ci(github): add workflow to generate nix dependency change reports for postgresql + extensions #2003
base: develop
Walkthrough
Adds a GitHub Actions workflow and two new Bash scripts that run PR analyses, build PostgreSQL variants via Nix, compare dependency and extension trees between base and PR, and emit structured Markdown reports which the workflow posts or updates as PR comments.
Sequence Diagram
sequenceDiagram
participant GHA as GitHub Actions
participant Script as Analysis Script (postgresql-diff.sh / extensions-diff.sh)
participant GH as GitHub API
participant Nix as Nix Build
participant Repo as git Repos (OLD/NEW)
participant Report as Markdown Report
participant Comment as PR Comment
GHA->>Script: Run job with PR URL
Script->>GH: Query PR metadata (head, base, commits)
GH-->>Script: PR details
Script->>Repo: Clone / update OLD at base commit
Script->>Repo: Clone / update NEW at PR commit
Script->>Nix: Build variants in OLD
Nix-->>Script: build artifacts
Script->>Nix: Build variants in NEW
Nix-->>Script: build artifacts
Script->>Script: Compare dependency/extension trees
Script->>Report: Generate Markdown report
Report-->>Script: report file path
GHA->>GH: Read report and call comment action
GH->>Comment: Create or update PR comment with marker
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
PostgreSQL Extension Dependency Analysis: PR #2003
Summary
No extensions had dependencies with MAJOR version updates.
Full Analysis Results
PostgreSQL 15 Extension Dependencies
PostgreSQL 17 Extension Dependencies
OrioleDB 17 Extension Dependencies
PostgreSQL Package Dependency Analysis: PR #2003
Summary
No packages had MAJOR version updates.
Full Analysis Results
PostgreSQL 15 Dependency Changes
Extracting PostgreSQL 15 dependencies...
Raw Dependency Closure
PostgreSQL 17 Dependency Changes
Extracting PostgreSQL 17 dependencies...
Raw Dependency Closure
OrioleDB 17 Dependency Changes
Extracting OrioleDB 17 dependencies...
Raw Dependency Closure
Actionable comments posted: 4
🤖 Fix all issues with AI agents
In @.github/workflows/nix-dependency-analysis.yml:
- Around line 32-33: Replace the floating external action reference used in the
workflow ("uses: supabase/postgres/.github/actions/shared-checkout@HEAD") with a
pinned commit SHA (or a specific released tag and include its commit SHA as a
comment) to ensure reproducible, immutable behavior; update the "uses" value to
the full commit SHA for supabase/postgres/.github/actions/shared-checkout and
apply the same pattern to other workflows that reference this action to
standardize pinning.
In `@ci/extensions-diff.sh`:
- Around line 117-156: The function ensure_repo_at_commit changes directories
with cd but never restores the original working directory; wrap the body in a
subshell or save the current directory (e.g., original_dir=$(pwd)) and ensure
you cd back (or use pushd/popd) before returning so the caller's working
directory is unchanged; apply this around both the existing-branch and clone
branches and on all error/early-exit paths, ensuring the final echo still runs
after returning to the original directory.
- Around line 306-312: Temp files created for dependency diffs use fixed names
(/tmp/old-$ext-deps.txt and /tmp/new-$ext-deps.txt) which can collide across
concurrent runs and are not removed in cleanup(); change the filenames to
include the current PID (use $$) or use mktemp to create unique temp files when
writing outputs from parse_store_path in the blocks that produce old/new deps,
and add removal of those temp files to the existing cleanup() trap so they are
deleted on exit (reference the parse_store_path usage that writes to the temp
files and the cleanup() function to update).
♻️ Duplicate comments (1)
ci/postgresql-diff.sh (1)
117-156: Same `cd` without restore issue as in `extensions-diff.sh`.
The `ensure_repo_at_commit` function changes directory but doesn't restore it. See the fix suggested for `extensions-diff.sh`.
🧹 Nitpick comments (4)
ci/extensions-diff.sh (2)
17-17: PR URL extraction may match unintended patterns.
The regex `[0-9]+$` will match any trailing digits, including issue numbers, discussion numbers, or malformed URLs. Consider a more specific pattern that validates the expected URL structure.
Suggested improvement
-PR_NUMBER=$(echo "$PR_URL" | grep -oE '[0-9]+$') +PR_NUMBER=$(echo "$PR_URL" | grep -oE '/pull/([0-9]+)$' | grep -oE '[0-9]+')
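Review bot: The replacement line still reports nothing when the URL fails the pattern: `grep -oE '/pull/([0-9]+)$'` just yields an empty PR_NUMBER, or an unexplained exit when `set -e` is active. Add an explicit check with a message right after the assignment, for example `[ -n "$PR_NUMBER" ] || { echo "not a pull request URL: $PR_URL" >&2; exit 1; }`, and consider anchoring the pattern to the expected `https://github.com/<owner>/<repo>` prefix as well, since `/pull/<n>$` alone accepts any host and repository.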
380-401: macOS and Linux branches have identical logic.
The if/else branches for macOS and Linux (lines 410-431 in this file, 380-401 in postgresql-diff.sh) contain identical code. This duplication can be removed.
Consolidate the branches
-# Insert summary after the header but before PostgreSQL version sections -# We need to insert it after the header (line with "Analysis Date") and before first "##" heading -if [[ "$OSTYPE" == "darwin"* ]]; then - # macOS - create temp file with proper structure - { - # Read header (including bullet point lines) - sed -n '1,/^- \*\*Analysis Date:/p' "$OUTPUT_FILE" - echo "" - # Insert summary - echo "$SUMMARY_CONTENT" - # Append rest of file (everything after the header) - sed -n '/^- \*\*Analysis Date:/,$p' "$OUTPUT_FILE" | tail -n +2 - } >"$OUTPUT_FILE.tmp" - mv "$OUTPUT_FILE.tmp" "$OUTPUT_FILE" -else - # GNU/Linux - similar approach - { - sed -n '1,/^- \*\*Analysis Date:/p' "$OUTPUT_FILE" - echo "" - echo "$SUMMARY_CONTENT" - sed -n '/^- \*\*Analysis Date:/,$p' "$OUTPUT_FILE" | tail -n +2 - } >"$OUTPUT_FILE.tmp" - mv "$OUTPUT_FILE.tmp" "$OUTPUT_FILE" -fi +# Insert summary after the header but before PostgreSQL version sections +{ + sed -n '1,/^- \*\*Analysis Date:/p' "$OUTPUT_FILE" + echo "" + echo "$SUMMARY_CONTENT" + sed -n '/^- \*\*Analysis Date:/,$p' "$OUTPUT_FILE" | tail -n +2 +} >"$OUTPUT_FILE.tmp" +mv "$OUTPUT_FILE.tmp" "$OUTPUT_FILE"ci/postgresql-diff.sh (1)
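Review bot: In the consolidated summary-insertion block suggested for ci/extensions-diff.sh, both `sed` ranges depend on a line matching `^- \*\*Analysis Date:` and nothing checks that it exists. If the header line is missing, the first `sed -n '1,/.../p'` prints the whole file and the second prints nothing, so the summary ends up appended at the bottom instead of after the header, with no error. Guard the rewrite with `grep -q '^- \*\*Analysis Date:' "$OUTPUT_FILE"` and fail (or skip) when the marker is absent.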
1-2: Consider extracting shared functions to a common library.
Both `postgresql-diff.sh` and `extensions-diff.sh` share significant code: `ensure_repo_at_commit`, `parse_store_path`, `compare_versions`, and the summary insertion logic. Extracting these to a shared file (e.g., `ci/lib/diff-utils.sh`) would reduce maintenance burden and ensure consistent behavior.
.github/workflows/nix-dependency-analysis.yml (1)
47-60: Script failure may not be caught if markdown file exists from a previous run.
The `find` command on line 53 looks for any matching file in the current directory. If a previous run left a stale file and the script fails silently (despite `set -e`), the workflow might pick up the old file. Consider adding explicit error checking or cleaning up old files first.
Suggested improvement
run: | PR_URL="${{ github.event.pull_request.html_url || format('https://github.com/{0}/pull/{1}', github.repository, github.event.inputs.pr_number) }}" echo "Analyzing PR: $PR_URL" + # Clean up any stale output files + rm -f postgresql-diff-pr-*.md ./ci/postgresql-diff.sh "$PR_URL"
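Review bot: The `PR_URL=` context line expands `${{ ... github.event.inputs.pr_number ... }}` straight into the script text, so on a manually dispatched run the caller-supplied input becomes part of the shell source before the shell parses it. Move the expression into the step's `env:` block, reference it in the script as an ordinary quoted shell variable, and reject a pr_number that is not purely numeric. Separately, the added `rm -f postgresql-diff-pr-*.md` clears stale reports but the hunk adds no check after `./ci/postgresql-diff.sh`, so a run that produces no report is still not turned into a failure; test for the file after the script and exit non-zero if it is missing.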
📜 Review details
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (3)
.github/workflows/nix-dependency-analysis.yml
ci/extensions-diff.sh
ci/postgresql-diff.sh
🧰 Additional context used
🧬 Code graph analysis (1)
ci/postgresql-diff.sh (1)
ci/extensions-diff.sh (5)
cleanup (110-113)
ensure_repo_at_commit (118-156)
parse_store_path (179-182)
compare_versions (185-246)
generate_summary (369-389)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: run-testinfra / prepare
- GitHub Check: run-tests / prepare
🔇 Additional comments (2)
.github/workflows/nix-dependency-analysis.yml (2)
18-21: Good permission scoping.
The workflow requests minimal permissions: `contents: read` for checkout, `pull-requests: write` for commenting, and `id-token: write` for AWS OIDC. This follows the principle of least privilege.
23-25: Good use of concurrency control.
The concurrency group keyed on workflow + PR number with `cancel-in-progress: true` prevents wasteful parallel runs and ensures only the latest push is analyzed.
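The review's pinning finding for `shared-checkout@HEAD` can be enforced mechanically. The following is an added example, not part of the PR or of the review: a POSIX shell check that lists `uses:` references not pinned to a full 40-character commit SHA. The function names, `example-org/setup-tool`, the SHA and the sample workflow are constructed for illustration.

```shell
#!/bin/sh
# Added example: report workflow `uses:` references that are not pinned to a
# full 40-hex commit SHA. Reads workflow YAML on stdin.

find_unpinned_actions() {
  awk -v q="'" '
    /^[ \t]*(-[ \t]+)?uses:[ \t]*/ {
      target = $0
      sub(/^[ \t]*(-[ \t]+)?uses:[ \t]*/, "", target)
      sub(/[ \t]*#.*$/, "", target)            # trailing YAML comment
      gsub(/"/, "", target); gsub(q, "", target)  # surrounding quotes
      sub(/[ \t\r]+$/, "", target)
      # Local actions and container images are not fetched by git ref.
      if (target ~ /^\.\// || target ~ /^docker:/) next
      n = split(target, part, "@")
      ref = (n > 1) ? part[n] : ""
      if (length(ref) != 40 || ref !~ /^[0-9a-f]+$/)
        printf "line %d: %s\n", NR, target
    }'
}

# CI gate: succeeds only when every remote action is SHA-pinned.
workflow_is_pinned() { [ -z "$(find_unpinned_actions)" ]; }

# Constructed sample; only the first `uses:` value appears in the review.
sample_workflow() {
  cat <<'EOF'
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: supabase/postgres/.github/actions/shared-checkout@HEAD
      - uses: example-org/setup-tool@v2
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: ./.github/actions/local-step
      - name: containerised step
        uses: "docker://alpine:3.20"
EOF
}

sample_workflow | find_unpinned_actions
```

To check a real file, run `find_unpinned_actions < .github/workflows/nix-dependency-analysis.yml`.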
…r postgresql + extensions
05ffa4f to abd2f20
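The three review findings against `ci/extensions-diff.sh` (PR URL parsing, fixed temp file names, `cd` without restore) applied together in one added example; this is not the PR's code. The function bodies are assumptions, since the scripts themselves are not shown on this page, and `parse_pr_number`, `deps_file` and `WORK_DIR` are hypothetical names.

```shell
#!/bin/sh
# Added illustration. Only the names ensure_repo_at_commit and cleanup come
# from the review text; every body below is hypothetical.

# Print the PR number only for https://github.com/<owner>/<repo>/pull/<n>.
# Issue URLs, extra path segments and bare numbers fail with a message.
parse_pr_number() {
  n=$(printf '%s' "$1" | sed -n -E \
    's#^https://github\.com/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+/pull/([0-9]+)$#\1#p')
  [ -n "$n" ] || { echo "not a pull request URL: $1" >&2; return 1; }
  printf '%s\n' "$n"
}

# One private directory per run replaces the fixed /tmp/old-$ext-deps.txt
# and /tmp/new-$ext-deps.txt names; a single trap removes it on exit.
WORK_DIR=$(mktemp -d "${TMPDIR:-/tmp}/deps-diff.XXXXXX")
cleanup() { rm -rf -- "$WORK_DIR"; }
trap cleanup EXIT
deps_file() { printf '%s/%s-%s-deps.txt\n' "$WORK_DIR" "$1" "$2"; } # old|new, ext

# Every cd happens inside ( ... ), so the caller's working directory is
# unchanged on success and on each failure path; the path is echoed last.
ensure_repo_at_commit() { # $1 = repo URL, $2 = checkout dir, $3 = commit
  (
    if [ -d "$2/.git" ]; then
      cd "$2" && git fetch --quiet origin
    else
      git clone --quiet "$1" "$2" && cd "$2"
    fi && git checkout --quiet --detach "$3"
  ) || return 1
  printf '%s\n' "$2"
}
```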
This PR aims to automate comments like these on PRs which touch `flake.nix`, `flake.nix`, `nix/**` and the files which generate the reports in `ci/**`