feat(): upgrade to pg18 and upgrade to latest others #296
I think we should also upgrade the HAProxy version to 3.2.0; it brings tons of performance improvements.
According to the linked issue, pg 18 is supported now.
I will update the PR tomorrow and will also upgrade HAProxy.
Updated all other minors to latest, upgraded pg to 18.1, and also HAProxy to 3.3! I think this PR is ready to be reviewed :)
Hey there, thanks for the PR! The changes look good overall. For now though, I’d like to scope the HAProxy 2.8 → 3.3 bump to the Happy to revisit bumping HAProxy for older PG versions once we’ve built some confidence.
That makes a lot of sense, let me revert it back and we can ship this for now.
9f756d5 to c38a1b2
c38a1b2 to 1272287
Pull request overview
This PR upgrades PostgreSQL versions across multiple major releases and introduces support for PostgreSQL 18. The changes update existing Dockerfiles with newer patch versions and add new Docker image configurations for PostgreSQL 18.
- Updates PostgreSQL 15 from 15.10 to 15.15
- Updates PostgreSQL 16 from 16.6 to 16.11
- Updates PostgreSQL 17 from 17.2 to 17.7
- Adds support for PostgreSQL 18.1 with both standard and TimescaleDB variants
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pg15/Dockerfile | Updates PG_VERSION to 15.15 |
| pg15/Dockerfile-timescaledb | Updates PG_VERSION to 15.15 for TimescaleDB variant |
| pg16/Dockerfile | Updates PG_VERSION to 16.11 |
| pg16/Dockerfile-timescaledb | Updates PG_VERSION to 16.11 for TimescaleDB variant |
| pg17/Dockerfile | Updates PG_VERSION to 17.7 |
| pg17/Dockerfile-timescaledb | Updates PG_VERSION to 17.7 for TimescaleDB variant |
| pg18/Dockerfile | Adds new Dockerfile for PostgreSQL 18.1 with HAProxy 3.3 |
| pg18/Dockerfile-timescaledb | Adds new Dockerfile for PostgreSQL 18.1 with TimescaleDB support |
| .github/workflows/ci.yaml | Updates CI workflow to build and push all updated versions including new pg18 images |
| RUN echo "deb https://packagecloud.io/timescale/timescaledb/ubuntu/ jammy main" > /etc/apt/sources.list.d/timescaledb.list \ | ||
| && curl -L https://packagecloud.io/timescale/timescaledb/gpgkey | apt-key add - |
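Review bot: `apt-key add -` on the second line puts the TimescaleDB key into apt's global trusted keyring, so it is accepted as a signer for every configured source, not only the packagecloud.io entry written on the line above. Scope it instead: store the dearmored key in its own file and reference that file with `[signed-by=...]` in the `deb` line. The `curl -L` also lacks `-f`, so an HTTP error body would be piped on as if it were the key.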
Copilot
AI
Jan 5, 2026
The command 'apt-key add' is deprecated and should not be used in modern Dockerfiles. Consider using the signed-by method with gpg --dearmor similar to how PostgreSQL repository is set up on lines 62-63. This approach is more secure and aligns with current best practices.
| RUN echo "deb https://packagecloud.io/timescale/timescaledb/ubuntu/ jammy main" > /etc/apt/sources.list.d/timescaledb.list \ | |
| && curl -L https://packagecloud.io/timescale/timescaledb/gpgkey | apt-key add - | |
| RUN curl -fsSL https://packagecloud.io/timescale/timescaledb/gpgkey | gpg --dearmor -o /usr/share/keyrings/timescaledb-archive-keyring.gpg \ | |
| && echo "deb [signed-by=/usr/share/keyrings/timescaledb-archive-keyring.gpg] https://packagecloud.io/timescale/timescaledb/ubuntu/ jammy main" > /etc/apt/sources.list.d/timescaledb.list |
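Review bot: in the replacement `RUN`, `curl -fsSL ... | gpg --dearmor` is a pipeline, and under the default `/bin/sh -c` only gpg's exit status is checked, so a failed download does not by itself stop the build. Download to a file with `curl -fsSL -o` and run `gpg --dearmor` on that file as a separate `&&` step, or enable `pipefail` through a `SHELL` instruction. The key is also trusted exactly as fetched; comparing its fingerprint with a value recorded in the repository would catch a swapped key.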
| COPY --from=builder /fly/bin/* /usr/local/bin | ||
|
|
||
| # Copy Postgres exporter | ||
| COPY --from=wrouesnel/postgres_exporter:latest /postgres_exporter /usr/local/bin/ |
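Review bot: the destination in `COPY --from=builder /fly/bin/* /usr/local/bin` has no trailing slash although the source is a wildcard, while the exporter `COPY` at the end of the hunk writes `/usr/local/bin/`. Use `/usr/local/bin/` in both so the destination is unambiguously a directory, as the Dockerfile reference requires when a wildcard can match several files.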
Copilot
AI
Jan 5, 2026
This image copies the postgres_exporter binary from the third-party image wrouesnel/postgres_exporter:latest, which is a mutable Docker Hub tag and not an official vendor namespace. If that image or its tag is compromised, a malicious binary could be injected into this Postgres container at build time and executed with access to database metrics and potentially credentials. To reduce supply-chain risk, pin this dependency to a trusted image reference (e.g., image digest or vetted version) from a trusted source instead of using the unpinned latest tag.
| COPY --from=builder /fly/bin/* /usr/local/bin | ||
|
|
||
| # Copy Postgres exporter | ||
| COPY --from=wrouesnel/postgres_exporter:latest /postgres_exporter /usr/local/bin/ |
Copilot
AI
Jan 5, 2026
This line imports the postgres_exporter binary from the external image wrouesnel/postgres_exporter:latest, which is a mutable tag in a third-party Docker Hub namespace. If that image or tag is ever compromised or retagged, builds of this image will transparently consume and ship a potentially malicious exporter binary with access to the Postgres instance. To mitigate this supply-chain risk, use a trusted image source and pin to an immutable reference (such as a specific version or image digest) instead of relying on latest.
15.10 -> 15.15
16.6 -> 16.11
17.2 -> 17.7
18.1
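A check that catches both findings raised in the review comments above (the `apt-key add` call and the `COPY --from=...:latest` reference) before a Dockerfile is merged, as an added example that is not part of the PR or the project's code. The `FROM` line in the sample, the function names and the finding labels are assumptions made for illustration.

```python
import re
# Constructed sample: the RUN and COPY lines follow the hunks quoted in the
# review comments above; the FROM line is invented for illustration.
SAMPLE = """\
FROM golang:1.23 AS builder
RUN echo "deb https://packagecloud.io/timescale/timescaledb/ubuntu/ jammy main" > /etc/apt/sources.list.d/timescaledb.list \\
    && curl -L https://packagecloud.io/timescale/timescaledb/gpgkey | apt-key add -
COPY --from=builder /fly/bin/* /usr/local/bin
COPY --from=wrouesnel/postgres_exporter:latest /postgres_exporter /usr/local/bin/
"""

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)
COPY_FROM_RE = re.compile(r"^COPY\s+(?:--\S+\s+)*?--from=(\S+)", re.I)

def logical_lines(text):
    """Join backslash-continued lines; yield (first line number, joined text)."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None

def classify(ref):
    """Return None for a digest-pinned reference, else the kind of mutable tag."""
    if DIGEST.search(ref):
        return None
    name = ref.rsplit("/", 1)[-1]          # ignore a registry host:port prefix
    tag = name.split(":", 1)[1] if ":" in name else "latest"
    return "floating-latest" if tag == "latest" else "tag-not-digest"

def audit(dockerfile_text):
    findings, stages = [], set()
    for n, line in logical_lines(dockerfile_text):
        m = FROM_RE.match(line) or COPY_FROM_RE.match(line)
        ref = m.group(1) if m else "scratch"   # "scratch" = nothing to check
        if m and m.lastindex == 2:             # FROM ... AS <stage>
            stages.add(m.group(2).lower())
        # Earlier build stages (by name or index), scratch and digests are fine.
        kind = None if ref.isdigit() or ref.lower() in stages | {"scratch"} else classify(ref)
        if kind:
            findings.append((n, kind, ref))
        if re.match(r"RUN\b", line, re.I) and re.search(r"\bapt-key\s+add\b", line):
            findings.append((n, "apt-key-add", "key becomes trusted for every apt source"))
    return findings
```

Run in CI over each Dockerfile, `audit()` returns an empty list only when every external image is referenced by digest and no `apt-key add` remains.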