feat: revoke supabase_storage_admin from postgres #2267
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test Database | |
on: | |
push: | |
branches: | |
- develop | |
pull_request: | |
workflow_dispatch: | |
jobs: | |
build: | |
strategy: | |
matrix: | |
include: | |
- runner: [self-hosted, X64] | |
arch: amd64 | |
- runner: arm-runner | |
arch: arm64 | |
runs-on: ${{ matrix.runner }} | |
timeout-minutes: 180 | |
env: | |
POSTGRES_PORT: 5478 | |
POSTGRES_PASSWORD: password | |
steps: | |
- uses: actions/checkout@v3 | |
- id: args | |
uses: mikefarah/yq@master | |
with: | |
cmd: yq 'to_entries | map(select(.value|type == "!!str")) | map(.key + "=" + .value) | join("\n")' 'ansible/vars.yml' | |
- run: docker context create builders | |
- uses: docker/setup-buildx-action@v3 | |
with: | |
endpoint: builders | |
- uses: docker/build-push-action@v5 | |
with: | |
load: true | |
context: . | |
target: production | |
build-args: | | |
${{ steps.args.outputs.result }} | |
tags: supabase/postgres:latest | |
cache-from: | | |
type=gha,scope=${{ github.ref_name }}-latest-${{ matrix.arch }} | |
type=gha,scope=${{ github.base_ref }}-latest-${{ matrix.arch }} | |
cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-latest-${{ matrix.arch }} | |
- name: Start Postgres | |
run: | | |
docker run --rm --pull=never \ | |
-e POSTGRES_PASSWORD=${{ env.POSTGRES_PASSWORD }} \ | |
-p ${{ env.POSTGRES_PORT }}:5432 \ | |
--name supabase_postgres \ | |
-d supabase/postgres:latest | |
- name: Install psql | |
run: | | |
sudo apt update | |
sudo apt install -y --no-install-recommends postgresql-client | |
- name: Install pg_prove | |
run: sudo cpan -T TAP::Parser::SourceHandler::pgTAP | |
env: | |
SHELL: /bin/bash | |
- name: Wait for healthy database | |
run: | | |
count=0 | |
until [ "$(docker inspect -f '{{.State.Health.Status}}' "$container")" == "healthy" ]; do | |
exit=$? | |
count=$((count + 1)) | |
if [ $count -ge "$retries" ]; then | |
echo "Retry $count/$retries exited $exit, no more retries left." | |
docker stop -t 2 "$container" | |
return $exit | |
fi | |
sleep 1; | |
done; | |
echo "$container container is healthy" | |
env: | |
retries: 20 | |
container: supabase_postgres | |
- name: Run tests | |
run: pg_prove migrations/tests/test.sql | |
env: | |
PGHOST: localhost | |
PGPORT: ${{ env.POSTGRES_PORT }} | |
PGDATABASE: postgres | |
PGUSER: supabase_admin | |
PGPASSWORD: ${{ env.POSTGRES_PASSWORD }} | |
- name: Check migrations are idempotent | |
run: | | |
for sql in ./migrations/db/migrations/*.sql; do | |
echo "$0: running $sql" | |
psql -v ON_ERROR_STOP=1 --no-password --no-psqlrc -f "$sql" | |
done | |
env: | |
PGHOST: localhost | |
PGPORT: ${{ env.POSTGRES_PORT }} | |
PGDATABASE: postgres | |
PGUSER: supabase_admin | |
PGPASSWORD: ${{ env.POSTGRES_PASSWORD }} | |
schema: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: verify schema.sql is committed | |
run: | | |
docker compose -f migrations/docker-compose.yaml up db dbmate --abort-on-container-exit | |
if ! git diff --ignore-space-at-eol --exit-code --quiet migrations/schema.sql; then | |
echo "Detected uncommitted changes after build. See status below:" | |
git diff | |
exit 1 | |
fi |