chore(docker): tidy dev postgres + clickhouse images

[nicktrn]

Two small hygiene tweaks to dev-only images:

• docker/Dockerfile.postgres: add --no-install-recommends to the partman install (leaner image, skips unneeded recommended packages).
• internal-packages/clickhouse/Dockerfile: run the migration helper as a non-root user.

Both are local-dev images (the pnpm run docker stack) - no impact on the published webapp image, prod, or self-hosting.

[changeset-bot]

⚠️ No Changeset found

Latest commit: e6f44f7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b809af7c-c313-41a3-ba86-eb0bf4385f79

📥 Commits

Reviewing files that changed from the base of the PR and between 37eb4d8 and e6f44f7.

📒 Files selected for processing (2)

• docker/Dockerfile.postgres
• internal-packages/clickhouse/Dockerfile

✅ Files skipped from review due to trivial changes (1)

• docker/Dockerfile.postgres

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: typecheck / typecheck
• GitHub Check: audit
• GitHub Check: audit
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (actions)
• GitHub Check: Build and publish previews

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: zvictor
Repo: triggerdotdev/trigger.dev PR: 1686
File: packages/build/src/extensions/python.ts:85-87
Timestamp: 2025-02-10T10:54:17.345Z
Learning: In Python-related Dockerfiles for trigger.dev, avoid adding explicit Python version pinning as the base image already provides conservative version management. Additional pinning would unnecessarily slow down builds.

📚 Learning: 2026-06-02T21:20:43.541Z

Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-06-02T21:20:43.541Z
Learning: Pin Zod to the exact same version as the rest of the repo (currently `3.25.76`) when adding it to any package - never use a different version or range

Applied to files:

• internal-packages/clickhouse/Dockerfile

🪛 Checkov (3.2.530)

internal-packages/clickhouse/Dockerfile

[medium] 10-11: Basic Auth Credentials

(CKV_SECRET_4)

🔇 Additional comments (1)

internal-packages/clickhouse/Dockerfile (1)

1-4: LGTM!

Also applies to: 13-14

---

Walkthrough

This PR updates two Dockerfiles: the PostgreSQL Dockerfile adds --no-install-recommends to the apt-get install of postgresql-14-partman. The ClickHouse Dockerfile pins the Go base image and the goose CLI to specific versions and sets the container runtime user to nobody so migrations run as a non-root user.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description adequately explains the changes and their scope, but is missing required template sections like Testing, Changelog, and the Checklist.	Add the complete template structure including the Checklist, Testing, and Changelog sections to match the repository's required PR description format.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main changes: tidying dev postgres and clickhouse Docker images with specific hygiene improvements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/dev-dockerfile-hygiene

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 1 additional finding in Devin Review.

[pkg-pr-new]

Open in StackBlitz

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@e6f44f7

trigger.dev

npm i https://pkg.pr.new/trigger.dev@e6f44f7

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@e6f44f7

@trigger.dev/plugins

npm i https://pkg.pr.new/@trigger.dev/plugins@e6f44f7

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@e6f44f7

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@e6f44f7

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@e6f44f7

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@e6f44f7

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@e6f44f7

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@e6f44f7

commit: e6f44f7