Re: Heads Up: cirrus-ci is shutting down June 1st
Jelte Fennema <postgres@jeltef.nl>
From: Jelte Fennema-Nio <postgres@jeltef.nl>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Andres Freund <andres@anarazel.de>,
Nazir Bilal Yavuz <byavuz81@gmail.com>, Thomas Munro <thomas.munro@gmail.com>, pgsql-hackers@postgresql.org, Zsolt Parragi <zsolt.parragi@percona.com>,
Peter Eisentraut <peter@eisentraut.org>
Date: 2026-06-11T06:44:07Z
Lists: pgsql-hackers
On Thu, 11 Jun 2026 at 01:42, Jacob Champion <jacob.champion@enterprisedb.com> wrote: > > On Wed, Jun 10, 2026 at 4:26 PM Andres Freund <andres@anarazel.de> wrote: > > Isn't that a rather bogus complaint? After all, pacman is then used to install > > a lot of stuff that's under control of the msys2/ org. And the github images > > *also* install msys2 releases that are under control of the msys2/ org. So > > what increase in safety are we gaining by implementing this ourselves? > > 1) It depends on whether you think it's as easy to poison upstream > MSYS servers as it is to poison a mutable GitHub tag. > 2) I think we should *also* move away from live installs of the latest > versions of stuff, but that seems like a much heavier lift than just > pinning a tag, which is easy. > > The goal isn't to completely avoid trusting any other software > organizations, but to avoid letting a GitHub supply chain attack > spread like wildfire. I don't really understand what actual problem is that you're trying to protect against. i.e. what's the worst thing that a hostile takeover of the msys github action (or any other action for that matter) can result in? We already allow anyone to run arbitrary CI on the postgresql-cfbot repo by simply submitting a patch to the mainlinglist. This seems fine, since we don't have any secrets associated with the repo. Neither do we have any secrets on the postgres/postgres repo. Usually what these attacks target secrets used to deploy or publish releases. Our repos don't do any of that.
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
ci: Add GitHub Actions based CI
- 9c126063b19a 19 (unreleased) landed
-
ci: Remove support for cirrus-ci based CI
- 68c8a365d4dc 19 (unreleased) landed