Fix qemu/k8s image builds#2274
Conversation
PostgreSQL Extension Dependency Analysis: PR #2274
SummaryNo extensions had dependencies with MAJOR version updates. Full Analysis ResultsPostgreSQL 15 Extension DependenciesPostgreSQL 17 Extension DependenciesOrioleDB 17 Extension Dependencies |
PostgreSQL Package Dependency Analysis: PR #2274
SummaryNo packages had MAJOR version updates. Full Analysis ResultsPostgreSQL 15 Dependency ChangesExtracting PostgreSQL 15 dependencies...
Runtime Closure Size
Raw Dependency ClosurePostgreSQL 17 Dependency ChangesExtracting PostgreSQL 17 dependencies...
Runtime Closure Size
Raw Dependency Closure |
samrose
left a comment
There was a problem hiding this comment.
qemu workflow's ungated AWS steps
.github/workflows/qemu-image-build.yml now triggers on push to any branch (path-filtered), where before it was gated to develop + release/*. The stated intent is "always build to test, only push under the old conditions." The two docker push steps are correctly gated, but the steps before them are not:
- configure aws credentials - staging (assumes CONTROL_PLANE_DEV_ROLE)
- Login to Amazon ECR (dev)
- configure aws credentials - prod (assumes CONTROL_PLANE_PROD_ROLE)
- Login to Amazon ECR (prod)
These four now run on every changed-path push to any feature branch. I confirmed they are not needed for the build itself: Dockerfile-kubernetes is FROM alpine:3.23 and just ADDs the qemu output (./output-cloudimg/packer-cloudimg) — no private-ECR pull. So AWS is only needed for the push.
Consequences on a non-develop/release branch push:
- If the OIDC role trust policies are branch-scoped (common), configure aws credentials fails → the whole job fails → this defeats the PR's own goal of "make sure qemu builds keep working via CI test builds" precisely on the feature branches meant to benefit.
- If the trust policies are only repo-scoped, it works but needlessly assumes the prod role on arbitrary branches — a mild security/noise smell.
Suggested fix: put the same gate on the four AWS/ECR steps (or lift auth+push into a separate job gated at the job level):
- name: configure aws credentials - staging
if: ${{ github.event_name == 'workflow_dispatch' || github.ref == 'refs/heads/develop' || startsWith(github.ref, 'refs/heads/release/') }}
Its not being run now and we don't need yet another slightly different way to build AMI at the moment.
Both AMIs are load bearing now, we should not be releasing just one AMI ever so drop the ability to do so.
Hasn't been used internally since 2024/07/23!
Dead code just taking up space and having to be read, delete it.
For qemu, pin the qemu plugin to the version resolved at the last successful build and drop amazon because its unused. For stage2, pin amazon just like in the stage1 files.
Remove unused variable inputs, make it look more like stage2 hcl file since they already look so similar.
This fixes qemu builds because the there's no extra disk in that case.
Lets make sure this continues to work by doing test builds in CI but only push if we are in the same scenario before this change.
Fixed |
What kind of change does this PR introduce?
Bug fix
What is the current behavior?
Qemu build fails to build due to requiring /data mount, which does not exist during qemu builds.
What is the new behavior?
Couple of new things: