chore(infra): Upgrade PostgreSQL 17 to 18 (#245)

* chore(infra): Upgrade PostgreSQL 17 to 18

- Update base image from postgres:17 to postgres:18
- Update PATH and PG_CONFIG for PostgreSQL 18 bin directory
- Update postgresql-server-dev package to version 18
- Update schema snapshot for PG18's descriptive NOT NULL constraint names
- Update trivyignore comments to reference postgres:18

Closes #240

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix(kube): Update postgres volume mount for PG18 compatibility

PostgreSQL 18 Docker images changed the data directory layout to use
major-version-specific subdirectories under /var/lib/postgresql.

Mount point must be /var/lib/postgresql (not /data) to allow the
container to manage the versioned subdirectory structure.

See: docker-library/postgres#1259

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: Claude Opus 4.5 <[email protected]>

Author: icook

.trivyignore

@@ -10,11 +10,11 @@
 # in our use case (no tar parsing or x509 error string handling).
 
 # golang: archive/tar: Unbounded allocation when parsing GNU sparse map
-# Affects: gosu in postgres:17 base image (Go 1.24.6)
+# Affects: gosu in postgres:18 base image (Go 1.24.6)
 # Fixed in: Go 1.24.8, 1.25.2
 CVE-2025-58183
 
 # crypto/x509: Excessive resource consumption when printing error string
-# Affects: gosu in postgres:17 base image (Go 1.24.6)
+# Affects: gosu in postgres:18 base image (Go 1.24.6)
 # Fixed in: Go 1.24.11, 1.25.5
 CVE-2025-61729

dockerfiles/Dockerfile.postgres

@@ -1,12 +1,12 @@
-FROM postgres:17
+FROM postgres:18
 
-# Ensure pg_config from Postgres 17 is preferred
-ENV PATH="/usr/lib/postgresql/17/bin:${PATH}"
-ENV PG_CONFIG=/usr/lib/postgresql/17/bin/pg_config
+# Ensure pg_config from Postgres 18 is preferred
+ENV PATH="/usr/lib/postgresql/18/bin:${PATH}"
+ENV PG_CONFIG=/usr/lib/postgresql/18/bin/pg_config
 
 # Install pgmq extension and required contrib modules, then clean up build deps and apt cache.
 RUN set -eux; \
-    buildDeps='build-essential libicu-dev postgresql-server-dev-17 pgxnclient'; \
+    buildDeps='build-essential libicu-dev postgresql-server-dev-18 pgxnclient'; \
     apt-get update; \
     apt-get install --no-install-recommends -y $buildDeps postgresql-contrib; \
     pgxn install pgmq; \

dockerfiles/README.md

@@ -6,7 +6,7 @@ Custom Docker images for the TinyCongress development and CI environment.
 
 | Dockerfile | Purpose | Base Image |
 |------------|---------|------------|
-| `Dockerfile.postgres` | PostgreSQL with pgmq extension | `postgres:17` |
+| `Dockerfile.postgres` | PostgreSQL with pgmq extension | `postgres:18` |
 
 ## Dockerfile.postgres
 
@@ -18,7 +18,7 @@ just build-test-postgres
 ```
 
 **Key features:**
-- PostgreSQL 17
+- PostgreSQL 18
 - pgmq extension pre-installed
 - Default database: `tiny-congress`
 - Default credentials: `postgres:postgres`

kube/app/templates/postgres.yaml

@@ -40,7 +40,7 @@ spec:
           name: postgres
         volumeMounts:
         - name: postgres-data
-          mountPath: /var/lib/postgresql/data
+          mountPath: /var/lib/postgresql
         readinessProbe:
           exec:
             command:

service/tests/snapshots/schema_snapshot__schema_matches_snapshot.snap

@@ -1,6 +1,5 @@
 ---
 source: service/tests/schema_snapshot.rs
-assertion_line: 135
 expression: current_schema
 ---
 -- Schema Snapshot
@@ -40,15 +39,15 @@ CREATE INDEX idx_accounts_username ON public.accounts USING btree (username)
 CREATE UNIQUE INDEX test_items_pkey ON public.test_items USING btree (id)
 
 -- Constraints
--- accounts: 2200_16520_1_not_null (CHECK)
--- accounts: 2200_16520_2_not_null (CHECK)
--- accounts: 2200_16520_3_not_null (CHECK)
--- accounts: 2200_16520_4_not_null (CHECK)
--- accounts: 2200_16520_5_not_null (CHECK)
+-- accounts: accounts_created_at_not_null (CHECK)
+-- accounts: accounts_id_not_null (CHECK)
 -- accounts: accounts_pkey (PRIMARY KEY)
 -- accounts: accounts_root_kid_key (UNIQUE)
+-- accounts: accounts_root_kid_not_null (CHECK)
+-- accounts: accounts_root_pubkey_not_null (CHECK)
 -- accounts: accounts_username_key (UNIQUE)
--- test_items: 2200_16511_1_not_null (CHECK)
--- test_items: 2200_16511_2_not_null (CHECK)
--- test_items: 2200_16511_3_not_null (CHECK)
+-- accounts: accounts_username_not_null (CHECK)
+-- test_items: test_items_created_at_not_null (CHECK)
+-- test_items: test_items_id_not_null (CHECK)
+-- test_items: test_items_name_not_null (CHECK)
 -- test_items: test_items_pkey (PRIMARY KEY)