feat: allow checkout of fork repository on workflow approval (#1643)

* feat: allow checkout of fork repository on workflow approval

Based on #1635

* Do not use secrets if they are not available

In the forks, secrets are not available.

Author: jfroche

.github/workflows/ami-release-nix-single.yml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
         with:
           ref: ${{ github.event.inputs.branch }}
 

.github/workflows/ami-release-nix.yml

@@ -22,8 +22,8 @@ jobs:
       postgres_versions: ${{ steps.set-versions.outputs.postgres_versions }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
-      
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
       - uses: DeterminateSystems/nix-installer-action@main
 
       - name: Set PostgreSQL versions
@@ -48,7 +48,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - uses: DeterminateSystems/nix-installer-action@main
 

.github/workflows/check-shellscripts.yml

@@ -14,7 +14,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - name: Checkout Repo
+      uses: supabase/postgres/.github/actions/shared-checkout@HEAD
     - name: Run ShellCheck
       uses: ludeeus/action-shellcheck@master
       env:

.github/workflows/ci.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - name: Load postgres_release values
         id: load_postgres_release

.github/workflows/dockerhub-release-matrix.yml

@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: DeterminateSystems/nix-installer-action@main
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - name: Generate build matrix
         id: set-matrix
         run: |
@@ -53,7 +53,8 @@ jobs:
     outputs:
       build_args: ${{ steps.args.outputs.result }}
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - name: Set PostgreSQL version environment variable
         run: echo "POSTGRES_MAJOR_VERSION=${{ matrix.version }}" >> $GITHUB_ENV
@@ -77,7 +78,8 @@ jobs:
     runs-on: ${{ matrix.arch == 'amd64' && 'ubuntu-latest' || 'arm-runner' }}
     timeout-minutes: 180
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - run: docker context create builders
       - uses: docker/setup-buildx-action@v3
@@ -132,7 +134,8 @@ jobs:
         include: ${{ fromJson(needs.prepare.outputs.matrix_config).include }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: docker/setup-buildx-action@v3
       - uses: docker/login-action@v2
@@ -175,7 +178,8 @@ jobs:
     needs: [prepare, merge_manifest]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
 
       - name: Debug Input from Prepare

.github/workflows/manual-docker-release.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - uses: DeterminateSystems/nix-installer-action@main
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - name: Generate build matrix
         id: set-matrix
         run: |
@@ -50,7 +50,8 @@ jobs:
     outputs:
       build_args: ${{ steps.args.outputs.result }}
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - name: Set PostgreSQL version environment variable
         run: echo "POSTGRES_MAJOR_VERSION=${{ matrix.version }}" >> $GITHUB_ENV
@@ -74,7 +75,8 @@ jobs:
     runs-on: ${{ matrix.arch == 'amd64' && 'ubuntu-latest' || 'arm-runner' }}
     timeout-minutes: 180
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - run: docker context create builders
       - uses: docker/setup-buildx-action@v3
@@ -141,7 +143,8 @@ jobs:
         include: ${{ fromJson(needs.prepare.outputs.matrix_config).include }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: docker/setup-buildx-action@v3
       - uses: docker/login-action@v2
@@ -184,7 +187,8 @@ jobs:
     needs: [prepare, merge_manifest]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - uses: DeterminateSystems/nix-installer-action@main
 
       - name: Debug Input from Prepare

.github/workflows/mirror-postgrest.yml

@@ -17,7 +17,8 @@ jobs:
     outputs:
       postgrest_release: ${{ steps.args.outputs.result }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - id: args
         uses: mikefarah/yq@master
         with:

.github/workflows/nix-build.yml

@@ -27,15 +27,11 @@ jobs:
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 180
     steps:
-
-      - name: Check out code
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.ref || github.ref }}
-          fetch-depth: 0
-          fetch-tags: true
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - name: aws-creds
         uses: aws-actions/configure-aws-credentials@v4
+        if: ${{ github.secret_source == 'Actions' }}
         with:
           role-to-assume: ${{ secrets.DEV_AWS_ROLE }}
           aws-region: "us-east-1"
@@ -48,7 +44,7 @@ jobs:
         env:
           NIX_SIGN_SECRET_KEY: ${{ secrets.NIX_SIGN_SECRET_KEY }}
       - name: Log in to Docker Hub
-        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13'
+        if: matrix.runner != 'macos-latest' && matrix.runner != 'macos-13' && github.secret_source == 'Actions'
         uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}

