POSTGIS="${{ matrix.postgis_version }}"
           ACTUAL_POSTGIS=$(docker exec test-db psql -U test -d test -tAc \
             "SELECT extversion FROM pg_extension WHERE extname = 'postgis';")
           if [ "$ACTUAL_POSTGIS" != "$EXPECTED_POSTGIS" ]; then

Dockerfile

@@ -13,53 +13,50 @@ LABEL maintainer="TypeORM"
 LABEL description="PostgreSQL with PostGIS and pgvector extensions for TypeORM"
 LABEL org.opencontainers.image.source="https://github.com/typeorm/docker"
 
-# Install base dependencies, setup PGDG repository, and install build tools
+# Install PostGIS, build pgvector from source, then clean up in a single layer
 # Note: PG_MAJOR is provided by the official postgres base image
-RUN apt-get update \
+RUN set -eux \
+    && apt-get update \
     && apt-get install -y --no-install-recommends \
-    lsb-release \
-    gnupg \
-    ca-certificates \
-    wget \
+        lsb-release \
+        gnupg \
+        ca-certificates \
+        wget \
     && wget --quiet -O /usr/share/keyrings/postgresql-archive-keyring.gpg https://www.postgresql.org/media/keys/ACCC4CF8.asc \
     && sh -c 'echo "deb [signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \
     && apt-get update \
     && apt-get install -y --no-install-recommends \
-    build-essential \
-    git \
-    make \
-    gcc \
-    "postgresql-server-dev-${PG_MAJOR}"
-
-# Install pinned PostGIS version (apt packages use major version in name)
-RUN POSTGIS_MAJOR=$(echo "${POSTGIS_VERSION}" | cut -d. -f1) \
-    && apt-get update \
+        build-essential \
+        git \
+        make \
+        gcc \
+        "postgresql-server-dev-${PG_MAJOR}" \
+    && POSTGIS_MAJOR=$(echo "${POSTGIS_VERSION}" | cut -d. -f1) \
     && apt-get install -y --no-install-recommends \
-    "postgis=${POSTGIS_VERSION}+dfsg*" \
-    "postgresql-${PG_MAJOR}-postgis-${POSTGIS_MAJOR}=${POSTGIS_VERSION}+dfsg*" \
-    "postgresql-${PG_MAJOR}-postgis-${POSTGIS_MAJOR}-scripts=${POSTGIS_VERSION}+dfsg*"
-
-# Build and install pinned pgvector version from source
-RUN git clone --branch "v${PGVECTOR_VERSION}" --depth 1 https://github.com/pgvector/pgvector.git /usr/src/pgvector \
+        "postgis=${POSTGIS_VERSION}+dfsg*" \
+        "postgresql-${PG_MAJOR}-postgis-${POSTGIS_MAJOR}=${POSTGIS_VERSION}+dfsg*" \
+        "postgresql-${PG_MAJOR}-postgis-${POSTGIS_MAJOR}-scripts=${POSTGIS_VERSION}+dfsg*" \
+    && git clone --branch "v${PGVECTOR_VERSION}" --depth 1 https://github.com/pgvector/pgvector.git /usr/src/pgvector \
     && cd /usr/src/pgvector \
     && make \
-    && make install
-
-# Cleanup build dependencies
-RUN apt-get purge -y --auto-remove \
-    build-essential \
-    git \
-    make \
-    gcc \
-    "postgresql-server-dev-${PG_MAJOR}" \
-    wget \
-    lsb-release \
-    gnupg \
+    && make install \
+    && apt-mark manual ca-certificates \
+    && apt-get purge -y --auto-remove \
+        build-essential \
+        git \
+        make \
+        gcc \
+        "postgresql-server-dev-${PG_MAJOR}" \
+        wget \
+        lsb-release \
+        gnupg \
     && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
-    && rm -rf /usr/src/pgvector
+    && rm -rf /var/lib/apt/lists/* /usr/src/pgvector
 
 # Copy initialization scripts
 COPY docker-entrypoint-initdb.d/ /docker-entrypoint-initdb.d/
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
+    CMD pg_isready -U postgres || exit 1
+
 EXPOSE 5432