Merge branch 'main' into feat/add-pg_vim-extension

Author: shusaan

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,4 @@
+blank_issues_enabled: true
+  - name: Slack chat
+    url: https://github.com/cloudnative-pg/cloudnative-pg?tab=readme-ov-file#communications
+    about: Please join the slack channel and interact with our community

.github/ISSUE_TEMPLATE/extension.yaml

@@ -0,0 +1,120 @@
+name: New Extension Proposal
+description: Propose a new PostgreSQL extension to be included in the containers and commit to its maintenance.
+title: "[New Extension]: "
+labels: ["triage", "new-extension"]
+projects: ["cloudnative-pg/postgres-extensions-containers"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for proposing a new extension for the PostgreSQL Extensions Containers project!
+
+        The submission process requires the proposer to commit to becoming the **Component Owner** and taking on the long-term maintenance of the extension image. Please review the [governance document for the submission process](https://github.com/cloudnative-pg/postgres-extensions-containers?tab=readme-ov-file#submission-process).
+
+  - type: checkboxes
+    id: search
+    attributes:
+      label: Is there an existing issue for this extension request?
+      description: Before you submit a request, please **search existing issues** to ensure this extension hasn't already been proposed.
+      options:
+        - label: I have searched for an existing issue, and could not find a duplicate request.
+          required: true
+
+  - type: input
+    id: extension-name
+    attributes:
+      label: Extension Name
+      description: What is the official name of the PostgreSQL extension?
+      placeholder: ex. pgvector
+    validations:
+      required: true
+
+  - type: input
+    id: project-url
+    attributes:
+      label: Project Repository URL
+      description: The URL of the main source code repository (e.g., GitHub, GitLab).
+      placeholder: ex. https://github.com/pgvector/pgvector
+    validations:
+      required: true
+
+  - type: input
+    id: website-url
+    attributes:
+      label: Extension Website URL (Optional)
+      description: The URL of the official website or main documentation page.
+      placeholder: ex. https://pgvector.io/
+    validations:
+      required: false
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Short Description
+      description: A brief description of the extension and its primary use case.
+      placeholder: ex. The pgvector extension provides vector similarity search capabilities for PostgreSQL.
+    validations:
+      required: true
+
+  - type: input
+    id: license-url
+    attributes:
+      label: Main LICENSE Link
+      description: A direct link to the main license file in the repository (e.g., a link to the raw LICENSE file).
+      placeholder: ex. https://github.com/pgvector/pgvector/blob/master/LICENSE
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: license-check
+    attributes:
+      label: License Compliance
+      description: Please confirm the license of the extension complies with the **allowed licenses** for this project.
+      options:
+        - label: The extension's license (linked above) complies with the list of allowed licenses.
+          required: true
+
+  - type: textarea
+    id: dependent-extensions
+    attributes:
+      label: Known Dependent Extensions
+      description: List any other PostgreSQL extensions that MUST be installed before or alongside this extension (e.g., if this extension requires 'plpgsql' or 'postgis' to be present). If none, please state "None".
+      placeholder: ex. postgis
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: maintenance-commitment
+    attributes:
+      label: Component Owner and Maintenance Commitment
+      description: By checking this box, you confirm your commitment to the long-term maintenance of the extension image. This includes providing updates for new upstream versions, responding to security issues, and ensuring compatibility with new PostgreSQL/OS versions.
+      options:
+        - label: I/My organization commit to becoming the Component Owner and maintaining the extension image in the future.
+          required: true
+
+  - type: textarea
+    id: additional-notes
+    attributes:
+      label: Additional Notes (Optional)
+      description: Any other relevant information, required dependencies (like OS packages), or context that might be useful for packaging.
+      placeholder: ex. This extension requires the 'openssl' library (OS package) to be installed.
+    validations:
+      required: false
+
+  - type: input
+    id: github-handles
+    attributes:
+      label: GitHub Handles of Component Owners
+      description: List the GitHub handles (e.g., `@user1`, `@org/team`) that will be responsible for maintaining the extension and should be added to the `CODEOWNERS` file.
+      placeholder: ex. @user1
+    validations:
+      required: true
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://github.com/cloudnative-pg/governance/blob/main/CODE_OF_CONDUCT.md)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true

.github/workflows/bake.yml

@@ -29,7 +29,7 @@ jobs:
       matrix: ${{ steps.get-matrix.outputs.matrix}}
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
@@ -40,7 +40,7 @@ jobs:
           filters: |
             _shared: &shared
               - 'docker-bake.hcl'
-              - 'Makefile'
+              - 'Taskfile.yml'
               - 'kind-config.yaml'
               - 'test/**'
               - '.github/workflows/bake*.yml'
@@ -93,3 +93,16 @@ jobs:
       extension_name: ${{ matrix.extension }}
     secrets:
       SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  Catalogs:
+    name: Update Catalogs
+    needs: Bake
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+    if: github.ref == 'refs/heads/main'
+    steps:
+      - name: Repository Dispatch
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4
+        with:
+          event-type: update-catalogs

.github/workflows/bake_targets.yml

@@ -27,12 +27,12 @@ jobs:
       images: ${{ steps.images.outputs.images }}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
       - name: Log in to the GitHub Container registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -44,12 +44,13 @@ jobs:
           platforms: 'linux/arm64'
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Build and push
         uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6
         id: build
         env:
+          BUILDX_METADATA_PROVENANCE: disabled
           environment: testing
           registry: ghcr.io/${{ github.repository_owner }}
           revision: ${{ github.sha }}
@@ -93,7 +94,7 @@ jobs:
         image: ${{fromJson(needs.testbuild.outputs.images)}}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
@@ -118,76 +119,37 @@ jobs:
       fail-fast: false
       matrix:
         image: ${{fromJson(needs.testbuild.outputs.images)}}
-        cnpg: ["main", "1.27"]
-    env:
-      # renovate: datasource=github-tags depName=kubernetes-sigs/kind versioning=semver
-      KIND_VERSION: "v0.30.0"
-      # renovate: datasource=docker depName=kindest/node
-      KIND_NODE_VERSION: "v1.34.0"
+        cnpg: ["main", "1.27", "1.28"]
     steps:
       - name: Checkout Code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
-      - name: Install Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
-        with:
-          cache: false
-          go-version: 'stable'
-
-      - name: Create kind cluster
-        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
-        with:
-          version: ${{ env.KIND_VERSION }}
-          kubectl_version: ${{ env.KIND_NODE_VERSION }}
-          node_image: kindest/node:${{ env.KIND_NODE_VERSION }}
-          config: kind-config.yaml
+      - name: Install Task
+        uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0
 
-      - name: Install CNPG (${{ matrix.cnpg }})
-        env:
-          CNPG_RELEASE: ${{ matrix.cnpg }}
-        run: |
-          operator_manifest="https://raw.githubusercontent.com/cloudnative-pg/artifacts/release-$CNPG_RELEASE/manifests/operator-manifest.yaml"
-          if [[ "$CNPG_RELEASE" == "main" ]]; then
-            operator_manifest="https://raw.githubusercontent.com/cloudnative-pg/artifacts/main/manifests/operator-manifest.yaml"
-          fi
-          curl -sSfL "$operator_manifest" | kubectl apply --server-side -f -
-          kubectl wait --for=condition=Available --timeout=2m -n cnpg-system deployments cnpg-controller-manager
-
-      - name: Generate Chainsaw runtime values
+      - name: Install Dagger
         env:
-          EXT_NAME: ${{ inputs.extension_name }}
-          EXT_IMAGE: ${{ matrix.image }}
+          # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
+          DAGGER_VERSION: 0.19.11
         run: |
-          # Get the PG base image
-          export PG_IMAGE=$(skopeo inspect "docker://$EXT_IMAGE" -f '{{ json .Labels }}' | jq -r '."io.cloudnativepg.image.base.name"')
+          curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
 
-          go install github.com/tmccombs/hcl2json@v0.6.8
-          go install github.com/mikefarah/yq/v4@v4
-
-          # Convert metadata.hcl to YAML and merge it with runtime values to generate a valid Chainsaw values.yaml
-          yq eval -P '
-            .metadata.extension_image = strenv(EXT_IMAGE) |
-            .metadata.pg_image = strenv(PG_IMAGE) |
-            .metadata
-          ' <(hcl2json "$EXT_NAME/metadata.hcl") > "$EXT_NAME/values.yaml"
-          cat "$EXT_NAME/values.yaml"
+      - name: Set up environment
+        run: |
+          task e2e:setup-env
 
-      - name: Install Chainsaw
-        uses: kyverno/action-install-chainsaw@6354895e0f99ab23d3e38d85cf5c71b5dc21d727 # v0.2.13
+      - name: Generate Chainsaw testing values
+        run: |
+          task e2e:generate-values EXTENSION_IMAGE="${{ matrix.image }}" TARGET="${{ inputs.extension_name }}"
 
-      - name: Run Kyverno/Chainsaw
-        env:
-          EXT_NAME: ${{ inputs.extension_name }}
+      - name: Run e2e tests
         run: |
-          # Common smoke tests
-          chainsaw test ./test --values "$EXT_NAME/values.yaml"
+          # Get Kind cluster internal kubeconfig
+          task e2e:export-kubeconfig KUBECONFIG_PATH=./kubeconfig INTERNAL=true
 
-          # Specific smoke tests
-          if [ -d "$EXT_NAME/test" ]; then
-            chainsaw test "$EXT_NAME/test" --values "$EXT_NAME/values.yaml"
-          fi
+          task e2e:test TARGET="${{ inputs.extension_name }}" KUBECONFIG_PATH="./kubeconfig"
 
   copytoproduction:
     name: Copy images to production

.github/workflows/update-catalogs.yml

@@ -0,0 +1,60 @@
+name: Update Extension Image Catalogs
+
+on:
+  schedule:
+    # Refresh Catalogs once a week, on Mondays - 1h after postgres-container images
+    - cron: 0 9 * * 1
+  workflow_dispatch:
+  repository_dispatch:
+    types: [update-catalogs]
+
+permissions: read-all
+
+defaults:
+  run:
+    shell: "bash -Eeuo pipefail -x {0}"
+
+jobs:
+  update-catalogs:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Checkout artifacts
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          path: artifacts
+          repository: cloudnative-pg/artifacts
+          token: ${{ secrets.REPO_GHA_PAT }}
+          ref: main
+
+      - name: Update catalogs
+        id: update-extension-catalogs
+        uses: dagger/dagger-for-github@d913e70051faf3b907d4dd96ef1161083c88c644 # v8.2.0
+        env:
+          # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
+          DAGGER_VERSION: 0.19.11
+        with:
+          version: ${{ env.DAGGER_VERSION }}
+          verb: call
+          module: ./dagger/maintenance/
+          args: generate-catalogs --catalogs-dir artifacts/image-catalogs/ export --path artifacts/image-catalogs/
+
+      - name: Diff
+        working-directory: artifacts
+        run: |
+          git add -A .
+          git status
+          git diff --staged
+
+      - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
+        if: github.ref == 'refs/heads/main'
+        with:
+          cwd: 'artifacts'
+          add: 'image-catalogs'
+          author_name: CloudNativePG Automated Updates
+          author_email: noreply@cnpg.com
+          message: 'chore: update extensions imageCatalogs'