supabase · samrose · Jan 21, 2026 · Jan 26, 2026 · Jan 28, 2026 · Feb 4, 2026
@@ -0,0 +1,80 @@
+name: Check Docker Image Changes
+description: Determines if Docker image inputs have changed between current and base branch
+
+inputs:
+  base_ref:
+    description: 'Base branch ref for comparison (typically github.base_ref)'
+    required: false
+    default: ''
+  event_name:
+    description: 'GitHub event name (typically github.event_name)'
+    required: true
+
+outputs:
+  should_run:
+    description: 'Whether tests should run based on input changes'
+    value: ${{ steps.check.outputs.should_run }}
+  input_hash:
+    description: 'Current Docker image inputs hash'
+    value: ${{ steps.check.outputs.input_hash }}
+  base_hash:
+    description: 'Base branch Docker image inputs hash (empty if not a PR)'
+    value: ${{ steps.check.outputs.base_hash }}
+
+runs:
+  using: composite
+  steps:
+    - name: Get current Docker image inputs hash
+      id: current
+      shell: bash
+      run: |
+        HASH=$(nix run --accept-flake-config .#docker-image-inputs -- hash)
+        echo "hash=$HASH" >> "$GITHUB_OUTPUT"
+        echo "Current Docker image inputs hash: $HASH"
+
+    - name: Get base branch Docker image inputs hash
+      id: base
+      if: inputs.event_name == 'pull_request'
+      shell: bash
+      run: |
+        # Fetch base branch
+        git fetch origin ${{ inputs.base_ref }} --depth=1
+
+        # Checkout base branch files temporarily
+        git checkout FETCH_HEAD -- . 2>/dev/null || true
+
+        # Get hash from base branch
+        BASE_HASH=$(nix run --accept-flake-config .#docker-image-inputs -- hash 2>/dev/null || echo "")
+
+        # Restore current branch
+        git checkout HEAD -- .
+
+        echo "hash=$BASE_HASH" >> "$GITHUB_OUTPUT"
+        echo "Base branch Docker image inputs hash: $BASE_HASH"
+
+    - name: Determine if tests should run
+      id: check
+      shell: bash
+      run: |
+        CURRENT_HASH="${{ steps.current.outputs.hash }}"
+        BASE_HASH="${{ steps.base.outputs.hash }}"
+
+        echo "input_hash=$CURRENT_HASH" >> "$GITHUB_OUTPUT"
+        echo "base_hash=$BASE_HASH" >> "$GITHUB_OUTPUT"
+
+        if [[ "${{ inputs.event_name }}" == "workflow_dispatch" ]]; then
+          echo "Workflow dispatch - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ "${{ inputs.event_name }}" == "push" ]]; then
+          echo "Push to protected branch - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ -z "$BASE_HASH" ]]; then
+          echo "Could not get base hash - running tests to be safe"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        elif [[ "$CURRENT_HASH" != "$BASE_HASH" ]]; then
+          echo "Docker image inputs changed ($BASE_HASH -> $CURRENT_HASH) - running tests"
+          echo "should_run=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "Docker image inputs unchanged - skipping tests"
+          echo "should_run=false" >> "$GITHUB_OUTPUT"
+        fi
@@ -0,0 +1,112 @@
+name: CLI Smoke Test
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - develop
+      - release/*
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check-changes:
+    name: Check Docker Image Changes
+    runs-on: blacksmith-2vcpu-ubuntu-2404
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+      input_hash: ${{ steps.check.outputs.input_hash }}
+      base_hash: ${{ steps.check.outputs.base_hash }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Check Docker image changes
+        id: check
+        uses: ./.github/actions/check-docker-image-changes
+        with:
+          event_name: ${{ github.event_name }}
+          base_ref: ${{ github.base_ref }}
+
+  cli-smoke-test:
+    name: CLI Smoke Test (PG ${{ matrix.pg_version }})
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'true'
+    runs-on: large-linux-arm
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        pg_version: ['15', '17']
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Create Docker context
+        run: docker context create builders
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          endpoint: builders
+
+      - name: Build Docker image
+        run: |
+          DOCKERFILE="Dockerfile-${{ matrix.pg_version }}"
+          echo "Building $DOCKERFILE..."
+          # Tag with ECR prefix since CLI uses public.ecr.aws/supabase/postgres as base
+          docker build -f "$DOCKERFILE" -t "public.ecr.aws/supabase/postgres:${{ matrix.pg_version }}" .
+
+      - name: Run CLI smoke test
+        run: |
+          echo "Running CLI smoke test for PostgreSQL ${{ matrix.pg_version }}..."
