PostgreSQL MCP Server

name: Build and Push Docker Images on: # Only run after lint-and-test completes successfully workflow_run: workflows: ["Lint and Test"] types: [completed] branches: [master] env: REGISTRY: docker.io IMAGE_NAME: writenotenow/postgres-mcp permissions: contents: read packages: write security-events: write pull-requests: write id-token: write attestations: write jobs: # Security scan BEFORE any images are pushed # This ensures no vulnerable images reach Docker Hub security-scan: if: github.event.workflow_run.conclusion == 'success' runs-on: ubuntu-latest permissions: contents: read security-events: write steps: - name: Checkout repository uses: actions/checkout@v6 with: ref: ${{ github.event.workflow_run.head_sha }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build image for scanning (local only) uses: docker/build-push-action@v6 with: context: . file: Dockerfile platforms: linux/amd64 push: false load: true tags: local-scan:latest cache-from: type=gha,scope=linux/amd64 cache-to: type=gha,scope=linux/amd64,mode=max - name: Docker Scout security scan timeout-minutes: 10 env: DOCKER_SCOUT_HUB_USER: ${{ secrets.DOCKER_USERNAME }} DOCKER_SCOUT_HUB_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} run: | curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- docker images local-scan:latest echo "🔍 Running Docker Scout security scan for local-scan:latest" echo "⏱️ Running Docker Scout scan for FIXABLE vulnerabilities..." # Use --only-fixed to find CVEs that HAVE fixes available # This ensures we block on things we CAN fix while allowing unfixable upstream CVEs if timeout 480 docker scout cves local-scan:latest --only-fixed --only-severity critical,high > scout_fixable.txt 2>&1; then echo "📊 Scan completed" # Check if any fixable critical/high CVEs were found if grep -qE "(CRITICAL|HIGH)" scout_fixable.txt 2>/dev/null; then echo "❌ Fixable CRITICAL/HIGH CVEs detected - blocking deploy" cat scout_fixable.txt echo "" echo "🚨 Deploy blocked: These vulnerabilities have available fixes." echo " Update dependencies or Dockerfile to resolve." exit 1 else echo "✅ No fixable critical/high CVEs found" fi else exit_code=$? if [ $exit_code -eq 2 ]; then # Exit code 2 means vulnerabilities found echo "❌ Fixable CVEs detected by Docker Scout" cat scout_fixable.txt exit 1 elif [ $exit_code -eq 124 ]; then echo "⚠️ Docker Scout scan timed out" echo "🔄 Continuing build - scan timeout is not a security failure" else echo "⚠️ Docker Scout scan failed with exit code $exit_code" echo "🔄 Continuing build - will rely on Trivy for security validation" fi fi echo "✅ Security gate passed - images will now be built and pushed" # Build each platform on native architecture (only runs if security scan passes) build-platform: needs: [security-scan] if: always() && needs.security-scan.result == 'success' && github.event_name != 'pull_request' strategy: fail-fast: false matrix: include: - platform: linux/amd64 runner: ubuntu-latest - platform: linux/arm64 runner: ubuntu-24.04-arm runs-on: ${{ matrix.runner }} permissions: contents: read packages: write id-token: write attestations: write outputs: version: ${{ steps.version.outputs.version }} steps: - name: Checkout repository uses: actions/checkout@v6 with: ref: ${{ github.event.workflow_run.head_sha }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to Docker Hub uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Read version from package.json id: version run: | VERSION=$(grep -oP '"version":\s*"\K[0-9.]+' package.json | head -1) if [ -z "$VERSION" ]; then VERSION="1.0.0" fi echo "version=$VERSION" >> $GITHUB_OUTPUT echo "Detected version: $VERSION" - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} flavor: | latest=false suffix=-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} tags: | type=sha,prefix=sha-,format=short - name: Build and push platform image id: build uses: docker/build-push-action@v6 with: context: . file: Dockerfile platforms: ${{ matrix.platform }} push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha,scope=${{ matrix.platform }} cache-to: type=gha,scope=${{ matrix.platform }},mode=max provenance: mode=max sbom: true - name: Export digest run: | mkdir -p /tmp/digests digest="${{ steps.build.outputs.digest }}" touch "/tmp/digests/${digest#sha256:}" - name: Upload digest uses: actions/upload-artifact@v6 with: name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} path: /tmp/digests/* if-no-files-found: error retention-days: 1 # Merge platform images into multi-arch manifest merge-and-push: runs-on: ubuntu-latest needs: [build-platform] if: always() && needs.build-platform.result == 'success' && github.event_name != 'pull_request' permissions: contents: read packages: write id-token: write attestations: write deployments: write environment: name: ${{ github.ref == 'refs/heads/master' && 'production' || '' }} url: https://hub.docker.com/r/writenotenow/postgres-mcp steps: - name: Checkout repository uses: actions/checkout@v6 with: ref: ${{ github.event.workflow_run.head_sha }} - name: Download digests uses: actions/download-artifact@v7 with: path: /tmp/digests pattern: digests-* merge-multiple: true - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to Docker Hub uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Read version id: version run: | VERSION=$(grep -oP '"version":\s*"\K[0-9.]+' package.json | head -1) if [ -z "$VERSION" ]; then VERSION="1.0.0" fi echo "version=$VERSION" >> $GITHUB_OUTPUT - name: Extract metadata for manifest id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} flavor: | latest=false tags: | type=raw,value=v${{ steps.version.outputs.version }},enable=${{ github.event.workflow_run.head_branch == 'master' }} type=raw,value=latest,enable=${{ github.event.workflow_run.head_branch == 'master' }} type=sha,prefix=sha-,format=short - name: Create and push manifest working-directory: /tmp/digests run: | docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *) - name: Inspect manifest run: | docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} # Update Docker Hub description - name: Update Docker Hub Description if: github.ref == 'refs/heads/master' uses: peter-evans/dockerhub-description@v5 continue-on-error: true timeout-minutes: 5 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} repository: ${{ env.IMAGE_NAME }} readme-filepath: ./DOCKER_README.md short-description: "MCP Server with 203 tools, connection pooling, HTTP/SSE, OAuth 2.1, Code Mode, & tool filtering." - name: Deployment Summary if: github.ref == 'refs/heads/master' run: | echo "✅ Successfully published Docker images to production" echo "🐳 Registry: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" echo "🏷️ Tags: ${{ steps.meta.outputs.tags }}" echo "📝 Commit: ${{ github.sha }}" echo "👤 Published by: ${{ github.actor }}"