Re: Heads Up: cirrus-ci is shutting down June 1st

Jelte Fennema <postgres@jeltef.nl>

From: Jelte Fennema-Nio <postgres@jeltef.nl>
To: Jacob Champion <jacob.champion@enterprisedb.com>
Cc: Andres Freund <andres@anarazel.de>, Nazir Bilal Yavuz <byavuz81@gmail.com>, Thomas Munro <thomas.munro@gmail.com>, pgsql-hackers@postgresql.org, Zsolt Parragi <zsolt.parragi@percona.com>, Peter Eisentraut <peter@eisentraut.org>
Date: 2026-06-11T06:44:07Z
Lists: pgsql-hackers
On Thu, 11 Jun 2026 at 01:42, Jacob Champion
<jacob.champion@enterprisedb.com> wrote:
>
> On Wed, Jun 10, 2026 at 4:26 PM Andres Freund <andres@anarazel.de> wrote:
> > Isn't that a rather bogus complaint? After all, pacman is then used to install
> > a lot of stuff that's under control of the msys2/ org. And the github images
> > *also* install msys2 releases that are under control of the msys2/ org.  So
> > what increase in safety are we gaining by implementing this ourselves?
>
> 1) It depends on whether you think it's as easy to poison upstream
> MSYS servers as it is to poison a mutable GitHub tag.
> 2) I think we should *also* move away from live installs of the latest
> versions of stuff, but that seems like a much heavier lift than just
> pinning a tag, which is easy.
>
> The goal isn't to completely avoid trusting any other software
> organizations, but to avoid letting a GitHub supply chain attack
> spread like wildfire.

I don't really understand what actual problem is that you're trying to
protect against. i.e. what's the worst thing that a hostile takeover
of the msys github action (or any other action for that matter) can
result in?

We already allow anyone to run arbitrary CI on the postgresql-cfbot
repo by simply submitting a patch to the mainlinglist. This seems
fine, since we don't have any secrets associated with the repo.
Neither do we have any secrets on the postgres/postgres repo. Usually
what these attacks target secrets used to deploy or publish releases.
Our repos don't do any of that.



Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. ci: Add GitHub Actions based CI

  2. ci: Remove support for cirrus-ci based CI