ci(FS-7045): Update sonarqube-scan.yml

2026-03-23 15:16:29 +00:00 · 2024-01-30 11:23:07 -05:00
6 changed files with 88 additions and 56 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,7 +0,0 @@
-# Each line is a file pattern followed by one or more owners.
-
-# These owners will be the default owners for everything in
-# the repo. Unless a later match takes precedence,
-# @global-owner1 and @global-owner2 will be requested for
-# review when someone opens a pull request.
-*       @EnterpriseDB/repmgr-dev
--- a/.github/workflows/sonarqube-scan.yml
+++ b/.github/workflows/sonarqube-scan.yml
@@ -0,0 +1,77 @@
+###
+# Foundation-security SonarQube workflow
+# version: 2.1
+###
+name: Foundation-Security/SonarQube Scan
+
+on:
+  push:
+    tags:
+      - "**"
+    branches:
+      - "*main*"
+      - "*master*"
+      - "*STABLE*"
+  pull_request:
+    types: [opened, synchronize, reopened]
+    branches:
+      - "**"
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Branch to scan"
+        required: true
+        default: "main"
+
+jobs:
+  SonarQube-Scan:
+    name: SonarQube Scan Job
+    if: ${{ github.actor != 'dependabot[bot]' }}
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout source repository for dispatch runs
+        id: checkout-source-dispatch
+        if: github.event_name == 'workflow_dispatch'
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.repository }}
+          ref: ${{ inputs.ref }}
+          path: source
+          token: ${{ secrets.GH_SLONIK }}
+
+      - name: Checkout source repository for non-dispatch runs
+        id: checkout-source
+        if: github.event_name != 'workflow_dispatch'
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.repository }}
+          ref: ${{ github.ref }}
+          path: source
+          token: ${{ secrets.GH_SLONIK }}
+
+      - name: Checkout foundation-security repository
+        id: checkout-foundation-security
+        uses: actions/checkout@v4
+        with:
+          repository: EnterpriseDB/foundation-security
+          ref: v2
+          path: foundation-security
+          token: ${{ secrets.GH_SLONIK }}
+
+      - name: SonarQube Scan
+        id: call-sq-composite
+        uses: ./foundation-security/actions/sonarqube
+        with:
+          github-token: ${{ secrets.GH_SLONIK }}
+          github-ref: ${{ github.ref_name }}
+          sonarqube-url: ${{ vars.SQ_URL }}
+          sonarqube-token: ${{ secrets.SONARQUBE_TOKEN }}
+          project-name: ${{ github.event.repository.name }}
+          pull-request-key: ${{ github.event.number }}
+          pull-request-branch: ${{ github.head_ref }}
+          pull-request-base-branch: ${{ github.base_ref }}
+          foundation-security-sonarqube-token: ${{ secrets.FOUNDATION_SECURITY_SONARQUBE_TOKEN }}
+          cloudsmith-token: ${{ secrets.CLOUDSMITH_READ_ALL }}
--- a/dbutils.c
+++ b/dbutils.c
@@ -1913,47 +1913,15 @@ can_disable_walsender(PGconn *conn)
 	if (is_superuser_connection(conn, NULL) == true)
 		return true;

-	PQExpBufferData query;
-	PGresult   *res;
-	bool		has_alter_system_priv = false;
+	/*
+	 * As of PostgreSQL 14, it is not possible for a non-superuser
+	 * to execute ALTER SYSTEM, so further checks are superfluous.
+	 * This will need modifying for PostgreSQL 15.
+	 */
+	log_warning(_("\"standby_disconnect_on_failover\" specified, but repmgr user is not a superuser"));
+	log_detail(_("superuser permission required to disable standbys on failover"));

