Add missing semicolon to finalize_drop_subscriptions.sql

Signed-off-by: Tristan Partin <tristan@neon.tech>
2026-05-05 15:20:39 +00:00 · 2025-03-14 16:30:06 -05:00
206 changed files with 2779 additions and 7213 deletions
--- a/.github/scripts/generate_image_maps.py
+++ b/.github/scripts/generate_image_maps.py
@@ -49,10 +49,10 @@ target_stages = (
 for component_name, component_images in components.items():
    for stage in target_stages:
        outputs[f"{component_name}-{stage}"] = {
-            f"ghcr.io/neondatabase/{component_image}:{source_tag}": [
+            f"docker.io/neondatabase/{component_image}:{source_tag}": [
                f"{registry}/{component_image}:{tag}"
                for registry, tag in itertools.product(registries[stage], target_tags)
-                if not (registry == "ghcr.io/neondatabase" and tag == source_tag)
+                if not (registry == "docker.io/neondatabase" and tag == source_tag)
            ]
            for component_image in component_images
        }
--- a/.github/workflows/_benchmarking_preparation.yml
+++ b/.github/workflows/_benchmarking_preparation.yml
@@ -8,9 +8,6 @@ defaults:
  run:
    shell: bash -euxo pipefail {0}

-permissions:
-  contents: read
-
 jobs:
  setup-databases:
    permissions:
@@ -30,18 +27,13 @@ jobs:

    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Set up Connection String
      id: set-up-prep-connstr
      run: |
@@ -66,10 +58,10 @@ jobs:

        echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT

-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
--- a/.github/workflows/_build-and-test-locally.yml
+++ b/.github/workflows/_build-and-test-locally.yml
@@ -37,20 +37,17 @@ env:
  RUST_BACKTRACE: 1
  COPT: '-Werror'

-permissions:
-  contents: read
-
 jobs:
  build-neon:
-    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', inputs.arch == 'arm64' && 'large-arm64' || 'large')) }}
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', inputs.arch == 'arm64' && 'large-arm64' || 'large')) }}
    permissions:
      id-token: write # aws-actions/configure-aws-credentials
      contents: read
    container:
      image: ${{ inputs.build-tools-image }}
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      # Raise locked memory limit for tokio-epoll-uring.
      # On 5.10 LTS kernels < 5.10.162 (and generally mainline kernels < 5.12),
      # io_uring will account the memory of the CQ and SQ as locked.
@@ -62,12 +59,7 @@ jobs:
      BUILD_TAG: ${{ inputs.build-tag }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true

@@ -128,28 +120,28 @@ jobs:

      - name: Cache postgres v14 build
        id: cache_pg_14
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v14
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v14_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}

      - name: Cache postgres v15 build
        id: cache_pg_15
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v15
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v15_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}

      - name: Cache postgres v16 build
        id: cache_pg_16
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v16
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v16_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}

      - name: Cache postgres v17 build
        id: cache_pg_17
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v17
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v17_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}
@@ -229,7 +221,7 @@ jobs:
          fi

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: eu-central-1
          role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -326,24 +318,19 @@ jobs:
      contents: read
      statuses: write
    needs: [ build-neon ]
-    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', inputs.arch == 'arm64' && 'large-arm64' || 'large')) }}
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', inputs.arch == 'arm64' && 'large-arm64' || 'large')) }}
    container:
      image: ${{ inputs.build-tools-image }}
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      # for changed limits, see comments on `options:` earlier in this file
      options: --init --shm-size=512mb --ulimit memlock=67108864:67108864
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(format('{{"include":{0}}}', inputs.test-cfg)) }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true

--- a/.github/workflows/_check-codestyle-python.yml
+++ b/.github/workflows/_check-codestyle-python.yml
@@ -12,32 +12,20 @@ defaults:
  run:
    shell: bash -euxo pipefail {0}

-permissions:
-  contents: read
-
 jobs:
  check-codestyle-python:
    runs-on: [ self-hosted, small ]
-
-    permissions:
-      packages: read
-
    container:
      image: ${{ inputs.build-tools-image }}
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
+      - uses: actions/checkout@v4

-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+      - uses: actions/cache@v4
        with:
          path: ~/.cache/pypoetry/virtualenvs
          key: v2-${{ runner.os }}-${{ runner.arch }}-python-deps-bookworm-${{ hashFiles('poetry.lock') }}
--- a/.github/workflows/_check-codestyle-rust.yml
+++ b/.github/workflows/_check-codestyle-rust.yml
@@ -23,32 +23,24 @@ jobs:
  check-codestyle-rust:
    strategy:
      matrix:
-        arch: ${{ fromJSON(inputs.archs) }}
-    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'small-arm64' || 'small')) }}
-
-    permissions:
-      packages: read
+        arch: ${{ fromJson(inputs.archs) }}
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'small-arm64' || 'small')) }}

    container:
      image: ${{ inputs.build-tools-image }}
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

      - name: Cache cargo deps
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
--- a/.github/workflows/_create-release-pr.yml
+++ b/.github/workflows/_create-release-pr.yml
@@ -20,9 +20,6 @@ defaults:
  run:
    shell: bash -euo pipefail {0}

-permissions:
-  contents: read
-
 jobs:
  create-release-branch:
    runs-on: ubuntu-22.04
@@ -31,12 +28,7 @@ jobs:
      contents: write # for `git push`

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4
      with:
        ref: ${{ inputs.source-branch }}
        fetch-depth: 0
--- a/.github/workflows/_meta.yml
+++ b/.github/workflows/_meta.yml
@@ -9,9 +9,6 @@ on:
      build-tag:
        description: "Tag for the current workflow run"
        value: ${{ jobs.tags.outputs.build-tag }}
-      release-tag:
-        description: "Tag for the release if this is an RC PR run"
-        value: ${{ jobs.tags.outputs.release-tag }}
      previous-storage-release:
        description: "Tag of the last storage release"
        value: ${{ jobs.tags.outputs.storage }}
@@ -38,8 +35,7 @@ jobs:
  tags:
    runs-on: ubuntu-22.04
    outputs:
-      build-tag: ${{ steps.build-tag.outputs.build-tag }}
-      release-tag: ${{ steps.build-tag.outputs.release-tag }}
+      build-tag: ${{ steps.build-tag.outputs.tag }}
      compute: ${{ steps.previous-releases.outputs.compute }}
      proxy: ${{ steps.previous-releases.outputs.proxy }}
      storage: ${{ steps.previous-releases.outputs.storage }}
@@ -49,12 +45,7 @@ jobs:
      contents: read
    steps:
      # Need `fetch-depth: 0` to count the number of commits in the branch
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

