ci: fetch latest versions at runtime; run weekly or on demand

Replace pinned TIMESCALE_VERSION / TIMESCALE_TOOLKIT_VERSION env vars and
the postgres_version / cnpg_version matrix with a runtime resolver:

- TimescaleDB + Toolkit: GitHub releases/latest
- PostgreSQL (CNPG): ghcr.io tags/list filtered to ^16\.[0-9]+$, sort -V

Add schedule (Sun 00:00 UTC) and workflow_dispatch triggers so the image
can be rebuilt against upstream without a PR to bump pins. Push is still
gated to main; branch pushes remain validation-only.

Add CLAUDE.md documenting the resolver, build contract, triggers, and
tag scheme.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: gugu

.github/workflows/build.yaml

@@ -1,57 +1,57 @@
 name: Build
 
-on: push
-
-env:
-  # renovate datasource=github-releases depName=timescale/timescaledb
-  TIMESCALE_VERSION: 2.24.0
-
-  # renovate datasource=github-releases depName=timescale/timescaledb-toolkit
-  TIMESCALE_TOOLKIT_VERSION: 1.22.0
+on:
+  push:
+  schedule:
+    # Weekly, Sunday 00:00 UTC
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
 
 jobs:
   build:
-    name: Build Image (pg${{ matrix.postgres_version }})
+    name: Build Image
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
-    strategy:
-      matrix:
-        include:
-          - postgres_version: "16.11"
-            # renovate datasource=docker depName=ghcr.io/cloudnative-pg/postgresql
-            cnpg_version: 16.11
-            latest: "true"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - name: Get CloudNativePG version
-        id: cnpg
+      - name: Resolve latest versions
+        id: versions
         env:
-          VERSION: ${{ matrix.cnpg_version }}
-        run: |
-          {
-            echo "version=$VERSION"
-            echo "minor=$(cut -d- -f1 <<<"$VERSION")"
-            echo "major=$(cut -d. -f1 <<<"$VERSION")"
-          } >> $GITHUB_OUTPUT
-      - name: Get Timescale version
-        id: timescale
+          GH_TOKEN: ${{ github.token }}
         run: |
+          set -euo pipefail
+
+          ts=$(curl -fsSL -H "Authorization: Bearer $GH_TOKEN" \
+            https://api.github.com/repos/timescale/timescaledb/releases/latest \
+            | jq -r .tag_name | sed 's/^v//')
+          tk=$(curl -fsSL -H "Authorization: Bearer $GH_TOKEN" \
+            https://api.github.com/repos/timescale/timescaledb-toolkit/releases/latest \
+            | jq -r .tag_name | sed 's/^v//')
+
+          reg_token=$(curl -fsSL 'https://ghcr.io/token?service=ghcr.io&scope=repository:cloudnative-pg/postgresql:pull' | jq -r .token)
+          pg=$(curl -fsSL -H "Authorization: Bearer $reg_token" \
+            'https://ghcr.io/v2/cloudnative-pg/postgresql/tags/list?n=10000' \
+            | jq -r '.tags[]' | grep -E '^16\.[0-9]+$' | sort -V | tail -1)
+
           {
-            echo "version=$TIMESCALE_VERSION"
-            echo "minor=$(cut -d. -f-2 <<<"$TIMESCALE_VERSION")"
-            echo "major=$(cut -d. -f1 <<<"$TIMESCALE_VERSION")"
-          } >> $GITHUB_OUTPUT
-      - name: Get Timescale Toolkit version
-        id: timescale_toolkit
-        run: |
+            echo "timescale=$ts"
+            echo "timescale_minor=$(echo "$ts" | cut -d. -f-2)"
+            echo "timescale_major=$(echo "$ts" | cut -d. -f1)"
+            echo "timescale_toolkit=$tk"
+            echo "postgres=$pg"
+            echo "postgres_minor=$(echo "$pg" | cut -d. -f-2)"
+            echo "postgres_major=$(echo "$pg" | cut -d. -f1)"
+          } >> "$GITHUB_OUTPUT"
+
           {
-            echo "version=$TIMESCALE_TOOLKIT_VERSION"
-            echo "minor=$(cut -d. -f-2 <<<"$TIMESCALE_TOOLKIT_VERSION")"
-            echo "major=$(cut -d. -f1 <<<"$TIMESCALE_TOOLKIT_VERSION")"
-          } >> $GITHUB_OUTPUT
+            echo "## Resolved versions"
+            echo "- TimescaleDB: \`$ts\`"
+            echo "- TimescaleDB Toolkit: \`$tk\`"
+            echo "- PostgreSQL (CNPG): \`$pg\`"
+          } >> "$GITHUB_STEP_SUMMARY"
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -60,13 +60,13 @@ jobs:
             ghcr.io/${{ github.repository_owner }}/cloudnativepg-timescale
           flavor: latest=false
           tags: |
-            type=raw,priority=1000,value=latest,enable=${{ matrix.latest || 'false' }}
-            type=raw,priority=999,value=${{ steps.cnpg.outputs.version }}-ts${{ steps.timescale.outputs.version }}
-            type=raw,priority=998,value=${{ steps.cnpg.outputs.minor }}-ts${{ steps.timescale.outputs.minor }}
-            type=raw,priority=997,value=${{ steps.cnpg.outputs.major }}-ts${{ steps.timescale.outputs.major }}
-            type=raw,priority=996,value=${{ steps.cnpg.outputs.version }}
-            type=raw,priority=995,value=${{ steps.cnpg.outputs.minor }}
-            type=raw,priority=994,value=${{ steps.cnpg.outputs.major }}
+            type=raw,priority=1000,value=latest
+            type=raw,priority=999,value=${{ steps.versions.outputs.postgres }}-ts${{ steps.versions.outputs.timescale }}
+            type=raw,priority=998,value=${{ steps.versions.outputs.postgres_minor }}-ts${{ steps.versions.outputs.timescale_minor }}
+            type=raw,priority=997,value=${{ steps.versions.outputs.postgres_major }}-ts${{ steps.versions.outputs.timescale_major }}
+            type=raw,priority=996,value=${{ steps.versions.outputs.postgres }}
+            type=raw,priority=995,value=${{ steps.versions.outputs.postgres_minor }}
+            type=raw,priority=994,value=${{ steps.versions.outputs.postgres_major }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Buildx
@@ -87,20 +87,9 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
-            POSTGRES_VERSION=${{ matrix.postgres_version }}
-            CLOUDNATIVEPG_VERSION=${{ steps.cnpg.outputs.version }}
-            TIMESCALE_VERSION=${{ steps.timescale.outputs.version }}
-            TIMESCALE_TOOLKIT_VERSION=${{ steps.timescale_toolkit.outputs.version }}
+            POSTGRES_VERSION=${{ steps.versions.outputs.postgres }}
+            CLOUDNATIVEPG_VERSION=${{ steps.versions.outputs.postgres }}
+            TIMESCALE_VERSION=${{ steps.versions.outputs.timescale }}
+            TIMESCALE_TOOLKIT_VERSION=${{ steps.versions.outputs.timescale_toolkit }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-
-  # Summarize matrix https://github.community/t/status-check-for-a-matrix-jobs/127354/7
-  build-success:
-    name: Build Successful
-    runs-on: ubuntu-latest
-    needs: build
-    if: ${{ always() }}
-    steps:
-      - if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
-        name: Check matrix status
-        run: exit 1

