Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1wSMXn-0038Ox-2x
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 27 May 2026 22:16:07 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-hackers-owner+archive@lists.postgresql.org>)
	id 1wSMXl-009mjT-2K
	for pgsql-hackers@arkaria.postgresql.org;
	Wed, 27 May 2026 22:16:06 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1wSMXl-009mjK-1Q
	for pgsql-hackers@lists.postgresql.org;
	Wed, 27 May 2026 22:16:06 +0000
Received: from mail-ed1-x52c.google.com ([2a00:1450:4864:20::52c])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <jacob.champion@enterprisedb.com>)
	id 1wSMXj-000000014j8-12Ku
	for pgsql-hackers@postgresql.org;
	Wed, 27 May 2026 22:16:04 +0000
Received: by mail-ed1-x52c.google.com with SMTP id
 4fb4d7f45d1cf-6763cc8775cso21932409a12.0
        for <pgsql-hackers@postgresql.org>;
 Wed, 27 May 2026 15:16:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779920160; cv=none;
        d=google.com; s=arc-20240605;
        b=N5ohhLj1gmW4QvzCtsqP9Owjk+ahkrocpcL6J3aGPtBYhrjNm9kZ+9hKvH/S8o+Rb2
         U/pexJ+Ec/IoZWrP7NRcr6HCjpikbLAg9+ujPAy6iNuGv9K91MKtaUv6veZDOyxP4yVw
         fkZ+pxjXPb1/8O8iD+u6JJgPee93FG+GrEEz2VRE8ltxWxmE9ZjhAOr7C06HI3VySJJ/
         9H8WwoQ9cbIGw0enRo1EEW0rpkit5INPoe43R6fRSnk14EgzLTqQ4HraF0F4W9TLkBy9
         NoHgdlIm7puO6qWJ3TUBu1aUip6obWZCtMgYZ1i0vv709ifZ7zKdyBlE0bli+NYvxVTB
         hrJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=8tLdzZfds6BE+/z2jzHrrFeojzDJvCoToCit8qfdijM=;
        fh=TsG5JLtPD5hnlZ5puqB+V9bc+5NVz1eWPNudYK9X5Mo=;
        b=NmTvfZ+e7ag20aFwzDPGDch4CZR4PxM/MjRoX4x502JpLWIea870ynJdW7AlhpA3TP
         tDW7mK0GoFbZQ4igBOARB2ruZEB6y2ACamlhb1EIv42cSan/tsDoQ/JXPTMiyZNEAWKp
         TAmFUivftVeb9yeEw0cj/LfjaC5O0pePTzi5g7IyjcqaGBXtNmDYSyIjGI0WEsuh/3lK
         jadOd1yMFRPqysOPj7FkDwu9TePGxMJ0kvy//6kKxqiiOD6JuCD03hEkX1DZC8COl5Ea
         7hbdux8dUvvD/isNPSPnzojXykGm2+uELRpzF2TpMR50sm4DFG+tO4F75ihLR/NwtRRp
         P/lA==;
        darn=postgresql.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=enterprisedb.com; s=google; t=1779920160; x=1780524960;
 darn=postgresql.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=8tLdzZfds6BE+/z2jzHrrFeojzDJvCoToCit8qfdijM=;
        b=jzMf3tIirgbAfhHuN/cC/JXL4u5LJjOY/RlOHi3WmAGrfT1HFxbiHPbwx2aFq8AyG8
         LM0PvL691nxa2hHMXDWsiVRlssPkwhy+SrO1d46EjstLd9FHsjniof+WEomARI30Xf5F
         fXKKYuC2sh0FXgdbsBL++m8uDcBWMaReyBDwG6jY9CThzyjLKRk7Il95x3cyDD+PVVsj
         e/NTyP+7EU9YGKwFOP7gXyrr9mJTk1z/hWu5VijS1kqmryX31dY0p9RxSnbc6Ltu+AxE
         948ZLcQv5s24bZS1n9jOdkAZQNSo+oK/i6C9Bm5Hie8oRg6dv1KJagUSBLvBw1XtEBZN
         czbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779920160; x=1780524960;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=8tLdzZfds6BE+/z2jzHrrFeojzDJvCoToCit8qfdijM=;
        b=nOSXkMqKiioxG0ukHfiz3W5dGsje2tjfEHy4D3ZI3TrP3LwxDJisFZeODhC8Zl4nnf
         dzUqtvSifCf0kylnyxt0xaW6JNQjxiNp5S8xDgvAhQEHWLtHc2mfanqzEIWDHF/30Yod
         uAqJSIdkJjJLP5xsrV4KJx3lVsJcyolK4YR5OOcbcVlYzfxYz/KDS2mSkKAimRhocHeB
         TKdE0OsYFehT5tJxy/em+K4GU4AzJyAKsV1hXab4MS4dPJeZQhVNsXPdBRd7g7s2c1an
