cloudnative-pg
diff --git a/‎.github/workflows/bake.yml‎
Lines changed: 41 additions & 20 deletions b/‎.github/workflows/bake.yml‎
Lines changed: 41 additions & 20 deletions
diff --git a/‎.github/workflows/bake_targets.yml‎
Lines changed: 11 additions & 9 deletions b/‎.github/workflows/bake_targets.yml‎
Lines changed: 11 additions & 9 deletions
diff --git a/‎.github/workflows/update-catalogs.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/update-catalogs.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/update_os_libraries.yml‎
Lines changed: 6 additions & 6 deletions b/‎.github/workflows/update_os_libraries.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎CONTRIBUTING_NEW_EXTENSION.md‎
Lines changed: 28 additions & 11 deletions b/‎CONTRIBUTING_NEW_EXTENSION.md‎
Lines changed: 28 additions & 11 deletions
diff --git a/‎README.md‎
Lines changed: 21 additions & 21 deletions b/‎README.md‎
Lines changed: 21 additions & 21 deletions
@@ -7,12 +7,7 @@ on:
       extension_name:
         description: "The PostgreSQL extension to build (directory name)"
         required: true
-        type: choice
-        options:
-          - pgvector
-          - postgis
-          - pgaudit
-          - pg-crash
+        type: string
 
 defaults:
   run:
@@ -33,6 +28,43 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Fetch valid targets
+        id: get-targets
+        uses: dagger/dagger-for-github@27b130bf0f79a7f6fbbbe0fbca6760dc9bb40a77 # v8.4.1
+        env:
+          # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
+          DAGGER_VERSION: 0.20.8
+        with:
+          version: ${{ env.DAGGER_VERSION }}
+          verb: call
+          module: ./dagger/maintenance/
+          args: get-targets
+
+      - name: Validate extension name
+        if: github.event_name == 'workflow_dispatch'
+        env:
+          INPUT_EXTENSION_NAME: ${{ github.event.inputs.extension_name }}
+          VALID_TARGETS: ${{ steps.get-targets.outputs.output }}
+        run: |
+          if ! echo "$VALID_TARGETS" | jq -e --arg ext "$INPUT_EXTENSION_NAME" 'index($ext)' > /dev/null; then
+            echo "::error::'$INPUT_EXTENSION_NAME' is not a valid extension target. Valid targets: $VALID_TARGETS"
+            exit 1
+          fi
+
+      - name: Compute paths-filter extensions block
+        env:
+          VALID_TARGETS: ${{ steps.get-targets.outputs.output }}
+        run: |
+          if ! echo "$VALID_TARGETS" | jq -e 'length > 0' > /dev/null; then
+            echo "::error::dagger get-targets returned no extensions: $VALID_TARGETS"
+            exit 1
+          fi
+          {
+            echo 'EXTENSIONS<<YAML_EOF'
+            echo "$VALID_TARGETS" | jq -r '.[] | "\(.):\n  - \"\(.)/**\"\n  - *shared"'
+            echo 'YAML_EOF'
+          } >> "$GITHUB_ENV"
+
       - name: Check for changes
         uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
         id: filter
@@ -41,21 +73,10 @@ jobs:
             _shared: &shared
               - 'docker-bake.hcl'
               - 'Taskfile.yml'
-              - 'kind-config.yaml'
               - 'test/**'
-              - '.github/workflows/bake*.yml'
-            pgvector:
-              - 'pgvector/**'
-              - *shared
-            postgis:
-              - 'postgis/**'
-              - *shared
-            pgaudit:
-              - 'pgaudit/**'
-              - *shared
-            pg-crash:
-              - 'pg-crash/**'
-              - *shared
+              - 'dagger/maintenance/**'
+              - '.github/workflows/bake_targets.yml'
+            ${{ env.EXTENSIONS }}
 
       # Compute a matrix containing the list of all extensions that have been modified
       - name: Compute matrix
 
@@ -16,7 +16,7 @@ permissions: {}
 jobs:
   testbuild:
     name: Build ${{ inputs.extension_name }}
-    runs-on: ubuntu-24.04
+    runs-on: ${{ github.repository_owner == 'cloudnative-pg' && 'ubuntu-latest-16-cores' || 'ubuntu-24.04' }}
     permissions:
       contents: read
       packages: write
@@ -32,7 +32,7 @@ jobs:
           persist-credentials: false
 
       - name: Log in to the GitHub Container registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -44,10 +44,10 @@ jobs:
           platforms: 'linux/arm64'
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
 
       - name: Build and push
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7
         id: build
         env:
           BUILDX_METADATA_PROVENANCE: disabled
@@ -68,7 +68,7 @@ jobs:
 
       # Even if we're testing we sign the images, so we can push them to production later if that's required
       - name: Install cosign
-        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
         # See https://github.blog/security/supply-chain-security/safeguard-container-signing-capability-actions/
         # and https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml for more details on
         # how to use cosign.
@@ -119,26 +119,28 @@ jobs:
       fail-fast: false
       matrix:
         image: ${{fromJson(needs.testbuild.outputs.images)}}
-        cnpg: ["main", "1.27", "1.28"]
+        cnpg: ["main", "1.28", "1.29"]
     steps:
       - name: Checkout Code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           persist-credentials: false
 
