chore: rebase and small changes from review

Author: staaldraad

.github/workflows/nix-build.yml

@@ -24,7 +24,7 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - runner: blacksmith-32vcpu-ubuntu-2404	
+          - runner: blacksmith-32vcpu-ubuntu-2404
             arch: amd64
           - runner: blacksmith-32vcpu-ubuntu-2404-arm
             arch: arm64
@@ -56,12 +56,6 @@ jobs:
           sudo -E python -c "import os; file = open('/etc/nix/nix-secret-key', 'w'); file.write(os.environ['NIX_SIGN_SECRET_KEY']); file.close()"
         env:
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
-      - name: Setup SSH for deploy key
-        run: |
-          mkdir -p ~/.ssh
-          echo "${{ secrets.GK_DEPLOY_KEY }}" > ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan github.com >> ~/.ssh/known_hosts
       - name: Setup cache script
         if: ${{ github.secret_source == 'Actions' }}
         run: |
@@ -116,7 +110,7 @@ jobs:
           df -h
       - name: Build psql bundle
         run: >
-          nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48" 
+          nix run "github:Mic92/nix-fast-build?rev=b1dae483ab7d4139a6297e02b6de9e5d30e43d48"
           -- --skip-cached --no-nom ${{ matrix.runner == 'macos-latest-xlarge' && '--max-jobs 1' || '' }}
           --flake ".#checks.$(nix eval --raw --impure --expr 'builtins.currentSystem')"
         env:

nix/packages/gatekeeper.nix

@@ -18,7 +18,7 @@ buildGoModule {
   src = pkgs.fetchFromGitHub {
     owner = "supabase";
     repo = "jit-db-gatekeeper";
-    rev = "refs/heads/main";
+    rev = "v1.0.0";
     hash = "sha256-hrYh1dBxk+aN3b/J9mZqk/ZXHmWA/MIqZLVgICT7e90=";
   };
 

testinfra/test_ami_nix.py

@@ -403,9 +403,9 @@ def is_healthy(ssh) -> bool:
 def test_postgrest_is_running(host):
     """Check if postgrest service is running using our SSH connection."""
     result = run_ssh_command(host["ssh"], "systemctl is-active postgrest")
-    assert (
-        result["succeeded"] and result["stdout"].strip() == "active"
-    ), "PostgREST service is not running"
+    assert result["succeeded"] and result["stdout"].strip() == "active", (
+        "PostgREST service is not running"
+    )
 
 
 def test_postgrest_responds_to_requests(host):
@@ -547,9 +547,9 @@ def test_postgresql_version(host):
         if version_match:
             major_version = int(version_match.group(1))
             print(f"PostgreSQL major version: {major_version}")
-            assert (
-                major_version >= 14
-            ), f"PostgreSQL version {major_version} is less than 14"
+            assert major_version >= 14, (
+                f"PostgreSQL version {major_version} is less than 14"
+            )
         else:
             assert False, "Could not parse PostgreSQL version number"
     else:
@@ -579,9 +579,9 @@ def test_libpq5_version(host):
         if version_match:
             major_version = int(version_match.group(1))
             print(f"libpq5 major version: {major_version}")
-            assert (
-                major_version >= 14
-            ), f"libpq5 version {major_version} is less than 14"
+            assert major_version >= 14, (
+                f"libpq5 version {major_version} is less than 14"
+            )
         else:
             print("Could not parse libpq5 version from dpkg output")
     else:
@@ -614,9 +614,9 @@ def test_libpq5_version(host):
         if version_match:
             major_version = int(version_match.group(1))
             print(f"psql/libpq major version: {major_version}")
-            assert (
-                major_version >= 14
-            ), f"psql/libpq version {major_version} is less than 14"
+            assert major_version >= 14, (
+                f"psql/libpq version {major_version} is less than 14"
+            )
         else:
             print("Could not parse psql version")
 
@@ -706,9 +706,9 @@ def test_pam_postgresql_config(host):
                 perms = result["stdout"].strip()
                 print(f"PAM config permissions: {perms}")
                 # Should be owned by postgres:postgres with 664 permissions
-                assert (
-                    "postgres postgres" in perms
-                ), "PAM config not owned by postgres:postgres"
+                assert "postgres postgres" in perms, (
+                    "PAM config not owned by postgres:postgres"
+                )
         else:
             print("\nPAM config file not found")
             assert False, "PAM configuration file /etc/pam.d/postgresql not found"
@@ -743,7 +743,7 @@ def test_jit_pam_gatekeeper_profile(host):
     # Check if gatekeeper is in the postgres user's Nix profile
     result = run_ssh_command(
         host["ssh"],
-        "sudo -u postgres nix profile list 2>/dev/null | grep -i gatekeeper",
+        "sudo -u postgres nix profile list --json | jq -r '.elements.gatekeeper.storePaths[0]'",
     )
     if result["succeeded"] and result["stdout"].strip():
         print(f"\nGatekeeper found in Nix profile:\n{result['stdout']}")
@@ -998,7 +998,9 @@ def test_postgrest_read_only_session_attrs(host):
             print(
                 f"\nFound 'session is not read-only' errors in PostgREST logs:\n{result['stdout']}"
             )
-            assert False, "PostgREST logs contain 'session is not read-only' errors even though PostgreSQL is configured for read-only mode"
+            assert False, (
+                "PostgREST logs contain 'session is not read-only' errors even though PostgreSQL is configured for read-only mode"
+            )
         else:
             print("\nNo 'session is not read-only' errors found in PostgREST logs")