Trim PostgreSQL Windows runtime package

[lukyrys]

Summary

• stage only PostgreSQL runtime directories from the EnterpriseDB Windows archive
• exclude pgAdmin, StackBuilder, GUI DLLs, and test binaries from the Windows release asset
• update release and README wording for the runtime-only package

Verification

• git diff --check
• PostgreSQL workflow will be run on this branch for version 18.3

Summary by CodeRabbit

• Documentation

  • Updated to accurately describe the PostgreSQL Windows artifact as a runtime-only package.

• Chores

  • Refined Windows PostgreSQL build process to stage only necessary components and validate their presence.
  • Enhanced build artifact quality by excluding unnecessary files from the package.

[coderabbitai]

📝 Walkthrough

Walkthrough

The Windows PostgreSQL build staging logic is refined to copy only runtime directories (bin, lib, share, include), remove auxiliary executables, and validate postgres.exe and initdb.exe exist. Release description and README documentation are updated to reflect this "runtime-only" packaging approach.

Changes

PostgreSQL Build & Documentation Update

Layer / File(s)	Summary
Windows Build Staging .github/workflows/build-postgresql.yml (lines 38–59)	Windows job now copies only bin, lib, share, and include directories from EnterpriseDB runtime ZIP; removes stackbuilder.exe, wx*.dll, and test*.exe; asserts postgres.exe and initdb.exe exist; fails if pgAdmin 4 is present.
Release Description .github/workflows/build-postgresql.yml (line 97)	Windows x64 artifact description updated from "repackaged" to "runtime-only package staged" to clarify the staged nature of the build output.
Documentation README.md (lines 17, 79)	Features section and Build Matrix are updated to describe PostgreSQL as a "runtime-only" EnterpriseDB Windows package and a "runtime subset" respectively.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• feat(postgresql): add binary build workflow #36: Modifies the same Windows PostgreSQL staging workflow logic and EnterpriseDB runtime ZIP handling.

Poem

A rabbit hops through staging directories so fine,
Keeping only the runtime, each binary and line.
No pgAdmin, no stackbuilder to clutter the way,
Just postgres and lib—a lean ZIP for the day! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly describes the main change: reducing the PostgreSQL Windows runtime package to only essential components.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/postgresql-windows-runtime-package

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/build-postgresql.yml (1)

43-44: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

No integrity check on the upstream EDB ZIP — supply chain gap vs. the Unix build.

The Unix job fetches a .sha256 sidecar from the official PostgreSQL FTP and verifies it before extraction. The Windows job trusts the EDB binary ZIP on TLS alone. A compromised EDB origin or CDN swap would propagate silently.

EnterpriseDB does not appear to publish SHA256 checksums for the binary ZIP archives, so a byte-for-byte expected-hash cannot be pinned the same way as the Unix source tarball. However, at minimum, hash the downloaded archive and surface it in the step summary so that any divergence across re-runs is visible:

🛡️ Proposed mitigation: log the hash for audit

  Invoke-WebRequest -Uri $url -OutFile upstream.zip
+ $hash = (Get-FileHash upstream.zip -Algorithm SHA256).Hash
+ Write-Output "upstream.zip SHA256: $hash"
+ "## Windows upstream ZIP hash`n``$hash``" | Out-File $env:GITHUB_STEP_SUMMARY -Append
  Expand-Archive upstream.zip -DestinationPath upstream -Force

If EDB ever ships per-version checksum files alongside the ZIP (e.g., .sha256), replace this with a verification step identical to the Unix job.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-postgresql.yml around lines 43 - 44, After
downloading upstream.zip with Invoke-WebRequest (before Expand-Archive), compute
a SHA256 of upstream.zip (using Get-FileHash -Algorithm SHA256) and append the
resulting hex digest to the GitHub Actions step summary (via the
GITHUB_STEP_SUMMARY file or $env:GITHUB_STEP_SUMMARY) so the fingerprint is
recorded for audit; keep the existing Expand-Archive step, and add a note to
replace this with an actual checksum verification (matching the Unix job) if EDB
publishes a per-version .sha256 in the future.

🧹 Nitpick comments (1)

.github/workflows/build-postgresql.yml (1)

59-59: 💤 Low value

The pgAdmin 4 guard is a dead assertion — it can never be true.

Since only bin, lib, share, and include are copied into stage/, and pgAdmin resides at pgsql/pgAdmin 4/ in the EDB archive (not inside any of those four directories), Test-Path 'stage/pgAdmin 4' is structurally always false. The check conveys intent but provides no real protection.

If the goal is to guard against future staging regressions, a broader assertion (e.g., asserting that stage contains only the four expected subdirectories plus VERSION) would be more meaningful.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In @.github/workflows/build-postgresql.yml:
- Around line 43-44: After downloading upstream.zip with Invoke-WebRequest
(before Expand-Archive), compute a SHA256 of upstream.zip (using Get-FileHash
-Algorithm SHA256) and append the resulting hex digest to the GitHub Actions
step summary (via the GITHUB_STEP_SUMMARY file or $env:GITHUB_STEP_SUMMARY) so
the fingerprint is recorded for audit; keep the existing Expand-Archive step,
and add a note to replace this with an actual checksum verification (matching
the Unix job) if EDB publishes a per-version .sha256 in the future.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b9c87d44-24c3-4262-a9d8-07e09e17809b

📥 Commits

Reviewing files that changed from the base of the PR and between 6aa280b and fc38b22.

📒 Files selected for processing (2)

• .github/workflows/build-postgresql.yml
• README.md