pgserve 2.6.7 → 2.6.9

package/CHANGELOG.md

@@ -14,6 +14,84 @@ All notable changes to `pgserve` are documented here. The format follows
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.6.9] - 2026-05-12
+
+**The actual final v2.x publish.** Bundles every fix needed to get
+Build Tarballs → Sign + Attest → release-publish completing end-to-end
+on the two platforms the v2.x signed-tarball pipeline supports.
+
+### Fixed
+
+- `scripts/assemble-tarball.sh` — defensive `${tar_flags[@]+...}`
+  expansion. macOS BSD tar lacks `--sort`/`--mtime`/`--owner`, so the
+  array stays empty on darwin runners; under `set -u`, expanding an
+  empty array errored as `tar_flags[@]: unbound variable` and broke
+  every darwin-* build.
+
+### Changed (matrix scope)
+
+Per Felipe directive 2026-05-12 ("just windows macos and linux, no
+Intel Mac"), the signed-tarball pipeline matrix is reduced to the
+platforms that actually have a working @embedded-postgres npm
+package + a wired-in build path:
+
+- ✅ `linux-x64-glibc` (linux)
+- ✅ `darwin-arm64` (macos — Apple Silicon)
+- ❌ `darwin-x64` — dropped (Intel Mac)
+- ❌ `linux-arm64` — never working (no upstream pkg)
+- ❌ `linux-x64-musl` — never working (no upstream pkg)
+- 🔁 `windows-x64` — continues to ship via npm (version.yml inline
+  publish); not in the signed-tarball pipeline
+
+### Consumer impact
+
+- `@withone/cli` and any other npm dependent: zero impact — npm package
+  installs the same way, optional native deps still cover windows-x64
+  + darwin-x64 + linux-x64 + darwin-arm64 via @embedded-postgres.
+- Operators expecting GH Release signed tarballs: linux-x64 + darwin-
+  arm64 only. v2.x is end-of-line for Intel Mac signed tarballs.
+
+### Cohort wrap-up
+
+This is **the** last `pgserve`-named npm publish. Subsequent
+development moves to the `autopg` package starting at v3.0.0 from the
+new `automagik-dev/autopg` repo (post org transfer).
+
+## [2.6.8] - 2026-05-12
+
+**Final v2.x maintenance release with full signed-tarball GH Release.**
+v2.6.7 closed the `autopg --version` smoke gate but Build Tarballs
+still failed on the next smoke check — `postgres --version` couldn't
+load `libicui18n.so.60`. Root cause: `fetch-postgres-bins.sh` was
+copying `native/bin` + `native/share` from the npm
+`@embedded-postgres` payload but skipping `native/lib`, AND was not
+recreating the SONAME symlinks described in `pg-symlinks.json`
+(`libicui18n.so.60 → libicui18n.so.60.2`).
+
+### Fixed
+
+- `scripts/fetch-postgres-bins.sh:stage_from_pkg` now copies
+  `native/lib/` into the staging directory + replays
+  `native/pg-symlinks.json` to recreate the 14 SONAME aliases. The
+  postgres binary's RPATH is `../lib/` (origin-relative), so all
+  bundled deps (libxml2, libssl, libcrypto, libz, libicudata,
+  libicui18n, libicuuc, libecpg, libpgtypes, libpq, …) now resolve at
+  runtime regardless of what the host system has installed.
+
+### Validated
+
+- Local reproduction: extracted tarball, ran
+  `./postgres/bin/postgres --version` →
+  `postgres (PostgreSQL) 18.3` ✅
+
+### Cohort wrap-up
+
+This is the LAST `pgserve`-named npm publish. Subsequent development
+moves to the `autopg` package starting at v3.0.0 from the new
+`automagik-dev/autopg` repo (post org transfer). Consumers like
+`@withone/cli` (`pgserve: ^2.x`) stay on npm latest indefinitely;
+v2.6.8 is the cohort's final stable polish.
+
 ## [2.6.7] - 2026-05-12
 