       - name: Install Task
-        uses: go-task/setup-task@0ab1b2a65bc55236a3bc64cde78f80e20e8885c2 # v1.0.0
+        uses: go-task/setup-task@01a4adf9db2d14c1de7a560f09170b6e0df736aa # v2.1.0
 
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.20.1
+          DAGGER_VERSION: 0.20.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
 
       - name: Set up environment
+        env:
+          CNPG_RELEASE: ${{ matrix.cnpg }}
         run: |
-          task e2e:setup-env
+          task e2e:setup-env CNPG_RELEASE=$CNPG_RELEASE
 
       - name: Generate Chainsaw testing values
         env:
 
@@ -36,18 +36,18 @@ jobs:
 
       - name: Update catalogs
         id: update-extension-catalogs
-        uses: dagger/dagger-for-github@496f1b3d8b0d823834c13e67cf8a8e08ca3b9602 # v8.4.0
+        uses: dagger/dagger-for-github@27b130bf0f79a7f6fbbbe0fbca6760dc9bb40a77 # v8.4.1
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.20.1
+          DAGGER_VERSION: 0.20.8
         with:
           version: ${{ env.DAGGER_VERSION }}
           verb: call
           module: ./dagger/maintenance/
           args: generate-catalogs --catalogs-dir artifacts/image-catalogs/ export --path artifacts/image-catalogs-extensions/
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       - name: Sign catalogs
         run: |
@@ -63,7 +63,7 @@ jobs:
           git status
           git diff --staged
 
-      - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
+      - uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10
         if: github.ref == 'refs/heads/main'
         with:
           cwd: 'artifacts'
 
@@ -25,10 +25,10 @@ jobs:
 
       - name: Fetch extensions
         id: get-extensions-dagger
-        uses: dagger/dagger-for-github@496f1b3d8b0d823834c13e67cf8a8e08ca3b9602 # v8.4.0
+        uses: dagger/dagger-for-github@27b130bf0f79a7f6fbbbe0fbca6760dc9bb40a77 # v8.4.1
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.20.1
+          DAGGER_VERSION: 0.20.8
         with:
           version: ${{ env.DAGGER_VERSION }}
           verb: call
@@ -56,17 +56,17 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Log in to the GitHub Container registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Update OS libs for ${{ matrix.extension }}
-        uses: dagger/dagger-for-github@496f1b3d8b0d823834c13e67cf8a8e08ca3b9602 # v8.4.0
+        uses: dagger/dagger-for-github@27b130bf0f79a7f6fbbbe0fbca6760dc9bb40a77 # v8.4.1
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.20.1
+          DAGGER_VERSION: 0.20.8
         with:
           version: ${{ env.DAGGER_VERSION }}
           verb: call
@@ -79,7 +79,7 @@ jobs:
           git diff
 
       - name: Create a PR if versions have been updated on main
-        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8
         if: github.ref == 'refs/heads/main'
         with:
           token: ${{ secrets.REPO_GHA_PAT }}
 
@@ -15,17 +15,17 @@ Before proposing a change, ensure your local machine is compatible with the
 
 1. **Fork** the [cloudnative-pg/postgres-extensions-containers](https://github.com/cloudnative-pg/postgres-extensions-containers) repository.
 2. **Clone** your fork and enter the directory:
-```sh
-git clone https://github.com/<your-username>/postgres-extensions-containers.git
-cd postgres-extensions-containers
-```
+    ```sh
+    git clone https://github.com/<your-username>/postgres-extensions-containers.git
+    cd postgres-extensions-containers
+    ```
 3. **Verify the Environment:** Run the following to ensure you can build the
    existing project ecosystem.
-```sh
-task prereqs      # Check if Go, Task, and Docker are ready
-task checks:all   # Validate current configurations
-task bake:all     # Optional: build all existing extensions to confirm the Dagger engine
-```
+    ```sh
+    task prereqs      # Check if Go, Task, and Docker are ready
+    task checks:all   # Validate current configurations
+    task bake:all     # Optional: build all existing extensions to confirm the Dagger engine
+    ```
 
 ---
 
@@ -152,9 +152,26 @@ The scaffolding generates `metadata.hcl`, `Dockerfile`, and `README.md`.
 Follow the specific instructions and "TODO" comments found within each
 generated file to finalize your extension.
 
