Add .deb packaging workflow with GitHub Releases #57

Open
iskakaushik wants to merge 2 commits into main from add-deb-packaging

@iskakaushik
Collaborator

Summary

  • Adds .github/workflows/deb.yml — builds .deb packages for PG 16-18 on Ubuntu 22.04 (amd64 + arm64)
  • Adds nfpm.yml — declarative package config for nfpm
  • Uploads .debs to GitHub Releases for unauthenticated public downloads:
    • main → rolling dev pre-release
    • customer-* → rolling customer-<name> pre-release
    • v* tags → attached to the version release

Download URLs

https://github.com/ClickHouse/pg_stat_ch/releases/download/dev/pg-stat-ch-0.3.3-pg18-amd64.deb
https://github.com/ClickHouse/pg_stat_ch/releases/download/dev/pg-stat-ch-0.3.3-pg18-arm64.deb

Test plan

  • Verify all 6 matrix jobs (3 PG × 2 arch) pass
  • Verify dev pre-release is created with .deb assets on merge to main

Build .deb packages for PG 16-18 on Ubuntu 22.04 (amd64 + arm64)
and upload them to GitHub Releases for public unauthenticated downloads.

- main pushes → rolling `dev` pre-release
- customer-* pushes → rolling `customer-<name>` pre-release
- v* tags → attached to the version release

Copilot AI review requested due to automatic review settings April 7, 2026 21:31

Contributor

Copilot AI left a comment

Pull request overview

Adds automated Debian packaging to the project CI/CD so .deb artifacts for PG 16–18 (amd64/arm64) can be built and published to GitHub Releases for easy installation.

Changes:

  • Introduces an nfpm configuration (nfpm.yml) describing the Debian package metadata and installed file layout.
  • Adds a GitHub Actions workflow (.github/workflows/deb.yml) to build .deb packages across a PG/arch matrix and upload them to rolling prereleases (dev, customer-*) and versioned releases (v* tags).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| nfpm.yml | Defines package metadata, dependencies, and which staged install files go into the .deb. |
| .github/workflows/deb.yml | Builds, packages, and uploads .deb artifacts; manages release tags for dev/customer/tag flows. |

Comment thread nfpm.yml Outdated
@@ -0,0 +1,25 @@
name: pg-stat-ch

Copilot AI Apr 7, 2026

All three builds (PG16/17/18) produce a .deb with the same Debian package name (name: pg-stat-ch). Debian packages are not co-installable when Package is identical, so installing the PG17 build would replace/remove the PG16 files (and vice versa). Consider including ${PG_MAJOR} in the package name (e.g., postgresql-${PG_MAJOR}-pg-stat-ch or pg-stat-ch-pg${PG_MAJOR}), or otherwise making packages explicitly co-installable.

Suggested change
name: pg-stat-ch
name: postgresql-${PG_MAJOR}-pg-stat-ch

Comment thread .github/workflows/deb.yml Outdated
sudo apt-get update
sudo apt-get install -y curl ca-certificates gnupg
curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg >/dev/null
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list
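
Review bot: The key import on the `curl ... | gpg --dearmor | sudo tee` line writes into /etc/apt/trusted.gpg.d, which makes that key trusted for every configured APT source rather than only for apt.postgresql.org, and the pipeline's exit status is that of `tee`, so a failed download or dearmor does not stop the step unless pipefail is set. Consider `curl -fsSL`, storing the keyring outside trusted.gpg.d, and referencing it with a `[signed-by=...]` option in the pgdg.list entry.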

Copilot AI Apr 7, 2026

The APT source is configured using plain HTTP (deb http://apt.postgresql.org/...). This allows repository metadata/package downloads to be intercepted/modified in transit. Switch the repository URL to HTTPS (matching the key download) to avoid MITM risk.

Suggested change
echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list
echo "deb https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list

Comment thread .github/workflows/deb.yml
Comment on lines +121 to +139
# Create the release if it doesn't exist yet.
gh release view "$TAG" -R "$GITHUB_REPOSITORY" >/dev/null 2>&1 || \
gh release create "$TAG" -R "$GITHUB_REPOSITORY" \
--prerelease \
--title "$TAG" \
--notes "Rolling pre-release for \`$TAG\`. Updated on every push."

# Upload .deb files, replacing any existing ones.
gh release upload "$TAG" debs/*.deb -R "$GITHUB_REPOSITORY" --clobber
else
# For version tags, the release is created by release.yml.
# Wait briefly for it to exist, then attach .debs.
for i in 1 2 3 4 5; do
gh release view "$TAG" -R "$GITHUB_REPOSITORY" >/dev/null 2>&1 && break
echo "Waiting for release $TAG to be created..."
sleep 10
done
gh release upload "$TAG" debs/*.deb -R "$GITHUB_REPOSITORY" --clobber
fi
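
Review bot: Both `gh release upload ... --clobber` calls replace assets in place under the same file names, so on the rolling pre-releases a given download URL serves different bytes after every push and nothing published alongside lets a consumer confirm which build they fetched. Consider uploading a SHA256SUMS file (or a signature) together with the .debs, and recording the commit SHA in the release notes instead of the fixed "Updated on every push." text.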

Copilot AI Apr 7, 2026

For tag builds, this job assumes the release already exists (created by release.yml) and only waits up to ~50 seconds before attempting gh release upload. release.yml creates the release only after its own build matrix completes, which can take many minutes, so this workflow can fail spuriously on tags. Consider creating the release here if it doesn’t exist (even for version tags), or waiting/polling until it exists with a longer timeout and failing explicitly if it never appears.

Suggested change
# Create the release if it doesn't exist yet.
gh release view "$TAG" -R "$GITHUB_REPOSITORY" >/dev/null 2>&1 || \
gh release create "$TAG" -R "$GITHUB_REPOSITORY" \
--prerelease \
--title "$TAG" \
--notes "Rolling pre-release for \`$TAG\`. Updated on every push."
# Upload .deb files, replacing any existing ones.
gh release upload "$TAG" debs/*.deb -R "$GITHUB_REPOSITORY" --clobber
else
# For version tags, the release is created by release.yml.
# Wait briefly for it to exist, then attach .debs.
for i in 1 2 3 4 5; do
gh release view "$TAG" -R "$GITHUB_REPOSITORY" >/dev/null 2>&1 && break
echo "Waiting for release $TAG to be created..."
sleep 10
done
gh release upload "$TAG" debs/*.deb -R "$GITHUB_REPOSITORY" --clobber
fi
# Create the pre-release if it doesn't exist yet.
gh release view "$TAG" -R "$GITHUB_REPOSITORY" >/dev/null 2>&1 || \
gh release create "$TAG" -R "$GITHUB_REPOSITORY" \
--prerelease \
--title "$TAG" \
--notes "Rolling pre-release for \`$TAG\`. Updated on every push."
else
# For version tags, ensure the release exists before uploading assets.
gh release view "$TAG" -R "$GITHUB_REPOSITORY" >/dev/null 2>&1 || \
gh release create "$TAG" -R "$GITHUB_REPOSITORY" \
--title "$TAG" \
--notes "Release $TAG"
fi
# Upload .deb files, replacing any existing ones.
gh release upload "$TAG" debs/*.deb -R "$GITHUB_REPOSITORY" --clobber
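
Review bot: In the `else` branch for version tags, `gh release create "$TAG"` now competes with release.yml, which the replaced comment says creates that release. If release.yml still runs its own create for the same tag, whichever workflow gets there second fails, and if this one wins the release carries the placeholder "Release $TAG" notes. Make one workflow the owner of the release, or have both use the same view-or-create guard.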

- Use HTTPS for PostgreSQL APT repo to prevent MITM risk
- Include PG major version in package name for co-installability
- Create release if missing instead of fragile wait loop
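
Added example (not part of this PR or of Copilot's review): a POSIX shell check over one-line-style APT source entries that flags the plain-HTTP transport raised in the deb.yml thread above, and additionally flags entries with `trusted=yes` or without a `signed-by` keyring scope. The function names and the sample entries used with it are constructed for illustration.

```shell
#!/bin/sh
# Added example: entries passed to these functions are constructed samples.

# audit_apt_line ENTRY
# Prints "skip" for blank/comment/non-deb lines, "ok" for a clean entry,
# or a space-separated list of findings.
audit_apt_line() {
  set -f; set -- $1; set +f            # split fields on whitespace, no globbing
  case "${1:-}" in
    deb|deb-src) shift ;;
    *) echo skip; return 0 ;;
  esac
  opts=""
  case "${1:-}" in
    \[*)                               # optional "[opt=val ...]" block
      while [ $# -gt 0 ]; do
        opts="$opts $1"
        case "$1" in *\]) shift; break ;; esac
        shift
      done ;;
  esac
  findings=""
  # After the options block, $1 is the repository URI.
  case "${1:-}" in http://*) findings="plain-http" ;; esac
  # trusted=yes tells APT to accept the source without signature checks.
  case "$opts" in *trusted=yes*) findings="${findings:+$findings }trusted-yes" ;; esac
  # Without signed-by, the source is validated against the global keyrings.
  case "$opts" in
    *signed-by=*) ;;
    *) findings="${findings:+$findings }no-signed-by" ;;
  esac
  echo "${findings:-ok}"
}

# audit_apt_sources: read entries on stdin, print "LINE_NO: findings" for each
# flagged entry, and return 1 if anything was flagged.
audit_apt_sources() {
  n=0; rc=0
  while IFS= read -r entry || [ -n "$entry" ]; do
    n=$((n + 1))
    result=$(audit_apt_line "$entry")
    case "$result" in
      ok|skip) ;;
      *) echo "$n: $result"; rc=1 ;;
    esac
  done
  return "$rc"
}
```

In a workflow step, piping the generated list file into `audit_apt_sources` fails the step on any flagged entry.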