Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1,089 changes: 1,026 additions & 63 deletions .github/workflows/release.yml

Large diffs are not rendered by default.

25 changes: 23 additions & 2 deletions .goreleaser.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -50,13 +50,34 @@ builds:
- amd64
- arm64

# One tarball per platform containing both binaries — archiver and partitioner
# are deployed together.
# compactor lives in its own Go module (cmd/compactor/go.mod, heavy iceberg-go
# deps), so it is built with dir: pointed at that module. Still pure-Go
# (CGO_ENABLED=0), so it cross-compiles statically like the others.
- id: compactor
binary: compactor
main: .
dir: cmd/compactor
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- -s -w
goos:
- linux
- darwin
goarch:
- amd64
- arm64

# One tarball per platform containing all three binaries — archiver,
# partitioner and compactor are deployed together.
archives:
- id: coldfront
ids:
- archiver
- partitioner
- compactor
formats:
- tar.gz
name_template: >-
Expand Down
29 changes: 29 additions & 0 deletions common/build.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
#!/usr/bin/env bash
set -euo pipefail

# Entry point for the pgEdge builder-action. Invoked as:
# common/build.sh <component>
# where <component> is a packaging dir under the repo root that holds a
# common.sh + build-rpm.sh / build-deb.sh (e.g. "packaging/pg_duckdb").
COMPONENT_NAME=$1
source "$(dirname "$0")/../${COMPONENT_NAME}/common.sh"

# common-functions.sh is a committed copy of the shared pgEdge build helpers
# (from pgedge-enterprise-packages/common/). The builder-action mounts the repo
# and runs this script but does not supply it, so it must live in the repo —
# same pattern as ai-dba-workbench's packaging/scripts/common-functions.sh.
COMMON_FILE="$(dirname "$0")/common-functions.sh"
if [ -f "$COMMON_FILE" ]; then
source "$COMMON_FILE"
else
echo "Error: $COMMON_FILE not found!" >&2
exit 1
fi

###########
# Main
###########
detect_os_type
prepare
build
post_build
281 changes: 281 additions & 0 deletions common/common-functions.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,281 @@
#!/bin/bash

install_syft(){

# Install syft from its pinned release tarball and verify it against the
# published checksums before installing — avoids piping a remote installer
# script straight into a root shell. Override SYFT_VERSION to bump.
SYFT_VERSION="${SYFT_VERSION:-v1.45.1}"
local ver="${SYFT_VERSION#v}" arch
case "$(uname -m)" in
x86_64) arch=amd64 ;;
aarch64) arch=arm64 ;;
*) echo "unsupported arch for syft: $(uname -m)" >&2; return 1 ;;
esac
local tgz="syft_${ver}_linux_${arch}.tar.gz"
local base="https://github.com/anchore/syft/releases/download/v${ver}"
local tmp; tmp="$(mktemp -d)"
echo "Installing syft ${SYFT_VERSION} (${arch})..."
curl -sSfL "${base}/${tgz}" -o "${tmp}/${tgz}"
curl -sSfL "${base}/syft_${ver}_checksums.txt" -o "${tmp}/checksums.txt"
( cd "${tmp}" && grep " ${tgz}\$" checksums.txt | sha256sum -c - )
tar -xzf "${tmp}/${tgz}" -C "${tmp}" syft
sudo install -m 0755 "${tmp}/syft" /usr/local/bin/syft
rm -rf "${tmp}"
syft version
}
Comment thread
maqeel75 marked this conversation as resolved.

