From 19d360f17330faca998fe7c0dec58ca4416755b6 Mon Sep 17 00:00:00 2001 From: Ethan <39577870+ethanndickson@users.noreply.github.com> Date: Thu, 4 Sep 2025 14:00:21 +1000 Subject: [PATCH] fix: pin pg_dump version when generating schema (#19696) The latest release of all `pg_dump` major versions, going back to 13, started inserting `\restrict` `\unrestrict` keywords into dumps. This currently breaks sqlc in `gen/dump` and our check migration script. Full details of the postgres change are available here: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=575f54d4c To fix, we'll always use the `pg_dump` in our postgres 13.21 docker image for schema dumps, instead of what's on the runner/local machine. Coder doesn't restore from postgres dumps, so we're not vulnerable to attacks that would be patched by the latest postgres version. Regardless, we'll unpin ASAP. Once sqlc is updated to handle these keywords, we need to start stripping them when comparing the schema in the migration check script, and then we can unpin the pg_dump version. This is being tracked at https://github.com/coder/internal/issues/965 (cherry picked from commit 1b4ce0909c03fb0e693af2eaa6b5298887ccde4b) --- coderd/database/dbtestutil/db.go | 38 ++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/coderd/database/dbtestutil/db.go b/coderd/database/dbtestutil/db.go index f67e3206b09d1..b70d00e4eb97b 100644 --- a/coderd/database/dbtestutil/db.go +++ b/coderd/database/dbtestutil/db.go @@ -10,7 +10,6 @@ import ( "os/exec" "path/filepath" "regexp" - "strconv" "strings" "testing" "time" @@ -251,26 +250,31 @@ func PGDump(dbURL string) ([]byte, error) { return stdout.Bytes(), nil } -const minimumPostgreSQLVersion = 13 +const ( + minimumPostgreSQLVersion = 13 + postgresImageSha = "sha256:467e7f2fb97b2f29d616e0be1d02218a7bbdfb94eb3cda7461fd80165edfd1f7" +) // PGDumpSchemaOnly is for use by gen/dump only. // It runs pg_dump against dbURL and sets a consistent timezone and encoding. func PGDumpSchemaOnly(dbURL string) ([]byte, error) { hasPGDump := false - if _, err := exec.LookPath("pg_dump"); err == nil { - out, err := exec.Command("pg_dump", "--version").Output() - if err == nil { - // Parse output: - // pg_dump (PostgreSQL) 14.5 (Ubuntu 14.5-0ubuntu0.22.04.1) - parts := strings.Split(string(out), " ") - if len(parts) > 2 { - version, err := strconv.Atoi(strings.Split(parts[2], ".")[0]) - if err == nil && version >= minimumPostgreSQLVersion { - hasPGDump = true - } - } - } - } + // TODO: Temporarily pin pg_dump to the docker image until + // https://github.com/sqlc-dev/sqlc/issues/4065 is resolved. + // if _, err := exec.LookPath("pg_dump"); err == nil { + // out, err := exec.Command("pg_dump", "--version").Output() + // if err == nil { + // // Parse output: + // // pg_dump (PostgreSQL) 14.5 (Ubuntu 14.5-0ubuntu0.22.04.1) + // parts := strings.Split(string(out), " ") + // if len(parts) > 2 { + // version, err := strconv.Atoi(strings.Split(parts[2], ".")[0]) + // if err == nil && version >= minimumPostgreSQLVersion { + // hasPGDump = true + // } + // } + // } + // } cmdArgs := []string{ "pg_dump", @@ -295,7 +299,7 @@ func PGDumpSchemaOnly(dbURL string) ([]byte, error) { "run", "--rm", "--network=host", - fmt.Sprintf("%s:%d", postgresImage, minimumPostgreSQLVersion), + fmt.Sprintf("%s:%d@%s", postgresImage, minimumPostgreSQLVersion, postgresImageSha), }, cmdArgs...) } cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...) //#nosec