feat: shared action use nix derivation to check changes and run test if change in inputs

Author: samrose

.github/actions/check-docker-image-changes/action.yml

@@ -0,0 +1,80 @@
+name: Check Docker Image Changes
+description: Determines if Docker image inputs have changed between current and base branch
+
+inputs:
+  base_ref:
+    description: 'Base branch ref for comparison (typically github.base_ref)'
+    required: false
+    default: ''
+  event_name:
+    description: 'GitHub event name (typically github.event_name)'
+    required: true
+
+outputs:
+  should_run:
+    description: 'Whether tests should run based on input changes'
+    value: ${{ steps.check.outputs.should_run }}
+  input_hash:
+    description: 'Current Docker image inputs hash'
+    value: ${{ steps.check.outputs.input_hash }}
+  base_hash:
+    description: 'Base branch Docker image inputs hash (empty if not a PR)'
+    value: ${{ steps.check.outputs.base_hash }}
+
+runs:
+  using: composite
+  steps:
+    - name: Get current Docker image inputs hash
+      id: current
+      shell: bash
+      run: |
+        HASH=$(nix run --accept-flake-config .#docker-image-inputs -- hash)
+        echo "hash=$HASH" >> "$GITHUB_OUTPUT"
+        echo "Current Docker image inputs hash: $HASH"
+
+    - name: Get base branch Docker image inputs hash
+      id: base
+      if: inputs.event_name == 'pull_request'
+      shell: bash
+      run: |
+        # Fetch base branch
+        git fetch origin ${{ inputs.base_ref }} --depth=1
+
+        # Checkout base branch files temporarily
+        git checkout FETCH_HEAD -- . 2>/dev/null || true
+
+        # Get hash from base branch
+        BASE_HASH=$(nix run --accept-flake-config .#docker-image-inputs -- hash 2>/dev/null || echo "")
+
+        # Restore current branch
+        git checkout HEAD -- .
+
+        echo "hash=$BASE_HASH" >> "$GITHUB_OUTPUT"
+        echo "Base branch Docker image inputs hash: $BASE_HASH"
+
+    - name: Determine if tests should run
+      id: check
+      shell: bash
+      run: |
+        CURRENT_HASH="${{ steps.current.outputs.hash }}"
+        BASE_HASH="${{ steps.base.outputs.hash }}"
+
+        echo "input_hash=$CURRENT_HASH" >> "$GITHUB_OUTPUT"
+        echo "base_hash=$BASE_HASH" >> "$GITHUB_OUTPUT"
+
+        if [[ "${{ inputs.event_name }}" == "workflow_dispatch" ]]; then
+          echo "Workflow dispatch - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ "${{ inputs.event_name }}" == "push" ]]; then
+          echo "Push to protected branch - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ -z "$BASE_HASH" ]]; then
+          echo "Could not get base hash - running tests to be safe"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ "$CURRENT_HASH" != "$BASE_HASH" ]]; then
+          echo "Docker image inputs changed ($BASE_HASH -> $CURRENT_HASH) - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "Docker image inputs unchanged - skipping tests"
+          echo "should_run=false" >> "$GITHUB_OUTPUT"
+        fi

.github/workflows/cli-smoke-test.yml

@@ -33,57 +33,12 @@ jobs:
           DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
 
-      - name: Get current Docker image inputs hash
-        id: current
-        run: |
-          HASH=$(nix run --accept-flake-config .#docker-image-inputs -- hash)
-          echo "hash=$HASH" >> "$GITHUB_OUTPUT"
-          echo "Current Docker image inputs hash: $HASH"
-
-      - name: Get base branch Docker image inputs hash
-        id: base
-        if: github.event_name == 'pull_request'
-        run: |
-          # Fetch base branch
-          git fetch origin ${{ github.base_ref }} --depth=1
-
-          # Checkout base branch files temporarily
-          git checkout FETCH_HEAD -- . 2>/dev/null || true
-
-          # Get hash from base branch
-          BASE_HASH=$(nix run --accept-flake-config .#docker-image-inputs -- hash 2>/dev/null || echo "")
-
-          # Restore current branch
-          git checkout HEAD -- .
-
-          echo "hash=$BASE_HASH" >> "$GITHUB_OUTPUT"
-          echo "Base branch Docker image inputs hash: $BASE_HASH"
-
-      - name: Determine if tests should run
+      - name: Check Docker image changes
         id: check
-        run: |
-          CURRENT_HASH="${{ steps.current.outputs.hash }}"
-          BASE_HASH="${{ steps.base.outputs.hash }}"
-
-          echo "input_hash=$CURRENT_HASH" >> "$GITHUB_OUTPUT"
-          echo "base_hash=$BASE_HASH" >> "$GITHUB_OUTPUT"
-
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            echo "Workflow dispatch - running tests"
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event_name }}" == "push" ]]; then
-            echo "Push to protected branch - running tests"
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-          elif [[ -z "$BASE_HASH" ]]; then
-            echo "Could not get base hash - running tests to be safe"
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-          elif [[ "$CURRENT_HASH" != "$BASE_HASH" ]]; then
-            echo "Docker image inputs changed ($BASE_HASH -> $CURRENT_HASH) - running tests"
-            echo "should_run=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "Docker image inputs unchanged - skipping tests"
-            echo "should_run=false" >> "$GITHUB_OUTPUT"
-          fi
+        uses: ./.github/actions/check-docker-image-changes
+        with:
+          event_name: ${{ github.event_name }}
+          base_ref: ${{ github.base_ref }}
 
