Skip to content

Switch to pgxn-tools based testing#5

Open
jnasbyupgrade wants to merge 10 commits into
masterfrom
master-pre-rollback
Open

Switch to pgxn-tools based testing#5
jnasbyupgrade wants to merge 10 commits into
masterfrom
master-pre-rollback

Conversation

@jnasbyupgrade

Copy link
Copy Markdown
Contributor

Re-opens the pgxn-tools testing work (originally PR #1, which was merged as a merge commit rather than a squash; master has since been rolled back to the pre-merge state d191ef1).

This branch holds the original PR #1 content (the 728f815 merge state). Intended to be squash-merged once CI is green.

Note: CI on this branch surfaces a pre-existing column "oid" specified more than once error at CREATE EXTENSION — the fix for that lives in the separate new_features branch (PR #2), so that needs sorting before/with this merge.

e9c24de Fix pg_regress on versions > 12 (#5)
c0af00f Improvements to HISTORY.asc
6e8f2a7 Allow use of sudo when installing an extension
705f1ec Don't run clean as part of make test
370fa8e Create test/sql during setup

git-subtree-dir: pgxntool
git-subtree-split: e9c24de986ddc85bbd1fb3149076888d075ce100
Ditch the old travis setup. Pulls in some pgxntool changes as well.
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds GitHub Actions CI for PostgreSQL versions 17 through 10 using the pgxn/pgxn-tools container. Updates regression options and test setup for PostgreSQL 13+, installs pgtap with --sudo, and creates the test SQL directory. Dump and restore scripts now invoke psql with -X. Related changelog and ignore-file entries are included. The previous Travis CI configuration and test helper script were removed.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant GitHub Actions
  participant pgxn/pgxn-tools
  participant PostgreSQL
  GitHub Actions->>pgxn/pgxn-tools: Run make test with PGUSER=postgres
  pgxn/pgxn-tools->>PostgreSQL: Execute tests for matrix version
  PostgreSQL-->>pgxn/pgxn-tools: Return test results
  pgxn/pgxn-tools-->>GitHub Actions: Return test status
Loading

Possibly related issues

Poem

A rabbit hops through CI green,
From Postgres ten to seventeen.
Old flags rest, new tests take flight,
Dumps stay tidy, sessions right.
make test thumps its carrot drum—
“Across the matrix, here we come!”

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: moving the test setup to pgxn-tools-based testing.
Description check ✅ Passed The description is directly related to the changeset and explains the testing migration and CI context.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch master-pre-rollback

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

1-18: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Add a permissions block to restrict default token permissions.

The workflow has no permissions: block, so the GITHUB_TOKEN gets the repo's default permissions, which may include write access to contents, packages, etc. Since this job only runs tests, it should use read-only or empty permissions.

🔒️ Proposed fix
 name: CI
 on: [push, pull_request]
+permissions:
+  contents: read
 jobs:
   test:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 1 - 18, Add a top-level permissions
block to the CI workflow, before jobs, granting the GITHUB_TOKEN no permissions
(or only the minimum read access required by actions/checkout). Keep the
existing test job, PostgreSQL matrix, and steps unchanged.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 10-15: Pin the pgxn/pgxn-tools container to an immutable image
digest and pin actions/checkout to a full commit SHA instead of mutable tags. In
the checkout step, set persist-credentials to false.

In `@pgxntool/base.mk`:
- Around line 60-64: Fix the version-gated condition in the Makefile by changing
the malformed `ifeq` expression to use `$(call test, $(MAJORVER), -lt, 130)`,
matching the argument pattern used by the existing condition and the scaled
`MAJORVER` values. Keep the `REGRESS_OPTS += --load-language=plpgsql` assignment
unchanged.

---

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 1-18: Add a top-level permissions block to the CI workflow, before
jobs, granting the GITHUB_TOKEN no permissions (or only the minimum read access
required by actions/checkout). Keep the existing test job, PostgreSQL matrix,
and steps unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f7a47839-f028-4d74-87c1-b3482fecc296

📥 Commits

Reviewing files that changed from the base of the PR and between d191ef1 and 728f815.

