Open
Conversation
- Add LICENSE file (IDPLv1, matching upstream Firebird) - Clean up .github/FUNDING.yml (keep only custom donation link) - Update .gitignore (ignore tmp/, generated/, logs) - Add AGENTS.md (AI agent guidelines) - PSFirebird v1.0.0 from PSGallery added as dependency (in CI steps)
Dockerfile:
- Replace 4 per-distro templates with single parameterized Dockerfile.template
- Use {{VAR}} placeholders instead of <% %> ExpandString syntax
- Use dpkg --print-architecture for runtime arch detection (no ARCH_ARM64 hack)
- Use dpkg-architecture for multi-arch libtommath symlink (fixes B6)
- Fix chmod 644 -> 755 on data directory (fixes B5)
- Add tini as PID 1 init for proper signal handling
- Add STOPSIGNAL SIGTERM for clean Firebird shutdown
- OCI labels now passed dynamically at build time (fixes I8)
Entrypoint:
- Fix SQL injection: escape single quotes in passwords/usernames (fixes S1)
- Fix %s format placeholders in error messages (fixes S2)
- Fix .bashrc overwrite: use /opt/firebird/.firebird_env with append (fixes B9)
- Fix unquoted array in process_sql (fixes B8)
- Fix init_db glob with compgen guard (fixes I5)
- Fix UUOC: use redirection instead of cat pipe (fixes SI3)
Build script:
- Replace Expand-Template (ExpandString) with safe {{VAR}} string replacement
- Rewrite Update-Assets to use PSFirebird Find-FirebirdRelease (PSGallery v1.0.0+)
- Rewrite Prepare task: single Dockerfile.template with distro config from assets.json
- Remove per-image image.build.ps1.template (centralized build/test/publish)
- Fix Publish task to use FilteredAssets (was unfiltered)
- Build and test only host architecture locally (CI handles cross-arch)
- Use UTF-8 encoding consistently
assets.json:
- Add config section: distros (baseImage, icuPackage, extraPackages), blockedVariants
- Normalize releases to uniform {amd64: {}, arm64?: {}} objects
- Remove generated/ from git tracking (now fully gitignored)
- Extract shared functions to src/functions.ps1 (sourced by build script and tests)
- Implement deterministic Get-ImageTags with full tag hierarchy:
{version}-{distro}, {major}-{distro}, {distro}, {version}, {major}, latest
- Add -bookworm suffix tags (fixes upstream Issue FirebirdSQL#34)
- Add Pester unit tests for tag generation (6 test cases)
- Remove duplicated function definitions from build script
ci.yaml: - Add workflow_dispatch inputs for version-filter and distro-filter - Forks: build only latest version + default distro (fast feedback) - Official repo: build full matrix - Install PSFirebird as dependency - Remove QEMU setup (no cross-arch builds locally) - Add tag unit tests step (Pester) publish.yaml: - Install PSFirebird as dependency - Remove QEMU setup (native builds only) - Add tag unit tests step - Remove log upload (generated/ is gitignored)
- Add Build-Snapshot task using PSFirebird Find-FirebirdSnapshotRelease - Supports branches: master (FB6), v5.0-release, v4.0 - Tags: 6-snapshot, 5-snapshot, 4-snapshot - Add snapshot.yaml workflow (daily schedule + manual dispatch) - Add -Branch parameter to build script
- FIREBIRD_ROOT_PASSWORD_with_special_characters: SQL injection resistance (single quotes) - FIREBIRD_USER_PASSWORD_with_special_characters: user passwords with quotes - Graceful_shutdown_via_SIGTERM: verify clean shutdown on SIGTERM - Tini_is_PID_1: verify tini is running as PID 1 All 20 tests pass.