+#### Package Version vs. SQL Version
+
+Your `metadata.hcl` file requires two version fields:
+
+- **`package`**: The full Debian package version (e.g., `0.8.2-1.pgdg13+1`).
+  This includes packaging metadata and is used to install the correct package.
+
+- **`sql`**: The PostgreSQL extension version as it appears in the catalog
+  (e.g., `0.8.2`). This is the version of the extension that will be verified
+  as part of the automatic testing of the resulting containers. It should
+  match what is defined by the `default_version` field in the control file.
+
+
+> [!WARNING]
+> The `sql` version is optional and only needed if your extension uses
+> `CREATE EXTENSION` (when `create_extension = true` in metadata).
+
 > [!TIP]
-> Pay close attention to the `// renovate:` comments in the metadata; these are
-> required for automated version tracking.
+> Pay close attention to the `// renovate:` comments in the metadata and
+> `README.md` files; these are required for automated version tracking.
 
 ---
 
 
@@ -32,13 +32,12 @@ CloudNativePG actively maintains the following third-party extensions, provided
 they are maintained by their respective authors, and PostgreSQL Debian Group
 (PGDG) packages are available.
 
-| Extension | Description | Project URL |
-| :--- | :--- | :--- |
-| **[pgAudit](pgaudit)** | PostgreSQL audit extension | [github.com/pgaudit/pgaudit](https://github.com/pgaudit/pgaudit) |
-| **[pg_crash](pg-crash)** | **Disruptive** fault injection and chaos engineering extension | [github.com/cybertec-postgresql/pg_crash](https://github.com/cybertec-postgresql/pg_crash) |
-| **[pgvector](pgvector)** | Vector similarity search for PostgreSQL | [github.com/pgvector/pgvector](https://github.com/pgvector/pgvector) |
-| **[PostGIS](postgis)** | Geospatial database extension for PostgreSQL | [postgis.net/](https://postgis.net/) |
-
+| Extension | Description | Project URL | Maintained by |
+| :--- | :--- | :--- | :--- |
+| **[pgAudit](pgaudit)** | PostgreSQL audit extension | [github.com/pgaudit/pgaudit](https://github.com/pgaudit/pgaudit) | CNPG maintainers |
+| **[pg_crash](pg-crash)** | **Disruptive** fault injection and chaos engineering extension | [github.com/cybertec-postgresql/pg_crash](https://github.com/cybertec-postgresql/pg_crash) | CNPG maintainers |
+| **[pgvector](pgvector)** | Vector similarity search for PostgreSQL | [github.com/pgvector/pgvector](https://github.com/pgvector/pgvector) | CNPG maintainers |
+| **[PostGIS](postgis)** | Geospatial database extension for PostgreSQL | [postgis.net/](https://postgis.net/) | CNPG maintainers |
 
 Extensions are provided only for the OS versions already built by the
 [`cloudnative-pg/postgres-containers`](https://github.com/cloudnative-pg/postgres-containers) project,
@@ -138,26 +137,27 @@ other tools to identify the base PostgreSQL version and OS distribution.
 
 ### CloudNativePG-Specific Labels
 
-| Label | Description | Example |
-| :--- | :--- | :--- |
-| `io.cloudnativepg.image.base.name` | Base PostgreSQL container image | `ghcr.io/cloudnative-pg/postgresql:18-minimal-bookworm` |
-| `io.cloudnativepg.image.base.pgmajor` | PostgreSQL major version | `18` |
-| `io.cloudnativepg.image.base.os` | Operating system distribution | `bookworm` |
+| Label                                 | Description                      | Example                                                 |
+|:--------------------------------------|:---------------------------------|:--------------------------------------------------------|
+| `io.cloudnativepg.image.base.name`    | Base PostgreSQL container image  | `ghcr.io/cloudnative-pg/postgresql:18-minimal-bookworm` |
+| `io.cloudnativepg.image.base.pgmajor` | PostgreSQL major version         | `18`                                                    |
+| `io.cloudnativepg.image.base.os`      | Operating system distribution    | `bookworm`                                              |
+| `io.cloudnativepg.image.sql.version`  | PostgreSQL extension SQL version | `0.8.2`                                                 |
 
 ### Standard OCI Labels
 
 In addition to CloudNativePG-specific labels, all images include standard OCI
 annotations as defined by the [OCI Image Format Specification](https://github.com/opencontainers/image-spec/blob/main/annotations.md):
 
-| Label | Description |
-| :--- | :--- |
-| `org.opencontainers.image.created` | Image creation timestamp |
-| `org.opencontainers.image.version` | Extension version |
-| `org.opencontainers.image.revision` | Git commit SHA |
-| `org.opencontainers.image.title` | Human-readable image title |
-| `org.opencontainers.image.description` | Image description |
-| `org.opencontainers.image.source` | Source repository URL |
-| `org.opencontainers.image.licenses` | License identifier |
+| Label                                  | Description                 |
+|:---------------------------------------|:----------------------------|
+| `org.opencontainers.image.created`     | Image creation timestamp    |
+| `org.opencontainers.image.version`     | Extension's package version |
+| `org.opencontainers.image.revision`    | Git commit SHA              |
+| `org.opencontainers.image.title`       | Human-readable image title  |
+| `org.opencontainers.image.description` | Image description           |
+| `org.opencontainers.image.source`      | Source repository URL       |
+| `org.opencontainers.image.licenses`    | License identifier          |
 
 You can inspect these labels using container tools: