chore: use saved GPG key for Postgres' PPA; update pg_upgrade version detection regexp

.github/workflows/collect-u18-binaries.yml

@@ -96,6 +96,7 @@ jobs:
       - name: Build surrogate Docker image
         uses: docker/build-push-action@v5
         with:
+          context: .
           load: true
           file: Dockerfile-u18
           target: pg_binary_collection
@@ -112,7 +113,7 @@ jobs:
       - name: Copy binary tarball
         run: |
           CONTAINER_ID=$(docker create supabase/postgres:u18-binaries)
-          docker cp "${CONTAINER_ID}:/tmp/pg_binaries/${{ matrix.ubuntu_version }}.tar.gz" > /tmp/pg_binaries.tar.gz
+          docker cp "${CONTAINER_ID}:/tmp/pg_binaries/${{ matrix.ubuntu_version }}.tar.gz" - > /tmp/pg_binaries.tar.gz
           docker rm "${CONTAINER_ID}"
 
       - name: configure aws credentials - staging

Dockerfile

@@ -49,10 +49,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 # Add Postgres PPA
-ARG postgresql_gpg_key=B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
-RUN mkdir -p /root/.gnupg && chmod 700 /root/.gnupg && \
-    gpg --recv-keys --no-default-keyring --keyring /tmp/pgdg.key --keyserver keyserver.ubuntu.com --recv-keys "${postgresql_gpg_key}" && \
-    gpg --no-default-keyring --keyring /tmp/pgdg.key --export "${postgresql_gpg_key}" > /etc/apt/trusted.gpg.d/pgdg.gpg && \
+# In the off-chance that the key in the repository expires, it can be replaced by running the following in the repository's root:
+#  gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys $NEW_POSTGRESQL_GPG_KEY
+#  gpg --export --armor $NEW_POSTGRESQL_GPG_KEY > postgresql.gpg.key
+COPY postgresql.gpg.key /tmp/postgresql.gpg.key
+RUN apt-key add /tmp/postgresql.gpg.key && \
     echo "deb https://apt-archive.postgresql.org/pub/repos/apt focal-pgdg-archive main" > /etc/apt/sources.list.d/pgdg.list
 
 ####################

Dockerfile-u18

@@ -131,10 +131,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 # Add Postgres PPA
-ARG postgresql_gpg_key=B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
-RUN mkdir -p /root/.gnupg && chmod 700 /root/.gnupg && \
-    gpg --recv-keys --no-default-keyring --keyring /tmp/pgdg.key --keyserver keyserver.ubuntu.com --recv-keys "${postgresql_gpg_key}" && \
-    gpg --no-default-keyring --keyring /tmp/pgdg.key --export "${postgresql_gpg_key}" > /etc/apt/trusted.gpg.d/pgdg.gpg && \
+# In the off-chance that the key in the repository expires, it can be replaced by running the following in the repository's root:
+#  gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys $NEW_POSTGRESQL_GPG_KEY
+#  gpg --export --armor $NEW_POSTGRESQL_GPG_KEY > postgresql.gpg.key
+COPY postgresql.gpg.key /tmp/postgresql.gpg.key
+RUN apt-key add /tmp/postgresql.gpg.key && \
     echo "deb https://apt-archive.postgresql.org/pub/repos/apt bionic-pgdg-archive main" > /etc/apt/sources.list.d/pgdg.list
 
 ####################
@@ -1004,9 +1005,11 @@ FROM scratch as buildcache
 COPY --from=stats /tmp /
 
 FROM ubuntu:bionic as pg_binary_collection_base
+ARG postgresql_major
+ARG postgresql_release
 ENV DEBIAN_FRONTEND=noninteractive
 
-COPY ansible/files/extensions/* /tmp/build/extensions/
+COPY --from=extensions /tmp/* /tmp/build/extensions/
 COPY ansible/files/postgres/* /tmp/build/
 
 RUN echo "deb [ trusted=yes ] file:///tmp/build ./" > /etc/apt/sources.list.d/temp.list
@@ -1020,6 +1023,8 @@ RUN rm -f /tmp/build/extensions/postgis* && \
     dpkg -i /tmp/build/extensions/*
 
 FROM ubuntu:bionic as pg_binary_collection
+ARG postgresql_major
+ARG postgresql_release
 
 RUN mkdir -p /tmp/pg_binaries/${postgresql_major}
 COPY --from=pg_binary_collection_base /usr/lib/postgresql/${postgresql_major} /tmp/pg_binaries/${postgresql_major}

ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh

@@ -48,11 +48,11 @@ POSTGRES_CONFIG_PATH="/etc/postgresql/postgresql.conf"
 PGBINOLD="/usr/lib/postgresql/bin"
 
 # If upgrading from older major PG versions, disable specific extensions
-if [[ "$OLD_PGVERSION" =~ 14* ]]; then
+if [[ "$OLD_PGVERSION" =~ ^14.* ]]; then
     EXTENSIONS_TO_DISABLE+=("${PG14_EXTENSIONS_TO_DISABLE[@]}")
-elif [[ "$OLD_PGVERSION" =~ 13* ]]; then
+elif [[ "$OLD_PGVERSION" =~ ^13.* ]]; then
     EXTENSIONS_TO_DISABLE+=("${PG13_EXTENSIONS_TO_DISABLE[@]}")
-elif [[ "$OLD_PGVERSION" =~ 12* ]]; then
+elif [[ "$OLD_PGVERSION" =~ ^12.* ]]; then
     POSTGRES_CONFIG_PATH="/etc/postgresql/12/main/postgresql.conf"
     PGBINOLD="/usr/lib/postgresql/12/bin"
 fi

docker/Dockerfile

@@ -16,10 +16,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 # Add Postgres PPA
-ARG postgresql_gpg_key=B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
-RUN mkdir -p /root/.gnupg && chmod 700 /root/.gnupg && \
-    gpg --recv-keys --no-default-keyring --keyring /tmp/pgdg.key --keyserver keyserver.ubuntu.com --recv-keys "${postgresql_gpg_key}" && \
-    gpg --no-default-keyring --keyring /tmp/pgdg.key --export "${postgresql_gpg_key}" > /etc/apt/trusted.gpg.d/pgdg.gpg && \
+# In the off-chance that the key in the repository expires, it can be replaced by running the following in the repository's root:
+#  gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys $NEW_POSTGRESQL_GPG_KEY
+#  gpg --export --armor $NEW_POSTGRESQL_GPG_KEY > postgresql.gpg.key
+COPY postgresql.gpg.key /tmp/postgresql.gpg.key
+RUN apt-key add /tmp/postgresql.gpg.key && \
     echo "deb https://apt-archive.postgresql.org/pub/repos/apt ${ubuntu_release}-pgdg-archive main" > /etc/apt/sources.list.d/pgdg.list && \
     echo "deb-src https://apt-archive.postgresql.org/pub/repos/apt ${ubuntu_release}-pgdg-archive main" > /etc/apt/sources.list.d/pgdg.list
 

