Re: Heads Up: cirrus-ci is shutting down June 1st

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Andres Freund <andres@anarazel.de>
Cc: Nazir Bilal Yavuz <byavuz81@gmail.com>, Jelte Fennema-Nio <postgres@jeltef.nl>, Thomas Munro <thomas.munro@gmail.com>, pgsql-hackers@postgresql.org, Zsolt Parragi <zsolt.parragi@percona.com>, Peter Eisentraut <peter@eisentraut.org>
Date: 2026-06-11T16:08:49Z
Lists: pgsql-hackers
On Thu, Jun 11, 2026 at 6:09 AM Andres Freund <andres@anarazel.de> wrote:
> > 1) It depends on whether you think it's as easy to poison upstream
> > MSYS servers as it is to poison a mutable GitHub tag.
>
> It's just as easy I think.

Okay. In that case it's probably not as useful to pin this, when
compared to the pg-vm-images alternative.

> I think you maybe understimate the noise of constant "bump version of xzy"
> commits across N branches.

Even if our MinGW setup action needs to be constantly on the
leading-edge, it released roughly once a quarter last year. (But I'd
say just update it when there's a security alert, or else switch to
pg-vm-images, to both speed things up and control the
reproducibility.)

> I guess I just don't see the supply chain danger here. This is for testing,
> not for making releases. What's the threat model in which attacking postgres'
> CI helps you spread the attack further?

Well, we went through a similar conversation upthread -- if no one
ever makes mistakes in the token permissions, and no one ever does
anything odd in a downstream fork, and GitHub doesn't turn out to have
a corner case that lets you escalate from a read-only token in an
unintuitive way, then I guess we're probably fine?

It's just a lot of 'if's, and the cost of pinning a single SHA really
didn't seem to outweigh all that to me, since GitHub has a bunch of
tools like dependabot that assist people who are pinning SHAs.

--Jacob



Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. ci: Add GitHub Actions based CI

  2. ci: Remove support for cirrus-ci based CI