- Create DECISIONS.md with 11 architecture decisions and rationale - Regenerate README.md from template (with full tag table)
- Wait-Port: use $ContainerName and $Port params instead of hardcoded $cId/3050 - Use-Container: remove Start-Sleep before Wait-Port (let polling handle warmup) - Fixes tasks 6.1 and 6.2 from V2 plan
- ci.yaml: matrix strategy with amd64 (ubuntu-latest) + arm64 (ubuntu-24.04-arm) - ci.yaml: forks skip arm64 to save CI minutes; official repo runs both - ci.yaml: scope determination moved to separate job for matrix reuse - publish.yaml: split into build-and-test (per-arch) + create-manifests jobs - publish.yaml: Publish-Arch pushes arch-specific images, Publish-Manifests creates OCI manifests - snapshot.yaml: add arm64 matrix dimension - All workflows: add FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 env - Build script: add Publish-Arch and Publish-Manifests tasks - Completes tasks 4.2 and 4.3
- Snapshot images section with tag table and usage warning - Architecture availability section (arm64 for FB5+ only) - Regenerated README.md from template - Completes task 5.5
…ion test - FIREBIRD_ROOT_PASSWORD_FILE: loads SYSDBA password from file - FIREBIRD_PASSWORD_FILE: loads user password from file - Mutual exclusion: setting both _FILE and env var fails with clear error - Tag correctness: verifies OCI version label matches semver pattern - All 24 tests pass - Completes tasks 6.6, 6.8, 6.11 (ARM64 smoke via task 4.3)
- Prerequisites, quick start, project structure overview - Key rules for contributors - Instructions for following new Firebird releases - Completes task 7.2
… deprecated environment variable
- Build script: add $Registry parameter (default: 'firebirdsql') Override with 'ghcr.io/<owner>' to publish to GitHub Packages - All tasks (Build, Test, Publish-Arch, Publish-Manifests, Publish, Build-Snapshot) use $script:imagePrefix from the parameter - New workflow: publish-fork.yaml - workflow_dispatch only (manual trigger, no push events) - Uses built-in GITHUB_TOKEN — no extra secrets needed - Defaults to latest version + default distro (bookworm) for fast testing - Optional: include-arm64, include-snapshots inputs - Builds, tests, pushes to ghcr.io/<owner>/firebird - Creates multi-arch manifests when both arches are built - Job summary with ready-to-use pull commands
publish-fork.yaml: - amd64-only (default): Publish-Direct pushes final image name directly (ghcr.io/owner/firebird) — produces exactly ONE package, no staging - multi-arch (include-arm64=true): Publish-Arch + create-manifests as before (staging packages firebird-amd64/-arm64 exist as necessary side effect) - Workflow summary moved to build-and-push job for amd64-only case - create-manifests job skipped entirely when include-arm64=false firebird-docker.build.ps1: - Add Publish-Direct task: retags -arch staging images to final name, pushes only the final image (no staging in registry) CONTRIBUTING.md: - Full developer documentation: Building, Testing, Maintenance, Release process - Added -Registry parameter documentation for fork builds - Added tag unit tests section - Updated Project Structure and Key Rules src/README.md.template / README.md: - Removed 'Development notes' section (moved to CONTRIBUTING.md) - README is now end-user only
…n to v4 Publish-Arch / Publish-Manifests / Publish: - Change staging image naming from 'firebird-amd64:tag' to 'firebird:tag-amd64' This keeps all images (staging + final) within the single 'firebird' package instead of creating separate 'firebird-amd64' and 'firebird-arm64' packages - amd64-only (Publish-Direct / default fork path): unchanged, pushes final name - Legacy Publish task: same staging tag convention Workflows (publish-fork.yaml, publish.yaml, snapshot.yaml): - Update docker/login-action@v3 -> @v4 (Node 24 runtime, no deprecation warnings) publish-fork.yaml summary: - Remove 'staging packages can be deleted' note (no separate packages anymore) - Remove 'make package public' note (public repos -> public packages by default)
FIREBIRD_DATABASE_PAGE_SIZE test: - Change from 4096 to 8192 as the small page size under test Firebird 6 raised the minimum page size to 8192 (4096 is rounded up silently) FIREBIRD_CONF_can_change_any_setting test: - Replace FileSystemCacheThreshold (removed in FB6) with TempCacheLimit TempCacheLimit exists in all supported versions (3, 4, 5, 6) - Also remove the duplicate DefaultDbCachePages env var in the container params Tag_correctness_via_docker_inspect test: - Accept snapshot version labels (e.g. '5-snapshot') in addition to semver Snapshot images have FIREBIRD_VERSION set to the tag name, not a semver
firebird-docker.build.ps1: - New task Test-Published: runs the full test suite against final published images (ghcr.io/<owner>/firebird:tag) — same images end users pull. Pulls each image before testing. Requires -Registry. Unlike Test (which targets local arch-specific staging images), this exercises the actual multi-arch manifest from the registry. CONTRIBUTING.md: - Document Test-Published with usage examples - Document snapshot testing via FULL_IMAGE_NAME override
This was referenced Apr 7, 2026
asfernandes
reviewed
Apr 7, 2026
Member
Author
|
Pushed a new version. But now the CI times went from ... 
to... 
