Re: Heads Up: cirrus-ci is shutting down June 1st
Jacob Champion <jacob.champion@enterprisedb.com>
From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Andres Freund <andres@anarazel.de>
Cc: Nazir Bilal Yavuz <byavuz81@gmail.com>,
Jelte Fennema-Nio <postgres@jeltef.nl>, Thomas Munro <thomas.munro@gmail.com>, pgsql-hackers@postgresql.org, Zsolt Parragi <zsolt.parragi@percona.com>,
Peter Eisentraut <peter@eisentraut.org>
Date: 2026-06-11T16:08:49Z
Lists: pgsql-hackers
On Thu, Jun 11, 2026 at 6:09 AM Andres Freund <andres@anarazel.de> wrote: > > 1) It depends on whether you think it's as easy to poison upstream > > MSYS servers as it is to poison a mutable GitHub tag. > > It's just as easy I think. Okay. In that case it's probably not as useful to pin this, when compared to the pg-vm-images alternative. > I think you maybe understimate the noise of constant "bump version of xzy" > commits across N branches. Even if our MinGW setup action needs to be constantly on the leading-edge, it released roughly once a quarter last year. (But I'd say just update it when there's a security alert, or else switch to pg-vm-images, to both speed things up and control the reproducibility.) > I guess I just don't see the supply chain danger here. This is for testing, > not for making releases. What's the threat model in which attacking postgres' > CI helps you spread the attack further? Well, we went through a similar conversation upthread -- if no one ever makes mistakes in the token permissions, and no one ever does anything odd in a downstream fork, and GitHub doesn't turn out to have a corner case that lets you escalate from a read-only token in an unintuitive way, then I guess we're probably fine? It's just a lot of 'if's, and the cost of pinning a single SHA really didn't seem to outweigh all that to me, since GitHub has a bunch of tools like dependabot that assist people who are pinning SHAs. --Jacob
Commits
Same data as JSON:
GET /api/v1/messages/:b64id/commits
the thread's linked commits as JSON, with link sources.
API reference →
-
ci: Add GitHub Actions based CI
- 9c126063b19a 19 (unreleased) landed
-
ci: Remove support for cirrus-ci based CI
- 68c8a365d4dc 19 (unreleased) landed