feat(nix/docker)Cli docker image size reduce (#2019)

* feat(nix): add latestOnly parameter support to postgres.nix

Add latestOnly parameter that flows through makeOurPostgresPkgs,
makePostgresBin, and makePostgres functions. When true, this parameter
will enable building only the latest version of each extension.

Also adds psql_17_slim package that uses latestOnly=true.

feat(ext): add latestOnly support to pgvector

feat(ext): add latestOnly support to wrappers

Add latestOnly parameter to wrappers extension that:
- Filters versionsToUse when latestOnly=true to build only latest version
- Skips migration SQL file generation when latestOnly=true
- Skips previously packaged version symlinks when latestOnly=true
- Updates library count verification for slim builds (expects 2 files)
- Updates passthru metadata with versionsBuilt and latestOnly flag

This is part of the psql_17_slim implementation to reduce image size.

feat(ext): add latestOnly support to pg_graphql

feat(ext): add latestOnly support to pg_net

* feat: variant of pkgs for image size reduce

* fix: deal with systemd in slim vs regular

* feat: slimmed image with tests and image analysis tool

* tests: workflow to check image size and test images with pg_regress

* fix: running docker test ci

* fix: running apps fix

* fix: pg_isready in proper place

* docs: add pg-startup-profiler design document

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: add pg-startup-profiler implementation plan

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(pg-startup-profiler): scaffold project structure

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(pg-startup-profiler): add pluggable rules system

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(pg-startup-profiler): add Docker client wrapper

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(pg-startup-profiler): add log parser

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: docker startup profiler

* cli smoke test, nix package to trigger test runs

* feat: shared action use nix derivation to check changes and run test if change in inputs

* feat: local and ci cli-smoke and image tests

* chore: test suffix

* fix: use http_mock_host

* fix: match develop branch on these changes

fix: docker image test

fix: resolve merge conflicts

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: samrose

.github/actions/check-docker-image-changes/action.yml

@@ -0,0 +1,80 @@
+name: Check Docker Image Changes
+description: Determines if Docker image inputs have changed between current and base branch
+
+inputs:
+  base_ref:
+    description: 'Base branch ref for comparison (typically github.base_ref)'
+    required: false
+    default: ''
+  event_name:
+    description: 'GitHub event name (typically github.event_name)'
+    required: true
+
+outputs:
+  should_run:
+    description: 'Whether tests should run based on input changes'
+    value: ${{ steps.check.outputs.should_run }}
+  input_hash:
+    description: 'Current Docker image inputs hash'
+    value: ${{ steps.check.outputs.input_hash }}
+  base_hash:
+    description: 'Base branch Docker image inputs hash (empty if not a PR)'
+    value: ${{ steps.check.outputs.base_hash }}
+
+runs:
+  using: composite
+  steps:
+    - name: Get current Docker image inputs hash
+      id: current
+      shell: bash
+      run: |
+        HASH=$(nix run --accept-flake-config .#docker-image-inputs -- hash)
+        echo "hash=$HASH" >> "$GITHUB_OUTPUT"
+        echo "Current Docker image inputs hash: $HASH"
+
+    - name: Get base branch Docker image inputs hash
+      id: base
+      if: inputs.event_name == 'pull_request'
+      shell: bash
+      run: |
+        # Fetch base branch
+        git fetch origin ${{ inputs.base_ref }} --depth=1
+
+        # Checkout base branch files temporarily
+        git checkout FETCH_HEAD -- . 2>/dev/null || true
+
+        # Get hash from base branch
+        BASE_HASH=$(nix run --accept-flake-config .#docker-image-inputs -- hash 2>/dev/null || echo "")
+
+        # Restore current branch
+        git checkout HEAD -- .
+
+        echo "hash=$BASE_HASH" >> "$GITHUB_OUTPUT"
+        echo "Base branch Docker image inputs hash: $BASE_HASH"
+
+    - name: Determine if tests should run
+      id: check
+      shell: bash
+      run: |
+        CURRENT_HASH="${{ steps.current.outputs.hash }}"
+        BASE_HASH="${{ steps.base.outputs.hash }}"
+
+        echo "input_hash=$CURRENT_HASH" >> "$GITHUB_OUTPUT"
+        echo "base_hash=$BASE_HASH" >> "$GITHUB_OUTPUT"
+
+        if [[ "${{ inputs.event_name }}" == "workflow_dispatch" ]]; then
+          echo "Workflow dispatch - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ "${{ inputs.event_name }}" == "push" ]]; then
+          echo "Push to protected branch - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ -z "$BASE_HASH" ]]; then
+          echo "Could not get base hash - running tests to be safe"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ "$CURRENT_HASH" != "$BASE_HASH" ]]; then
+          echo "Docker image inputs changed ($BASE_HASH -> $CURRENT_HASH) - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "Docker image inputs unchanged - skipping tests"
+          echo "should_run=false" >> "$GITHUB_OUTPUT"
+        fi

