fix: improve security and error handling in OS libs automation

mnencia · mnencia · commit cdd6153bbfb5 · 2025-12-05T19:39:08.000+01:00
Signed-off-by: Marco Nenciarini &lt;marco.nenciarini@enterprisedb.com&gt;
diff --git a/.github/workflows/update_os_libraries.yml b/.github/workflows/update_os_libraries.yml
@@ -23,18 +23,20 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Install Dagger
-        env:
+      - name: Fetch extensions
+        id: get-extensions-dagger
+        uses: dagger/dagger-for-github@v8.2.0
+        with:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.7
-        run: |
-          curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
+          version: 0.19.7
+          verb: call
+          module: ./dagger/maintenance/
+          args: get-oslibs-targets
 
-      - name: Fetch extensions
+      - name: Set extensions output
         id: get-extensions
         run: |
-          EXTENSIONS_JSON=$(dagger call -m ./dagger/maintenance/ get-oslibs-targets)
-          echo "extensions=$EXTENSIONS_JSON" >> $GITHUB_OUTPUT
+          echo "extensions=${{ steps.get-extensions-dagger.outputs.output }}" >> $GITHUB_OUTPUT
 
   update-extension-os-libs:
     name: Update OS libs for ${{ matrix.extension }}
@@ -55,26 +57,34 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install Dagger
-        env:
-          # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.7
-        run: |
-          curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
-
       - name: Update OS libs for ${{ matrix.extension }}
-        run: |
-          dagger call -m ./dagger/maintenance/ update-oslibs --target ${{ matrix.extension }} \
-            export --path .
+        uses: dagger/dagger-for-github@v8.2.0
+        with:
+          # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
+          version: 0.19.7
+          verb: call
+          module: ./dagger/maintenance/
+          args: update-oslibs --target ${{ matrix.extension }} export --path=.
 
       - name: Diff
         run: |
           git status
           git diff
 
+      - name: Check for changes
+        id: check-changes
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected for ${{ matrix.extension }}"
+            echo "changed=false" >> $GITHUB_OUTPUT
+          else
+            echo "Changes detected for ${{ matrix.extension }}"
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
       - name: Create a PR if versions have been updated on main
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
-        if: github.ref == 'refs/heads/main'
+        if: github.ref == 'refs/heads/main' && steps.check-changes.outputs.changed == 'true'
         with:
           token: ${{ secrets.REPO_GHA_PAT }}
           title: "chore: update ${{ matrix.extension }} OS libraries"
diff --git a/dagger/maintenance/updatelibs.go b/dagger/maintenance/updatelibs.go
@@ -9,6 +9,10 @@ import (
 	"dagger/maintenance/internal/dagger"
 )
 
+// libsRegex matches library dependencies from apt-get output
+// Format: library-name MD5Sum:checksum
+var libsRegex = regexp.MustCompile(`(?m)^.*\s(lib\S*).*(MD5Sum:.*)$`)
+
 func updateOSLibsOnTarget(
 	ctx context.Context,
 	target string,
@@ -17,6 +21,7 @@ func updateOSLibsOnTarget(
 ) (*dagger.File, error) {
 	postgresBaseImage := fmt.Sprintf("ghcr.io/cloudnative-pg/postgresql:%s-minimal-%s", majorVersion, distribution)
 	packageName := fmt.Sprintf("postgresql-%s-%s", majorVersion, target)
+
 	out, err := dag.Container().
 		From(postgresBaseImage).
 		WithUser("root").
@@ -26,17 +31,30 @@ func updateOSLibsOnTarget(
 			"apt-get install -qq --print-uris --no-install-recommends " + packageName,
 		}).Stdout(ctx)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to fetch OS libs for extension %s (PostgreSQL %s on %s): %w",
+			target, majorVersion, distribution, err)
+	}
+
+	matches := libsRegex.FindAllStringSubmatch(out, -1)
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("no library dependencies found for extension %s (PostgreSQL %s on %s): apt-get may have failed or package has no lib dependencies",
+			target, majorVersion, distribution)
 	}
-	var re = regexp.MustCompile(`(?m)^.*\s(lib\S*).*(MD5Sum:.*)$`)
-	matches := re.FindAllStringSubmatch(out, -1)
+
 	var result string
 	for _, m := range matches {
 		if len(m) >= 3 {
 			result += m[1] + " " + m[2] + "\n"
 		}
 	}
-	file := dag.File(fmt.Sprintf("%s-%s-os-libs.txt", majorVersion, distribution), result)
+
+	if result == "" {
+		return nil, fmt.Errorf("parsed empty content for extension %s (PostgreSQL %s on %s): regex matched but extracted no data",
+			target, majorVersion, distribution)
+	}
+
+	fileName := fmt.Sprintf("%s-%s-os-libs.txt", majorVersion, distribution)
+	file := dag.File(fileName, result)
 
 	return file, nil
 }