@@ -88,16 +79,16 @@ jobs:
        run: |
          case $RUN_KIND in
          push-main)
-            echo "build-tag=$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
+            echo "tag=$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
            ;;
          storage-release)
-            echo "build-tag=release-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
+            echo "tag=release-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
            ;;
          proxy-release)
-            echo "build-tag=release-proxy-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
+            echo "tag=release-proxy-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
            ;;
          compute-release)
-            echo "build-tag=release-compute-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
+            echo "tag=release-compute-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
            ;;
          pr|storage-rc-pr|compute-rc-pr|proxy-rc-pr)
            BUILD_AND_TEST_RUN_ID=$(gh api --paginate \
@@ -105,21 +96,10 @@ jobs:
              -H "X-GitHub-Api-Version: 2022-11-28" \
              "/repos/${GITHUB_REPOSITORY}/actions/runs?head_sha=${CURRENT_SHA}&branch=${CURRENT_BRANCH}" \
              | jq '[.workflow_runs[] | select(.name == "Build and Test")][0].id // ("Error: No matching workflow run found." | halt_error(1))')
-            echo "build-tag=$BUILD_AND_TEST_RUN_ID" | tee -a $GITHUB_OUTPUT
-            case $RUN_KIND in
-            storage-rc-pr)
-              echo "release-tag=release-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
-              ;;
-            proxy-rc-pr)
-              echo "release-tag=release-proxy-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
-              ;;
-            compute-rc-pr)
-              echo "release-tag=release-compute-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
-              ;;
-            esac
+            echo "tag=$BUILD_AND_TEST_RUN_ID" | tee -a $GITHUB_OUTPUT
            ;;
          workflow-dispatch)
-            echo "build-tag=$GITHUB_RUN_ID" | tee -a $GITHUB_OUTPUT
+            echo "tag=$GITHUB_RUN_ID" | tee -a $GITHUB_OUTPUT
            ;;
          *)
            echo "Unexpected RUN_KIND ('${RUN_KIND}'), failing to assign build-tag!"
@@ -140,10 +120,10 @@ jobs:

      - name: Get the release PR run ID
        id: release-pr-run-id
-        if: ${{ contains(fromJSON('["storage-release", "compute-release", "proxy-release"]'), steps.run-kind.outputs.run-kind) }}
+        if: ${{ contains(fromJson('["storage-release", "compute-release", "proxy-release"]'), steps.run-kind.outputs.run-kind) }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CURRENT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
-          RELEASE_PR_RUN_ID=$(gh api "/repos/${GITHUB_REPOSITORY}/actions/runs?head_sha=$CURRENT_SHA" | jq '[.workflow_runs[] | select(.name == "Build and Test") | select(.head_branch | test("^rc/release(-(proxy|compute))?/[0-9]{4}-[0-9]{2}-[0-9]{2}$"; "s"))] | first | .id // ("Failed to find Build and Test run from  RC PR!" | halt_error(1))')
+          RELEASE_PR_RUN_ID=$(gh api "/repos/${GITHUB_REPOSITORY}/actions/runs?head_sha=$CURRENT_SHA" | jq '[.workflow_runs[] | select(.name == "Build and Test") | select(.head_branch | test("^rc/release(-(proxy)|(compute))?/[0-9]{4}-[0-9]{2}-[0-9]{2}$"; "s"))] | first | .id // ("Falied to find Build and Test run from  RC PR!" | halt_error(1))')
          echo "release-pr-run-id=$RELEASE_PR_RUN_ID" | tee -a $GITHUB_OUTPUT
--- a/.github/workflows/_push-to-container-registry.yml
+++ b/.github/workflows/_push-to-container-registry.yml
@@ -49,12 +49,7 @@ jobs:
      id-token: write  # Required for aws/azure login
      packages: write  # required for pushing to GHCR
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          sparse-checkout: .github/scripts/push_with_image_map.py
          sparse-checkout-cone-mode: false
@@ -64,7 +59,7 @@ jobs:

      - name: Configure AWS credentials
        if: contains(inputs.image-map, 'amazonaws.com/')
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: "${{ inputs.aws-region }}"
          role-to-assume: "arn:aws:iam::${{ inputs.aws-account-id }}:role/${{ inputs.aws-role-to-assume }}"
@@ -72,7 +67,7 @@ jobs:

      - name: Login to ECR
        if: contains(inputs.image-map, 'amazonaws.com/')
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        uses: aws-actions/amazon-ecr-login@v2
        with:
          registries: "${{ inputs.aws-account-id }}"

@@ -91,14 +86,14 @@ jobs:

      - name: Login to GHCR
        if: contains(inputs.image-map, 'ghcr.io/')
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
-          username: ${{ github.actor }}
+          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -26,13 +26,8 @@ jobs:
    needs: [ check-permissions ]
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2
+      - uses: actions/checkout@v4
+      - uses: reviewdog/action-actionlint@v1
        env:
          # SC2046 - Quote this to prevent word splitting. - https://www.shellcheck.net/wiki/SC2046
          # SC2086 - Double quote to prevent globbing and word splitting. - https://www.shellcheck.net/wiki/SC2086
--- a/.github/workflows/approved-for-ci-run.yml
+++ b/.github/workflows/approved-for-ci-run.yml
@@ -47,11 +47,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"

  create-or-update-pr-for-ci-run:
@@ -68,14 +63,9 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"

-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.CI_ACCESS_TOKEN }}
@@ -163,11 +153,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Close PR and delete `ci-run/pr-${{ env.PR_NUMBER }}` branch
        run: |
          CLOSED="$(gh pr --repo ${GITHUB_REPOSITORY} list --head ${BRANCH} --json 'closed' --jq '.[].closed')"
--- a/.github/workflows/benchmarking.yml
+++ b/.github/workflows/benchmarking.yml
@@ -87,22 +87,17 @@ jobs:

    runs-on: ${{ matrix.RUNNER }}
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials # necessary on Azure runners
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -169,7 +164,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -195,22 +190,17 @@ jobs:

    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -255,22 +245,17 @@ jobs:

    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -329,7 +314,7 @@ jobs:
    # Post both success and failure to the Slack channel
    - name: Post to a Slack channel
      if: ${{ github.event.schedule && !cancelled() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06T9AMNDQQ" # on-call-compute-staging-stream
        slack-message: |
@@ -361,18 +346,13 @@ jobs:
      tpch-compare-matrix: ${{ steps.tpch-compare-matrix.outputs.matrix }}

