feat: add Dockerfile-supabase and rewrite Dockerfile-multigres as layered image

- Add Dockerfile-supabase: parameterised replacement for Dockerfile-15/17,
  selects PostgreSQL version via --build-arg PG_VERSION (default 17)
- Rewrite Dockerfile-multigres: two-stage layered build on top of supabase
  base image; pgctld compiled from Go source (pinned to MUL-484 commit for
  --pg-initdb-sql-dirs support), pgbackrest added, wal-g files removed
- Add docker/pgctld/pgctld wrapper script
- Update ansible/vars.yml: add release_matrix_base and release_matrix_layered
  sections; tags derived from postgres_release via release_key at build time
- Update dockerhub-release-matrix.yml and manual-docker-release.yml: split
  build into two sequential jobs (build_base_images then build_layered_images)
  so multigres is built after its base image is pushed to the registry
- Update docker-image-test.yml: replace Dockerfile-15/17 matrix entries with
  Dockerfile-supabase; add inline base build for multigres; always pass
  --target production; use base_dockerfile field to discriminate layered builds
- Update docker-image-test.nix and image-size-analyzer.nix: add --pg-version
  flag and Dockerfile-supabase support
- Update README.md with new Dockerfile documentation

Author: mkindahl

.github/workflows/docker-image-test.yml

@@ -61,11 +61,24 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - { dockerfile: Dockerfile-15,          target: "",                  name: 15                      }
-          - { dockerfile: Dockerfile-17,          target: "",                  name: 17                      }
-          - { dockerfile: Dockerfile-orioledb-17, target: "",                  name: orioledb-17             }
-          - { dockerfile: Dockerfile-multigres,   target: variant-17,          name: multigres-17            }
-          - { dockerfile: Dockerfile-multigres,   target: variant-orioledb-17, name: multigres-orioledb-17   }
+          # CHANGED: Dockerfile-15/17 replaced by parameterised Dockerfile-supabase.
+          # pg_version is passed as --build-arg PG_VERSION to select the PostgreSQL version.
+          - dockerfile: Dockerfile-supabase
+            name: 15
+            pg_version: "15"
+          - dockerfile: Dockerfile-supabase
+            name: 17
+            pg_version: "17"
+          - dockerfile: Dockerfile-orioledb-17
+            name: orioledb-17
+            pg_version: "17"
+          # CHANGED: base_dockerfile causes the build step to build the supabase base image
+          # locally first and pass it as SUPABASE_IMAGE. The variant-orioledb-17 entry was
+          # removed — that target does not exist in Dockerfile-multigres.
+          - dockerfile: Dockerfile-multigres
+            name: multigres-17
+            pg_version: "17"
+            base_dockerfile: Dockerfile-supabase
     steps:
       - name: Checkout Repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -89,32 +102,45 @@ jobs:
       - name: Build Docker image
         run: |
           echo "Building ${{ matrix.name }}..."
-          TARGET_ARG=""
-          if [ -n "${{ matrix.target }}" ]; then
-            TARGET_ARG="--target ${{ matrix.target }}"
+          # CHANGED: pass PG_VERSION for Dockerfile-supabase and Dockerfile-multigres builds.
+          PG_VERSION_ARG=""
+          if [ -n "${{ matrix.pg_version }}" ]; then
+            PG_VERSION_ARG="--build-arg PG_VERSION=${{ matrix.pg_version }}"
           fi
-          docker build -f "${{ matrix.dockerfile }}" $TARGET_ARG \
+          # CHANGED: layered images (multigres) need their base image available locally.
+          # Each matrix job runs on an isolated runner, so we build the base inline here
+          # and pass it as SUPABASE_IMAGE rather than pulling from a registry.
+          BASE_IMAGE_ARG=""
+          if [ -n "${{ matrix.base_dockerfile }}" ]; then
+            docker build -f "${{ matrix.base_dockerfile }}" \
+              --build-arg PG_VERSION=${{ matrix.pg_version }} \
+              --target production \
+              -t "pg-docker-test:base-${{ matrix.name }}" \
+              .
+            BASE_IMAGE_ARG="--build-arg SUPABASE_IMAGE=pg-docker-test:base-${{ matrix.name }}"
+          fi
+          docker build -f "${{ matrix.dockerfile }}" --target production $PG_VERSION_ARG $BASE_IMAGE_ARG \
             -t "pg-docker-test:${{ matrix.name }}" \
             -t "supabase-postgres:${{ matrix.name }}-analyze" \
             .
 