.github/workflows/publish-migrations-prod.yml

@@ -21,8 +21,8 @@ jobs:
         env:
           GITHUB_REF: ${{ github.ref }}
 
-      - name: Checkout Repo
-        uses: actions/checkout@v2
+      - name: Checkout repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - name: Merging migration files
         run: cat $(ls -1) > ../migration-output.sql

.github/workflows/publish-migrations-staging.yml

@@ -16,8 +16,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v2
-
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - name: Merging migration files
         run: cat $(ls -1) > ../migration-output.sql
         working-directory: ${{ github.workspace }}/migrations/db/migrations

.github/workflows/publish-nix-pgupgrade-bin-flake-version.yml

@@ -17,8 +17,8 @@ jobs:
       postgres_versions: ${{ steps.set-versions.outputs.postgres_versions }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
-      
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
       - uses: DeterminateSystems/nix-installer-action@main
 
       - name: Set PostgreSQL versions
@@ -36,8 +36,8 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
-      
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
       - uses: DeterminateSystems/nix-installer-action@main  
 
       - name: Grab release version
@@ -88,7 +88,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - name: Grab release version
         id: process_release_version

.github/workflows/publish-nix-pgupgrade-scripts.yml

@@ -24,7 +24,7 @@ jobs:
       postgres_versions: ${{ steps.set-versions.outputs.postgres_versions }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - uses: DeterminateSystems/nix-installer-action@main
 
@@ -43,7 +43,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - uses: DeterminateSystems/nix-installer-action@main
 
@@ -94,8 +94,8 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
-      
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
+
       - uses: DeterminateSystems/nix-installer-action@main
 
       - name: Grab release version

.github/workflows/qemu-image-build.yml

@@ -23,7 +23,7 @@ jobs:
       postgres_versions: ${{ steps.set-versions.outputs.postgres_versions }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - uses: DeterminateSystems/nix-installer-action@main
 
@@ -47,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - uses: DeterminateSystems/nix-installer-action@main
 

.github/workflows/test.yml

@@ -17,7 +17,7 @@ jobs:
       postgres_versions: ${{ steps.set-versions.outputs.postgres_versions }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - name: Clear Nix cache
         run: |
@@ -49,7 +49,8 @@ jobs:
       POSTGRES_PORT: 5478
       POSTGRES_PASSWORD: password
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout Repo
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
       - name: Clear Nix cache
         run: |
           sudo rm -rf /home/runner/.cache/nix
@@ -86,4 +87,4 @@ jobs:
             echo "Detected changes in schema.sql:"
             git diff migrations/schema-${{ env.PGMAJOR }}.sql
             exit 1
-          fi
+          fi

.github/workflows/testinfra-ami-build.yml

@@ -15,7 +15,7 @@ jobs:
       postgres_versions: ${{ steps.set-versions.outputs.postgres_versions }}
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - uses: DeterminateSystems/nix-installer-action@main
 
@@ -52,7 +52,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: supabase/postgres/.github/actions/shared-checkout@HEAD
 
       - id: args
         uses: mikefarah/yq@master

docker/nix/build_nix.sh

@@ -18,11 +18,13 @@ nix build .#wal-g-2 -o wal-g-2 -L
 nix build .#wal-g-3 -o wal-g-3 -L
 
 # Copy to S3
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-2
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-3
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_15
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_orioledb_17
-nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_17
+if [[ -n "${AWS_ACCESS_KEY_ID-}" && -n "${AWS_SECRET_ACCESS_KEY-}" ]]; then
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-2
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./wal-g-3
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_15
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_orioledb_17
+    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./psql_17
+fi
 
 if [ "$SYSTEM" = "aarch64-linux" ]; then
     nix build .#postgresql_15_debug -o ./postgresql_15_debug
@@ -31,10 +33,13 @@ if [ "$SYSTEM" = "aarch64-linux" ]; then
     nix build .#postgresql_orioledb-17_src -o ./postgresql_orioledb-17_src
     nix build .#postgresql_17_debug -o ./postgresql_17_debug
     nix build .#postgresql_17_src -o ./postgresql_17_src
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_15_debug-debug
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_15_src
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_orioledb-17_debug-debug
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_orioledb-17_src
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_17_debug-debug
-    nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_17_src
+
+    if [[ -n "${AWS_ACCESS_KEY_ID-}" && -n "${AWS_SECRET_ACCESS_KEY-}" ]]; then
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_15_debug-debug
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_15_src
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_orioledb-17_debug-debug
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_orioledb-17_src
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key ./postgresql_17_debug-debug
+        nix copy --to s3://nix-postgres-artifacts?secret-key=nix-secret-key  ./postgresql_17_src
+    fi
 fi