         QcVD2n2wAZ6fte08aGqPqTR6QaHGvjOcZ9CkY4ci99TOLGri/+RW69fm5vwthKX1MgOy
         X7wA==
X-Forwarded-Encrypted: i=1;
 AFNElJ//p3O1r7ZN9XvxCsp/THoXjPz3wrNl9w5h8TyFTzQo/JWsjhgmBhG77MhyBKX7+1NmZOHb7OIxZQ/kvzpx@postgresql.org
X-Gm-Message-State: AOJu0YzTJkJdiLx8ePpQAcxkBMvsgM0/3Tky2ZSUBp3awhciM95U/dMN
	dhi0JIpPqcjlxh5yMrk26kv5s0C4hqlwG3arn2kC+jOfUsloWAw0vfUzoYCOMFgrOgMU43dCyBf
	CaTQnZTz3Qu/B4aQ5RS/sfA0IZMCrneFKon6ULu0B
X-Gm-Gg: Acq92OFFQXtul3TnU1JKCHv0JkcqJjz63HdMue6jSUZDdwOwkI3OX/Fa8U8QBGVs2oW
	OIlq9C6hCQqWpijTHNzZYwvEz3o7U0vVJ/4i3obXayhiVpew71MeTYJuA/hjLTgGlgV40EPUv+2
	qdUTlTbiQ+1fFUdDQIyRintfFj8gL9I+39ZnVOqnPf0Km1F6tRfltJzcLVTFm1OwGuM91cBPUtm
	oLL4Ss9s0JG0T53Zv48nyqYrLkB42wut7ArqMyCkP/SZMTjZ7DX4i7aMJQ4n4HZXDRq9PmvdWL0
	2ft1H7mb/l1pxOcA8ZDH
X-Received: by 2002:a17:907:b0c:b0:bc1:c4d:cc70 with SMTP id
 a640c23a62f3a-bdd47df5a02mr1000671466b.2.1779920160500; Wed, 27 May 2026
 15:16:00 -0700 (PDT)
MIME-Version: 1.0
References: <3ydjipcr7kbss57nvi67noplncqhesl5eyb6wgol4ccjxynspv@yatlykpribmm>
 <DIM49A100EY1.2YFS2A6WAI3ZJ@jeltef.nl>
 <CAN55FZ30Np67cATsqYxF1SsP598VoRv4hJQZ4w9RA3Qe55prnQ@mail.gmail.com>
 <CAN55FZ13uX0cLSbgtSnnFeh5sTLeMr7+8UzmqpU6QjOtrRJTLg@mail.gmail.com>
 <qe4lh2i5di2gh7bxkbfisifaohrvyfukbybwxwzxdnll45hnt3@luod7i2mon67>
In-Reply-To: <qe4lh2i5di2gh7bxkbfisifaohrvyfukbybwxwzxdnll45hnt3@luod7i2mon67>
From: Jacob Champion <jacob.champion@enterprisedb.com>
Date: Wed, 27 May 2026 15:15:46 -0700
X-Gm-Features: AVHnY4JhVH3rtkDoEos4hZTo4dX5HI7blRoFk41kXuxAiJMbIBwAZZaCcLB_n_Q
Message-ID: 
 <CAOYmi+n8RRmtGUr_fZkYzX5XbGH5+Q0c1M1XMr7ytXbRs1JxJA@mail.gmail.com>
Subject: Re: Heads Up: cirrus-ci is shutting down June 1st
To: Andres Freund <andres@anarazel.de>
Cc: Nazir Bilal Yavuz <byavuz81@gmail.com>,
 Jelte Fennema-Nio <postgres@jeltef.nl>,
	Thomas Munro <thomas.munro@gmail.com>, pgsql-hackers@postgresql.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
List-Id: <pgsql-hackers.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-hackers@lists.postgresql.org>
List-Owner: <mailto:pgsql-hackers-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-hackers>
Archived-At: 
 <https://www.postgresql.org/message-id/CAOYmi%2Bn8RRmtGUr_fZkYzX5XbGH5%2BQ0c1M1XMr7ytXbRs1JxJA%40mail.gmail.com>
Precedence: bulk

On Wed, May 27, 2026 at 11:10=E2=80=AFAM Andres Freund <andres@anarazel.de>=
 wrote:
> > +# Default to the minimum privilege the jobs need (just reading the rep=
o
> > +# contents during checkout). Individual jobs override this when they n=
eed
> > +# more, e.g. `cancel-previous` needs `actions: write` to cancel runs.
> > +permissions:
> > +  contents: read
>
> I'm not sure I like that we ever need more than that. I'd expect that
> postgresql-cfbot will explicitly disable write permissions for runs.

+1, and +1 for getting rid of the custom cancel, for that reason.

- Do we need to defend our downstream forks from this workflow? (We
have 5,700 of them, apparently.)
- Do the pginfra folks who own the repo need to lock down all the
Actions settings before we ship this? (On my fork, at least, the
default settings were horrifically permissive.)

--Jacob