What if, when working on forks, after each push, we build and test only the latest release for each major Firebird version? For example, just four images:
For the official repository, keep the current behavior unchanged (i.e., always perform a full build). |
Member
|
I did a test run with Jaybird (master) against ghcr.io/fdcastel/firebird:6-snapshot, and it seems to be working. I did have some test failures, but those were caused by tests assuming a default port (I mapped to another port) that I need to fix or exclude. |
Member
|
I've also run against ghcr.io/fdcastel/firebird:latest, and that also works fine. I have a failing test with ghcr.io/fdcastel/firebird:5-snapshot, but based on the failure, I think that is a problem in the snapshot itself. |
asfernandes
reviewed
Apr 10, 2026
asfernandes
approved these changes
Apr 10, 2026
Member
Author
Working on it. |
asfernandes
reviewed
Apr 10, 2026
Member
Author
|
All done! Changed:
|
Replace tag-suffix staging (firebird:tag-amd64/arm64) with push-by-digest using docker buildx. Multi-arch manifests are now assembled via `docker buildx imagetools create` from raw SHA256 digests passed between GitHub Actions jobs as artifacts. Changes: - Build: docker build → docker buildx build --load (all tasks) - New Push-Digests task: pushes images by digest, saves mapping to file - Publish-Manifests: reads digest files, uses imagetools create - Removed: Publish-Arch (replaced by Push-Digests) - Removed: Publish (legacy single-machine QEMU workflow) - Workflows: add setup-buildx-action, artifact upload/download - D-012 added to DECISIONS.md
Member
Author
|
Switched the multi-arch assembly to use What changed:
Result: zero staging tags or staging repos in the registry. The only tags in What changedReplaced the tag-suffix staging approach ( Before (tag-suffix staging)Problem: staging tags ( After (digest-based, zero visible staging)Result: only user-facing tags ( Technical detailsPush-Digests
Publish-Manifests
Build
What's unchanged
|
- Remove /generated/ from .gitignore so Dockerfiles are tracked in git
- Add {{IMAGE_FULL_NAME}} template variable to README.md.template so
the table header reflects the actual registry (fork vs upstream)
- Update-Readme now substitutes {{IMAGE_FULL_NAME}} from $imagePrefix
- Add update-repo job to publish-fork.yaml and publish.yaml: after every
successful publish, Prepare + Update-Readme run and changes are
committed back with [skip ci] — preventing broken Dockerfile links
Member
Author
|
Just pushed some changes to ensure that the Changes: The
Upstream compatibility:
The GitHub page at https://github.com/fdcastel/firebird-docker-fork/tree/feature/v2 now properly points each |
In PowerShell 7, [ordered]@{} is System.Collections.Specialized.OrderedDictionary,
which exposes Contains(key) but not ContainsKey(). The Push-Digests task
(multi-arch path) failed on the first include-arm64 dispatch with:
"Method invocation failed because [System.Collections.Specialized.OrderedDictionary]
does not contain a method named 'ContainsKey'."
The amd64-only path via Publish-Direct never hit this branch, which is why the
bug lay dormant since the switch to digest-based multi-arch assembly (0bd74f9).