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Generate matrix for pgbench benchmark
      id: pgbench-compare-matrix
      run: |
        region_id_default=${{ env.DEFAULT_REGION_ID }}
        runner_default='["self-hosted", "us-east-2", "x64"]'
        runner_azure='["self-hosted", "eastus2", "x64"]'
-        image_default="ghcr.io/neondatabase/build-tools:pinned-bookworm"
+        image_default="neondatabase/build-tools:pinned-bookworm"
        matrix='{
          "pg_version" : [
            16
@@ -388,18 +368,18 @@ jobs:
          "db_size": [ "10gb" ],
          "runner": ['"$runner_default"'],
          "image": [ "'"$image_default"'" ],
-          "include": [{ "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-freetier",       "db_size": "3gb" ,"runner": '"$runner_default"', "image": "'"$image_default"'"                               },
-                      { "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new",            "db_size": "10gb","runner": '"$runner_default"', "image": "'"$image_default"'"                               },
-                      { "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new-many-tables","db_size": "10gb","runner": '"$runner_default"', "image": "'"$image_default"'"                               },
-                      { "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new",            "db_size": "50gb","runner": '"$runner_default"', "image": "'"$image_default"'"                               },
-                      { "pg_version": 16, "region_id": "azure-eastus2",          "platform": "neonvm-azure-captest-freetier", "db_size": "3gb" ,"runner": '"$runner_azure"',   "image": "ghcr.io/neondatabase/build-tools:pinned-bookworm" },
-                      { "pg_version": 16, "region_id": "azure-eastus2",          "platform": "neonvm-azure-captest-new",      "db_size": "10gb","runner": '"$runner_azure"',   "image": "ghcr.io/neondatabase/build-tools:pinned-bookworm" },
-                      { "pg_version": 16, "region_id": "azure-eastus2",          "platform": "neonvm-azure-captest-new",      "db_size": "50gb","runner": '"$runner_azure"',   "image": "ghcr.io/neondatabase/build-tools:pinned-bookworm" },
-                      { "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-sharding-reuse", "db_size": "50gb","runner": '"$runner_default"', "image": "'"$image_default"'"                               },
-                      { "pg_version": 17, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-freetier",       "db_size": "3gb" ,"runner": '"$runner_default"', "image": "'"$image_default"'"                               },
-                      { "pg_version": 17, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new",            "db_size": "10gb","runner": '"$runner_default"', "image": "'"$image_default"'"                               },
-                      { "pg_version": 17, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new-many-tables","db_size": "10gb","runner": '"$runner_default"', "image": "'"$image_default"'"                               },
-                      { "pg_version": 17, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new",            "db_size": "50gb","runner": '"$runner_default"', "image": "'"$image_default"'"                               }]
+          "include": [{ "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-freetier",       "db_size": "3gb" ,"runner": '"$runner_default"', "image": "'"$image_default"'" },
+                      { "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new",            "db_size": "10gb","runner": '"$runner_default"', "image": "'"$image_default"'" },
+                      { "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new-many-tables","db_size": "10gb","runner": '"$runner_default"', "image": "'"$image_default"'" },
+                      { "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new",            "db_size": "50gb","runner": '"$runner_default"', "image": "'"$image_default"'" },
+                      { "pg_version": 16, "region_id": "azure-eastus2",          "platform": "neonvm-azure-captest-freetier", "db_size": "3gb" ,"runner": '"$runner_azure"',   "image": "neondatabase/build-tools:pinned-bookworm" },
+                      { "pg_version": 16, "region_id": "azure-eastus2",          "platform": "neonvm-azure-captest-new",      "db_size": "10gb","runner": '"$runner_azure"',   "image": "neondatabase/build-tools:pinned-bookworm" },
+                      { "pg_version": 16, "region_id": "azure-eastus2",          "platform": "neonvm-azure-captest-new",      "db_size": "50gb","runner": '"$runner_azure"',   "image": "neondatabase/build-tools:pinned-bookworm" },
+                      { "pg_version": 16, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-sharding-reuse", "db_size": "50gb","runner": '"$runner_default"', "image": "'"$image_default"'" },
+                      { "pg_version": 17, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-freetier",       "db_size": "3gb" ,"runner": '"$runner_default"', "image": "'"$image_default"'" },
+                      { "pg_version": 17, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new",            "db_size": "10gb","runner": '"$runner_default"', "image": "'"$image_default"'" },
+                      { "pg_version": 17, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new-many-tables","db_size": "10gb","runner": '"$runner_default"', "image": "'"$image_default"'" },
+                      { "pg_version": 17, "region_id": "'"$region_id_default"'", "platform": "neonvm-captest-new",            "db_size": "50gb","runner": '"$runner_default"', "image": "'"$image_default"'" }]
        }'

        if [ "$(date +%A)" = "Saturday" ] || [ ${RUN_AWS_RDS_AND_AURORA} = "true" ]; then
@@ -461,7 +441,7 @@ jobs:

    strategy:
      fail-fast: false
-      matrix: ${{fromJSON(needs.generate-matrices.outputs.pgbench-compare-matrix)}}
+      matrix: ${{fromJson(needs.generate-matrices.outputs.pgbench-compare-matrix)}}

    env:
      TEST_PG_BENCH_DURATIONS_MATRIX: "60m"
@@ -477,23 +457,18 @@ jobs:
    container:
      image: ${{ matrix.image }}
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    # Increase timeout to 8h, default timeout is 6h
    timeout-minutes: 480

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -508,7 +483,7 @@ jobs:
        aws-oicd-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}

    - name: Create Neon Project
-      if: contains(fromJSON('["neonvm-captest-new", "neonvm-captest-new-many-tables", "neonvm-captest-freetier", "neonvm-azure-captest-freetier", "neonvm-azure-captest-new"]'), matrix.platform)
+      if: contains(fromJson('["neonvm-captest-new", "neonvm-captest-new-many-tables", "neonvm-captest-freetier", "neonvm-azure-captest-freetier", "neonvm-azure-captest-new"]'), matrix.platform)
      id: create-neon-project
      uses: ./.github/actions/neon-project-create
      with:
@@ -548,7 +523,7 @@ jobs:
    # without (neonvm-captest-new)
    # and with (neonvm-captest-new-many-tables) many relations in the database
    - name: Create many relations before the run
-      if: contains(fromJSON('["neonvm-captest-new-many-tables"]'), matrix.platform)
+      if: contains(fromJson('["neonvm-captest-new-many-tables"]'), matrix.platform)
      uses: ./.github/actions/run-python-test-set
      with:
        build_type: ${{ env.BUILD_TYPE }}
@@ -625,7 +600,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -667,22 +642,17 @@ jobs:

    runs-on: ${{ matrix.RUNNER }}
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -756,7 +726,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -783,7 +753,7 @@ jobs:

    strategy:
      fail-fast: false
-      matrix: ${{ fromJSON(needs.generate-matrices.outputs.olap-compare-matrix) }}
+      matrix: ${{ fromJson(needs.generate-matrices.outputs.olap-compare-matrix) }}

    env:
      POSTGRES_DISTRIB_DIR: /tmp/neon/pg_install
@@ -797,10 +767,10 @@ jobs:

    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    # Increase timeout to 12h, default timeout is 6h
@@ -808,15 +778,10 @@ jobs:
    timeout-minutes: 720

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -889,7 +854,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -915,7 +880,7 @@ jobs:

    strategy:
      fail-fast: false
-      matrix: ${{ fromJSON(needs.generate-matrices.outputs.tpch-compare-matrix) }}
+      matrix: ${{ fromJson(needs.generate-matrices.outputs.tpch-compare-matrix) }}

    env:
      POSTGRES_DISTRIB_DIR: /tmp/neon/pg_install
@@ -927,22 +892,17 @@ jobs:

    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -1019,7 +979,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -1039,7 +999,7 @@ jobs:

    strategy:
      fail-fast: false
-      matrix: ${{ fromJSON(needs.generate-matrices.outputs.olap-compare-matrix) }}
+      matrix: ${{ fromJson(needs.generate-matrices.outputs.olap-compare-matrix) }}

    env:
      POSTGRES_DISTRIB_DIR: /tmp/neon/pg_install
@@ -1051,22 +1011,17 @@ jobs:

    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -1136,7 +1091,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
--- a/.github/workflows/build-build-tools-image.yml
+++ b/.github/workflows/build-build-tools-image.yml
@@ -19,7 +19,7 @@ on:
        value: ${{ jobs.check-image.outputs.tag }}
      image:
        description: "build-tools image"
-        value: ghcr.io/neondatabase/build-tools:${{ jobs.check-image.outputs.tag }}
+        value: neondatabase/build-tools:${{ jobs.check-image.outputs.tag }}

 defaults:
  run:
@@ -49,22 +49,8 @@ jobs:
      everything: ${{ steps.set-more-variables.outputs.everything }}
      found: ${{ steps.set-more-variables.outputs.found }}

