microsoft · pinodeca · Mar 31, 2026 · Mar 30, 2026
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -33,9 +33,6 @@
 
   // onCreateCommand runs during Codespaces prebuild (heavy setup)
   "onCreateCommand": "bash .devcontainer/onCreateCommand.sh",
-
-  // postCreateCommand runs when user opens the Codespace (quick verification)
-  "postCreateCommand": "bash .devcontainer/postCreateCommand.sh",
-
+
   "remoteUser": "vscode"
 }
diff --git a/.devcontainer/onCreateCommand.sh b/.devcontainer/onCreateCommand.sh
@@ -1,46 +1,68 @@
 #!/bin/bash
 set -e
 
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+# shellcheck source=../scripts/pg-common.sh
+. "$PROJECT_DIR/scripts/pg-common.sh"
+
+PG_MAJOR=17
+SMOKE_MODE="${PG_DURABLE_SMOKE:-0}"
+
 echo "========================================="
 echo "Running Codespaces prebuild setup"
 echo "This runs during the prebuild and installs all dependencies"
 echo "========================================="
 
 # Install system dependencies (skip if called from fallback)
 if [ "$SKIP_APT_UPDATE" != "1" ]; then
-    echo "Installing system dependencies..."
-    sudo apt-get update
-    sudo apt-get install -y \
-        pkg-config \
-        libssl-dev \
-        libclang-dev \
-        clang \
-        bison \
-        flex \
-        libreadline-dev \
-        zlib1g-dev \
-        libxml2-dev \
-        libxslt1-dev \
-        libicu-dev
+    if [ "$SMOKE_MODE" = "1" ]; then
+        echo "Smoke mode: skipping apt-get install"
+    else
+        echo "Installing system dependencies..."
+        sudo apt-get update
+        sudo apt-get install -y \
+            pkg-config \
+            libssl-dev \
+            libclang-dev \
+            clang \
+            bison \
+            flex \
+            libreadline-dev \
+            zlib1g-dev \
+            libxml2-dev \
+            libxslt1-dev \
+            libicu-dev
+    fi
 else
     echo "Skipping apt-get update (SKIP_APT_UPDATE=1)"
 fi
 
 # Install cargo-pgrx
 echo "Installing cargo-pgrx 0.16.1..."
-cargo install cargo-pgrx --version 0.16.1 --locked
+if [ "$SMOKE_MODE" = "1" ]; then
+    echo "Smoke mode: skipping cargo-pgrx install"
+else
+    cargo install cargo-pgrx --version 0.16.1 --locked
+fi
 
 # Initialize pgrx with PostgreSQL 17 (pgrx will download and compile PG17)
 # This is the most time-consuming step (~5-8 minutes)
 echo "Initializing pgrx with PostgreSQL 17..."
-cargo pgrx init --pg17 download
+if [ "$SMOKE_MODE" = "1" ]; then
+    echo "Smoke mode: skipping cargo pgrx init"
+else
+    cargo pgrx init --pg17 download
+fi
 
 # ── Initialize private submodule (duroxide-pg-opt) ──────────────────
 # duroxide-pg-opt is a private repo.  Two auth mechanisms:
 #
 # 1. Prebuild phase: GH_PAT Codespace secret provides access.
-#    The PAT is injected as a temporary git insteadOf rewrite, used
-#    for clone, then scrubbed so it never persists in the image.
+#    We use a temporary git insteadOf rewrite during submodule clone.
+#    The secret remains available in the Codespace environment, so there
+#    is no meaningful security benefit to trying to scrub local traces.
 #
 # 2. Interactive Codespace: devcontainer.json grants the built-in
 #    GITHUB_TOKEN read access via customizations.codespaces.repositories.
@@ -54,30 +76,39 @@ if [ -n "$GH_PAT" ]; then
     echo "GH_PAT detected — initializing submodule with PAT..."
 
     # Temporarily rewrite GitHub HTTPS URLs to include the token.
-    git config --global url."https://x-access-token:${GH_PAT}@github.com/".insteadOf "https://github.com/"
+    PAT_REWRITE_URL="https://x-access-token:${GH_PAT}@github.com/"
+
+    cleanup_pat_rewrite() {
+        local rc=$?
+        # GH_PAT is still available in Codespace env vars; cleanup here ensures
+        # subsequent user git operations prefer devcontainer.json repo permissions
+        # and Codespaces credential helper instead of forcing PAT rewrite behavior.
+        git config --global --remove-section "url.${PAT_REWRITE_URL}" 2>/dev/null || true
+        return $rc
+    }
+
+    trap cleanup_pat_rewrite EXIT
+    git config --global url."${PAT_REWRITE_URL}".insteadOf "https://github.com/"
 