   cli-smoke-test:
     name: CLI Smoke Test (PG ${{ matrix.pg_version }})

.github/workflows/docker-image-test.yml

@@ -1,6 +1,12 @@
 name: Docker Image Test
 
 on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - develop
+      - release/*
   workflow_call:
     secrets:
       DEV_AWS_ROLE:
@@ -20,8 +26,35 @@ permissions:
   contents: read
 
 jobs:
+  check-changes:
+    name: Check Docker Image Changes
+    runs-on: blacksmith-2vcpu-ubuntu-2404
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+      input_hash: ${{ steps.check.outputs.input_hash }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Check Docker image changes
+        id: check
+        uses: ./.github/actions/check-docker-image-changes
+        with:
+          event_name: ${{ github.event_name }}
+          base_ref: ${{ github.base_ref }}
+
   docker-image-test:
     name: Test ${{ matrix.dockerfile }}
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'true'
     runs-on: large-linux-arm
     timeout-minutes: 120
     strategy:
@@ -98,3 +131,14 @@ jobs:
           docker rmi "supabase-postgres:${{ matrix.dockerfile }}-test" || true
           docker rmi "supabase-postgres:${VERSION}-analyze" || true
           docker rmi "pg-docker-test:${VERSION}" || true
+
+  skip-notification:
+    name: Docker Image Test (Skipped)
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'false'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Report skipped
+        run: |
+          echo "Docker image tests skipped - inputs unchanged"
+          echo "Input hash: ${{ needs.check-changes.outputs.input_hash }}"

nix/packages/default.nix

@@ -40,7 +40,12 @@
           build-test-ami = pkgs.callPackage ./build-test-ami.nix { packer = self'.packages.packer; };
           cleanup-ami = pkgs.callPackage ./cleanup-ami.nix { };
           dbmate-tool = pkgs.callPackage ./dbmate-tool.nix { inherit (self.supabase) defaults; };
-          docker-image-inputs = pkgs.callPackage ./docker-image-inputs.nix { };
+          docker-image-inputs = pkgs.callPackage ./docker-image-inputs.nix {
+            psql_15_slim = self'.packages."psql_15_slim/bin";
+            psql_17_slim = self'.packages."psql_17_slim/bin";
+            psql_orioledb-17_slim = self'.packages."psql_orioledb-17_slim/bin";
+            supabase-groonga = self'.packages.supabase-groonga;
+          };
           docs = pkgs.callPackage ./docs.nix { };
           pgbouncer = pkgs.callPackage ../pgbouncer.nix { };
           github-matrix = pkgs.callPackage ./github-matrix {

nix/packages/docker-image-inputs.nix

@@ -2,14 +2,20 @@
   lib,
   stdenv,
   writeShellApplication,
+  writeText,
   jq,
+  # Slim packages used in Docker images
+  psql_15_slim,
+  psql_17_slim,
+  psql_orioledb-17_slim,
+  # Groonga is also installed in images
+  supabase-groonga,
 }:
 
 let
   root = ../..;
 
-  # Bundle all files that affect Docker image builds
-  # When any of these change, the derivation hash changes
+  # Bundle all source files that are copied into Docker images
   dockerSources = stdenv.mkDerivation {
     name = "docker-image-sources";
     src = lib.fileset.toSource {
@@ -30,19 +36,6 @@ let
 
         # Database migrations (copied into images)
         (root + "/migrations/db")
-
-        # Nix flake (defines the psql packages used in images)
-        (root + "/flake.nix")
-        (root + "/flake.lock")
-
-        # Nix package definitions that affect slim images
-        (root + "/nix/packages")
-        (root + "/nix/config.nix")
-        (root + "/nix/overlays")
-
-        # PostgreSQL and extension definitions
-        (root + "/nix/ext")
-        (root + "/nix/postgresql")
       ];
     };
 