postgresql.gpg.key

@@ -0,0 +1,64 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBE6XR8IBEACVdDKT2HEH1IyHzXkb4nIWAY7echjRxo7MTcj4vbXAyBKOfjja
+UrBEJWHN6fjKJXOYWXHLIYg0hOGeW9qcSiaa1/rYIbOzjfGfhE4x0Y+NJHS1db0V
+G6GUj3qXaeyqIJGS2z7m0Thy4Lgr/LpZlZ78Nf1fliSzBlMo1sV7PpP/7zUO+aA4
+bKa8Rio3weMXQOZgclzgeSdqtwKnyKTQdXY5MkH1QXyFIk1nTfWwyqpJjHlgtwMi
+c2cxjqG5nnV9rIYlTTjYG6RBglq0SmzF/raBnF4Lwjxq4qRqvRllBXdFu5+2pMfC
+IZ10HPRdqDCTN60DUix+BTzBUT30NzaLhZbOMT5RvQtvTVgWpeIn20i2NrPWNCUh
+hj490dKDLpK/v+A5/i8zPvN4c6MkDHi1FZfaoz3863dylUBR3Ip26oM0hHXf4/2U
+A/oA4pCl2W0hc4aNtozjKHkVjRx5Q8/hVYu+39csFWxo6YSB/KgIEw+0W8DiTII3
+RQj/OlD68ZDmGLyQPiJvaEtY9fDrcSpI0Esm0i4sjkNbuuh0Cvwwwqo5EF1zfkVj
+Tqz2REYQGMJGc5LUbIpk5sMHo1HWV038TWxlDRwtOdzw08zQA6BeWe9FOokRPeR2
+AqhyaJJwOZJodKZ76S+LDwFkTLzEKnYPCzkoRwLrEdNt1M7wQBThnC5z6wARAQAB
+tBxQb3N0Z3JlU1FMIERlYmlhbiBSZXBvc2l0b3J5iQJOBBMBCAA4AhsDBQsJCAcD
+BRUKCQgLBRYCAwEAAh4BAheAFiEEuXsK/KoaR/BE8kSgf8x9RqzMTPgFAlhtCD8A
+CgkQf8x9RqzMTPgECxAAk8uL+dwveTv6eH21tIHcltt8U3Ofajdo+D/ayO53LiYO
+xi27kdHD0zvFMUWXLGxQtWyeqqDRvDagfWglHucIcaLxoxNwL8+e+9hVFIEskQAY
+kVToBCKMXTQDLarz8/J030Pmcv3ihbwB+jhnykMuyyNmht4kq0CNgnlcMCdVz0d3
+z/09puryIHJrD+A8y3TD4RM74snQuwc9u5bsckvRtRJKbP3GX5JaFZAqUyZNRJRJ
+Tn2OQRBhCpxhlZ2afkAPFIq2aVnEt/Ie6tmeRCzsW3lOxEH2K7MQSfSu/kRz7ELf
+Cz3NJHj7rMzC+76Rhsas60t9CjmvMuGONEpctijDWONLCuch3Pdj6XpC+MVxpgBy
+2VUdkunb48YhXNW0jgFGM/BFRj+dMQOUbY8PjJjsmVV0joDruWATQG/M4C7O8iU0
+B7o6yVv4m8LDEN9CiR6r7H17m4xZseT3f+0QpMe7iQjz6XxTUFRQxXqzmNnloA1T
+7VjwPqIIzkj/u0V8nICG/ktLzp1OsCFatWXh7LbU+hwYl6gsFH/mFDqVxJ3+DKQi
+vyf1NatzEwl62foVjGUSpvh3ymtmtUQ4JUkNDsXiRBWczaiGSuzD9Qi0ONdkAX3b
+ewqmN4TfE+XIpCPxxHXwGq9Rv1IFjOdCX0iG436GHyTLC1tTUIKF5xV4Y0+cXIOJ
+Aj0EEwEIACcCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLpFRkFCQ6EJy0A
+CgkQf8x9RqzMTPjOZA//Zp0e25pcvle7cLc0YuFr9pBv2JIkLzPm83nkcwKmxaWa
+yUIG4Sv6pH6hm8+S/CHQij/yFCX+o3ngMw2J9HBUvafZ4bnbI0RGJ70GsAwraQ0V
+lkIfg7GUw3TzvoGYO42rZTru9S0K/6nFP6D1HUu+U+AsJONLeb6oypQgInfXQExP
+ZyliUnHdipei4WR1YFW6sjSkZT/5C3J1wkAvPl5lvOVthI9Zs6bZlJLZwusKxU0U
+M4Btgu1Sf3nnJcHmzisixwS9PMHE+AgPWIGSec/N27a0KmTTvImV6K6nEjXJey0K