Member
Author
|
@asfernandes @mrotteveel I’m planning to merge this unless there are any remaining objections. It will also align with the recently released versions. |
|
@fdcastel tested OK without problems. It would be great to also have Thank you for your work! |
- Add trixie distro (debian:trixie-slim, libicu76); block FB3 on trixie (libncurses5 unavailable); switch defaultDistro to trixie so bare/major/ latest tags point at the current Debian stable - Drop `-ge 5` arm64 gate in Update-Assets; Firebird ships arm64 tarballs for all FB3 (>= 3.0.9) and FB4 releases, so all 19 versions are now multi-arch - Fix Update-Assets missing `$script:assetsData` init (Get-ValidDistros requires it); raise minimum version floor from 3.0.8 to 3.0.9 to match PSFirebird support - Regenerate assets.json, generated/ and README.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Snapshot tags like `6-snapshot` don't reveal which Debian/Ubuntu base the image was built on, making it hard to tell whether you'd be pulling bookworm, trixie, etc. Add a distro-qualified alias alongside the bare tag: `6-snapshot` AND `6-snapshot-trixie`. Also fix the stale hardcoded `$defaultDistro = 'bookworm'` in Build-Snapshot — it now reads from `$script:assetsData.config.defaultDistro`, so switching the default distro in assets.json automatically flows through to snapshots. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- snapshot.yaml: make docker buildx dependency explicit via setup-buildx-action - Publish-Manifests: validate digest JSON (existence, parseability, sha256 format, non-empty) and log a sample digest before assembly, so missing or corrupted artifacts fail fast with a clear message instead of a cryptic Docker error downstream - DECISIONS.md: document why Trixie is default (D-012) and that generated/ is tracked in git (D-014) - CONTRIBUTING.md: explain the auto-commit policy and how to opt in to the local pre-commit hook - .githooks/pre-commit: regenerate and warn when assets.json is staged but generated/ or README.md are out of sync Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…taller)
Firebird 3.x and 4.x do ship `.arm64.tar.gz` binaries on GitHub, but they
use a different internal layout from the amd64/FB5 tarballs:
FB5 arm64 → Firebird-X-linux-arm64/install.sh (installer bundle)
FB4 arm64 → firebird/AfterUntar.sh (pre-extracted tree)
FB3 arm64 → firebird/AfterUntar.sh (pre-extracted tree)
Our Dockerfile template assumes `./install.sh -silent` after a
`--strip-components=1` extract, which fails with exit 127 ("install.sh:
not found") on the FB3/FB4 arm64 bundles. Rather than teach the template
two install paths, restore the original `-ge 5` gate in Update-Assets and
regenerate — FB3/FB4 are amd64-only again, FB5 stays multi-arch.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
GitHub is forcing Node.js 24 for JavaScript actions by June 2026 and removing Node 20 in September. Bump the actions that still ran on Node 20 to their current major so we stop seeing deprecation warnings on every run: actions/upload-artifact v4 → v7 actions/download-artifact v4 → v8 docker/setup-buildx-action v3 → v4 Already current and left unchanged: actions/checkout v6 docker/login-action v4 None of the breaking-change notes between v4 and the new majors affect how we invoke these actions (we don't use download-by-ID paths, no archive:false, no deprecated buildx inputs). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Member
Author
|
@level420 New images/tags available! Enjoy 😉 If everything is good, I intend to release them tomorrow. |
This comment was marked as resolved.
This comment was marked as resolved.
Member
Never mind, PEBKAC issue, I still had it pointed to 5-snapshot and not to latest or 5. |
Per asfernandes in FirebirdSQL#38, the `.arm64.tar.gz` assets for FB3/FB4 are Android builds with a misleading filename. Linux ARM* packaging only starts at FB5. Tightens the code comment at the `-ge 5` gate in `Update-Assets` and adds a D-015 entry in DECISIONS.md so the rationale for the gate lives in the customary place (the previous code comment framed this as a fixable "packaging layout" inconsistency, which the upstream answer ruled out). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TL;DR: Test images available here.
This is a complete rewrite of the Firebird Docker build system.
Closes:
Key Changes
Security Fixes
entrypoint.sh: Passwords with single quotes no longer break or inject SQL (escape_sql_string)ExpandString(arbitrary PowerShell code execution) with safe{{VAR}}string replacement.bashrcoverwrite: Environment file written to/opt/firebird/.firebird_envinstead of clobbering user's.bashrcBug Fixes
chmod 644→chmod 755on data directory (was preventing file creation)libtommathsymlink for multi-arch (was hardcoded tox86_64-linux-gnu)process_sqlinit_dbglob that would fail when no init scripts presentWait-Port/Test-Portusing hardcoded values instead of parametersStart-Sleepbefore port pollingNew Features
ubuntu-24.04-armrunners (no QEMU)-{distro}suffix tags (e.g.,5-bookworm,5.0.3-bookworm)FirebirdSQL/snapshotspre-release builds, including Firebird 6 snapshotsSTOPSIGNAL SIGTERMfor clean Firebird shutdownworkflow_dispatchinputs for version and distro filteringghcr.ioin addition to Docker HubArchitecture
assets.jsonrestructured withconfigsection (distro settings, blocked variants)src/functions.ps1Find-FirebirdRelease,Find-FirebirdSnapshotRelease)ubuntu-latest) + arm64 (ubuntu-24.04-arm) with manifest creationCI Workflows
ci.yamlpublish.yamlpublish-fork.yamlsnapshot.yamlTest Results
_FILEvariants, mutual exclusion, tag correctness