fix: fix and restore issues with release workflows #2035

Merged
samrose merged 10 commits into develop from ami-release-regions
Feb 5, 2026

@samrose samrose commented Feb 4, 2026

Historical behavior (from git):

  • From 2022 until Nov 2025: Published to us-east-1 (via vars file)
  • Nov 13, 2025 (ab99074): Explicit -var "region=us-east-1" override added after vars file changed
  • Dec 2025 - Jan 22, 2026: Composite action with explicit us-east-1
  • Jan 27, 2026 (f77bfb9): Override lost when composite action removed

Actual AWS state:

  • 17.6.1.079 is only in ap-southeast-1 (wrong region)

Fix applied:

  • Stage 1 build: explicit -var "region=us-east-1" -var 'ami_regions=["us-east-1"]'
  • Find stage 1 AMI: REGION="us-east-1"
  • Stage 2 build: explicit -var "region=us-east-1" -var 'ami_regions=["us-east-1"]'

This restores the intended behavior for both workflow_dispatch and merge-triggered releases.

ansible/tasks/setup-supabase-internal.yml

  • Added separate download step for Vector package using get_url with 120s timeout, 3 retries, and 10s delay between attempts to fix intermittent download failures from packages.timber.io

publish-nix-pgupgrade-scripts.yml

  • Changed publish-prod condition from contains(github.ref, 'release') to startsWith(github.ref_name, 'release/') to prevent branches containing "release" in the name (like ami-release-regions) from triggering prod publishing

publish-nix-pgupgrade-bin-flake-version.yml

  • Same publish-prod condition fix as above
  • Added missing -r flag to yq command in publish-staging job (line 54) to output raw strings without quotes, fixing shell parse error with quoted version numbers

ami-release-nix.yml

  • Removed ami_regions variable from stage2 packer build command since stage2-nix-psql.pkr.hcl only defines region, not ami_regions
  • Removed branch-based versioning feature for workflow_dispatch builds (the logic that appended branch name and run_id suffix to versions for non-develop/non-release branches)

nix-build.yml

Summary by CodeRabbit

  • Chores
    • Builds and AMI releases now consistently target us-east-1 across stages.
    • Updated PostgreSQL package versions in deployment metadata.
    • CI publishing workflows always read versions from release metadata, tightened release-branch matching, and added workflow concurrency controls.
  • New Features
    • Added a platform-aware download-and-install step for the Vector logging package.
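
The publish-prod condition change described above, as an added example that is not part of the PR or the repository's code: a Python emulation of the two GitHub Actions expressions, run over branch refs to list what the old gate let through. Every branch name except ami-release-regions is a constructed sample, and the function names are hypothetical.

```python
# Added illustration: emulates two GitHub Actions expression functions so the
# old and new publish-prod gates can be compared offline.

def gha_contains(search: str, item: str) -> bool:
    """contains(search, item) on strings: case-insensitive substring test."""
    return item.lower() in search.lower()

def gha_starts_with(search: str, prefix: str) -> bool:
    """startsWith(search, prefix): case-insensitive prefix test."""
    return search.lower().startswith(prefix.lower())

def old_gate(ref: str) -> bool:
    # contains(github.ref, 'release'): github.ref is the full ref
    return gha_contains(ref, "release")

def new_gate(ref: str) -> bool:
    # startsWith(github.ref_name, 'release/'): ref_name is the short branch name
    ref_name = ref.removeprefix("refs/heads/")
    return gha_starts_with(ref_name, "release/")

def unintended_prod_publishes(refs):
    """Refs the old gate let through that the new gate rejects."""
    return [r for r in refs if old_gate(r) and not new_gate(r)]

SAMPLE_REFS = [
    "refs/heads/develop",
    "refs/heads/release/17.6",           # constructed release branch
    "refs/heads/ami-release-regions",    # branch named in this PR
    "refs/heads/fix/pre-release-notes",  # constructed
    "refs/heads/sam/release/test",       # constructed: 'release/' not at start
]

if __name__ == "__main__":
    for ref in SAMPLE_REFS:
        print(f"{ref:40} old={old_gate(ref)!s:5} new={new_gate(ref)}")
    print("blocked by the fix:", unintended_prod_publishes(SAMPLE_REFS))
```
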

@samrose samrose requested review from a team as code owners February 4, 2026 15:33

coderabbitai bot commented Feb 4, 2026

Walkthrough

.github/workflows/ami-release-nix.yml: hardcodes AWS region to "us-east-1" for stage‑1 and stage‑2 Packer builds and AMI lookups, and removes BRANCH_NAME extraction / branch‑suffix logic used to derive PG_VERSION on workflow_dispatch. ansible/vars.yml: bumps postgres_release entries — postgresorioledb-17 to "17.6.0.038-orioledb", postgres17 to "17.6.1.081", and postgres15 to "15.14.1.081". ansible/tasks/setup-supabase-internal.yml: adds a task to download a Vector .deb to /tmp/vector.deb and changes the install step to install that local file. Several GitHub Actions workflows were simplified to always compute PostgreSQL versions from ansible/vars.yml (yq/jq) and tightened publish-prod branch checks to use startsWith(github.ref_name, 'release/').

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

ci, infrastructure, ami

Suggested reviewers

  • hunleyd
  • LGUG2Z
  • Crispy1975

🚥 Pre-merge checks | ✅ 3 passed

  • Title check: ✅ Passed. The title 'fix: fix and restore issues with release workflows' clearly summarizes the main changes: fixing regressions in release workflows and restoring intended behavior for AMI publishing to us-east-1.
  • Description check: ✅ Passed. The description comprehensively documents the regression timeline, root cause, and all fixes applied across multiple files. It explains the historical behavior, actual AWS state issue, specific fixes for each file, and restoration of intended behavior.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@samrose samrose force-pushed the ami-release-regions branch from 9955df4 to 5f29470 Compare February 4, 2026 15:37
@samrose samrose changed the title fix: we needed to restore publishing on merge or wf dispatch to us-east-1 fix: fix and restore issues with release workflows Feb 4, 2026
… all postgres versions from ansible/vars.yml to ensure all versions (15, 17, orioledb-17) are published.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/publish-nix-pgupgrade-scripts.yml:
- Around line 32-33: The workflow_dispatch input `postgresVersion` is now
misleading because `VERSIONS` is always read from `ansible/vars.yml` (see the
VERSIONS assignment using yq/jq); either remove or deprecate the
`workflow_dispatch.inputs.postgresVersion` input and update its description to
reflect that the action ignores manual version selection, or change the workflow
to honor that input before falling back to ansible/vars.yml. Locate the
`workflow_dispatch.inputs.postgresVersion` definition and either (A) remove it,
or (B) prepend a clear deprecation note to its description and, if desired, add
conditional logic to use `github.event.inputs.postgresVersion` only when present
and otherwise read `ansible/vars.yml` (ensure VERSIONS assignment or a wrapper
variable references that input when set).

@samrose samrose enabled auto-merge February 4, 2026 23:52
@samrose samrose added this pull request to the merge queue Feb 5, 2026
Merged via the queue into develop with commit 9f342c5 Feb 5, 2026
21 checks passed
@samrose samrose deleted the ami-release-regions branch February 5, 2026 01:44