-    permissions:
-      packages: read
-
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v4

      - name: Set variables
        id: set-variables
@@ -84,12 +70,12 @@ jobs:
        env:
          IMAGE_TAG: ${{ steps.set-variables.outputs.image-tag }}
          EVERYTHING: |
-            ${{ contains(fromJSON(steps.set-variables.outputs.archs), 'x64') &&
-                contains(fromJSON(steps.set-variables.outputs.archs), 'arm64') &&
-                contains(fromJSON(steps.set-variables.outputs.debians), 'bullseye') &&
-                contains(fromJSON(steps.set-variables.outputs.debians), 'bookworm') }}
+            ${{ contains(fromJson(steps.set-variables.outputs.archs), 'x64') &&
+                contains(fromJson(steps.set-variables.outputs.archs), 'arm64') &&
+                contains(fromJson(steps.set-variables.outputs.debians), 'bullseye') &&
+                contains(fromJson(steps.set-variables.outputs.debians), 'bookworm') }}
        run: |
-          if docker manifest inspect ghcr.io/neondatabase/build-tools:${IMAGE_TAG}; then
+          if docker manifest inspect neondatabase/build-tools:${IMAGE_TAG}; then
            found=true
          else
            found=false
@@ -104,45 +90,31 @@ jobs:

    strategy:
      matrix:
-        arch: ${{ fromJSON(needs.check-image.outputs.archs) }}
-        debian: ${{ fromJSON(needs.check-image.outputs.debians) }}
+        arch: ${{ fromJson(needs.check-image.outputs.archs) }}
+        debian: ${{ fromJson(needs.check-image.outputs.debians) }}

-    permissions:
-      packages: write
-
-    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@v3
        with:
          cache-binary: false

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: cache.neon.build
          username: ${{ secrets.NEON_CI_DOCKERCACHE_USERNAME }}
          password: ${{ secrets.NEON_CI_DOCKERCACHE_PASSWORD }}

-      - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      - uses: docker/build-push-action@v6
        with:
          file: build-tools.Dockerfile
          context: .
@@ -154,49 +126,35 @@ jobs:
          cache-from: type=registry,ref=cache.neon.build/build-tools:cache-${{ matrix.debian }}-${{ matrix.arch }}
          cache-to: ${{ github.ref_name == 'main' && format('type=registry,ref=cache.neon.build/build-tools:cache-{0}-{1},mode=max', matrix.debian, matrix.arch) || '' }}
          tags: |
-            ghcr.io/neondatabase/build-tools:${{ needs.check-image.outputs.tag }}-${{ matrix.debian }}-${{ matrix.arch }}
+            neondatabase/build-tools:${{ needs.check-image.outputs.tag }}-${{ matrix.debian }}-${{ matrix.arch }}

  merge-images:
    needs: [ check-image, build-image ]
    runs-on: ubuntu-22.04

-    permissions:
-      packages: write
-
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
      - name: Create multi-arch image
        env:
          DEFAULT_DEBIAN_VERSION: bookworm
-          ARCHS: ${{ join(fromJSON(needs.check-image.outputs.archs), ' ') }}
-          DEBIANS: ${{ join(fromJSON(needs.check-image.outputs.debians), ' ') }}
+          ARCHS: ${{ join(fromJson(needs.check-image.outputs.archs), ' ') }}
+          DEBIANS: ${{ join(fromJson(needs.check-image.outputs.debians), ' ') }}
          EVERYTHING: ${{ needs.check-image.outputs.everything }}
          IMAGE_TAG: ${{ needs.check-image.outputs.tag }}
        run: |
          for debian in ${DEBIANS}; do
-            tags=("-t" "ghcr.io/neondatabase/build-tools:${IMAGE_TAG}-${debian}")
+            tags=("-t" "neondatabase/build-tools:${IMAGE_TAG}-${debian}")

            if [ "${EVERYTHING}" == "true" ] && [ "${debian}" == "${DEFAULT_DEBIAN_VERSION}" ]; then
-              tags+=("-t" "ghcr.io/neondatabase/build-tools:${IMAGE_TAG}")
+              tags+=("-t" "neondatabase/build-tools:${IMAGE_TAG}")
            fi

            for arch in ${ARCHS}; do
-              tags+=("ghcr.io/neondatabase/build-tools:${IMAGE_TAG}-${debian}-${arch}")
+              tags+=("neondatabase/build-tools:${IMAGE_TAG}-${debian}-${arch}")
            done

            docker buildx imagetools create "${tags[@]}"
--- a/.github/workflows/build-macos.yml
+++ b/.github/workflows/build-macos.yml
@@ -28,9 +28,6 @@ env:
 # - You can connect up to four levels of workflows
 # - You can call a maximum of 20 unique reusable workflows from a single workflow file.
 # https://docs.github.com/en/actions/sharing-automations/reusing-workflows#limitations
-permissions:
-  contents: read
-
 jobs:
  build-pgxn:
    if: |
@@ -43,19 +40,14 @@ jobs:
    runs-on: macos-15
    strategy:
      matrix:
-        postgres-version: ${{ inputs.rebuild_everything && fromJSON('["v14", "v15", "v16", "v17"]') || fromJSON(inputs.pg_versions) }}
+        postgres-version: ${{ inputs.rebuild_everything && fromJson('["v14", "v15", "v16", "v17"]') || fromJSON(inputs.pg_versions) }}
    env:
      # Use release build only, to have less debug info around
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout main repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Set pg ${{ matrix.postgres-version }} for caching
        id: pg_rev
@@ -63,7 +55,7 @@ jobs:

      - name: Cache postgres ${{ matrix.postgres-version }} build
        id: cache_pg
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/${{ matrix.postgres-version }}
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ matrix.postgres-version }}-${{ steps.pg_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
@@ -115,13 +107,8 @@ jobs:
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout main repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Set pg v17 for caching
        id: pg_rev
@@ -129,14 +116,14 @@ jobs:

      - name: Cache postgres v17 build
        id: cache_pg
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v17
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v17-${{ steps.pg_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}

      - name: Cache walproposer-lib
        id: cache_walproposer_lib
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/build/walproposer-lib
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-walproposer_lib-v17-${{ steps.pg_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
@@ -178,13 +165,8 @@ jobs:
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout main repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

@@ -203,31 +185,31 @@ jobs:

      - name: Cache postgres v14 build
        id: cache_pg
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v14
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v14-${{ steps.pg_rev_v14.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v15 build
        id: cache_pg_v15
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v15
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v15-${{ steps.pg_rev_v15.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v16 build
        id: cache_pg_v16
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v16
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v16-${{ steps.pg_rev_v16.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v17 build
        id: cache_pg_v17
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/v17
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v17-${{ steps.pg_rev_v17.outputs.pg_rev }}-${{ hashFiles('Makefile') }}

      - name: Cache cargo deps (only for v17)
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
@@ -238,7 +220,7 @@ jobs:

      - name: Cache walproposer-lib
        id: cache_walproposer_lib
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: pg_install/build/walproposer-lib
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-walproposer_lib-v17-${{ steps.pg_rev_v17.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -37,11 +37,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Cancel previous e2e-tests runs for this PR
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
@@ -58,13 +53,8 @@ jobs:
      check-rust-dependencies: ${{ steps.files-changed.outputs.rust_dependencies }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