.github/workflows/cli-smoke-test.yml

@@ -0,0 +1,112 @@
+name: CLI Smoke Test
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - develop
+      - release/*
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check-changes:
+    name: Check Docker Image Changes
+    runs-on: blacksmith-2vcpu-ubuntu-2404
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+      input_hash: ${{ steps.check.outputs.input_hash }}
+      base_hash: ${{ steps.check.outputs.base_hash }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Check Docker image changes
+        id: check
+        uses: ./.github/actions/check-docker-image-changes
+        with:
+          event_name: ${{ github.event_name }}
+          base_ref: ${{ github.base_ref }}
+
+  cli-smoke-test:
+    name: CLI Smoke Test (PG ${{ matrix.pg_version }})
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'true'
+    runs-on: large-linux-arm
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        pg_version: ['15', '17']
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Create Docker context
+        run: docker context create builders
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          endpoint: builders
+
+      - name: Build Docker image
+        run: |
+          DOCKERFILE="Dockerfile-${{ matrix.pg_version }}"
+          echo "Building $DOCKERFILE..."
+          # Tag with ECR prefix since CLI uses public.ecr.aws/supabase/postgres as base
+          docker build -f "$DOCKERFILE" -t "public.ecr.aws/supabase/postgres:${{ matrix.pg_version }}" .
+
+      - name: Run CLI smoke test
+        run: |
+          echo "Running CLI smoke test for PostgreSQL ${{ matrix.pg_version }}..."
+          nix run --accept-flake-config .#cli-smoke-test -- --no-build ${{ matrix.pg_version }}
+        timeout-minutes: 10
+
+      - name: Show logs on failure
+        if: failure()
+        run: |
+          echo "=== Supabase Status ==="
+          nix run --accept-flake-config .#supabase-cli -- status || true
+
+          echo "=== Docker containers ==="
+          docker ps -a
+
+          echo "=== Database container logs ==="
+          docker logs supabase_db_postgres 2>&1 | tail -100 || true
+
+      - name: Cleanup
+        if: always()
+        run: |
+          nix run --accept-flake-config .#supabase-cli -- stop --no-backup || true
+
+  skip-notification:
+    name: CLI Smoke Test (Skipped)
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'false'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Report skipped
+        run: |
+          echo "CLI smoke test skipped - Docker image inputs unchanged"
+          echo "Input hash: ${{ needs.check-changes.outputs.input_hash }}"

