[StepSecurity] ci: Harden GitHub Actions (#488) #177
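# Builds pg_stat_monitor against Percona Distribution for PostgreSQL 16
# installed from packages, then runs the extension's installcheck suite.
name: postgresql-16-ppg-package
on:
  pull_request:
  push:
    branches:
      - main
    tags:
      - '[0-9]+.[0-9]+.[0-9]+*'

# Workflow-wide token scope: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  build:
    name: pg-16-ppg-package-test
    runs-on: ubuntu-22.04
    timeout-minutes: 30
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the release tag that SHA corresponds to.
      - name: Clone pg_stat_monitor repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: 'src/pg_stat_monitor'
          # No later step talks to the remote, and the checkout is handed to
          # the postgres account below, so do not leave the job token in
          # .git/config.
          persist-credentials: false

      - name: Delete old postgresql files
        run: |
          sudo apt-get update
          # -y: there is no terminal to answer apt's confirmation prompt.
          # The glob is quoted so apt, not the shell, expands it.
          sudo apt-get purge -y postgresql-client-common postgresql-common \
            postgresql 'postgresql*'
          sudo apt-get install -y libreadline6-dev systemtap-sdt-dev \
            zlib1g-dev libssl-dev libpam0g-dev python3-dev bison flex \
            libipc-run-perl wget
          sudo rm -rf /var/lib/postgresql /var/log/postgresql /etc/postgresql \
            /usr/lib/postgresql /usr/include/postgresql /usr/share/postgresql
          sudo rm -f /usr/bin/pg_config
          # NOTE(review): these CPAN installs run as root and take whatever
          # version is current at run time; nothing pins or verifies them.
          sudo /usr/bin/perl -MCPAN -e 'install IPC::Run'
          sudo /usr/bin/perl -MCPAN -e 'install Text::Trim'

      # NOTE(review): the .deb below is a mutable "latest" URL and is
      # installed as root with no checksum or signature check. Unlike the
      # SHA-pinned actions above, this download is not pinned; consider
      # verifying it against a vendor-published digest before dpkg -i.
      - name: Install percona-release script
        run: |
          sudo apt-get -y update
          sudo apt-get -y upgrade
          sudo apt-get install -y wget gnupg2 curl lsb-release
          sudo wget \
            https://repo.percona.com/apt/percona-release_latest.generic_all.deb
          sudo dpkg -i percona-release_latest.generic_all.deb

      - name: Install Percona Distribution Postgresql 16 & Extensions
        run: |
          sudo percona-release setup ppg-16
          sudo apt-get update -y
          sudo apt-get install -y percona-postgresql-16 \
            percona-postgresql-contrib percona-postgresql-server-dev-all \
            percona-pgpool2 libpgpool2 percona-postgresql-16-pgaudit \
            percona-postgresql-16-pgaudit-dbgsym percona-postgresql-16-repack \
            percona-postgresql-16-repack-dbgsym percona-pgaudit16-set-user \
            percona-pgaudit16-set-user-dbgsym percona-postgresql-16-postgis-3 \
            percona-postgresql-16-postgis-3-scripts \
            percona-postgresql-postgis-scripts percona-postgresql-postgis \
            percona-postgis

      # The build and tests run as the postgres account, so it must own the
      # source tree. The chmod on ~ is presumably what lets that account
      # traverse the runner's home directory to reach the checkout.
      - name: Change src owner to postgres
        run: |
          sudo chmod o+rx ~
          sudo chown -R postgres:postgres src

      # Compile unprivileged as postgres; only the install step runs as root.
      - name: Build pg_stat_monitor
        run: |
          sudo -u postgres bash -c 'make USE_PGXS=1'
          sudo make USE_PGXS=1 install
        working-directory: src/pg_stat_monitor

      - name: Start pg_stat_monitor_tests
        run: |
          sudo service postgresql stop
          echo "shared_preload_libraries = 'pg_stat_monitor'" |
            sudo tee -a /etc/postgresql/16/main/postgresql.conf
          sudo service postgresql start
          sudo psql -V
          export PG_TEST_PORT_DIR="${GITHUB_WORKSPACE}/src/pg_stat_monitor"
          echo "$PG_TEST_PORT_DIR"
          # -E carries the exported variable into the postgres user's make run.
          sudo -E -u postgres bash -c 'make installcheck USE_PGXS=1'
        working-directory: src/pg_stat_monitor

      # Test output is owned by postgres; open it up so the upload step,
      # which runs as the runner user, can read it.
      - name: Change dir permissions on fail
        if: ${{ failure() }}
        run: |
          sudo chmod -R ugo+rwx t
          sudo chmod -R ugo+rwx tmp_check
          exit 2 # regenerate error so that we can upload files in next step
        working-directory: src/pg_stat_monitor

      # Only diffs and logs are uploaded; the '!' patterns keep archives,
      # backups and data directories out of the artifact.
      - name: Upload logs on fail
        if: ${{ failure() }}
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: Regressions diff and postgresql log
          path: |
            src/pg_stat_monitor/regression.diffs
            src/pg_stat_monitor/regression.out
            src/pg_stat_monitor/logfile
            src/pg_stat_monitor/t/results/
            src/pg_stat_monitor/tmp_check/log/
            !src/pg_stat_monitor/tmp_check/**/archives/*
            !src/pg_stat_monitor/tmp_check/**/backup/*
            !src/pg_stat_monitor/tmp_check/**/pgdata/*
            !src/pg_stat_monitor/tmp_check/**/archives/
            !src/pg_stat_monitor/tmp_check/**/backup/
            !src/pg_stat_monitor/tmp_check/**/pgdata/
          if-no-files-found: warn
          retention-days: 3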