-	/* GRANT ALTER SYSTEM available from PostgreSQL 15 */
-	if (PQserverVersion(conn) >= 150000)
-	{
-		initPQExpBuffer(&query);
-		appendPQExpBufferStr(&query,
-						" SELECT pg_catalog.has_parameter_privilege('wal_retrieve_retry_interval', 'ALTER SYSTEM') ");
-
-		res = PQexec(conn, query.data);
-
-		if (PQresultStatus(res) != PGRES_TUPLES_OK)
-		{
-			log_db_error(conn, query.data,
-					_("can_disable_walsender(): unable to query user parameter privileges"));
-		}
-		else
-		{
-			has_alter_system_priv = atobool(PQgetvalue(res, 0, 0));
-		}
-		termPQExpBuffer(&query);
-		PQclear(res);
-	}
-
-	if (has_alter_system_priv == false)
-	{
-		log_warning(_("\"standby_disconnect_on_failover\" specified, but repmgr user is not authorized to perform ALTER SYSTEM wal_retrieve_retry_interval"));
-
-		if (PQserverVersion(conn) >= 150000)
-		{
-			log_detail(_("superuser or ALTER SYSTEM wal_retrieve_retry_interval permission required to disable standbys on failover"));
-		}
-		else
-		{
-			log_detail(_("superuser permission required to disable standbys on failover"));
-		}
-	}
-
-	return has_alter_system_priv;
+	return false;
 }

 /*
--- a/doc/configuration-permissions.xml
+++ b/doc/configuration-permissions.xml
@@ -159,10 +159,8 @@
            <simpara>
              The <command>ALTER SYSTEM</command> is executed by &repmgrd; if
              <varname>standby_disconnect_on_failover</varname> is set to <literal>true</literal> in
-              <filename>repmgr.conf</filename>. Until PostgreSQL 14 <command>ALTER SYSTEM</command> can only be executed by
+              <filename>repmgr.conf</filename>. <command>ALTER SYSTEM</command> can only be executed by
              a superuser; if the &repmgr; user is not a superuser, this functionality will not be available.
-              From PostgreSQL 15 a specific ALTER SYSTEM privilege can be granted with e.g.
-              <command>GRANT ALTER SYSTEM ON PARAMETER wal_retrieve_retry_interval TO repmgr</command>.
            </simpara>
          </listitem>
        </itemizedlist>
--- a/doc/repmgrd-automatic-failover.xml
+++ b/doc/repmgrd-automatic-failover.xml
@@ -279,9 +279,7 @@
  <note>
    <para>
      <option>standby_disconnect_on_failover</option> is available with PostgreSQL 9.5 and later.
-      Until PostgreSQL 14 this requires that the <literal>repmgr</literal> database user is a superuser.
-      From PostgreSQL 15 a specific ALTER SYSTEM privilege can be granted to the <literal>repmgr</literal> database
-      user with e.g. <command>GRANT ALTER SYSTEM ON PARAMETER wal_retrieve_retry_interval TO repmgr</command>.
+      Additionally this requires that the <literal>repmgr</literal> database user is a superuser.
    </para>
  </note>
  <para>
--- a/repmgr.conf.sample
+++ b/repmgr.conf.sample
@@ -340,9 +340,7 @@ ssh_options='-q -o ConnectTimeout=10'	# Options to append to "ssh"
 #repmgrd_exit_on_inactive_node=false	# If "true", and the node record is marked as "inactive", abort repmgrd startup
 #standby_disconnect_on_failover=false	# If "true", in a failover situation wait for all standbys to
 					# disconnect their WAL receivers before electing a new primary
-					# Can be true in PostgreSQL 9.5 and later only. Until PostgreSQL 14 repmgr user must be a superuser to use this.
-					# From PostgreSQL 15 repmgr must be a superuser or have 'ALTER SYSTEM wal_retrieve_retry_interval' privilege.
-					# (see: https://repmgr.org/docs/current/repmgrd-standby-disconnection-on-failover.html )
+					# (PostgreSQL 9.5 and later only; repmgr user must be a superuser for this)
 #sibling_nodes_disconnect_timeout=30	# If "standby_disconnect_on_failover" is true, the maximum length of time
 					#  (in seconds) to wait for other standbys to confirm they have disconnected their
 					# WAL receivers