@@ -87,33 +77,25 @@ jobs:
    secrets: inherit

  check-codestyle-python:
-    needs: [ meta, check-permissions, build-build-tools-image ]
-    # No need to run on `main` because we this in the merge queue
-    if: ${{ needs.meta.outputs.run-kind == 'pr' }}
+    needs: [ check-permissions, build-build-tools-image ]
    uses: ./.github/workflows/_check-codestyle-python.yml
    with:
      build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
    secrets: inherit

  check-codestyle-jsonnet:
-    needs: [ meta, check-permissions, build-build-tools-image ]
-    if: ${{ contains(fromJSON('["pr", "push-main"]'), needs.meta.outputs.run-kind) }}
+    needs: [ check-permissions, build-build-tools-image ]
    runs-on: [ self-hosted, small ]
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Check Jsonnet code formatting
        run: |
@@ -125,17 +107,12 @@ jobs:
    needs: [ check-permissions ]
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+      - uses: dorny/paths-filter@v3
        id: check-if-submodules-changed
        with:
          filters: |
@@ -144,7 +121,7 @@ jobs:

      - name: Check vendor/postgres-v14 submodule reference
        if: steps.check-if-submodules-changed.outputs.vendor == 'true'
-        uses: jtmullen/submodule-branch-check-action@ab0d3a69278e3fa0a2d4f3be3199d2514b676e13 # v1.3.0
+        uses: jtmullen/submodule-branch-check-action@v1
        with:
          path: "vendor/postgres-v14"
          fetch_depth: "50"
@@ -153,7 +130,7 @@ jobs:

      - name: Check vendor/postgres-v15 submodule reference
        if: steps.check-if-submodules-changed.outputs.vendor == 'true'
-        uses: jtmullen/submodule-branch-check-action@ab0d3a69278e3fa0a2d4f3be3199d2514b676e13 # v1.3.0
+        uses: jtmullen/submodule-branch-check-action@v1
        with:
          path: "vendor/postgres-v15"
          fetch_depth: "50"
@@ -162,7 +139,7 @@ jobs:

      - name: Check vendor/postgres-v16 submodule reference
        if: steps.check-if-submodules-changed.outputs.vendor == 'true'
-        uses: jtmullen/submodule-branch-check-action@ab0d3a69278e3fa0a2d4f3be3199d2514b676e13 # v1.3.0
+        uses: jtmullen/submodule-branch-check-action@v1
        with:
          path: "vendor/postgres-v16"
          fetch_depth: "50"
@@ -171,7 +148,7 @@ jobs:

      - name: Check vendor/postgres-v17 submodule reference
        if: steps.check-if-submodules-changed.outputs.vendor == 'true'
-        uses: jtmullen/submodule-branch-check-action@ab0d3a69278e3fa0a2d4f3be3199d2514b676e13 # v1.3.0
+        uses: jtmullen/submodule-branch-check-action@v1
        with:
          path: "vendor/postgres-v17"
          fetch_depth: "50"
@@ -179,9 +156,7 @@ jobs:
          pass_if_unchanged: true

  check-codestyle-rust:
-    needs: [ meta, check-permissions, build-build-tools-image ]
-    # No need to run on `main` because we this in the merge queue
-    if: ${{ needs.meta.outputs.run-kind == 'pr' }}
+    needs: [ check-permissions, build-build-tools-image ]
    uses: ./.github/workflows/_check-codestyle-rust.yml
    with:
      build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
@@ -189,8 +164,8 @@ jobs:
    secrets: inherit

  check-dependencies-rust:
-    needs: [ meta, files-changed, build-build-tools-image ]
-    if: ${{ needs.files-changed.outputs.check-rust-dependencies == 'true' && needs.meta.outputs.run-kind == 'pr' }}
+    needs: [ files-changed, build-build-tools-image ]
+    if: ${{ needs.files-changed.outputs.check-rust-dependencies == 'true' }}
    uses: ./.github/workflows/cargo-deny.yml
    with:
      build-tools-image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
@@ -198,13 +173,12 @@ jobs:

  build-and-test-locally:
    needs: [ meta, build-build-tools-image ]
-    if: ${{ contains(fromJSON('["pr", "push-main"]'), needs.meta.outputs.run-kind) }}
    strategy:
      fail-fast: false
      matrix:
        arch: [ x64, arm64 ]
        # Do not build or run tests in debug for release branches
-        build-type: ${{ fromJSON((startsWith(github.ref_name, 'release') && github.event_name == 'push') && '["release"]' || '["debug", "release"]') }}
+        build-type: ${{ fromJson((startsWith(github.ref_name, 'release') && github.event_name == 'push') && '["release"]' || '["debug", "release"]') }}
        include:
          - build-type: release
            arch: arm64
@@ -235,20 +209,15 @@ jobs:
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Cache poetry deps
-        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+        uses: actions/cache@v4
        with:
          path: ~/.cache/pypoetry/virtualenvs
          key: v2-${{ runner.os }}-${{ runner.arch }}-python-deps-bookworm-${{ hashFiles('poetry.lock') }}
@@ -279,8 +248,8 @@ jobs:
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      # for changed limits, see comments on `options:` earlier in this file
      options: --init --shm-size=512mb --ulimit memlock=67108864:67108864
    strategy:
@@ -290,13 +259,8 @@ jobs:
        pytest_split_group: [ 1, 2, 3, 4, 5 ]
        build_type: [ release ]
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Pytest benchmarks
        uses: ./.github/actions/run-python-test-set
@@ -324,12 +288,7 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+    - uses: slackapi/slack-github-action@v2
      with:
        method: chat.postMessage
        token: ${{ secrets.SLACK_BOT_TOKEN }}
@@ -355,17 +314,12 @@ jobs:
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Create Allure report
        if: ${{ !cancelled() }}
@@ -377,7 +331,7 @@ jobs:
        env:
          REGRESS_TEST_RESULT_CONNSTR_NEW: ${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}

-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - uses: actions/github-script@v7
        if: ${{ !cancelled() }}
        with:
          # Retry script for 5XX server errors: https://github.com/actions/github-script#retries
@@ -413,8 +367,8 @@ jobs:
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init
    strategy:
      fail-fast: false
@@ -425,12 +379,7 @@ jobs:
        coverage-json: ${{ steps.upload-coverage-report-new.outputs.summary-json }}
    steps:
      # Need `fetch-depth: 0` for differential coverage (to get diff between two commits)
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true
          fetch-depth: 0
@@ -501,7 +450,7 @@ jobs:
          REPORT_URL=https://${BUCKET}.s3.amazonaws.com/code-coverage/${COMMIT_SHA}/lcov/summary.json
          echo "summary-json=${REPORT_URL}" >> $GITHUB_OUTPUT

