Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wScKZ-003IPb-12 for pgsql-hackers@arkaria.postgresql.org; Thu, 28 May 2026 15:07:31 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wScKV-00CWjO-32 for pgsql-hackers@arkaria.postgresql.org; Thu, 28 May 2026 15:07:28 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wScKV-00CWjF-24 for pgsql-hackers@lists.postgresql.org; Thu, 28 May 2026 15:07:28 +0000 Received: from fhigh-b2-smtp.messagingengine.com ([202.12.124.153]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wScKU-00000001sHa-1ZP1 for pgsql-hackers@postgresql.org; Thu, 28 May 2026 15:07:28 +0000 Received: from phl-compute-05.internal (phl-compute-05.internal [10.202.2.45]) by mailfhigh.stl.internal (Postfix) with ESMTP id 3BD8B7A00C8; Thu, 28 May 2026 11:07:24 -0400 (EDT) Received: from phl-frontend-04 ([10.202.2.163]) by phl-compute-05.internal (MEProxy); Thu, 28 May 2026 11:07:24 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anarazel.de; h= cc:cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1779980843; x=1780067243; bh=vD6L88HfL5R//lgUrtELf6OQz1WJi+F4RsW6tcfiJM0=; b= AtwI4DooECJWaAq+upv83k+ciw7IDMFFEPu9xDfr1yBxJRxSyZ4rRoc7yFHO7fJY Xa2UvDM3uX8n2mMKcwbw7MJblMvS85CwaMVpXkKNankbp2ZEnLb5LfwlUGkrorX/ oXTMxqFYLT59UQ8GmeVPEzgQX+UPbOGBtZ92ITse8FUlpuIgoLcU330QbPeDd44q hEWxyqwUEc88q1qjY2MSxjY3aCsVZo47j+W8MPiPOKlKvtmMSsERed0U/uZLUx7s ngkc1Khf0kTAx8I2DPHBTCquU3HfmMqogZqHY8iB89Ci5UPhxqaYPUPYDn8QREEe 4o4GL0BGSJec2vNnOmsQDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1779980843; x= 1780067243; bh=vD6L88HfL5R//lgUrtELf6OQz1WJi+F4RsW6tcfiJM0=; b=c CoZTm+OjT6XYEkHrol9UFXQtrTcfvJjvG4rJl5j/O9lZg22bkAvX0089eNeCTQ58 MMQld/DZXmfzciHUgxAaTfKXvqyuCsq1NNGlfE9Jh50m85miZigqFdEOkLqMOTMO pVenr5Twt7AfJXOWYv3v322N/k9+LDGU8FaLCC24Vpo+j31+N/Gb9f0Nf2+8DOx8 p/fZYOk5Xn9ADuNO0x3cscRtDjS8INPXxW2efdWfvQU9W3ZuWTxs5JJBBDI6X9rF 05coVSFc4wnJcFii3NKwFl0TdLU48NlfUAbKCaRov7UaCFc7wffRwUxlrK2R6ycD NIuV3WlzyhX78JDlCzH2Q== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: dmFkZTEgm4xH1InbUxeLwJjyUvIyvCmnmJNemunhZBaRY8e1chm0kdHeOFRk/oCbJjvnBE hTrWma8LQo4bC0snv+iNL9ZA/yrnTiTgFiAKuC49qEmWsHoqgpN4N/4wD+taPuCv1rI6sK Ve+AqpNwNq3wPByhZbksghWdwSVcgjw8+k+a+TCuhvAAUNRdD5tsFbU5abJjxuNQG1yK1r lYJBTtQN3d5uzycjnxb2wLBkx7okVReqYFTnQ5Fiqa+TH3ds0wXBFOspgIZFdyoIwKsMhH 4E34kbQt9pwDdzj2TsG+ZjP8EP68HdxRewsdHkyhB0SWQJIL4CoWJ54Nc1VXZ7pj3xA5Mv d9XxAHjnH5pwO+lEzEKO/yAr6yfQhaL+tNvGFlyaAlYHtAiWDY5mhgOJV/qERrYD1HWzmI yEufj5d/vO+bQEDWgYQwkszbjSdRZDtnVHvlKTUBdYlmXw2c1kctZFQVxWMhRfWSgEEhhI Wk55Krmrb9M29gDz/2nlCV4OF5qeky4pCghc7geVKxLE32xDzGmTp1V9C1abfSKxeOHrqE oLj0JEwrARsEMHH/37/OpTvfBDurnGIPLfo4fqHJGolL76jw/zLVDBW/WeZqcY3giFrhhf 2TmjrSiatDGtLCijjv4iXNVb0J2sG/uSWZRFRTnIWd5d2PVi3SfGciHxI+tQ X-ME-Proxy: Feedback-ID: id4a34324:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 28 May 2026 11:07:23 -0400 (EDT) Date: Thu, 28 May 2026 11:07:22 -0400 From: Andres Freund To: Jacob Champion Cc: Nazir Bilal Yavuz , Jelte Fennema-Nio , Thomas Munro , pgsql-hackers@postgresql.org Subject: Re: Heads Up: cirrus-ci is shutting down June 1st Message-ID: References: <3ydjipcr7kbss57nvi67noplncqhesl5eyb6wgol4ccjxynspv@yatlykpribmm> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi, On 2026-05-27 15:15:46 -0700, Jacob Champion wrote: > On Wed, May 27, 2026 at 11:10 AM Andres Freund wrote: > > > +# Default to the minimum privilege the jobs need (just reading the repo > > > +# contents during checkout). Individual jobs override this when they need > > > +# more, e.g. `cancel-previous` needs `actions: write` to cancel runs. > > > +permissions: > > > + contents: read > > > > I'm not sure I like that we ever need more than that. I'd expect that > > postgresql-cfbot will explicitly disable write permissions for runs. > > +1, and +1 for getting rid of the custom cancel, for that reason. > > - Do we need to defend our downstream forks from this workflow? (We > have 5,700 of them, apparently.) I don't see why. I think it's good if they run CI. Having forks not run CI by default would imo take one of the main advantages of using github actions away. > - Do the pginfra folks who own the repo need to lock down all the > Actions settings before we ship this? (On my fork, at least, the > default settings were horrifically permissive.) Yes, they are too permissive by default, including on postgres/postgres. I think postgres/postgres isn't *that* threatened, but we should make things are shored up anyway. Where it's really crucial is the postgresql-cfbot repo. Greetings, Andres Freund