From f0409e549dcdde5460ae4df105a56784a79b9ac3 Mon Sep 17 00:00:00 2001
From: Christoph Berg <myon@debian.org>
Date: Fri, 22 Mar 2024 15:01:36 +0100
Subject: [PATCH 1/4] Limit architectures to those that have sbcl available and
 working thread support (notably, this excludes armel and armhf).

---
 debian/changelog | 7 +++++++
 debian/control   | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 5b631f6..ba93b10 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pgloader (3.6.10-2) unstable; urgency=medium
+
+  * Limit architectures to those that have sbcl available and working thread
+    support (notably, this excludes armel and armhf).
+
+ -- Christoph Berg <myon@debian.org>  Fri, 22 Mar 2024 14:59:27 +0100
+
 pgloader (3.6.10-1) unstable; urgency=medium
 
   * New upstream version.
diff --git a/debian/control b/debian/control
index 9768941..3f7da2e 100644
--- a/debian/control
+++ b/debian/control
@@ -62,7 +62,7 @@ Vcs-Git: https://github.com/dimitri/pgloader.git
 Vcs-Browser: https://github.com/dimitri/pgloader
 
 Package: pgloader
-Architecture: any
+Architecture: amd64 arm64 i386 ppc64el powerpc ppc64
 Depends:
  freetds-dev,
  ${misc:Depends},

From 44f04aff78f642cef48889225d17e6b84a135329 Mon Sep 17 00:00:00 2001
From: Christoph Berg <myon@debian.org>
Date: Tue, 11 Jun 2024 16:59:21 +0000
Subject: [PATCH 2/4] Bump pgloader minor version and add checks

The version number in `pgloader --version` was missed in the last few
releases.
---
 debian/rules    | 3 +++
 src/params.lisp | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 37f902e..d2089c9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -18,6 +18,8 @@ MAKEFILE_VERSION = $(shell awk '/^VERSION/ { print $$3 }' Makefile)
 DOC_VERSION = $(shell awk '/^release/ { print $$3 }' docs/conf.py | tr -d "'")
 SPECFILE_VERSION = $(shell awk '/^Version/ { print $$2 }' pgloader.spec)
 DEBIAN_VERSION = $(shell dpkg-parsechangelog -SVersion | cut -d- -f 1)
+PGLOADER_MAJOR_VERSION = $(shell awk '/^.defparameter .major-version/ { print $$3 }' src/params.lisp | grep -Eo '[0-9.]+')
+PGLOADER_MINOR_VERSION = $(shell awk '/^.defparameter .minor-version/ { print $$3 }' src/params.lisp | grep -Eo '[0-9.]+')
 
 # buildd provides a build environment where $HOME is not writable, but the
 # CL compilers here will need to fill-in a per-user cache
@@ -30,6 +32,7 @@ override_dh_auto_clean:
 	[ "$(MAKEFILE_VERSION)" = "$(DOC_VERSION)" ] # Makefile = docs/conf.py version
 	[ "$(MAKEFILE_VERSION)" = "$(SPECFILE_VERSION)" ] # Makefile = pgloader.spec version
 	[ "$(MAKEFILE_VERSION)" = "$(DEBIAN_VERSION)" ] # Makefile = debian/changelog version
+	[ "$(MAKEFILE_VERSION)" = "$(PGLOADER_MAJOR_VERSION).$(PGLOADER_MINOR_VERSION)" ] # Makefile = src/params.lisp version
 
 override_dh_auto_build-indep:
 	# do nothing
diff --git a/src/params.lisp b/src/params.lisp
index 4f8ddaa..eeaef9f 100644
--- a/src/params.lisp
+++ b/src/params.lisp
@@ -44,7 +44,7 @@
   "non-nil when this build is a release build.")
 
 (defparameter *major-version* "3.6")
-(defparameter *minor-version* "7")
+(defparameter *minor-version* "10")
 
 (defun git-hash ()
   "Return the current abbreviated git hash of the development tree."

From edc1a4fde960081c81f50c13dfb8a75b536ee94c Mon Sep 17 00:00:00 2001
From: Arunprasad Rajkumar <ar.arunprasad@gmail.com>
Date: Wed, 18 Sep 2024 15:07:57 +0530
Subject: [PATCH 3/4] Install CA certificates on docker image (#1612)

Currently, we install ca-certificates package only on the builder, not
on the docker image which is distributed to the user. Without CA
certificates, we see errors like below,
```
2024-09-18T05:30:46.112001Z ERROR Connecting to PostgreSQL <host name>: SSL verify error: 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
DB-CONNECTION-ERROR: Failed to connect to pgsql at "<host name>" (port 30025) as user "tsdbadmin": SSL verify error: 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
An unhandled error condition has been signalled:
   Failed to connect to pgsql at "<host name>" (port 30025) as user "tsdbadmin": SSL verify error: 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
```

Signed-off-by: Arunprasad Rajkumar <ar.arunprasad@gmail.com>
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 1d0117a..3c34f0a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,6 +34,7 @@ FROM debian:bookworm-slim
 
   RUN apt-get update \
       && apt-get install -y --no-install-recommends \
+        ca-certificates \
         curl \
         freetds-dev \
         gawk \
@@ -42,6 +43,7 @@ FROM debian:bookworm-slim
         make \
         sbcl \
         unzip \
+      && update-ca-certificates \
       && rm -rf /var/lib/apt/lists/*
 
   COPY --from=builder /opt/src/pgloader/build/bin/pgloader /usr/local/bin

From 70f355767018cc1d2770948563100b328fcc3f26 Mon Sep 17 00:00:00 2001
From: Arunprasad Rajkumar <ar.arunprasad@gmail.com>
Date: Wed, 18 Sep 2024 17:56:47 +0530
Subject: [PATCH 4/4] Use latest cosign action to fix signing issue on docker
 publish (#1613)

Signed-off-by: Arunprasad Rajkumar <ar.arunprasad@gmail.com>
---
 .github/workflows/docker-publish.yml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 2d37c23..eb8df72 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -36,13 +36,15 @@ jobs:
         uses: actions/checkout@v2
         
 
-      # Install the cosign tool except on PR
+      # Install the cosign tool (not used on PR, still installed)
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v1.4.1
+        uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.4.1'
+          cosign-release: 'v2.2.3'
+
+      - name: Check cosign version
+        run: cosign version
 
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
@@ -88,8 +90,11 @@ jobs:
       # https://github.com/sigstore/cosign
       - name: Sign the published Docker image
         if: ${{ github.event_name != 'pull_request' }}
-        env:
-          COSIGN_EXPERIMENTAL: "true"
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }}
+        run: cosign sign --yes ${TAGS}
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          # should use @${{ steps.build-and-push.outputs.digest }}
+          # but that leads to "entity not found in registry"
+          COSIGN_EXPERIMENTAL: "true"