+          nix run --accept-flake-config .#cli-smoke-test -- --no-build ${{ matrix.pg_version }}
+        timeout-minutes: 10
+
+      - name: Show logs on failure
+        if: failure()
+        run: |
+          echo "=== Supabase Status ==="
+          nix run --accept-flake-config .#supabase-cli -- status || true
+
+          echo "=== Docker containers ==="
+          docker ps -a
+
+          echo "=== Database container logs ==="
+          docker logs supabase_db_postgres 2>&1 | tail -100 || true
+
+      - name: Cleanup
+        if: always()
+        run: |
+          nix run --accept-flake-config .#supabase-cli -- stop --no-backup || true
+
+  skip-notification:
+    name: CLI Smoke Test (Skipped)
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'false'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Report skipped
+        run: |
+          echo "CLI smoke test skipped - Docker image inputs unchanged"
+          echo "Input hash: ${{ needs.check-changes.outputs.input_hash }}"
@@ -0,0 +1,139 @@
+name: Docker Image Test
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - develop
+      - release/*
+  workflow_call:
+    secrets:
+      DEV_AWS_ROLE:
+        required: true
+      NIX_SIGN_SECRET_KEY:
+        required: true
+  workflow_dispatch:
+    inputs:
+      dockerfile:
+        description: 'Specific Dockerfile to test (leave empty for all)'
+        required: false
+        default: ''
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  check-changes:
+    name: Check Docker Image Changes
+    runs-on: blacksmith-2vcpu-ubuntu-2404
+    outputs:
+      should_run: ${{ steps.check.outputs.should_run }}
+      input_hash: ${{ steps.check.outputs.input_hash }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Check Docker image changes
+        id: check
+        uses: ./.github/actions/check-docker-image-changes
+        with:
+          event_name: ${{ github.event_name }}
+          base_ref: ${{ github.base_ref }}
+
+  docker-image-test:
+    name: Test ${{ matrix.dockerfile }}
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'true'
+    runs-on: large-linux-arm
+    timeout-minutes: 120
+    strategy:
+      fail-fast: false
+      matrix:
+        dockerfile:
+          - Dockerfile-15
+          - Dockerfile-17
+          - Dockerfile-orioledb-17
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install nix
+        uses: ./.github/actions/nix-install-ephemeral
+        with:
+          push-to-cache: 'false'
+        env:
+          DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+          NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
+
+      - name: Create Docker context
+        run: docker context create builders
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        with:
+          endpoint: builders
+
+      - name: Build Docker image
+        run: |
+          echo "Building ${{ matrix.dockerfile }}..."
+          VERSION="${{ matrix.dockerfile }}"
+          VERSION="${VERSION#Dockerfile-}"
+          # Build with tags expected by both tools
+          docker build -f ${{ matrix.dockerfile }} \
+            -t "pg-docker-test:${VERSION}" \
+            -t "supabase-postgres:${VERSION}-analyze" \
+            .
+
+      - name: Run image size analysis
+        run: |
+          echo "=== Image Size Analysis for ${{ matrix.dockerfile }} ==="
+          nix run --accept-flake-config .#image-size-analyzer -- --image ${{ matrix.dockerfile }} --no-build
+
+      - name: Run Docker image tests
+        run: |
+          echo "=== Running tests for ${{ matrix.dockerfile }} ==="
+          nix run --accept-flake-config .#docker-image-test -- --no-build ${{ matrix.dockerfile }}
+
+      - name: Show container logs on failure
+        if: failure()
+        run: |
+          VERSION="${{ matrix.dockerfile }}"
+          VERSION="${VERSION#Dockerfile-}"
+          CONTAINER_NAME=$(docker ps -a --filter "name=pg-test-${VERSION}" --format "{{.Names}}" | head -1)
+          if [[ -n "$CONTAINER_NAME" ]]; then
+            echo "=== Container logs for $CONTAINER_NAME ==="
+            docker logs "$CONTAINER_NAME" 2>&1 || true
+          fi
+
+      - name: Cleanup
+        if: always()
+        run: |
+          VERSION="${{ matrix.dockerfile }}"
+          VERSION="${VERSION#Dockerfile-}"
+          # Remove test containers
+          docker ps -a --filter "name=pg-test-${VERSION}" -q | xargs -r docker rm -f || true
+          # Remove test images
+          docker rmi "pg-docker-test:${VERSION}" || true
+          docker rmi "supabase-postgres:${VERSION}-analyze" || true
+
+  skip-notification:
+    name: Docker Image Test (Skipped)
+    needs: check-changes
+    if: needs.check-changes.outputs.should_run == 'false'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Report skipped
+        run: |
+          echo "Docker image tests skipped - inputs unchanged"
+          echo "Input hash: ${{ needs.check-changes.outputs.input_hash }}"
@@ -213,3 +213,15 @@ jobs:
       (needs.nix-build-packages-x86_64-linux.result == 'skipped' || needs.nix-build-packages-x86_64-linux.result == 'success') &&
       (needs.nix-build-checks-x86_64-linux.result == 'skipped' || needs.nix-build-checks-x86_64-linux.result == 'success')
     uses: ./.github/workflows/test.yml
+
+  docker-image-test:
+    needs: [nix-eval, nix-build-packages-aarch64-linux, nix-build-checks-aarch64-linux]
+    if: |
+      !cancelled() &&
+      needs.nix-eval.result == 'success' &&
+      (needs.nix-build-packages-aarch64-linux.result == 'skipped' || needs.nix-build-packages-aarch64-linux.result == 'success') &&
+      (needs.nix-build-checks-aarch64-linux.result == 'skipped' || needs.nix-build-checks-aarch64-linux.result == 'success')
+    uses: ./.github/workflows/docker-image-test.yml
+    secrets:
+      DEV_AWS_ROLE: ${{ secrets.DEV_AWS_ROLE }}
+      NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}