chore: split build by major version of PostgreSQL

Signed-off-by: Jonathan Gonzalez V <jonathan.gonzalez@enterprisedb.com>

Author: sxd

.github/workflows/bake.yaml

@@ -1,8 +1,6 @@
-name: Bake images
+name: Bake Images
 
 on:
-  schedule:
-    - cron: 0 8 * * 1
   workflow_dispatch:
     inputs:
       environment:
@@ -11,181 +9,84 @@ on:
           - testing
           - production
         default: testing
-        description: "Choose the environment to bake the images for"
-      target:
-        type: string
-        default: ""
-        description: "A comma separated list of targets to build. If empty, all targets will be built."
+        description: "Choose the environment to bake the target for"
 
 permissions: read-all
 
 jobs:
-  # Start by building images for testing. We want to run security checks before pushing those to production.
-  testbuild:
-    name: Build for testing
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-      security-events: write
-      # Required by the cosign step
-      id-token: write
+  get_versions:
+    name: Get PostgreSQL versions
+    runs-on: ubuntu-24.04
     outputs:
-      metadata: ${{ steps.build.outputs.metadata }}
-      images: ${{ steps.images.outputs.images }}
+      versions: ${{ steps.set_versions.outputs.versions }}
     steps:
       - name: Checkout Code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
-      - name: Log in to the GitHub Container registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # TODO: review this when GitHub has linux/arm64 runners available (Q1 2025?)
-      #   https://github.com/github/roadmap/issues/970
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
-        with:
-          platforms: 'arm64'
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+      - name: Get supported PostgreSQL versions
+        id: set_versions
+        run: |
+          VERSIONS="$(sed -n '/postgreSQLVersions = \[/,/\]/ s/.*"\(.*\)\..*".*/\"\1\"/p' docker-bake.hcl | xargs echo | tr ' ' ',')"
+          echo "PostgreSQL versions: [$VERSIONS]"
+          echo "versions=[$VERSIONS]" >> "$GITHUB_OUTPUT"
 
-      - name: Build and push
-        uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6
-        id: build
-        env:
-          environment: testing
-          registry: ghcr.io/${{ github.repository_owner }}
-          revision: ${{ github.sha }}
+      - name: List targets
+        id: targets
+        uses: docker/bake-action/subaction/matrix@v6
         with:
-          push: true
-          targets: ${{ github.event.inputs.target }}
+          target: "default"
 
-      # Get a list of the images that were built and pushed. We only care about a single tag for each image.
-      - name: Generated images
-        id: images
+      - name: Filter by versions
+        id: filter_versions
         run: |
-          echo "images=$(echo '${{ steps.build.outputs.metadata }}' | jq -c '[ .[]."image.name" | sub(",.*";"") ]')" >>  "$GITHUB_OUTPUT"
+          target=$(echo '${{ steps.targets.outputs.matrix }}' | jq -r '.[] | .[] | select(match("${{ matrix.pgversion }}"))' | xargs echo | sed 's/ /,/g')
+          echo "Targets for PostgreSQL ${{ matrix.pgversion }}: $target"
+          echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
 
-      # Even if we're testing we sign the images, so we can push them to production later if that's required
-      - name: Install cosign
-        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
-        # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
-        # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
-        # how to use cosign.
-      - name: Sign images
-        run: |
-          echo '${{ steps.build.outputs.metadata }}' | \
-            jq '.[] | (."image.name" | sub(",.*";"" )) + "@" + ."containerimage.digest"' | \
-            xargs cosign sign --yes
 
-  security:
-    name: Security checks
-    runs-on: ubuntu-latest
-    needs:
-      - testbuild
+  Bake:
+    name: Bake PostgreSQL
+    strategy:
+      fail-fast:
+      matrix:
+        target: ${{ fromJson(needs.get_versions.outputs.targets) }}
+    uses: ./.github/workflows/bake_targets.yaml
+    with:
+      environment: ${{ github.event.inputs.environment }}
+      target: ${{ matrix.target }}
+  bake_versions:
+    name: Bake PostgreSQL
+    needs: get_versions
+    runs-on: ubuntu-24.04
     strategy:
+      fail-fast: true
       matrix:
-        image: ${{fromJson(needs.testbuild.outputs.images)}}
+        pgversion: ${{ fromJson(needs.get_versions.outputs.versions) }}
     steps:
       - name: Checkout Code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
-      - name: Log in to the GitHub Container registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Dockle
-        uses: erzz/dockle-action@69369bc745ee29813f730231a821bcd4f71cd290 # v1
+      - name: List targets
+        id: targets
+        uses: docker/bake-action/subaction/matrix@v6
         with:
-          image: ${{ matrix.image }}
-          exit-code: '1'
+          target: "default"
 
-      - name: Snyk
-        uses: snyk/actions/docker@master
-        continue-on-error: true
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          image: "${{ matrix.image }}"
-          args: --severity-threshold=high --file=Dockerfile
-
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # v3
-        continue-on-error: true
-        with:
-          sarif_file: snyk.sarif
-
-  # Use the metadata generated in the `testbuild` step to find all the images
-  # that have been built. We copy them one by one to the production registry
-  # using skopeo. Then we sign the production images too.
-  copytoproduction:
-    name: Copy images to production
-    if: |
-      github.ref == 'refs/heads/main' &&
-      ( github.event.inputs.environment == 'production' || github.event_name == 'schedule' )
-    runs-on: ubuntu-latest
-    needs:
-      - testbuild
-      - security
-    permissions:
-      contents: read
-      packages: write
-      security-events: write
-      # Required by the cosign step
-      id-token: write
-    steps:
-      - name: Log in to the GitHub Container registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Copy images
+      - name: Extract targets per version
+        id: extract_targets
         run: |
-          images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
-            jq -r '
-              .[] as $items |
-              (
-                $items."image.name" |
-                split(",")[] +
-                  "@" +
-                  $items."containerimage.digest"
-              )
-            '
-          )
-          for image in $images
-          do
-            testimageshaonly="${image%:*@*}@${image#*@}"
-            testimagenosha="${image%@*}"
-            prodimage="${testimagenosha/-testing/}"
-            echo "Copying ${testimageshaonly} to ${prodimage}"
-            docker run --quiet quay.io/skopeo/stable:v1.17.0-immutable copy -q -a \
-              --dest-creds ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} \
-              docker://${testimageshaonly} docker://${prodimage}
-          done
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+          target=$(echo '${{ steps.targets.outputs.matrix }}' | jq -r '.[] | .[] | select(match("${{ matrix.pgversion }}"))' | xargs echo | sed 's/ /,/g')
+          echo "Targets for PostgreSQL ${{ matrix.pgversion }}: $target"
+          echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
 
-      - name: Sign images
+      - name: Show version
         run: |
-          images=$(echo '${{ needs.testbuild.outputs.metadata }}' |
-            jq -r '.[] |
-              (
-                ."image.name" |
-                sub(",.*";"") |
-                sub("-testing:[^@]+";"")
-              ) + "@" + ."containerimage.digest"
-            '
-          )
-          echo "Signing ${images}"
-          cosign sign --yes ${images}
+          echo "PostgreSQL version: ${{ matrix.pgversion }}"
+          echo "Matrix Targets: ${{ steps.targets.outputs.matrix }}"
+          echo "Filtered Targets: ${{ steps.extract_targets.outputs.filtered_targets }}"
+
+      - name: Build
+        uses: ./.github/actions/bake
+        with:
+          environment: ${{ github.event.inputs.environment }}
+          target: ${{ steps.extract_targets.outputs.filtered_targets }}