setup_dnf_build_env(){

echo "Installing required packages..."
dnf groupinstall "Development Tools" -y
dnf install -y rpm-build rpmdevtools yum-utils tar wget git gnupg2 sudo

echo "📦 Enabling additional repositories..."
dnf install -y epel-release
if [ "$RHEL" = "8" ]; then
dnf config-manager --set-enabled powertools
else
dnf config-manager --set-enabled crb
fi

echo "Configuring pgEdge repository..."
configure_pgedge_dnf_repo $REPO_TYPE

echo "Setting up RPM build environment..."
rpmdev-setuptree

install_syft
}

setup_apt_build_env(){

echo "Installing build tools and dependencies..."
sudo ln -fs /usr/share/zoneinfo/UTC /etc/localtime

sudo apt-get update
sudo apt-get install -y devscripts build-essential pkg-config fakeroot git curl \
ca-certificates debhelper dpkg-dev gnupg2 wget sudo lsb-release

echo "Configuring pgEdge repository..."
configure_pgedge_apt_repo $REPO_TYPE

install_syft
}

rename_ddeb_packages(){
# Rename any *.ddeb (debug-symbol packages) to *.deb. Uses find -print0 so it
# is safe under `set -euo pipefail` when there are NO .ddeb files (no grep
# non-zero exit) and tolerates filenames with spaces.
local build_dir="$1" f
find "$build_dir" -maxdepth 1 -type f -name '*.ddeb' -print0 | while IFS= read -r -d '' f; do
mv -- "$f" "${f%.ddeb}.deb"
done
}

configure_pgedge_dnf_repo() {
local REPO_TYPE="${1:-daily}" # "daily" or "staging"

sudo dnf install -y https://dnf.pgedge.com/reporpm/pgedge-release-latest.noarch.rpm
sudo sed -i "s|release|$REPO_TYPE|g" /etc/yum.repos.d/pgedge.repo

echo "Repo configured at /etc/yum.repos.d/pgedge.repo"
}

configure_pgedge_apt_repo(){
local REPO_TYPE="${1:-daily}" # "daily" or "staging"
local REPO_PATH="repodeb"

curl -sSL https://apt.pgedge.com/${REPO_PATH}/pgedge-release_latest_all.deb -o /tmp/pgedge-release.deb && sudo dpkg -i /tmp/pgedge-release.deb && rm -f /tmp/pgedge-release.deb || true
sed -i "s|release|$REPO_TYPE|g" /etc/apt/sources.list.d/pgedge.sources
apt-get update

echo "Repo configured at /etc/apt/sources.list.d/pgedge.sources"
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.

detect_os_type(){
if command -v dnf &>/dev/null || command -v yum &>/dev/null; then
echo "Detected RPM-based system"
source "$(dirname "$0")/../${COMPONENT_NAME}/build-rpm.sh"
elif command -v apt-get &>/dev/null; then
echo "Detected Debian-based system"
source "$(dirname "$0")/../${COMPONENT_NAME}/build-deb.sh"
else
echo "Unsupported platform: No known package manager found" >&2
exit 1
fi
}

import_gpg_keys() {
if ! command -v rpm &>/dev/null || ! command -v gpg &>/dev/null; then
echo "Installing rpm or gpg"
if command -v dnf &>/dev/null; then
sudo dnf install -y rpm gnupg2
elif command -v apt-get &>/dev/null; then
sudo apt-get install -y rpm gnupg2
fi
if [ $? -ne 0 ]; then
echo "Error: Failed to install rpm or gnupg2"
return 1
fi
fi

PRI_FILE=$(dirname "$0")/public.key
PUB_FILE=$(dirname "$0")/private.key

GPG_PUBLIC_KEY=$(cat $PRI_FILE)
GPG_PRIVATE_KEY=$(cat $PUB_FILE)
rm -f $PRI_FILE $PUB_FILE
Comment thread
maqeel75 marked this conversation as resolved.

