harden even more
paudley committed Nov 14, 2025
commit b0d15d8820073e8c4b3e2f55743c974fbf35ebf7
16 changes: 16 additions & 0 deletions .github/workflows/ci.yml
@@ -132,6 +132,22 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Smoke-test Docker image
env:
PGPASSWORD: thinice-test
Comment on lines +180 to +181
Copilot AI Nov 14, 2025
Exposing credentials in plaintext environment variables is a security risk. While this is a test environment, it's better practice to avoid plaintext passwords in CI configuration files.

Consider using GitHub secrets or at minimum, use the PGPASSFILE mechanism instead of PGPASSWORD.

run: |
docker run -d --name postgres-smoke \
-e POSTGRES_USER=thinice-test \
-e POSTGRES_PASSWORD=thinice-test \
-e POSTGRES_DB=thinice-test \
core-data-postgres:test
timeout 120 bash -c 'until docker exec postgres-smoke pg_isready -h localhost -U thinice-test >/dev/null 2>&1; do sleep 2; done'
docker exec postgres-smoke psql -U thinice-test -d thinice-test -c "SELECT 1" >/dev/null

- name: Stop Docker smoke container
if: always()
run: docker rm -f postgres-smoke

- name: Validate Dockerfile with hadolint
uses: hadolint/[email protected]
with:
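Review bot: `PGPASSWORD: thinice-test` in the step `env` never reaches psql, because the client runs inside the container via `docker exec postgres-smoke psql ...` and `docker exec` does not forward the runner's environment; the check therefore only passes if the image's pg_hba.conf trusts local connections, and the variable is dead weight. Either drop it, or pass it explicitly (`docker exec -e PGPASSWORD=thinice-test postgres-smoke psql -U thinice-test -d thinice-test -c "SELECT 1"`) so the smoke test actually exercises password authentication. The value is a throwaway that already appears in plaintext as `POSTGRES_PASSWORD` two lines later, so moving it to a repository secret gains little. Consider also running `docker logs postgres-smoke` in the `if: always()` cleanup step, since a failed `pg_isready` wait currently leaves no diagnostics in the job output.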
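The Copilot comment above suggests PGPASSFILE over PGPASSWORD. As an added example, not code from the reviewed repository or the ci.yml above, the following shell functions build a libpq password file with the escaping and the 0600 mode libpq requires; the host, port, role and password values are constructed for illustration, and `write_pgpass`, `pgpass_entry` and `check_pgpass_mode` are names chosen here, not existing tools.

```shell
#!/bin/sh
# Added example (not from the reviewed repository): build a libpq password
# file and point PGPASSFILE at it, instead of exporting PGPASSWORD.
# All host/port/role/password values used here are constructed.
set -eu

# libpq's pgpass format is host:port:database:user:password, one entry per
# line. A literal ':' or '\' inside a field must be backslash-escaped.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# pgpass_entry HOST PORT DATABASE USER PASSWORD -> one escaped line
pgpass_entry() {
    printf '%s:%s:%s:%s:%s\n' \
        "$(pgpass_escape "$1")" "$(pgpass_escape "$2")" \
        "$(pgpass_escape "$3")" "$(pgpass_escape "$4")" \
        "$(pgpass_escape "$5")"
}

# write_pgpass PATH HOST PORT DATABASE USER PASSWORD
# Creates the file under umask 077 so it is never briefly readable by others,
# then appends the entry. libpq ignores a password file that is group- or
# world-accessible, so the mode is part of the mechanism, not polish.
write_pgpass() {
    path=$1; shift
    ( umask 077; : > "$path" )
    chmod 600 "$path"          # also tightens a pre-existing looser file
    pgpass_entry "$@" >> "$path"
}

# file_mode PATH -> octal permission bits (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pgpass_mode PATH -> exit 0 only if libpq will accept the file
check_pgpass_mode() {
    [ "$(file_mode "$1")" = "600" ]
}

# Usage with constructed values; the psql line is what replaces a PGPASSWORD
# export in a CI step (commented out so the example runs without psql).
pgpass_demo() {
    f=$(mktemp)
    write_pgpass "$f" localhost 5432 thinice-test thinice-test 'p:ss\word'
    check_pgpass_mode "$f"
    cat "$f"
    # PGPASSFILE="$f" psql -h localhost -U thinice-test -d thinice-test -c 'SELECT 1'
    rm -f "$f"
}
pgpass_demo
```

In a CI step this keeps the password out of `ps` output and out of the step's environment block; it does not remove it from the workflow file, which is the point the comment makes about secrets.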
36 changes: 23 additions & 13 deletions postgres/initdb/00-render-config.sh
@@ -81,17 +81,19 @@ export \

mkdir -p "${PGDATA}"

first_render=1
if [[ -f "${SENTINEL}" ]]; then
if [[ "${FORCE_RENDER_CONFIG}" != "1" ]]; then
echo "[core_data] Configuration already rendered; refreshing network allow entries." >&2
apply_network_allow_entries
if ! pg_ctl -D "${PGDATA}" reload >/dev/null 2>&1; then
echo "[core_data] WARNING: pg_ctl reload failed while refreshing network allow entries." >&2
fi
exit 0
fi
echo "[core_data] FORCE_RENDER_CONFIG=1 set; re-rendering templates." >&2
rm -f "${SENTINEL}"
first_render=0
if [[ "${FORCE_RENDER_CONFIG}" != "1" ]]; then
echo "[core_data] Configuration already rendered; refreshing network allow entries." >&2
apply_network_allow_entries
if ! pg_ctl -D "${PGDATA}" reload >/dev/null 2>&1; then
echo "[core_data] WARNING: pg_ctl reload failed while refreshing network allow entries." >&2
fi
exit 0
fi
echo "[core_data] FORCE_RENDER_CONFIG=1 set; re-rendering templates." >&2
rm -f "${SENTINEL}"
fi

if [[ "${POSTGRES_SSL_ENABLED}" == "on" ]]; then
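Review bot: `first_render=0` at the top of the sentinel branch is set before the `FORCE_RENDER_CONFIG` check, which works only because the non-forced path exits, and nothing in the hunk says why a forced re-render later warrants a different action from a first render; a one-line comment beside the flag would spare the next reader from tracing it to the end of the script. Separately, the refresh path still only warns and exits 0 when `pg_ctl reload` fails, so new network allow entries can be written to disk without ever being applied and the caller sees success; make that failure visible to the caller rather than leaving it on stderr.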
@@ -161,8 +163,16 @@ CONF

echo "[core_data] Rendered PostgreSQL configs and pgBackRest configuration." >&2

pg_ctl -D "${PGDATA}" -m fast -w restart >/dev/null 2>&1 || {
echo "[core_data] WARNING: pg_ctl restart failed during initialization." >&2
}
if pg_ctl -D "${PGDATA}" status >/dev/null 2>&1; then
if [[ "${first_render}" -eq 1 ]]; then
if ! pg_ctl -D "${PGDATA}" reload >/dev/null 2>&1; then
echo "[core_data] WARNING: pg_ctl reload failed during initial configuration." >&2
fi
else
if ! pg_ctl -D "${PGDATA}" -m fast -w restart >/dev/null 2>&1; then
echo "[core_data] WARNING: pg_ctl restart failed during configuration refresh." >&2
fi
fi
fi

touch "${SENTINEL}"
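Review bot: `touch "${SENTINEL}"` runs even when the reload or restart above fails (both branches only warn), so a configuration that never took effect is marked as rendered and every later start takes the refresh-only path; either skip the sentinel on failure or fail the script. The `pg_ctl status` guard is also silent when no server is running, whereas the removed unconditional restart at least warned. And a reload on first render only applies settings that can change on SIGHUP: anything in the rendered templates that needs a restart will not be active until the server is next started, which deserves a comment so the switch from restart to reload is not read as a regression.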