From 3855fb7afef1c894dee42a2e24524aa81d6b1c00 Mon Sep 17 00:00:00 2001 From: Patrick Reynolds Date: Wed, 17 Jun 2026 18:18:33 -0400 Subject: [PATCH 1/4] Build and release .deb files based on git tags To make an appropriate tag: ``` git tag v1.2.0-1.pscale1 && git push origin v1.2.0-1.pscale1 ``` --- .dockerignore | 9 +++ .github/workflows/release.yml | 143 ++++++++++++++++++++++++++++++++++ Dockerfile.pscale-debian12 | 42 ++++++++++ debian/changelog | 8 ++ debian/control | 38 +++++++++ debian/control.in | 26 +++++++ debian/copyright | 27 +++++++ debian/pgversions | 1 + debian/rules | 24 ++++++ debian/source/format | 1 + 10 files changed, 319 insertions(+) create mode 100644 .dockerignore create mode 100644 .github/workflows/release.yml create mode 100644 Dockerfile.pscale-debian12 create mode 100644 debian/changelog create mode 100644 debian/control create mode 100644 debian/control.in create mode 100644 debian/copyright create mode 100644 debian/pgversions create mode 100755 debian/rules create mode 100644 debian/source/format diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..f110a87 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,9 @@ +*.o +*.a +*.so +*.dylib +*.pc +results/ +regression.diffs +regression.out +.git diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..b9a3e0d --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,143 @@ +name: Release + +on: + push: + tags: + - 'v*' + +jobs: + build: + strategy: + matrix: + include: + - arch: amd64 + runner: ubuntu-latest + - arch: arm64 + runner: ubuntu-latest + fail-fast: false + runs-on: ${{ matrix.runner }} + outputs: + version: ${{ steps.version.outputs.VERSION }} + + steps: + - uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + if: matrix.arch == 'arm64' + + - name: Get version from tag + id: version + run: | + echo "VERSION=${GITHUB_REF#refs/tags/v}-1" >> $GITHUB_OUTPUT + echo "GIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build Docker image with packages + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.pscale-debian12 + push: false + load: true + tags: pg-roaringbitmap-builder + platforms: linux/${{ matrix.arch }} + build-args: | + VERSION=${{ steps.version.outputs.VERSION }} + GIT_SHA=${{ steps.version.outputs.GIT_SHA }} + + - name: Extract .deb packages from Docker image + run: | + # Create a temporary container to copy files from + CONTAINER_ID=$(docker create \ + --stop-timeout=1 \ + --entrypoint="" \ + pg-roaringbitmap-builder \ + tail -f /dev/null) + docker start "${CONTAINER_ID}" + + # Copy .deb files from container + docker exec ${CONTAINER_ID} sh -c 'tar -cf - /*.deb' | tar -xf - + + # Clean up the container + docker stop ${CONTAINER_ID} || true + docker rm ${CONTAINER_ID} || true + + # List the .deb files for verification + ls -la *.deb + + - name: Verify package contents + run: | + # Verify that each PostgreSQL version package contains the crucial files + for deb in postgresql-*-roaringbitmap_*.deb; do + echo "Verifying $deb..." + + # Extract the package and check contents + ar x "$deb" data.tar.xz + + # Derive the PostgreSQL major version from the package name + PG_VERSION=$(echo "$deb" | sed -n 's/postgresql-\([0-9]*\)-roaringbitmap_.*/\1/p') + + # Verify .so file exists + if ! tar -tf data.tar.xz | grep -q "./usr/lib/postgresql/${PG_VERSION}/lib/roaringbitmap.so"; then + echo "ERROR: Missing roaringbitmap.so in $deb" + exit 1 + fi + + # Verify control file exists + if ! tar -tf data.tar.xz | grep -q "./usr/share/postgresql/${PG_VERSION}/extension/roaringbitmap.control"; then + echo "ERROR: Missing roaringbitmap.control in $deb" + exit 1 + fi + + # Verify SQL file exists + if ! tar -tf data.tar.xz | grep -q "./usr/share/postgresql/${PG_VERSION}/extension/roaringbitmap--1.2.sql"; then + echo "ERROR: Missing roaringbitmap--1.2.sql in $deb" + exit 1 + fi + + echo "✓ $deb contains all crucial files" + rm -f data.tar.xz + done + echo "All packages verified successfully!" + + - name: Calculate checksums + run: | + for file in *.deb; do + sha256sum "$file" > "$file.sha256" + done + + - name: Upload artifacts + uses: actions/upload-artifact@v4 + with: + name: pg-roaringbitmap-${{ matrix.arch }} + path: | + *.deb + *.deb.sha256 + retention-days: 30 + + release: + needs: build + runs-on: ubuntu-latest + permissions: + contents: write + + steps: + - uses: actions/checkout@v4 + + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: packages/ + + - name: Create Release + uses: softprops/action-gh-release@v2 + with: + files: | + packages/**/*.deb + packages/**/*.deb.sha256 + generate_release_notes: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/Dockerfile.pscale-debian12 b/Dockerfile.pscale-debian12 new file mode 100644 index 0000000..6b4f375 --- /dev/null +++ b/Dockerfile.pscale-debian12 @@ -0,0 +1,42 @@ +FROM postgres:18.1-bookworm AS deps + +# VERSION should be injected by the ci release workflow as a build-arg based on the git tag pushed to the repo +ARG VERSION=1.2.0-1.pscale1 +ARG GIT_SHA=unknown +ENV VERSION=${VERSION} +ENV GIT_SHA=${GIT_SHA} + +RUN apt-get -qy update && \ + apt-get install -qy --no-install-recommends \ + architecture-is-64-bit \ + build-essential \ + devscripts \ + debhelper-compat \ + lsb-release \ + postgresql-all \ + postgresql-server-dev-all + +FROM deps AS builder + +COPY . /src +WORKDIR /src + +# this modifies the /src/debian/control.in template to make entries for all supported PostgreSQL versions +RUN pg_buildext updatecontrol + +# this modifies the /src/debian/changelog file used by dpkg-buildpackage to set the version to use on the packages +RUN dch -v "${VERSION}" \ + --distribution "$(lsb_release -cs)" \ + "Custom PlanetScale build" + +# This builds .deb packages for all supported PostgreSQL versions +# and places them in ../ (relative to WORKDIR) +RUN dpkg-buildpackage -us -uc -b + +# final image simply holds the built .deb packages +# +# this is an optimization to speed up CI by avoiding the slow process of +# copying the full builder image into the local docker daemon when all we do +# is start it once to copy out the packages. +FROM postgres:18.1-bookworm +COPY --from=builder /*.deb / diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..6fdcda4 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,8 @@ +pg-roaringbitmap (1.2.0-1.pscale1) unstable; urgency=medium + + * Initial PlanetScale build of pg_roaringbitmap. + * Includes upstream fix hardening validation of untrusted bitmap blobs + in the recv functions (bounds all deserialization by the BYTEA length). + * Support for PostgreSQL 17-18. + + -- PlanetScale Wed, 17 Jun 2026 00:00:00 +0000 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..d7daaa8 --- /dev/null +++ b/debian/control @@ -0,0 +1,38 @@ +Source: pg-roaringbitmap +Priority: optional +Maintainer: PlanetScale +Build-Depends: + architecture-is-64-bit , + debhelper-compat (= 13), + postgresql-all , + postgresql-server-dev-all, +Standards-Version: 4.7.0 +Rules-Requires-Root: no +Section: database +Homepage: https://github.com/planetscale/pg_roaringbitmap +Vcs-Git: https://github.com/planetscale/pg_roaringbitmap.git +Vcs-Browser: https://github.com/planetscale/pg_roaringbitmap + +Package: postgresql-17-roaringbitmap +Section: libs +Architecture: any +Depends: + ${misc:Depends}, + ${postgresql:Depends}, + ${shlibs:Depends}, +Description: RoaringBitmap data type for PostgreSQL + This extension provides a Roaring Bitmap data type called "roaringbitmap" + for PostgreSQL, along with convenience operators and functions for + constructing and handling Roaring Bitmaps. + +Package: postgresql-18-roaringbitmap +Section: libs +Architecture: any +Depends: + ${misc:Depends}, + ${postgresql:Depends}, + ${shlibs:Depends}, +Description: RoaringBitmap data type for PostgreSQL + This extension provides a Roaring Bitmap data type called "roaringbitmap" + for PostgreSQL, along with convenience operators and functions for + constructing and handling Roaring Bitmaps. diff --git a/debian/control.in b/debian/control.in new file mode 100644 index 0000000..b136c26 --- /dev/null +++ b/debian/control.in @@ -0,0 +1,26 @@ +Source: pg-roaringbitmap +Priority: optional +Maintainer: PlanetScale +Build-Depends: + architecture-is-64-bit , + debhelper-compat (= 13), + postgresql-all , + postgresql-server-dev-all, +Standards-Version: 4.7.0 +Rules-Requires-Root: no +Section: database +Homepage: https://github.com/planetscale/pg_roaringbitmap +Vcs-Git: https://github.com/planetscale/pg_roaringbitmap.git +Vcs-Browser: https://github.com/planetscale/pg_roaringbitmap + +Package: postgresql-PGVERSION-roaringbitmap +Section: libs +Architecture: any +Depends: + ${misc:Depends}, + ${postgresql:Depends}, + ${shlibs:Depends}, +Description: RoaringBitmap data type for PostgreSQL + This extension provides a Roaring Bitmap data type called "roaringbitmap" + for PostgreSQL, along with convenience operators and functions for + constructing and handling Roaring Bitmaps. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..65ff70e --- /dev/null +++ b/debian/copyright @@ -0,0 +1,27 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: pg_roaringbitmap +Source: https://github.com/ChenHuajun/pg_roaringbitmap + +Files: * +Copyright: 2018-2026 Chen Huajun +License: Apache-2.0 + +Files: roaring.c roaring.h +Copyright: The CRoaring authors +License: Apache-2.0 + +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the full text of the Apache License version 2.0 can be + found in the file /usr/share/common-licenses/Apache-2.0. diff --git a/debian/pgversions b/debian/pgversions new file mode 100644 index 0000000..f1d28e4 --- /dev/null +++ b/debian/pgversions @@ -0,0 +1 @@ +17+ diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..113b53c --- /dev/null +++ b/debian/rules @@ -0,0 +1,24 @@ +#!/usr/bin/make -f + +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + +export USE_PGXS=1 + +override_dh_installdocs: + dh_installdocs --all README.md + # remove docs that belong elsewhere + rm -rf debian/*/usr/share/doc/postgresql-doc-* + +override_dh_auto_clean: + dh_auto_clean + # skip pg_buildext clean operations + +clean: + dh_clean + +override_dh_pgxs_test: + # Skip tests in docker build - they fail in containerized environment + +%: + dh $@ --with pgxs_loop diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) From 16a5fbbcad7932d2caa694c2971ad71a7e0bdc08 Mon Sep 17 00:00:00 2001 From: Patrick Reynolds Date: Wed, 17 Jun 2026 18:50:01 -0400 Subject: [PATCH 2/4] Pin all the GHA dependencies --- .github/workflows/build-test.yml | 2 +- .github/workflows/release.yml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index 1d44d20..c0e8e0a 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -15,7 +15,7 @@ jobs: run: pg-start ${{ matrix.pg }} - name: Check out repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Build & test extension run: pg-build-test diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b9a3e0d..3faf001 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,10 +20,10 @@ jobs: version: ${{ steps.version.outputs.VERSION }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 if: matrix.arch == 'arm64' - name: Get version from tag @@ -33,10 +33,10 @@ jobs: echo "GIT_SHA=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build Docker image with packages - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 with: context: . file: ./Dockerfile.pscale-debian12 @@ -110,7 +110,7 @@ jobs: done - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: pg-roaringbitmap-${{ matrix.arch }} path: | @@ -125,15 +125,15 @@ jobs: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Download all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: path: packages/ - name: Create Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: files: | packages/**/*.deb From 8bd5dd72cf2bbc3a62fd238a45c6bd4cd48958a3 Mon Sep 17 00:00:00 2001 From: Patrick Reynolds Date: Wed, 17 Jun 2026 18:50:19 -0400 Subject: [PATCH 3/4] Shrink the Pg-major matrix to just 17+18 --- .github/workflows/build-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index c0e8e0a..e9dae38 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -7,7 +7,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - pg: [13, 14, 15, 16, 17, 18] + pg: [17, 18] container: image: pgxn/pgxn-tools steps: From f491c29108be5b4404ccf83f49e4bb9778b30f1c Mon Sep 17 00:00:00 2001 From: Patrick Reynolds Date: Wed, 17 Jun 2026 18:55:01 -0400 Subject: [PATCH 4/4] Suppress some build warnings Build environment for Pg18 has -Werror -Wmissing-variable-declarations, which throws some warnings in roaring.[ch] and makes them fatal. Just ignore that. We can't change roaring.[ch], because they're vendored from CRoaring. --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 4ef6ed0..9ad325c 100644 --- a/Makefile +++ b/Makefile @@ -6,7 +6,8 @@ MODULE_big = roaringbitmap OBJS = roaring_buffer_reader.o roaringbitmap.o roaring64_buffer_reader.o roaringbitmap64.o $(OBJS): override CFLAGS += -std=c11 -Wno-error=maybe-uninitialized \ - -Wno-declaration-after-statement -Wno-missing-prototypes + -Wno-declaration-after-statement -Wno-missing-prototypes \ + -Wno-missing-variable-declarations PG_CONFIG = pg_config