-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - uses: actions/github-script@v7
        env:
          REPORT_URL_NEW: ${{ steps.upload-coverage-report-new.outputs.report-url }}
          COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
@@ -521,20 +470,14 @@ jobs:
            })

  trigger-e2e-tests:
-    # !failure() && !cancelled() because it depends on jobs that can get skipped
+    # Depends on jobs that can get skipped
    if: >-
      ${{
        (
-          (
-            needs.meta.outputs.run-kind == 'pr'
-            && (
-              !github.event.pull_request.draft
-              || contains(github.event.pull_request.labels.*.name, 'run-e2e-tests-in-draft')
-            )
-          )
-          || contains(fromJSON('["push-main", "storage-rc-pr", "proxy-rc-pr", "compute-rc-pr"]'), needs.meta.outputs.run-kind)
-        )
-        && !failure() && !cancelled()
+          !github.event.pull_request.draft
+          || contains( github.event.pull_request.labels.*.name, 'run-e2e-tests-in-draft')
+          || needs.meta.outputs.run-kind == 'push-main'
+        ) && !failure() && !cancelled()
      }}
    needs: [ check-permissions, push-neon-image-dev, push-compute-image-dev, meta ]
    uses: ./.github/workflows/trigger-e2e-tests.yml
@@ -549,44 +492,30 @@ jobs:
      matrix:
        arch: [ x64, arm64 ]

-    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}
-
-    permissions:
-      packages: write
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@v3
        with:
          cache-binary: false

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: cache.neon.build
          username: ${{ secrets.NEON_CI_DOCKERCACHE_USERNAME }}
          password: ${{ secrets.NEON_CI_DOCKERCACHE_PASSWORD }}

-      - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      - uses: docker/build-push-action@v6
        with:
          context: .
          # ARM-specific flags are recommended for Graviton ≥ 2, these flags are also supported by Ampere Altra (Azure)
@@ -594,7 +523,7 @@ jobs:
          build-args: |
            ADDITIONAL_RUSTFLAGS=${{ matrix.arch == 'arm64' && '-Ctarget-feature=+lse -Ctarget-cpu=neoverse-n1' || '' }}
            GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
-            BUILD_TAG=${{ needs.meta.outputs.release-tag || needs.meta.outputs.build-tag }}
+            BUILD_TAG=${{ needs.meta.outputs.build-tag }}
            TAG=${{ needs.build-build-tools-image.outputs.image-tag }}-bookworm
            DEBIAN_VERSION=bookworm
          provenance: false
@@ -604,7 +533,7 @@ jobs:
          cache-from: type=registry,ref=cache.neon.build/neon:cache-bookworm-${{ matrix.arch }}
          cache-to: ${{ github.ref_name == 'main' && format('type=registry,ref=cache.neon.build/neon:cache-{0}-{1},mode=max', 'bookworm', matrix.arch) || '' }}
          tags: |
-            ghcr.io/neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm-${{ matrix.arch }}
+            neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm-${{ matrix.arch }}

  neon-image:
    needs: [ neon-image-arch, meta ]
@@ -614,26 +543,19 @@ jobs:
      id-token: write # aws-actions/configure-aws-credentials
      statuses: write
      contents: read
-      packages: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      - uses: docker/login-action@v3
        with:
-          egress-policy: audit
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

      - name: Create multi-arch image
        run: |
-          docker buildx imagetools create -t ghcr.io/neondatabase/neon:${{ needs.meta.outputs.build-tag }} \
-                                          -t ghcr.io/neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm \
-                                             ghcr.io/neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm-x64 \
-                                             ghcr.io/neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm-arm64
+          docker buildx imagetools create -t neondatabase/neon:${{ needs.meta.outputs.build-tag }} \
+                                          -t neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm \
+                                             neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm-x64 \
+                                             neondatabase/neon:${{ needs.meta.outputs.build-tag }}-bookworm-arm64

  compute-node-image-arch:
    needs: [ check-permissions, build-build-tools-image, meta ]
@@ -642,7 +564,6 @@ jobs:
      id-token: write # aws-actions/configure-aws-credentials
      statuses: write
      contents: read
-      packages: write
    strategy:
      fail-fast: false
      matrix:
@@ -661,20 +582,15 @@ jobs:
            debian: bookworm
        arch: [ x64, arm64 ]

-    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@v3
        with:
          cache-binary: false
          # Disable parallelism for docker buildkit.
@@ -683,31 +599,25 @@ jobs:
            [worker.oci]
              max-parallelism = 1

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: cache.neon.build
          username: ${{ secrets.NEON_CI_DOCKERCACHE_USERNAME }}
          password: ${{ secrets.NEON_CI_DOCKERCACHE_PASSWORD }}

      - name: Build compute-node image
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@v6
        with:
          context: .
          build-args: |
            GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
            PG_VERSION=${{ matrix.version.pg }}
-            BUILD_TAG=${{ needs.meta.outputs.release-tag || needs.meta.outputs.build-tag }}
+            BUILD_TAG=${{ needs.meta.outputs.build-tag }}
            TAG=${{ needs.build-build-tools-image.outputs.image-tag }}-${{ matrix.version.debian }}
            DEBIAN_VERSION=${{ matrix.version.debian }}
          provenance: false
@@ -717,17 +627,17 @@ jobs:
          cache-from: type=registry,ref=cache.neon.build/compute-node-${{ matrix.version.pg }}:cache-${{ matrix.version.debian }}-${{ matrix.arch }}
          cache-to: ${{ github.ref_name == 'main' && format('type=registry,ref=cache.neon.build/compute-node-{0}:cache-{1}-{2},mode=max', matrix.version.pg, matrix.version.debian, matrix.arch) || '' }}
          tags: |
-            ghcr.io/neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-${{ matrix.arch }}
+            neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-${{ matrix.arch }}

      - name: Build neon extensions test image
        if: matrix.version.pg >= 'v16'
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@v6
        with:
          context: .
          build-args: |
            GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
            PG_VERSION=${{ matrix.version.pg }}
-            BUILD_TAG=${{ needs.meta.outputs.release-tag || needs.meta.outputs.build-tag }}
+            BUILD_TAG=${{ needs.meta.outputs.build-tag }}
            TAG=${{ needs.build-build-tools-image.outputs.image-tag }}-${{ matrix.version.debian }}
            DEBIAN_VERSION=${{ matrix.version.debian }}
          provenance: false
@@ -737,7 +647,7 @@ jobs:
          target: extension-tests
          cache-from: type=registry,ref=cache.neon.build/compute-node-${{ matrix.version.pg }}:cache-${{ matrix.version.debian }}-${{ matrix.arch }}
          tags: |
-            ghcr.io/neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{needs.meta.outputs.build-tag}}-${{ matrix.version.debian }}-${{ matrix.arch }}
+            neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{needs.meta.outputs.build-tag}}-${{ matrix.version.debian }}-${{ matrix.arch }}

  compute-node-image:
    needs: [ compute-node-image-arch, meta ]
@@ -746,7 +656,6 @@ jobs:
      id-token: write # aws-actions/configure-aws-credentials
      statuses: write
      contents: read
-      packages: write
    runs-on: ubuntu-22.04

    strategy:
@@ -763,39 +672,30 @@ jobs:
            debian: bookworm

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      - uses: docker/login-action@v3
        with:
-          egress-policy: audit
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

      - name: Create multi-arch compute-node image
        run: |
-          docker buildx imagetools create -t ghcr.io/neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }} \
-                                          -t ghcr.io/neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }} \
-                                             ghcr.io/neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-x64 \
-                                             ghcr.io/neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-arm64
+          docker buildx imagetools create -t neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }} \
+                                          -t neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }} \
+                                             neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-x64 \
+                                             neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-arm64