📒 Files selected for processing (9)
  • .github/workflows/ci.yml
  • .gitignore
  • .travis.yml
  • pg-travis-test.sh
  • pgxntool/HISTORY.asc
  • pgxntool/base.mk
  • pgxntool/setup.sh
  • sql/.object_reference.sql.swo
  • test/dump/run.sh
💤 Files with no reviewable changes (2)
  • .travis.yml
  • pg-travis-test.sh

Comment thread .github/workflows/ci.yml
Comment on lines +10 to +15
container: pgxn/pgxn-tools
steps:
- name: Start PostgreSQL ${{ matrix.pg }}
run: pg-start ${{ matrix.pg }}
- name: Check out the repo
uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pin container image and action, and disable credential persistence.

The pgxn/pgxn-tools container and actions/checkout@v4 are referenced by tag rather than by immutable digest/SHA, which is a supply-chain risk. Additionally, actions/checkout persists the GITHUB_TOKEN in the local git config by default; since this job doesn't push, set persist-credentials: false.

🔒️ Proposed fix
-    container: pgxn/pgxn-tools
+    container: pgxn/pgxn-tools@sha256:<digest>
     steps:
       - name: Start PostgreSQL ${{ matrix.pg }}
         run: pg-start ${{ matrix.pg }}
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@<pin-to-sha>
+        with:
+          persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 14-15: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[warning] 13-13: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


[error] 15-15: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 10-10: unpinned image references (unpinned-images): container image is unpinned

(unpinned-images)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 10 - 15, Pin the pgxn/pgxn-tools
container to an immutable image digest and pin actions/checkout to a full commit
SHA instead of mutable tags. In the checkout step, set persist-credentials to
false.

Source: Linters/SAST tools

Comment thread pgxntool/base.mk
Comment on lines +60 to 64
endif

#DATA = $(wildcard sql/*--*.sql)
ifeq ($($call test, $(MAJORVER), -lt 13), yes)
REGRESS_OPTS += --load-language=plpgsql
endif

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Fix Makefile syntax error: --load-language=plpgsql is never added for any PostgreSQL version.

Line 62 has two defects that prevent the version-gated REGRESS_OPTS addition from ever executing:

  1. $($call typo — should be $(call. The extra $ causes GNU Make to interpret $c as a single-char variable reference (undefined → empty), making the outer $(all test, …) resolve to an undefined variable → empty string. The ifeq always evaluates to false.

  2. Missing comma and wrong comparison value-lt 13 is passed as a single argument to the test function (which expects 3 comma-separated args), and the value should be 130 not 13 because MAJORVER is already multiplied by 10 (line 51: PG 12 → 120, PG 13 → 130). Even with the $(call fix, test 120 -lt 13 is false for PG 12.

Compare with the correct pattern on line 56: $(call test, $(MAJORVER), -ge, 91).

🐛 Proposed fix for line 62
-ifeq ($($call test, $(MAJORVER), -lt 13), yes)
+ifeq ($(call test, $(MAJORVER), -lt, 130), yes)
 	REGRESS_OPTS += --load-language=plpgsql
 endif
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
endif
#DATA = $(wildcard sql/*--*.sql)
ifeq ($($call test, $(MAJORVER), -lt 13), yes)
REGRESS_OPTS += --load-language=plpgsql
endif
endif
ifeq ($(call test, $(MAJORVER), -lt, 130), yes)
REGRESS_OPTS += --load-language=plpgsql
endif
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pgxntool/base.mk` around lines 60 - 64, Fix the version-gated condition in
the Makefile by changing the malformed `ifeq` expression to use `$(call test,
$(MAJORVER), -lt, 130)`, matching the argument pattern used by the existing
condition and the scaled `MAJORVER` values. Keep the `REGRESS_OPTS +=
--load-language=plpgsql` assignment unchanged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant