From: Jacob Champion
Date: Thu, 28 May 2026 08:51:09 -0700
Subject: Re: Heads Up: cirrus-ci is shutting down June 1st
To: Andres Freund
Cc: Nazir Bilal Yavuz, Jelte Fennema-Nio, Thomas Munro, pgsql-hackers@postgresql.org

On Thu, May 28, 2026 at 8:07 AM Andres Freund wrote:
> On 2026-05-27 15:15:46 -0700, Jacob Champion wrote:
> > - Do we need to defend our downstream forks from this workflow? (We
> > have 5,700 of them, apparently.)
>
> I don't see why. I think it's good if they run CI. Having forks not run CI by
> default would imo take one of the main advantages of using github actions
> away.

I was imagining a quick opt-in, like the Cirrus flow did, that fork
owners can do once they have checked their settings. (I thought we
planned to research medium-term alternatives to Actions anyway; is it
important that the entire graph starts running hundreds or thousands
of CI copies right away?)

> Yes, they are too permissive by default, including on postgres/postgres. I
> think postgres/postgres isn't *that* threatened, but we should make things are
> shored up anyway. Where it's really crucial is the postgresql-cfbot repo.

Combining with the above: I'm worried that if all of our 5.7k forks
have permissive settings, and we accidentally ship a workflow
vulnerability that doesn't affect us but does affect them, that would
not be a fun cleanup.

--Jacob