+2+EYJuIBsYUNorOGBwDFIhfRk9qGlpgt0KRyguV+AP5qvgry95IrYtrOuE7307Si
+dEbSnvO5ezNemE7gT9Z1tM7IMPfmoKph4BfpNoH7aXiQh1Wo+ChdP92hZUtQrY2N
+m13cmkxYjQ4ZgMWfYMC+DA/GooSgZM5i6hYqyyfAuUD9kwRN6BqTbuAUAp+hCWYe
+N4D88sLYpFh3paDYNKJ+Gf7Yyi6gThcV956RUFDH3ys5Dk0vDL9NiWwdebWfRFbz
+oRM3dyGP889aOyLzS3mh6nHzZrNGhW73kslSQek8tjKrB+56hXOnb4HaElTZGDvD
+5wmrrhN94kbyGtz3cydIohvNO9d90+29h0eGEDYti7j7maHkBKUAwlcPvMg5m3aJ
+Aj0EEwEIACcCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlEqbZUFCQg2wEEA
+CgkQf8x9RqzMTPhFMQ//WxAfKMdpSIA9oIC/yPD/dJpY/+DyouOljpE6MucMy/Ar
+BECjFTBwi/j9NYM4ynAk34IkhuNexc1i9/05f5RM6+riLCLgAOsADDbHD4miZzoS
+xiVr6GQ3YXMbOGld9kV9Sy6mGNjcUov7iFcf5Hy5w3AjPfKuR9zXswyfzIU1YXOb
+iiZT38l55pp/BSgvGVQsvbNjsff5CbEKXS7q3xW+WzN0QWF6YsfNVhFjRGj8hKtH
+vwKcA02wwjLeLXVTm6915ZUKhZXUFc0vM4Pj4EgNswH8Ojw9AJaKWJIZmLyW+aP+
+wpu6YwVCicxBY59CzBO2pPJDfKFQzUtrErk9irXeuCCLesDyirxJhv8o0JAvmnMA
+KOLhNFUrSQ2m+3EnF7zhfz70gHW+EG8X8mL/EN3/dUM09j6TVrjtw43RLxBzwMDe
+ariFF9yC+5bLtnGgxjsB9Ik6GV5v34/NEEGf1qBiAzFmDVFRZlrNDkq6gmpvGnA5
+hUWNr+y0i01LjGyaLSWHYjgw2UEQOqcUtTFK9MNzbZze4mVaHMEz9/aMfX25R6qb
+iNqCChveIm8mYr5Ds2zdZx+G5bAKdzX7nx2IUAxFQJEE94VLSp3npAaTWv3sHr7d
+R8tSyUJ9poDwgw4W9BIcnAM7zvFYbLF5FNggg/26njHCCN70sHt8zGxKQINMc6SJ
+Aj0EEwEIACcCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlB5KywFCQPDFt8A
+CgkQf8x9RqzMTPhuCQ//QAjRSAOCQ02qmUAikT+mTB6baOAakkYq6uHbEO7qPZkv
+4E/M+HPIJ4wdnBNeSQjfvdNcZBA/x0hr5EMcBneKKPDj4hJ0panOIRQmNSTThQw9
+OU351gm3YQctAMPRUu1fTJAL/AuZUQf9ESmhyVtWNlH/56HBfYjE4iVeaRkkNLJy
+X3vkWdJSMwC/LO3Lw/0M3R8itDsm74F8w4xOdSQ52nSRFRh7PunFtREl+QzQ3EA/
+WB4AIj3VohIGkWDfPFCzV3cyZQiEnjAe9gG5pHsXHUWQsDFZ12t784JgkGyO5wT2
+6pzTiuApWM3k/9V+o3HJSgH5hn7wuTi3TelEFwP1fNzI5iUUtZdtxbFOfWMnZAyp
+EhaLmXNkg4zDkH44r0ss9fR0DAgUav1a25UnbOn4PgIEQy2fgHKHwRpCy20d6oCS
+lmgyWsR40EPPYvtGq49A2aK6ibXmdvvFT+Ts8Z+q2SkFpoYFX20mR2nsF0fbt1lf
+H65P64dukxeRGteWIeNakDD40bAAOH8+OaoTGVBJ2ACJfLVNM53PEoftavAwUYMr
+R910qvwYfd/46rh46g1Frr9SFMKYE9uvIJIgDsQB3QBp71houU4H55M5GD8XURYs
++bfiQpJG1p7eB8e5jZx1SagNWc4XwL2FzQ9svrkbg1Y+359buUiP7T6QXX2zY+8=
+=XSRU
+-----END PGP PUBLIC KEY BLOCK-----