 **Stability-focused follow-up to v2.6.6** — closes the missing

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pgserve",
-  "version": "2.6.7",
+  "version": "2.6.9",
   "description": "Embedded PostgreSQL server with true concurrent connections - zero config, auto-provision databases",
   "main": "src/index.js",
   "type": "module",

package/scripts/assemble-tarball.sh

@@ -165,7 +165,12 @@ assemble_one() {
     tar_flags+=(--owner=0 --group=0 --numeric-owner)
   fi
 
-  tar -C "$stage" -czf "$tarball" "${tar_flags[@]}" autopg/ || return 1
+  # macOS BSD tar lacks --sort/--mtime/--owner, so tar_flags can stay
+  # empty on darwin-* runners. Under `set -u` (script-wide), expanding
+  # "${tar_flags[@]}" on an empty array errors as `tar_flags[@]: unbound
+  # variable`. The `${arr[@]+"${arr[@]}"}` pattern expands the array
+  # only when it has elements, leaving the command intact otherwise.
+  tar -C "$stage" -czf "$tarball" ${tar_flags[@]+"${tar_flags[@]}"} autopg/ || return 1
   echo "    ✓ tarball: $tarball ($(du -h "$tarball" | cut -f1))"
 
   # 4) outer SHA256 — Group 8 cosign-signs this; Group 9 publishes both.

package/scripts/fetch-postgres-bins.sh

@@ -142,6 +142,56 @@ EOF
 
   cp -R "${native}/bin"   "${out_dir}/bin"
   cp -R "${native}/share" "${out_dir}/share" 2>/dev/null || mkdir -p "${out_dir}/share"
+
+  # The postgres binary's RPATH is `../lib/` (origin-relative), so it
+  # looks for libxml2 / libssl / libcrypto / libicu* in
+  # ${out_dir}/lib at runtime. The npm payload bundles all of these
+  # under native/lib (verified: libicui18n.so.60.2, libssl.so.1.1,
+  # etc. — 25 MB of bundled deps). Without copying lib/ the tarball
+  # extracts a postgres binary that fails with
+  # `error while loading shared libraries: libicui18n.so.60: cannot
+  # open shared object file: No such file or directory` on any
+  # platform that doesn't ship libicu60 system-wide (Ubuntu >= 20.04
+  # ships libicu70/74; only 18.04 ships libicu60).
+  #
+  # The package's normal postinstall creates SONAME symlinks
+  # (libicui18n.so.60 → libicui18n.so.60.2) from pg-symlinks.json, but
+  # we install with `--ignore-scripts` (security posture), so we must
+  # replay the symlink manifest manually. Without these symlinks the
+  # binary still can't find libicui18n.so.60 because npm packs only
+  # the real `.so.60.2` files, not the SONAME aliases.
+  if [[ -d "${native}/lib" ]]; then
+    cp -R "${native}/lib" "${out_dir}/lib"
+  fi
+
+  if [[ -f "${native}/pg-symlinks.json" ]]; then
+    # Strip the `native/` prefix from `source` + `target` and recreate
+    # symlinks under out_dir using relative names. Uses node so we get
+    # robust JSON parsing without yanking jq in as a dep.
+    OUT_DIR="$out_dir" MANIFEST="${native}/pg-symlinks.json" node -e '
+      const fs = require("fs");
+      const path = require("path");
+      const out = process.env.OUT_DIR;
+      const manifest = JSON.parse(fs.readFileSync(process.env.MANIFEST, "utf8"));
+      let made = 0;
+      for (const entry of manifest) {
+        // {"source":"native/lib/libicui18n.so.60.2","target":"native/lib/libicui18n.so.60"}
+        const src = entry.source.replace(/^native\//, "");
+        const tgt = entry.target.replace(/^native\//, "");
+        const tgtPath = path.join(out, tgt);
+        const srcRel = path.basename(src);
+        try { fs.unlinkSync(tgtPath); } catch {}
+        try {
+          fs.mkdirSync(path.dirname(tgtPath), { recursive: true });
+          fs.symlinkSync(srcRel, tgtPath);
+          made++;
+        } catch (err) {
+          console.error("  symlink failed: " + tgt + " -> " + srcRel + ": " + err.message);
+        }
+      }
+      console.error("    -> created " + made + " library SONAME symlinks");
+    ' || echo "    -> warning: pg-symlinks.json processing failed (postgres may not load shared libs)"
+  fi
   popd >/dev/null
 }