Skip to content

feature: query performance health checks #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
randoneering wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feature: query performance health checks #26

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a5dbd8f
update readme based on new changes
randoneering Feb 28, 2026
9d64b09
Merge remote-tracking branch 'origin/main' into feature/query_checks
randoneering Mar 11, 2026
7f2fb1c
update workflows due to mismatch var
randoneering Mar 11, 2026
987ab5f
update workflows-missing engine ver in aws for 16 and 18
randoneering Mar 11, 2026
45da1ed
remove tofu workflows-too much
randoneering Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 1 addition & 7 deletions .github/CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,7 @@ This project follows the [Contributor Covenant](https://www.contributor-covenant

## Development Setup

The `testing/` directory contains OpenTofu modules for provisioning PostgreSQL instances on major cloud providers (AWS RDS, Aurora, GCP Cloud SQL, Azure). Use these to validate your changes against real managed database environments.

```bash
cd testing/<provider>
tofu init
tofu apply
```
The `testing/` directory contains integration and pgTAP coverage used to validate pgFirstAid against live PostgreSQL environments. You can run the test suite against any database you control by setting the standard PostgreSQL connection environment variables described in `testing/integration/README.md`.

## Testing Requirements

Expand Down
83 changes: 14 additions & 69 deletions .github/workflows/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,81 +1,26 @@
# Manual Cloud Deploy Workflows
# Workflow Notes

This repo uses three manual deployment workflows and one reusable validation workflow:
This repo keeps `managed-db-validate.yml` as a reusable validation workflow.

- `deploy-aws-rds.yml`
- `deploy-gcp-postgres.yml`
- `azure-postgres-opentofu.yml`
- `managed-db-validate.yml` (reusable via `workflow_call`)
`managed-db-validate.yml` installs `pgFirstAid.sql`, recreates `view_pgFirstAid_managed.sql`, and runs integration tests, including the pgTAP-backed checks in the integration harness.

Deploy workflows are run manually from the Actions tab.

AWS and GCP also support trusted PR comment triggers:

- AWS: `/deploy-aws-rds [target|command] [command]`
- GCP: `/deploy-gcp-pg [target|command] [command]`

## Deploy Inputs

AWS and GCP workflows support `target` (`pg15`-`pg18` or `all`) and `command` (`plan`, `apply`, `destroy`).

Azure workflow supports:

- `action`: `plan`, `apply`, `destroy`
- `postgres_version`: `pg15`, `pg16`, `pg17`, `pg18`
- `personal_ip`: optional (falls back to secret)

## Secrets

### AWS

- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `AWS_ALLOWED_CIDR_BLOCK`
- `AWS_DB_PASSWORD`

### GCP

- `GCP_SA_KEY`
- `DEPLOY_PERSONAL_IP_CIDR` (unless provided as workflow input)
- `GCP_DB_PASSWORD`

### Azure

- OIDC: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`
- or service principal JSON: `AZURE_CREDENTIALS`
- `AZURE_PERSONAL_IP` (unless provided as workflow input)
- `AZURE_DB_PASSWORD`

### Shared deploy controls

- `DEPLOY_TRIGGER_USER` (used by AWS/GCP manual and comment-triggered deploy checks)

## Validation Workflow

`managed-db-validate.yml` installs `pgFirstAid.sql`, recreates `view_pgFirstAid_managed.sql`, and runs integration tests (including pgTAP coverage through the integration test harness).

It supports three connection modes:
## Supported connection modes

- `direct`: caller passes `pg_host`
- `aws`: resolves host from `aws_db_identifier`
- `gcp`: resolves host from `gcp_project_id` + `gcp_instance_name`
- `gcp`: resolves host from `gcp_project_id` and `gcp_instance_name`

Current wiring:
## Required inputs and secrets

- Azure apply calls `managed-db-validate.yml` automatically after deploy.
- AWS apply calls `managed-db-validate.yml` for each selected version after deploy.
- GCP apply calls `managed-db-validate.yml` for each selected version after deploy.
Connection details depend on the selected connection mode. The reusable workflow always requires:

## Secret Handling
- `pg_user`
- `pg_database`
- `pg_password`

- DB passwords are passed to OpenTofu as `TF_VAR_db_password`.
- Password variables in the OpenTofu stacks are marked `sensitive = true`.
- Workflows use step-level environment variables and masking for secret values used in shell steps.
- Avoid printing secret values in custom debug statements.
Provider-specific auth is optional and only needed when the workflow resolves the host automatically.

## Recommended Run Order
## Secret handling

1. Run `plan`
2. Run `apply`
3. Confirm validation results
4. Run `destroy` when done with test resources
- Passwords are passed through workflow inputs and masked by GitHub Actions
- Avoid printing secret values in custom debug statements
154 changes: 0 additions & 154 deletions .github/workflows/azure-postgres-opentofu.yml
View file
Open in desktop

This file was deleted.

Loading