-    if git submodule update --init --recursive; then
+    if [ "$SMOKE_MODE" = "1" ]; then
+        echo "Smoke mode: skipping git submodule update"
+        if [ -f "duroxide-pg-opt/Cargo.toml" ]; then
+            SUBMODULE_INITIALIZED=1
+        fi
+    elif git submodule update --init --recursive; then
         echo "✅ Submodule initialized successfully (via PAT)"
         SUBMODULE_INITIALIZED=1
     else
         echo "⚠️  Submodule initialization failed with PAT"
     fi
-
-    # ── Credential cleanup ──────────────────────────────────────────
-    # Remove the insteadOf rewrite so the PAT is NOT baked into the
-    # prebuild filesystem snapshot.
-    git config --global --remove-section "url.https://x-access-token:${GH_PAT}@github.com/" 2>/dev/null || true
-    echo -e "protocol=https\nhost=github.com" | git credential reject 2>/dev/null || true
-
-    # Belt-and-suspenders: verify no PAT traces remain
-    if grep -q "x-access-token" "$HOME/.gitconfig" 2>/dev/null; then
-        echo "⚠️  WARNING: PAT trace found in ~/.gitconfig — scrubbing"
-        sed -i '/x-access-token/d' "$HOME/.gitconfig"
-    fi
-    echo "✅ Credentials cleaned up"
 else
     echo "GH_PAT not set — trying submodule init with default credentials..."
-    if git submodule update --init --recursive; then
+    if [ "$SMOKE_MODE" = "1" ]; then
+        echo "Smoke mode: skipping git submodule update"
+        if [ -f "duroxide-pg-opt/Cargo.toml" ]; then
+            SUBMODULE_INITIALIZED=1
+        fi
+    elif git submodule update --init --recursive; then
         echo "✅ Submodule initialized successfully"
         SUBMODULE_INITIALIZED=1
     else
@@ -90,8 +121,32 @@ fi
 # Only build if the submodule is present (needed for compilation)
 if [ "$SUBMODULE_INITIALIZED" = "1" ] && [ -f "duroxide-pg-opt/Cargo.toml" ]; then
     echo "Building pg_durable..."
-    cargo build --features pg17
-    echo "✅ pg_durable built successfully"
+    if [ "$SMOKE_MODE" = "1" ]; then
+        echo "Smoke mode: skipping cargo build"
+    else
+        cargo build --features pg17
+        echo "✅ pg_durable built successfully"
+    fi
+
+    echo "Installing pg_durable into PostgreSQL ${PG_MAJOR}..."
+    if [ "$SMOKE_MODE" = "1" ]; then
+        echo "Smoke mode: skipping install/cluster bootstrap"
+    else
+        resolve_pgrx_environment "$PG_MAJOR"
+        cargo pgrx install --release --pg-config "$PG_CONFIG"
+
+        echo "Preparing PostgreSQL ${PG_MAJOR} cluster..."
+        recreate_local_cluster
+        start_local_postgres
+        ensure_compatible_roles
+        ensure_pg_durable_extension
+
+        VERSION=$(pg_durable_version)
+        echo "✅ pg_durable ${VERSION} installed and verified"
+
+        echo "Stopping PostgreSQL ${PG_MAJOR} after prebuild verification..."
+        stop_local_postgres
+    fi
 else
     echo "⚠️  Submodule not available — skipping pg_durable build"
 fi

diff --git a/.devcontainer/postCreateCommand.sh b/.devcontainer/postCreateCommand.sh
diff --git a/.github/workflows/prebuild.yml b/.github/workflows/prebuild.yml
@@ -9,9 +9,11 @@ on:
     branches: [main]
     paths:
       - '.devcontainer/**'
+      - 'scripts/pg-common.sh'
   pull_request:
     paths:
       - '.devcontainer/**'
+      - 'scripts/pg-common.sh'
   workflow_dispatch: # Allow manual trigger
 
 jobs:
@@ -39,11 +41,6 @@ jobs:
             exit 1
           fi
 
-          if [ ! -f .devcontainer/postCreateCommand.sh ]; then
-            echo "❌ postCreateCommand.sh not found"
-            exit 1
-          fi
-
           echo "✅ All required files exist"
 
           # Check that onCreateCommand is configured properly
@@ -55,17 +52,30 @@ jobs:
             echo "Expected: \"onCreateCommand\": \"bash .devcontainer/onCreateCommand.sh\""
           fi
 
-          # Check that postCreateCommand is configured
-          if grep -E '"postCreateCommand"\s*:\s*".*postCreateCommand\.sh"' .devcontainer/devcontainer.json > /dev/null; then
-            echo "✅ postCreateCommand is configured"
-          else
-            echo "⚠️  postCreateCommand not found"
-          fi
-
           echo ""
           echo "✅ Devcontainer configuration is valid"
           echo ""
           echo "To enable Codespaces prebuilds:"
           echo "1. Go to repository Settings > Codespaces"
           echo "2. Click 'Set up prebuild'"
           echo "3. Configure prebuild for the main branch"
+
+  smoke:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Smoke test devcontainer scripts
+        run: |
+          set -euo pipefail
+
+          # Exercise script entrypoints without running heavy setup.
+          export SKIP_APT_UPDATE=1
+          export PG_DURABLE_SMOKE=1
+          export GH_PAT="smoke-test-token"
+
+          bash .devcontainer/onCreateCommand.sh
diff --git a/Makefile b/Makefile
@@ -53,7 +53,7 @@ test-regress:
 	@echo "Resetting PostgreSQL..."
 	./scripts/pg-reset.sh $(subst pg,,$(PG_VERSION))
 	@echo "Starting PostgreSQL with PGDATABASE=contrib_regression..."
-	PGDATABASE=contrib_regression ./scripts/pg-start.sh $(subst pg,,$(PG_VERSION))
+	PGDATABASE=contrib_regression ./scripts/pg-start.sh --pg-version $(subst pg,,$(PG_VERSION))
 	@echo "Running pg_regress tests..."
 	PGHOST=$(HOME)/.pgrx PGUSER=postgres PG_CONFIG=$$(cargo pgrx info pg-config $(PG_VERSION)) $(MAKE) -e installcheck