feat: publish and use nix-catalog (#1995)

samrose · tomashley · web-flow · commit 73c19221d09e · 2026-01-08T05:18:43.000Z
* feat: publish and use nix-catalog * fix: catalog entries hash plus version * chore: use OIDC to auth shared services bucket (#1997) * fix: use aws cli to access catalog * chore: bump to release --------- Co-authored-by: Tom Ashley <tom.ashley@gmail.com>
diff --git a/.github/workflows/ami-release-nix.yml b/.github/workflows/ami-release-nix.yml
@@ -138,6 +138,52 @@ jobs:
           aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/24.04.tar.gz
           aws s3 cp /tmp/pg_binaries.tar.gz s3://${{ secrets.PROD_ARTIFACTS_BUCKET }}/upgrades/postgres/supabase-postgres-${{ steps.process_release_version.outputs.version }}/upgrade_bundle.tar.gz
 
+      - name: GitHub OIDC Auth
+        uses: aws-actions/configure-aws-credentials@v4.1.0
+        with:
+          aws-region: ap-southeast-1
+          role-to-assume: arn:aws:iam::279559813984:role/supabase-github-oidc-role
+          role-session-name: shared-services-jump
+
+      - name: Assume destination role
+        uses: aws-actions/configure-aws-credentials@v4.1.0
+        with:
+          aws-region: ap-southeast-1
+          role-to-assume: arn:aws:iam::279559813984:role/supabase-nix-catalog-artifacts-role-6387512
+          role-skip-session-tagging: true
+          role-session-name: upload-assets
+          role-chaining: true
+
+      - name: Update nix store path catalog
+        run: |
+          VERSION="${{ steps.process_release_version.outputs.version }}"
+          GIT_SHA="${{ github.sha }}"
+          PG_VERSION="${{ matrix.postgres_version }}"
+          SYSTEM="aarch64-linux"
+
+          # Get store path for this build
+          STORE_PATH=$(nix eval --raw ".#psql_${PG_VERSION}/bin.outPath")
+
+          # Each postgres version gets its own catalog file (no race conditions)
+          CATALOG_S3="s3://${{ secrets.SHARED_AWS_ARTIFACTS_BUCKET }}/nix-catalog/${GIT_SHA}-psql_${PG_VERSION}.json"
+
+          # Create catalog JSON for this version
+          jq -n \
+             --arg ver "$VERSION" \
+             --arg sha "$GIT_SHA" \
+             --arg sys "$SYSTEM" \
+             --arg path "$STORE_PATH" \
+             '{version: $ver, git_sha: $sha, ($sys): $path}' > /tmp/catalog.json
+
+          echo "Catalog for psql_${PG_VERSION}:"
+          cat /tmp/catalog.json
+
+          # Upload catalog
+          aws s3 cp /tmp/catalog.json "$CATALOG_S3" \
+            --content-type "application/json"
+
+          echo "Catalog uploaded to ${CATALOG_S3}"
+
       - name: Create release
         uses: softprops/action-gh-release@v2
         with:
diff --git a/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh b/ansible/files/admin_api_scripts/pg_upgrade_scripts/initiate.sh
@@ -301,11 +301,48 @@ EXTRA_NIX_CONF
             fi
         fi
 
-        echo "1.2. Installing flake revision: $NIX_FLAKE_VERSION"
+        echo "1.2. Fetching store path for flake revision: $NIX_FLAKE_VERSION"
         # shellcheck disable=SC1091
         source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh
         nix-collect-garbage -d > /tmp/pg_upgrade-nix-gc.log 2>&1 || true
-        PG_UPGRADE_BIN_DIR=$(nix build "github:supabase/postgres/${NIX_FLAKE_VERSION}#psql_${PGVERSION}/bin" --no-link --print-out-paths --extra-experimental-features nix-command --extra-experimental-features flakes)
+
+        # Determine system architecture
+        ARCH=$(uname -m)
+        if [ "$ARCH" = "aarch64" ]; then
+            SYSTEM="aarch64-linux"
+        elif [ "$ARCH" = "x86_64" ]; then
+            SYSTEM="x86_64-linux"
+        else
+            echo "ERROR: Unsupported architecture: $ARCH"
+            exit 1
+        fi
+
+        # Fetch store path from catalog (avoids expensive nix eval - prevents OOM on small instances)
+        # Each postgres version has its own catalog file: {git_sha}-psql_{version}.json
+        CATALOG_S3="s3://supabase-internal-artifacts/nix-catalog/${NIX_FLAKE_VERSION}-psql_${PGVERSION}.json"
+        CATALOG_LOCAL="/tmp/nix-catalog-${NIX_FLAKE_VERSION}-psql_${PGVERSION}.json"
+        echo "Fetching catalog from: $CATALOG_S3"
+
+        if ! aws s3 cp "$CATALOG_S3" "$CATALOG_LOCAL" --region ap-southeast-1; then
+            echo "ERROR: Failed to fetch catalog from $CATALOG_S3"
+            exit 1
+        fi
+
+        STORE_PATH=$(jq -r ".\"${SYSTEM}\"" "$CATALOG_LOCAL")
+
+        if [ -z "$STORE_PATH" ] || [ "$STORE_PATH" = "null" ]; then
+            echo "ERROR: Could not find store path in catalog for ${SYSTEM}"
+            echo "Catalog contents:"
+            jq . "$CATALOG_LOCAL"
+            exit 1
+        fi
+
+        echo "Store path: $STORE_PATH"
+
+        # Realize from binary cache (no nix evaluation needed!)
+        nix-store -r "$STORE_PATH"
+
+        PG_UPGRADE_BIN_DIR="$STORE_PATH"
         PGSHARENEW="$PG_UPGRADE_BIN_DIR/share/postgresql"
     fi
 
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -10,9 +10,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.6.0.027-orioledb"
-  postgres17: "17.6.1.070"
-  postgres15: "15.14.1.070"
+  postgresorioledb-17: "17.6.0.028-orioledb"
+  postgres17: "17.6.1.071"
+  postgres15: "15.14.1.071"
 
 # Non Postgres Extensions
 pgbouncer_release: 1.19.0