@@ -55,6 +48,54 @@ let
       cp -r . $out/
     '';
   };
+
+  # Create a manifest of all package store paths
+  # This ensures the hash changes when any package changes
+  packageManifest = writeText "docker-image-packages-manifest" ''
+    # Slim PostgreSQL packages installed in Docker images
+    psql_15_slim=${psql_15_slim}
+    psql_17_slim=${psql_17_slim}
+    psql_orioledb-17_slim=${psql_orioledb-17_slim}
+
+    # Groonga (installed in all images)
+    supabase-groonga=${supabase-groonga}
+  '';
+
+  # Combined derivation that depends on both sources and packages
+  dockerImageInputs = stdenv.mkDerivation {
+    name = "docker-image-inputs";
+
+    # No source needed - we just create a manifest
+    dontUnpack = true;
+
+    # These are the actual dependencies that affect the hash
+    buildInputs = [
+      dockerSources
+      psql_15_slim
+      psql_17_slim
+      psql_orioledb-17_slim
+      supabase-groonga
+    ];
+
+    installPhase = ''
+      mkdir -p $out
+
+      # Include source files reference
+      echo "sources=${dockerSources}" > $out/manifest
+
+      # Include package manifest
+      cat ${packageManifest} >> $out/manifest
+
+      # Create a combined hash from all inputs
+      echo "" >> $out/manifest
+      echo "# Combined input paths:" >> $out/manifest
+      echo "${dockerSources}" >> $out/manifest
+      echo "${psql_15_slim}" >> $out/manifest
+      echo "${psql_17_slim}" >> $out/manifest
+      echo "${psql_orioledb-17_slim}" >> $out/manifest
+      echo "${supabase-groonga}" >> $out/manifest
+    '';
+  };
 in
 writeShellApplication {
   name = "docker-image-inputs-hash";
@@ -64,24 +105,42 @@ writeShellApplication {
   text = ''
     set -euo pipefail
 
-    DOCKER_SOURCES="${dockerSources}"
-    INPUT_HASH=$(basename "$DOCKER_SOURCES" | cut -d- -f1)
+    DOCKER_INPUTS="${dockerImageInputs}"
+    INPUT_HASH=$(basename "$DOCKER_INPUTS" | cut -d- -f1)
 
     case "''${1:-hash}" in
       hash)
         echo "$INPUT_HASH"
         ;;
       path)
-        echo "$DOCKER_SOURCES"
+        echo "$DOCKER_INPUTS"
+        ;;
+      manifest)
+        cat "$DOCKER_INPUTS/manifest"
         ;;
       json)
         jq -n \
           --arg hash "$INPUT_HASH" \
-          --arg path "$DOCKER_SOURCES" \
-          '{hash: $hash, path: $path}'
+          --arg path "$DOCKER_INPUTS" \
+          --arg sources "${dockerSources}" \
+          --arg psql_15_slim "${psql_15_slim}" \
+          --arg psql_17_slim "${psql_17_slim}" \
+          --arg psql_orioledb_17_slim "${psql_orioledb-17_slim}" \
+          --arg supabase_groonga "${supabase-groonga}" \
+          '{
+            hash: $hash,
+            path: $path,
+            sources: $sources,
+            packages: {
+              psql_15_slim: $psql_15_slim,
+              psql_17_slim: $psql_17_slim,
+              "psql_orioledb-17_slim": $psql_orioledb_17_slim,
+              "supabase-groonga": $supabase_groonga
+            }
+          }'
         ;;
       *)
-        echo "Usage: docker-image-inputs-hash [hash|path|json]" >&2
+        echo "Usage: docker-image-inputs-hash [hash|path|manifest|json]" >&2
         exit 1
         ;;
     esac
@@ -90,15 +149,18 @@ writeShellApplication {
   meta = {
     description = "Get the content hash of all Docker image inputs";
     longDescription = ''
-      This package bundles all source files that affect Docker image builds.
-      The hash is computed from the Nix store path, which changes when any
-      input file changes. Use this to detect when Docker images need to be
-      rebuilt and tested.
+      This package tracks all inputs that affect Docker image builds:
+      - Source files: Dockerfiles, configs, migrations
+      - Nix packages: psql_*_slim, supabase-groonga
+
+      The hash changes when ANY of these change, including transitive
+      dependencies of the Nix packages.
 
       Usage:
-        docker-image-inputs-hash hash  # Get just the hash
-        docker-image-inputs-hash path  # Get the Nix store path
-        docker-image-inputs-hash json  # Get both as JSON
+        docker-image-inputs-hash hash      # Get just the hash
+        docker-image-inputs-hash path      # Get the Nix store path
+        docker-image-inputs-hash manifest  # Show all tracked inputs
+        docker-image-inputs-hash json      # Get detailed JSON output
     '';
   };
 }