.github/workflows/docker-image-test.yml

@@ -0,0 +1,139 @@
+name: Docker Image Test
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - develop
+      - release/*
+  workflow_call:
+    secrets:
+      DEV_AWS_ROLE:
+        required: true
+      NIX_SIGN_SECRET_KEY:
+        required: true
+  workflow_dispatch:
+    inputs:
+      dockerfile:
+        description: 'Specific Dockerfile to test (leave empty for all)'
+        required: false
+        default: ''
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check-changes:
+    name: Check Docker Image Changes
+    runs-on: blacksmith-2vcpu-ubuntu-2404
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+      input_hash: ${{ steps.check.outputs.input_hash }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Check Docker image changes
+        id: check
+        uses: ./.github/actions/check-docker-image-changes
+        with:
+          event_name: ${{ github.event_name }}
+          base_ref: ${{ github.base_ref }}
+
+  docker-image-test:
+    name: Test ${{ matrix.dockerfile }}
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'true'
+    runs-on: large-linux-arm
+    timeout-minutes: 120
+    strategy:
+      fail-fast: false
+      matrix:
+        dockerfile:
+          - Dockerfile-15
+          - Dockerfile-17
+          - Dockerfile-orioledb-17
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Create Docker context
+        run: docker context create builders
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          endpoint: builders
+
+      - name: Build Docker image
+        run: |
+          echo "Building ${{ matrix.dockerfile }}..."
+          VERSION="${{ matrix.dockerfile }}"
+          VERSION="${VERSION#Dockerfile-}"
+          # Build with tags expected by both tools
+          docker build -f ${{ matrix.dockerfile }} \
+            -t "pg-docker-test:${VERSION}" \
+            -t "supabase-postgres:${VERSION}-analyze" \
+            .
+
+      - name: Run image size analysis
+        run: |
+          echo "=== Image Size Analysis for ${{ matrix.dockerfile }} ==="
+          nix run --accept-flake-config .#image-size-analyzer -- --image ${{ matrix.dockerfile }} --no-build
+
+      - name: Run Docker image tests
+        run: |
+          echo "=== Running tests for ${{ matrix.dockerfile }} ==="
+          nix run --accept-flake-config .#docker-image-test -- --no-build ${{ matrix.dockerfile }}
+
+      - name: Show container logs on failure
+        if: failure()
+        run: |
+          VERSION="${{ matrix.dockerfile }}"
+          VERSION="${VERSION#Dockerfile-}"
+          CONTAINER_NAME=$(docker ps -a --filter "name=pg-test-${VERSION}" --format "{{.Names}}" | head -1)
+          if [[ -n "$CONTAINER_NAME" ]]; then
+            echo "=== Container logs for $CONTAINER_NAME ==="
+            docker logs "$CONTAINER_NAME" 2>&1 || true
+          fi
+
+      - name: Cleanup
+        if: always()
+        run: |
+          VERSION="${{ matrix.dockerfile }}"
+          VERSION="${VERSION#Dockerfile-}"
+          # Remove test containers
+          docker ps -a --filter "name=pg-test-${VERSION}" -q | xargs -r docker rm -f || true
+          # Remove test images
+          docker rmi "pg-docker-test:${VERSION}" || true
+          docker rmi "supabase-postgres:${VERSION}-analyze" || true
+
+  skip-notification:
+    name: Docker Image Test (Skipped)
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'false'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Report skipped
+        run: |
+          echo "Docker image tests skipped - inputs unchanged"
+          echo "Input hash: ${{ needs.check-changes.outputs.input_hash }}"

.github/workflows/nix-build.yml

@@ -217,3 +217,15 @@ jobs:
       (needs.nix-build-packages-x86_64-linux.result == 'skipped' || needs.nix-build-packages-x86_64-linux.result == 'success') &&
       (needs.nix-build-checks-x86_64-linux.result == 'skipped' || needs.nix-build-checks-x86_64-linux.result == 'success')
     uses: ./.github/workflows/test.yml
+
+  docker-image-test:
+    needs: [nix-eval, nix-build-packages-aarch64-linux, nix-build-checks-aarch64-linux]
+    if: |
+      !cancelled() &&
+      needs.nix-eval.result == 'success' &&
+      (needs.nix-build-packages-aarch64-linux.result == 'skipped' || needs.nix-build-packages-aarch64-linux.result == 'success') &&
+      (needs.nix-build-checks-aarch64-linux.result == 'skipped' || needs.nix-build-checks-aarch64-linux.result == 'success')
+    uses: ./.github/workflows/docker-image-test.yml
+    secrets:
+      DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+      NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}