CLAUDE.md

@@ -0,0 +1,36 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## What this repo is
+
+A Dockerfile + GitHub Actions pipeline that layers TimescaleDB and TimescaleDB Toolkit onto the upstream `ghcr.io/cloudnative-pg/postgresql` image and publishes it to `ghcr.io/clevyr/cloudnativepg-timescale`. There is no application code, no tests, and no local build scripts — the source of truth is the workflow.
+
+## How versions are resolved
+
+Versions are **not pinned** in this repo. The `Resolve latest versions` step in `.github/workflows/build.yaml` fetches them at build time:
+
+- TimescaleDB + Toolkit: GitHub `releases/latest` of `timescale/timescaledb` and `timescale/timescaledb-toolkit` (leading `v` stripped).
+- PostgreSQL / CNPG: `ghcr.io/v2/cloudnative-pg/postgresql/tags/list`, filtered to `^16\.[0-9]+$` and `sort -V | tail -1`. Only Postgres 16 is tracked — to add another major, add a parallel filter or matrix, don't change `16` in place.
+
+`POSTGRES_VERSION` and `CLOUDNATIVEPG_VERSION` are fed the **same** resolved value (the CNPG tag like `16.11`). The Dockerfile uses `$POSTGRES_VERSION` inside the Timescale apt package name, so this relies on Timescale's Debian repo accepting the full `major.minor` (or on apt's loose matching for the major). If a scheduled build starts failing on `apt-get install` of `timescaledb-2-postgresql-<ver>`, verify the packagecloud triplet first — upstream may not have published yet for a brand-new CNPG minor.
+
+Renovate (`renovate.json`) no longer drives these versions; its regex managers now match nothing in `build.yaml` but are left in place for future use. Don't reintroduce the old Renovate comment pragmas — they'd fight the runtime resolver.
+
+## Build cadence and triggers
+
+`build.yaml` runs on `push`, on `workflow_dispatch` (manual), and weekly via `schedule: '0 0 * * 0'` (Sun 00:00 UTC). Only runs on `main` actually push images (`push: ${{ github.ref_name == 'main' }}`); branch pushes are validation-only. Because versions resolve at runtime, two runs minutes apart can produce different images if upstream cut a release in between — that's intentional.
+
+## Build contract
+
+`Dockerfile` consumes four build args: `CLOUDNATIVEPG_VERSION`, `POSTGRES_VERSION`, `TIMESCALE_VERSION`, `TIMESCALE_TOOLKIT_VERSION`. It installs `timescaledb-2-postgresql-$POSTGRES_VERSION=$TIMESCALE_VERSION~debian$VERSION_ID` and the Toolkit as `=1:$TIMESCALE_TOOLKIT_VERSION~debian$VERSION_ID`, so upstream has to have published a matching `~debianNN` package before a build will succeed.
+
+The image ends with `USER 26` (the `postgres` user id CNPG expects). Do not add layers after that as root without resetting the user.
+
+## Tag scheme
+
+`docker/metadata-action` emits seven tags per build, in priority order: `latest`, `<pg>-ts<ts>` (full), `<pg-minor>-ts<ts-minor>`, `<pg-major>-ts<ts-major>`, then the same three without the `-ts…` suffix. The README example `16-ts2` is the major/major form. Toolkit version does not appear in any tag.
+
+## Local iteration
+
+`docker build --build-arg ...` against the four args above; no scheduled/remote infra needed. Branches are safe to experiment on — pushes are gated to `main`.