       - name: Run image size analysis
-        if: ${{ matrix.target == '' }}
+        if: ${{ matrix.base_dockerfile == '' }}
         run: |
           echo "=== Image Size Analysis for ${{ matrix.name }} ==="
-          nix run --accept-flake-config .#image-size-analyzer -- --image Dockerfile-${{ matrix.name }} --no-build
+          nix run --accept-flake-config .#image-size-analyzer -- --image ${{ matrix.dockerfile }} --pg-version ${{ matrix.pg_version }} --no-build
 
       - name: Run Docker image tests
-        if: ${{ matrix.target == '' }}
+        if: ${{ matrix.base_dockerfile == '' }}
         run: |
           echo "=== Running tests for ${{ matrix.name }} ==="
-          nix run --accept-flake-config .#docker-image-test -- --no-build Dockerfile-${{ matrix.name }}
+          nix run --accept-flake-config .#docker-image-test -- --no-build --pg-version ${{ matrix.pg_version }} ${{ matrix.dockerfile }}
 
       - name: Run multigres Docker image tests
-        if: ${{ matrix.target != '' }}
+        if: ${{ matrix.base_dockerfile != '' }}
         run: |
           echo "=== Running tests for ${{ matrix.name }} ==="
-          nix run --accept-flake-config .#docker-image-test -- --no-build --target ${{ matrix.target }} ${{ matrix.dockerfile }}
+          nix run --accept-flake-config .#docker-image-test -- --no-build --target production ${{ matrix.dockerfile }}
 
       - name: Show container logs on failure
         if: failure()
@@ -130,6 +156,7 @@ jobs:
         run: |
           docker ps -a --filter "name=pg-test-${{ matrix.name }}" -q | xargs -r docker rm -f || true
           docker rmi "pg-docker-test:${{ matrix.name }}" || true
+          docker rmi "pg-docker-test:base-${{ matrix.name }}" || true  # CHANGED: remove ephemeral base image built for layered builds
           docker rmi "supabase-postgres:${{ matrix.name }}-analyze" || true
 
   skip-notification:

.github/workflows/dockerhub-release-matrix.yml

@@ -19,52 +19,29 @@ jobs:
     runs-on: blacksmith-4vcpu-ubuntu-2404
     outputs:
       matrix_config: ${{ steps.set-matrix.outputs.matrix_config }}
+      base_matrix: ${{ steps.set-matrix.outputs.base_matrix }}
+      layered_matrix: ${{ steps.set-matrix.outputs.layered_matrix }}
     steps:
       - name: Checkout Repo
         uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: ./.github/actions/nix-install-ephemeral
       - name: Generate build matrix
         id: set-matrix
         run: |
-          nix run nixpkgs#nushell -- -c 'let versions = (open ansible/vars.yml | get postgres_major)
-          let base_matrix = ($versions | each { |ver|
-            let version = ($ver | str trim)
-            let dockerfile = $"Dockerfile-($version)"
-            if ($dockerfile | path exists) {
-              {
-                version: $version,
-                dockerfile: $dockerfile,
-                target: "production"
-              }
-            } else {
-              null
-            }
-          } | compact)
-
-          # Discover multigres variants by checking for matching targets in Dockerfile-multigres
-          let multigres_matrix = ($versions | each { |ver|
-            let version = ($ver | str trim)
-            let mg_version = $"multigres-($version)"
-            let mg_dockerfile = "Dockerfile-multigres"
-            let mg_target = $"variant-($version)"
-            if ($mg_dockerfile | path exists) and (open --raw $mg_dockerfile | str contains $"AS ($mg_target)") {
-              {
-                version: $mg_version,
-                dockerfile: $mg_dockerfile,
-                target: $mg_target
-              }
-            } else {
-              null
-            }
-          } | compact)
-
-          let matrix = ($base_matrix | append $multigres_matrix)
-
-          let matrix_config = {
-            include: $matrix
-          }
-
-          $"matrix_config=($matrix_config | to json -r)" | save --append $env.GITHUB_OUTPUT'
+          nix run nixpkgs#nushell -- -c '
+          let releases = (open ansible/vars.yml | get postgres_release)
+          let base = (open ansible/vars.yml | get release_matrix_base
+            | each { |e| $e | insert tag ($releases | get $e.release_key) })
+          let layered = (open ansible/vars.yml | get release_matrix_layered
+            | each { |e|
+                let ver = ($releases | get $e.release_key)
+                $e | insert tag $"($ver)($e.tag_suffix)" | insert base_tag $ver
+              })
+          let combined = ($base | append $layered)
+          $"base_matrix=({include: $base} | to json -r)" | save --append $env.GITHUB_OUTPUT
+          $"layered_matrix=({include: $layered} | to json -r)" | save --append $env.GITHUB_OUTPUT
+          $"matrix_config=({include: $combined} | to json -r)" | save --append $env.GITHUB_OUTPUT
+          '
   build:
     needs: prepare
     strategy:
@@ -89,11 +66,11 @@ jobs:
             | str join "\n" 
             | save --append $env.GITHUB_OUTPUT
           '    
-  build_release_image:
+  build_base_images:
     needs: [prepare, build]
     strategy:
       matrix:
-        postgres: ${{ fromJson(needs.prepare.outputs.matrix_config).include }}
+        postgres: ${{ fromJson(needs.prepare.outputs.base_matrix).include }}
         arch: [amd64, arm64]
     runs-on: ${{ matrix.arch == 'amd64' && 'large-linux-x86' || 'large-linux-arm' }}
     timeout-minutes: 180
@@ -109,52 +86,56 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Get image tag
-        id: image
-        run: |
-          if [[ "${{ matrix.arch }}" == "arm64" ]]; then
-            pg_version=$(nix run nixpkgs#nushell -- -c '
-              let version = "${{ matrix.postgres.version }}"
-              let is_multigres = ($version | str starts-with "multigres-")
-              let base_version = if $is_multigres { $version | str replace "multigres-" "" } else { $version }
-              let release_key = if ($base_version | str contains "orioledb") {
-                $"postgresorioledb-17"
-              } else {
-                $"postgres($base_version)"
-              }
-              let base_tag = (open ansible/vars.yml | get postgres_release | get $release_key | str trim)
-              if $is_multigres { $"($base_tag)-multigres" } else { $base_tag }
-            ')
-            echo "pg_version=supabase/postgres:$pg_version" >> $GITHUB_OUTPUT
-          else
-            pg_version=$(nix run nixpkgs#nushell -- -c '
-              let version = "${{ matrix.postgres.version }}"
-              let is_multigres = ($version | str starts-with "multigres-")
-              let base_version = if $is_multigres { $version | str replace "multigres-" "" } else { $version }
-              let release_key = if ($base_version | str contains "orioledb") {
-                $"postgresorioledb-17"
-              } else {
-                $"postgres($base_version)"
-              }
-              let base_tag = (open ansible/vars.yml | get postgres_release | get $release_key | str trim)
-              if $is_multigres { $"($base_tag)-multigres" } else { $base_tag }
-            ')
-            echo "pg_version=supabase/postgres:$pg_version" >> $GITHUB_OUTPUT
-          fi
       - id: build
         uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
         with:
           push: true
           build-args: |
             ${{ needs.build.outputs.build_args }}
+            PG_VERSION=${{ matrix.postgres.pg_version }}
           target: ${{ matrix.postgres.target }}
-          tags: ${{ steps.image.outputs.pg_version }}_${{ matrix.arch }}
+          tags: supabase/postgres:${{ matrix.postgres.tag }}_${{ matrix.arch }}
+          platforms: linux/${{ matrix.arch }}
+          cache-from: type=gha,scope=${{ github.ref_name }}-latest-${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-latest-${{ matrix.arch }}
+          file: ${{ matrix.postgres.dockerfile }}
+
+  build_layered_images:
+    needs: [prepare, build, build_base_images]
+    strategy:
+      matrix:
+        postgres: ${{ fromJson(needs.prepare.outputs.layered_matrix).include }}
+        arch: [amd64, arm64]
+    runs-on: ${{ matrix.arch == 'amd64' && 'large-linux-x86' || 'large-linux-arm' }}
+    timeout-minutes: 180
+    steps:
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+      - uses: ./.github/actions/nix-install-ephemeral
+      - run: docker context create builders
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          endpoint: builders
+      - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - id: build
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+        with:
+          push: true
+          build-args: |
+            ${{ needs.build.outputs.build_args }}
+            PG_VERSION=${{ matrix.postgres.pg_version }}
+            SUPABASE_IMAGE=supabase/postgres:${{ matrix.postgres.base_tag }}_${{ matrix.arch }}
+          target: ${{ matrix.postgres.target }}
+          tags: supabase/postgres:${{ matrix.postgres.tag }}_${{ matrix.arch }}
           platforms: linux/${{ matrix.arch }}
           cache-from: type=gha,scope=${{ github.ref_name }}-latest-${{ matrix.arch }}
           cache-to: type=gha,mode=max,scope=${{ github.ref_name }}-latest-${{ matrix.arch }}
           file: ${{ matrix.postgres.dockerfile }}
   merge_manifest:
-    needs: [prepare, build, build_release_image]
+    needs: [prepare, build, build_base_images, build_layered_images]
     strategy:
       matrix:
         include: ${{ fromJson(needs.prepare.outputs.matrix_config).include }}
@@ -170,20 +151,7 @@ jobs:
           password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Get image tag
         id: get_version
-        run: |
-          nix run nixpkgs#nushell -- -c '
-            let version = "${{ matrix.version }}"
-            let is_multigres = ($version | str starts-with "multigres-")
-            let base_version = if $is_multigres { $version | str replace "multigres-" "" } else { $version }
-            let release_key = if ($base_version | str contains "orioledb") {
-              $"postgresorioledb-17"
-            } else {
-              $"postgres($base_version)"
-            }
-            let base_tag = (open ansible/vars.yml | get postgres_release | get $release_key | str trim)
-            let pg_version = if $is_multigres { $"($base_tag)-multigres" } else { $base_tag }
-            $"pg_version=supabase/postgres:($pg_version)" | save --append $env.GITHUB_OUTPUT
-          '
+        run: echo "pg_version=supabase/postgres:${{ matrix.tag }}" >> $GITHUB_OUTPUT
       - name: Output version
         id: output_version
         run: |
@@ -195,7 +163,7 @@ jobs:
       - name: Upload Results Artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: merge_results-${{ matrix.version }}
+          name: merge_results-${{ matrix.tag }}
           path: results.txt
           if-no-files-found: warn
       - name: Merge multi-arch manifests