From 4b88a168b8e80ca3bd93a2c5c9bacbd5c8349738 Mon Sep 17 00:00:00 2001 
From: Dimitrios Liappis Date: Fri, 15 May 2026 16:39:03 +0300 Subject: [PATCH] ci: add OCI smoke gate workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Builds the AMI as an OCI image via supabox's support/ami/Dockerfile, brings up the supabox platform stack, and runs dctest's supadev-smoke spec as a fast pre-flight check before any EC2/testinfra work. Triggers on pull_request paths that affect the AMI build (ansible/, nix/, migrations/, flake.{nix,lock}, Dockerfile-*), plus workflow_dispatch and merge_group. Flow: 1. Checkout postgres at PR commit. 2. Checkout supabox at pinned SHA (env.SUPABOX_REF). 3. Substitute PR's postgres into supabox/repos/postgres. 4. Install Nix + add the postgres binary cache substituter so stage 1 of the AMI image is mostly a cache pull. 5. ./supabox init systemd,pg17 (generates env + certs, npm install). 6. docker compose build supabase-postgres-17 (AMI-as-OCI). 7. docker compose up -d --wait --wait-timeout 300. 8. ./dctest test/supadev-smoke.yaml --results-file ... --results-verbose. 9. Always capture docker state; on failure dump last 500 lines per container log. 10. Upload supabox/diagnostics/ as a 14-day artifact. Conventions followed: - Runner blacksmith-2vcpu-ubuntu-2404 (matches testinfra-ami-build.yml). - supabase/postgres/.github/actions/shared-checkout@HEAD for postgres checkout. - ./postgres/.github/actions/nix-install-ephemeral for Nix. - Concurrency group includes pull_request.number || github.ref. Deliberate first-iteration omissions: - Not gating testinfra-ami-build.yml yet — that wiring is a follow-up once this proves stable. - pause-restore.yaml coverage is a follow-up (blocked on the upstream supabox YAML parse fix and on this gate stabilising). - No matrix over PG 15 / 17 / 17-orioledb — starting with pg17. SUPABOX_REF is SHA-pinned (not a tracking branch) so a sibling-team change can't silently break postgres CI. Bump deliberately. 
Local-trial evidence: validated end-to-end on macOS Docker against supabox a0fe25c on 2026-05-15 with 59/59 supadev-smoke tests passing in ~5.5 min after init. CI-side wall-clock expected ~15-25 min cold cache, less on warm. Tracks RELENG-31.
---
.github/workflows/oci-smoke-gate.yml | 130 +++++++++++++++++++++++++++
1 file changed, 130 insertions(+)
create mode 100644 .github/workflows/oci-smoke-gate.yml
diff --git a/.github/workflows/oci-smoke-gate.yml b/.github/workflows/oci-smoke-gate.yml
new file mode 100644
index 000000000..faac0295d
--- /dev/null
+++ b/.github/workflows/oci-smoke-gate.yml
@@ -0,0 +1,130 @@
+name: OCI smoke gate
+
+# Builds the AMI as an OCI image via supabox's support/ami/Dockerfile,
+# brings up the supabox platform stack, and runs supadev-smoke as a
+# fast pre-flight check before the more expensive testinfra/EC2 path.
+#
+# Intent: catch service-level, migration, and contract regressions in
+# ~5-10 min on a GH runner, so that PRs touching ansible/nix/migrations
+# fail fast and never burn EC2 minutes on broken builds.
+#
+# pause-restore.yaml coverage will be added in a follow-up once the
+# upstream test/pause-restore.yaml YAML parse fix lands.
+#
+# Tracked under RELENG-31.
+
+on:
+pull_request:
+paths:
+- 'ansible/**'
+- 'nix/**'
+- 'migrations/**'
+- 'flake.nix'
+- 'flake.lock'
+- 'Dockerfile-15'
+- 'Dockerfile-17'
+- 'Dockerfile-orioledb-17'
+- 'Dockerfile-multigres'
+- 'Dockerfile-kubernetes'
+- '.github/workflows/oci-smoke-gate.yml'
+workflow_dispatch:
+merge_group:
+
+permissions:
+contents: read
+
+concurrency:
+group: oci-smoke-gate-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+cancel-in-progress: true
+
+jobs:
+smoke:
+runs-on: blacksmith-2vcpu-ubuntu-2404
+timeout-minutes: 60
+
+env:
+# Pinned supabox commit. Bump deliberately; tracks supabox `main`.
+# Verified locally against this ref on 2026-05-15.
+SUPABOX_REF: a0fe25c
+
+steps:
+- name: Checkout postgres at PR commit
+uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+with:
+path: postgres
+
+- name: Checkout supabox at pinned ref
+uses: actions/checkout@v4
+with:
+repository: supabase/supabox
+ref: ${{ env.SUPABOX_REF }}
+path: supabox
+
+- name: Use this postgres commit from this PR in supabox/repos/postgres
+run: |
+set -euo pipefail
+rm -rf supabox/repos/postgres
+cp -a postgres supabox/repos/postgres
+echo "PR postgres SHA inside supabox is: $(git -C supabox/repos/postgres rev-parse HEAD)"
+
+- name: Install Nix
+uses: ./postgres/.github/actions/nix-install-ephemeral
+
+- name: Configure Nix substituter for postgres binary cache
+run: |
+sudo tee -a /etc/nix/nix.conf > /dev/null <<'EOF'
+extra-substituters = https://nix-postgres-artifacts.s3.amazonaws.com
+extra-trusted-public-keys = nix-postgres-artifacts:dGZlQOvKcNEjvT7QEAJbcV6b6uk7VF/hWMjhYleiaLI=
+EOF
+sudo systemctl restart nix-daemon || true
+
+- name: Initialize supabox in systemd mode
+working-directory: supabox
+run: |
+./supabox clean # unnecessary here being a fresh runner, but useful if copied/pasted to a running env
+./supabox init systemd,pg17
+
+- name: Build AMI-as-OCI image
+working-directory: supabox
+run: |
+docker compose build supabase-postgres-17
+
+- name: Bring platform stack up
+working-directory: supabox
+run: |
+docker compose up -d --wait --wait-timeout 300
+
+- name: Run supadev-smoke
+working-directory: supabox
+run: |
+mkdir -p diagnostics
+./dctest test/supadev-smoke.yaml \
+--results-file diagnostics/dctest-smoke-results.json \
+--results-verbose
+
+- name: Capture supabox state (always)
+if: always()
+working-directory: supabox
+run: |
+mkdir -p diagnostics/state
+docker compose ps --all > diagnostics/state/compose-ps.txt 2>&1 || true
+docker ps -a --format 'table {{.Names}}\t{{.Status}}\t{{.Image}}' \
+> diagnostics/state/docker-ps.txt 2>&1 || true
+
+- name: Dump container logs on failure
+if: failure()
+working-directory: supabox
+run: |
+mkdir -p diagnostics/logs
+for c in $(docker ps -a --format '{{.Names}}'); do
+docker logs --tail 500 "$c" > "diagnostics/logs/${c}.log" 2>&1 || true
+done
+
+- name: Upload diagnostics
+if: always()
+uses: actions/upload-artifact@v4
+with:
+name: oci-smoke-diagnostics-${{ github.run_id }}
+path: supabox/diagnostics/
+retention-days: 14
+if-no-files-found: warn
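Review bot: The third-party actions in this hunk (`actions/checkout@v4` on the supabox checkout step and `actions/upload-artifact@v4` on the upload step) are pinned to mutable tags, which is the same class of silent upstream drift the SHA-pinned `SUPABOX_REF` is meant to rule out; pin them to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-sha-of-v4>  # v4`. `SUPABOX_REF: a0fe25c` itself is an abbreviated SHA, which is not guaranteed unique as supabox grows and may not be resolvable by actions/checkout as a `ref:` (worth confirming); prefer the full 40-character SHA as a quoted string, `SUPABOX_REF: "<full-supabox-sha>"`, so a future bump that happens to be all digits or `NeN`-shaped is not retyped by the YAML parser. Separately, the always-on upload step ships `docker logs --tail 500` of every container plus the compose state as a 14-day artifact on pull_request runs; since `supabox init` generates env and certs for the stack per the commit message, it is worth confirming that no container echoes generated credentials into its logs, or redacting them in the dump loop before upload. `shared-checkout@HEAD` is an inherited convention per the commit message, so it is not raised here.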