[ -z "$GPG_PUBLIC_KEY" ] && { echo "Error: GPG_PUBLIC_KEY is unset"; return 1; }
[ -z "$GPG_PRIVATE_KEY" ] && { echo "Error: GPG_PRIVATE_KEY is unset"; return 1; }

PUBLIC_KEY_FILE=$(mktemp)
echo "$GPG_PUBLIC_KEY" > "$PUBLIC_KEY_FILE"

gpg --import "$PUBLIC_KEY_FILE" || {
echo "Error: Failed to import public key"
rm -f "$PUBLIC_KEY_FILE"
return 1
}

rpm --import "$PUBLIC_KEY_FILE" || {
echo "Error: Failed to import public key to RPM"
rm -f "$PUBLIC_KEY_FILE"
return 1
}

PRIVATE_KEY_FILE=$(mktemp)
echo "$GPG_PRIVATE_KEY" > "$PRIVATE_KEY_FILE"
gpg --import "$PRIVATE_KEY_FILE" || {
echo "Error: Failed to import private key"
rm -f "$PRIVATE_KEY_FILE"
rm -f "$PUBLIC_KEY_FILE"
return 1
}
rm -f "$PRIVATE_KEY_FILE"
rm -f "$PUBLIC_KEY_FILE"
return 0
}

sign_rpms() {
# Check if at least one file is provided
if [ $# -eq 0 ]; then
echo "Error: No files provided to sign."
return 1
fi

# Check if rpmsign and gpg are installed, install if not
if ! command -v rpmsign &>/dev/null; then
echo "rpmsign not found. Installing rpm-sign"
if command -v sudo &>/dev/null; then
sudo dnf install -y rpm-sign
else
dnf install -y rpm-sign
fi
if [ $? -ne 0 ]; then
echo "Error: Failed to install rpm-sign"
return 1
fi
fi

# Get the key ID of the imported private key
KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/{print $5}' | head -n 1)
Comment thread
coderabbitai[bot] marked this conversation as resolved.
if [ -z "$KEY_ID" ]; then
echo "Error: No private key found after import."
rm -f "$PRIVATE_KEY_FILE"
rm -rf "$GNUPGHOME"
return 1
fi
Comment thread
coderabbitai[bot] marked this conversation as resolved.

echo "=======================Signing RPMs======================="
# Sign each RPM file
for file in "$@"; do
# Ensure the file has /output/ prefix if relative
if [[ ! "$file" = /* ]]; then
file="/output/$file"
fi

if [ ! -f "$file" ]; then
echo "Error: File '$file' does not exist."
continue
fi

# Check if the file is an RPM
if ! file "$file" | grep -q "RPM"; then
echo "Error: File '$file' is not an RPM file."
continue
fi

# Sign the RPM using rpmsign, using passphrase if provided
rpmsign --define "_gpg_name $KEY_ID" --addsign "$file" >/dev/null 2>&1

if [ $? -eq 0 ]; then
echo "Successfully signed '$file'."
else
echo "Error: Failed to sign '$file'."
fi
done
echo "=======================Signing Completes=================="

# Clean up
rm -f "$PRIVATE_KEY_FILE"
}

validate_signatures() {

# Check if files are provided
if [ $# -eq 0 ]; then
echo "Error: No files provided to validate."
return 1
fi

# Install dependencies
if ! command -v rpm &>/dev/null; then
echo "Installing rpm"
if command -v sudo &>/dev/null; then
sudo dnf install -y rpm
else
dnf install -y rpm
fi
if [ $? -ne 0 ]; then
echo "Error: Failed to install rpm"
return 1
fi
fi

# Validate each RPM
local all_valid=0
echo "=======================Starting validation======================="
for file in "$@"; do
if [[ ! "$file" = /* ]]; then
file="/output/$file"
fi

if [ ! -f "$file" ]; then
echo "Error: File '$file' does not exist."
all_valid=1
continue
fi

if ! file "$file" | grep -q "RPM"; then
echo "Error: File '$file' is not an RPM file."
all_valid=1
continue
fi

CHECKSIG_OUTPUT=$(rpm --checksig "$file" 2>&1)
echo "$CHECKSIG_OUTPUT"
if echo "$CHECKSIG_OUTPUT" | grep -q "digests signatures OK"; then
echo "Signature for '$file' is valid."
else
echo "Error: Signature for '$file' is invalid or missing."
all_valid=1
fi
done
echo "=======================Validation completes======================"
# Clean up
rm -f "$PUBLIC_KEY_FILE"

return $all_valid
}
Loading