[SCM] PostGIS branch master updated. 3.6.0rc2-163-g5faa572a7

git at osgeo.org git at osgeo.org
Wed Oct 29 16:16:50 PDT 2025 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "PostGIS".

The branch, master has been updated
       via  5faa572a734cce40195709a14db60301c1bf5a0c (commit)
      from  be84ae80b1539e6b05a28911d765d83058ba03fe (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5faa572a734cce40195709a14db60301c1bf5a0c
Author: Darafei Praliaskouski <me at komzpa.net>
Date:   Thu Oct 30 03:16:32 2025 +0400

    [doc] Document POSTGIS_REGRESS_DB_OWNER for sandboxed regression roles
    
    Closes #5950

diff --git a/NEWS b/NEWS
index 29083c77d..5ba9497a8 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ xxxx/xx/xx
  - #5992, Optimize GiST index for repeated edge subdivision in topology (Darafei Praliaskouski)
  - #5702, Allow the compiler to detect the parallelism -flto=auto (Darafei Praliaskouski)
  - #4798, ST_AsGeoJSON warns about duplicate property keys (Darafei Praliaskouski)
+ - #5950, Document POSTGIS_REGRESS_DB_OWNER for sandboxed regression roles (Darafei Praliaskouski)
 
 * Bug Fixes *
 
diff --git a/doc/developer.md b/doc/developer.md
index 95da8837f..550f90490 100644
--- a/doc/developer.md
+++ b/doc/developer.md
@@ -275,6 +275,27 @@ with lib xxx or higher. Also the function has to be available in the C lib, as s
 on the C lib side and very rarely on the sql files.
 
 
+Regression harness privileges
+=============================
+
+Continuous integration workers are frequently configured with sandboxed PostgreSQL roles
+that cannot create databases or install extensions. The regression harness accepts two
+environment variables to test the complete installation flow without granting superuser
+rights to the calling account:
+
+* `POSTGIS_REGRESS_DB_OWNER` – instructs `regress/run_test.pl` to hand ownership of the
+  temporary regression database to a privileged role while the less privileged caller
+  maintains the session. This mirrors production setups where database creation is
+  delegated to controlled roles.
+* `POSTGIS_REGRESS_ROLE_EXT_CREATOR` – optional override when the extension creation role
+  is distinct from the database owner.
+
+When both roles are configured in PostgreSQL to create the PostGIS extensions, the test
+suite exercises the same upgrade and `CREATE EXTENSION` pathways as a superuser-driven
+run. This avoids the traps described in <https://trac.osgeo.org/postgis/ticket/5212>
+while keeping the CI account unprivileged.
+
+
 
 
 
diff --git a/doc/installation.xml b/doc/installation.xml
index e7ff09792..de6ec932c 100644
--- a/doc/installation.xml
+++ b/doc/installation.xml
@@ -758,23 +758,41 @@ CREATE EXTENSION postgis_tiger_geocoder FROM unpackaged;
 		</para>
 	  </note>
 
-	  <caution>
-		<para>
-		  Currently, the <command>make check</command> relies on the
-		  <code>PATH</code> and <code>PGPORT</code> environment variables when
-		  performing the checks - it does <emphasis>not</emphasis> use the
-		  PostgreSQL version that may have been specified using the
-		  configuration parameter <command>--with-pgconfig</command>. So make
-		  sure to modify your PATH to match the detected PostgreSQL installation
-		  during configuration or be prepared to deal with the impending
-		  headaches.
-		</para>
-	  </caution>
+          <caution>
+                <para>
+                  Currently, the <command>make check</command> relies on the
+                  <code>PATH</code> and <code>PGPORT</code> environment variables when
+                  performing the checks - it does <emphasis>not</emphasis> use the
+                  PostgreSQL version that may have been specified using the
+                  configuration parameter <command>--with-pgconfig</command>. So make
+                  sure to modify your PATH to match the detected PostgreSQL installation
+                  during configuration or be prepared to deal with the impending
+                  headaches.
+                </para>
+          </caution>
 
-	  <para>
-		If successful, make check will produce the output of almost 500 tests.  The results will look similar to the
-		following (numerous lines omitted below):
-	  </para>
+          <note>
+                <para>
+                  Sandboxed build accounts that are not PostgreSQL superusers can
+                  delegate database ownership during the regression cycle by exporting
+                  <varname>POSTGIS_REGRESS_DB_OWNER</varname>. The harness will create
+                  the temporary regression database owned by the nominated role while
+                  continuing to connect using the less privileged account. Combine this
+                  with <varname>POSTGIS_REGRESS_ROLE_EXT_CREATOR</varname> when the
+                  extension creation role must differ from the database owner.
+                </para>
+                <para>
+                  These variables allow automated environments to exercise the full
+                  upgrade and extension install paths without promoting the calling
+                  account to superuser, provided the target PostgreSQL instance permits
+                  extension installation by those delegate roles.
+                </para>
+          </note>
+
+          <para>
+                If successful, make check will produce the output of almost 500 tests.  The results will look similar to the
+                following (numerous lines omitted below):
+          </para>
 
 	  <programlisting>
 
diff --git a/regress/README b/regress/README
index 7e29fd909..afff17c6d 100644
--- a/regress/README
+++ b/regress/README
@@ -39,5 +39,12 @@ Notes about running individual regression tests
 The script run_test.pl can be called directly to run individual
 regression tests. Run it without parameters for info about its usage.
 
+When the account invoking the harness lacks database ownership or extension
+creation privileges, export `POSTGIS_REGRESS_DB_OWNER` to nominate a role that
+will own the temporary regression database. If extension installation must be
+delegated further, set `POSTGIS_REGRESS_ROLE_EXT_CREATOR`. These variables allow
+tests to succeed from sandboxed environments without elevating the calling
+account.
+
 Note that tests run in a staged install which is created by running
 make staged-install. This step is a part of the complete make check.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                 |  1 +
 doc/developer.md     | 21 +++++++++++++++++++++
 doc/installation.xml | 52 +++++++++++++++++++++++++++++++++++-----------------
 regress/README       |  7 +++++++
 4 files changed, 64 insertions(+), 17 deletions(-)


hooks/post-receive
-- 
PostGIS

More information about the postgis-tickets mailing list