      - name: Create multi-arch neon-test-extensions image
        if: matrix.version.pg >= 'v16'
        run: |
-          docker buildx imagetools create -t ghcr.io/neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }} \
-                                          -t ghcr.io/neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }} \
-                                             ghcr.io/neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-x64 \
-                                             ghcr.io/neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-arm64
+          docker buildx imagetools create -t neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }} \
+                                          -t neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }} \
+                                             neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-x64 \
+                                             neondatabase/neon-test-extensions-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.version.debian }}-arm64

  vm-compute-node-image-arch:
    needs: [ check-permissions, meta, compute-node-image ]
    if: ${{ contains(fromJSON('["push-main", "pr", "compute-rc-pr"]'), needs.meta.outputs.run-kind) }}
-    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}
-    permissions:
-      contents: read
-      packages: write
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}
    strategy:
      fail-fast: false
      matrix:
@@ -813,12 +713,7 @@ jobs:
      VM_BUILDER_VERSION: v0.42.2

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Downloading vm-builder
        run: |
@@ -826,36 +721,33 @@ jobs:
          chmod +x vm-builder

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

      # Note: we need a separate pull step here because otherwise vm-builder will try to pull, and
      # it won't have the proper authentication (written at v0.6.0)
      - name: Pulling compute-node image
        run: |
-          docker pull ghcr.io/neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}
+          docker pull neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}

      - name: Build vm image
        run: |
          ./vm-builder \
            -size=2G \
            -spec=compute/vm-image-spec-${{ matrix.version.debian }}.yaml \
-            -src=ghcr.io/neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }} \
-            -dst=ghcr.io/neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.arch }} \
+            -src=neondatabase/compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }} \
+            -dst=neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.arch }} \
            -target-arch=linux/${{ matrix.arch }}

      - name: Pushing vm-compute-node image
        run: |
-          docker push ghcr.io/neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.arch }}
+          docker push neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-${{ matrix.arch }}

  vm-compute-node-image:
    needs: [ vm-compute-node-image-arch, meta ]
    if: ${{ contains(fromJSON('["push-main", "pr", "compute-rc-pr"]'), needs.meta.outputs.run-kind) }}
-    permissions:
-      packages: write
    runs-on: ubuntu-22.04
    strategy:
      matrix:
@@ -866,22 +758,16 @@ jobs:
          - pg: v16
          - pg: v17
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      - uses: docker/login-action@v3
        with:
-          egress-policy: audit
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

      - name: Create multi-arch compute-node image
        run: |
-          docker buildx imagetools create -t ghcr.io/neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }} \
-                                             ghcr.io/neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-amd64 \
-                                             ghcr.io/neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-arm64
+          docker buildx imagetools create -t neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }} \
+                                             neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-amd64 \
+                                             neondatabase/vm-compute-node-${{ matrix.version.pg }}:${{ needs.meta.outputs.build-tag }}-arm64


  test-images:
@@ -899,33 +785,18 @@ jobs:
        arch: [ x64, arm64 ]
        pg_version: [v16, v17]

-    permissions:
-      packages: read
-
-    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'small-arm64' || 'small')) }}
+    runs-on: ${{ fromJson(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'small-arm64' || 'small')) }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # `ghcr.io/neondatabase/neon` contains multiple binaries, all of them use the same input for the version into the same version formatting library.
+      # `neondatabase/neon` contains multiple binaries, all of them use the same input for the version into the same version formatting library.
      # Pick pageserver as currently the only binary with extra "version" features printed in the string to verify.
      # Regular pageserver version string looks like
      #   Neon page server git-env:32d14403bd6ab4f4520a94cbfd81a6acef7a526c failpoints: true, features: []
@@ -936,7 +807,7 @@ jobs:
        shell: bash # ensure no set -e for better error messages
        if: ${{ contains(fromJSON('["push-main", "pr", "storage-rc-pr", "proxy-rc-pr"]'), needs.meta.outputs.run-kind) }}
        run: |
-          pageserver_version=$(docker run --rm ghcr.io/neondatabase/neon:${{ needs.meta.outputs.build-tag }} "/bin/sh" "-c" "/usr/local/bin/pageserver --version")
+          pageserver_version=$(docker run --rm neondatabase/neon:${{ needs.meta.outputs.build-tag }} "/bin/sh" "-c" "/usr/local/bin/pageserver --version")

          echo "Pageserver version string: $pageserver_version"

@@ -1010,12 +881,7 @@ jobs:
      compute-dev: ${{ steps.generate.outputs.compute-dev }}
      compute-prod: ${{ steps.generate.outputs.compute-prod }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          sparse-checkout: .github/scripts/generate_image_maps.py
          sparse-checkout-cone-mode: false
@@ -1026,7 +892,7 @@ jobs:
        env:
          SOURCE_TAG: >-
            ${{
-              contains(fromJSON('["storage-release", "compute-release", "proxy-release"]'), needs.meta.outputs.run-kind)
+              contains(fromJson('["storage-release", "compute-release", "proxy-release"]'), needs.meta.outputs.run-kind)
              && needs.meta.outputs.release-pr-run-id
              || needs.meta.outputs.build-tag
            }}
@@ -1112,21 +978,18 @@ jobs:
      acr-registry-name: ${{ vars.AZURE_PROD_REGISTRY_NAME }}
    secrets: inherit

-  push-neon-test-extensions-image-dockerhub:
+  push-neon-test-extensions-image-ghcr:
    if: ${{ contains(fromJSON('["push-main", "pr", "compute-rc-pr"]'), needs.meta.outputs.run-kind) }}
    needs: [ meta, compute-node-image ]
    uses: ./.github/workflows/_push-to-container-registry.yml
-    permissions:
-      packages: write
-      id-token: write
    with:
      image-map: |
        {
-          "ghcr.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.build-tag }}": [
-            "docker.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.build-tag }}"
+          "docker.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.build-tag }}": [
+            "ghcr.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.build-tag }}"
          ],
-          "ghcr.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.build-tag }}": [
-            "docker.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.build-tag }}"
+          "docker.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.build-tag }}": [
+            "ghcr.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.build-tag }}"
          ]
        }
    secrets: inherit
@@ -1135,17 +998,14 @@ jobs:
    if: ${{ needs.meta.outputs.run-kind == 'push-main' }}
    needs: [ meta, compute-node-image ]
    uses: ./.github/workflows/_push-to-container-registry.yml
-    permissions:
-      packages: write
-      id-token: write
    with:
      image-map: |
        {
-          "ghcr.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.build-tag }}": [
+          "docker.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.build-tag }}": [
            "docker.io/neondatabase/neon-test-extensions-v16:latest",
            "ghcr.io/neondatabase/neon-test-extensions-v16:latest"
          ],
-          "ghcr.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.build-tag }}": [
+          "docker.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.build-tag }}": [
            "docker.io/neondatabase/neon-test-extensions-v17:latest",
            "ghcr.io/neondatabase/neon-test-extensions-v17:latest"
          ]
@@ -1154,19 +1014,16 @@ jobs:

  add-release-tag-to-neon-test-extensions-image:
    if: ${{ needs.meta.outputs.run-kind == 'compute-release' }}
-    needs: [ meta ]
+    needs: [ meta, compute-node-image ]
    uses: ./.github/workflows/_push-to-container-registry.yml
-    permissions:
-      packages: write
-      id-token: write
    with:
      image-map: |
        {
-          "ghcr.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.release-pr-run-id }}": [
+          "docker.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.release-pr-run-id }}": [
            "docker.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.build-tag }}",
            "ghcr.io/neondatabase/neon-test-extensions-v16:${{ needs.meta.outputs.build-tag }}"
          ],
-          "ghcr.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.release-pr-run-id }}": [
+          "docker.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.release-pr-run-id }}": [
            "docker.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.build-tag }}",
            "ghcr.io/neondatabase/neon-test-extensions-v17:${{ needs.meta.outputs.build-tag }}"
          ]
@@ -1183,11 +1040,6 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Set PR's status to pending and request a remote CI test
        run: |
          COMMIT_SHA=${{ github.event.pull_request.head.sha || github.sha }}
@@ -1269,16 +1121,11 @@ jobs:
    runs-on: [ self-hosted, small ]
    container: ${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/ansible:latest
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Create git tag and GitHub release
        if: ${{ contains(fromJSON('["storage-release", "proxy-release", "compute-release"]'), needs.meta.outputs.run-kind) }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@v7
        env:
          TAG: "${{ needs.meta.outputs.build-tag }}"
          BRANCH: "${{ github.ref_name }}"
@@ -1426,13 +1273,8 @@ jobs:
    if: github.ref_name == 'release' && needs.deploy.result != 'success' && always()
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Post release-deploy failure to team-storage slack channel
-        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        uses: slackapi/slack-github-action@v2
        with:
          method: chat.postMessage
          token: ${{ secrets.SLACK_BOT_TOKEN }}
@@ -1453,12 +1295,7 @@ jobs:

    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: eu-central-1
          role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -1546,20 +1383,15 @@ jobs:
    steps:
      # The list of possible results:
      # https://docs.github.com/en/actions/learn-github-actions/contexts#needs-context
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Fail the job if any of the dependencies do not succeed
        run: exit 1
        if: |
          contains(needs.*.result, 'failure')
          || contains(needs.*.result, 'cancelled')
-          || (needs.check-dependencies-rust.result == 'skipped' && needs.files-changed.outputs.check-rust-dependencies == 'true' && needs.meta.outputs.run-kind == 'pr')
-          || (needs.build-and-test-locally.result == 'skipped' && needs.meta.outputs.run-kind == 'pr')
-          || (needs.check-codestyle-python.result == 'skipped' && needs.meta.outputs.run-kind == 'pr')
-          || (needs.check-codestyle-rust.result == 'skipped' && needs.meta.outputs.run-kind == 'pr')
+          || (needs.check-dependencies-rust.result == 'skipped' && needs.files-changed.outputs.check-rust-dependencies == 'true')
+          || needs.build-and-test-locally.result == 'skipped'
+          || needs.check-codestyle-python.result == 'skipped'
+          || needs.check-codestyle-rust.result == 'skipped'
          || needs.files-changed.result == 'skipped'
          || (needs.push-compute-image-dev.result == 'skipped' && contains(fromJSON('["push-main", "pr", "compute-release", "compute-rc-pr"]'), needs.meta.outputs.run-kind))
          || (needs.push-neon-image-dev.result == 'skipped' && contains(fromJSON('["push-main", "pr", "storage-release", "storage-rc-pr", "proxy-release", "proxy-rc-pr"]'), needs.meta.outputs.run-kind))
--- a/.github/workflows/build_and_test_with_sanitizers.yml
+++ b/.github/workflows/build_and_test_with_sanitizers.yml
@@ -33,12 +33,7 @@ jobs:

    steps:
      # Need `fetch-depth: 0` to count the number of commits in the branch
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

@@ -99,17 +94,12 @@ jobs:
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Create Allure report
        if: ${{ !cancelled() }}
@@ -121,7 +111,7 @@ jobs:
        env:
          REGRESS_TEST_RESULT_CONNSTR_NEW: ${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}

-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - uses: actions/github-script@v7
        if: ${{ !cancelled() }}
        with:
          # Retry script for 5XX server errors: https://github.com/actions/github-script#retries
--- a/.github/workflows/cargo-deny.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -9,9 +9,6 @@ on:
  schedule:
    - cron: '0 10 * * *'

-permissions:
-  contents: read
-
 jobs:
  cargo-deny:
    strategy:
@@ -27,24 +24,16 @@ jobs:

    runs-on: [self-hosted, small]

-    permissions:
-      packages: read
-
    container:
-      image: ${{ inputs.build-tools-image || 'ghcr.io/neondatabase/build-tools:pinned' }}
+      image: ${{ inputs.build-tools-image || 'neondatabase/build-tools:pinned' }}
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.ref }}

@@ -56,7 +45,7 @@ jobs:

      - name: Post to a Slack channel
        if: ${{ github.event_name == 'schedule' && failure() }}
-        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        uses: slackapi/slack-github-action@v2
        with:
          method: chat.postMessage
          token: ${{ secrets.SLACK_BOT_TOKEN }}
--- a/.github/workflows/check-permissions.yml
+++ b/.github/workflows/check-permissions.yml
@@ -18,11 +18,6 @@ jobs:
  check-permissions:
    runs-on: ubuntu-22.04
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@v2
-      with:
-        egress-policy: audit
-
    - name: Disallow CI runs on PRs from forks
      if: |
        inputs.github-event-name  == 'pull_request' &&
--- a/.github/workflows/cleanup-caches-by-a-branch.yml
+++ b/.github/workflows/cleanup-caches-by-a-branch.yml
@@ -11,11 +11,6 @@ jobs:
  cleanup:
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Cleanup
        run: |
          gh extension install actions/gh-actions-cache
--- a/.github/workflows/cloud-regress.yml
+++ b/.github/workflows/cloud-regress.yml
@@ -37,19 +37,14 @@ jobs:

    runs-on: us-east-2
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true

@@ -126,7 +121,7 @@ jobs:

      - name: Post to a Slack channel
        if: ${{ github.event.schedule && failure() }}
-        uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+        uses: slackapi/slack-github-action@v1
        with:
          channel-id: ${{ vars.SLACK_ON_CALL_QA_STAGING_STREAM }}
          slack-message: |
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -13,11 +13,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Remove fast-forward label to PR
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
--- a/.github/workflows/force-test-extensions-upgrade.yml
+++ b/.github/workflows/force-test-extensions-upgrade.yml
@@ -34,12 +34,7 @@ jobs:
    runs-on: small

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: false

@@ -72,7 +67,7 @@ jobs:

      - name: Post to the Slack channel
        if: ${{ github.event.schedule && failure() }}
-        uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+        uses: slackapi/slack-github-action@v1
        with:
          channel-id: ${{ vars.SLACK_ON_CALL_QA_STAGING_STREAM }}
          slack-message: |
--- a/.github/workflows/ingest_benchmark.yml
+++ b/.github/workflows/ingest_benchmark.yml
@@ -23,9 +23,6 @@ concurrency:
  group: ingest-bench-workflow
  cancel-in-progress: true

-permissions:
-  contents: read
-
 jobs:
  ingest:
    strategy:
@@ -70,23 +67,18 @@ jobs:
      PGCOPYDB_LIB_PATH: /pgcopydb/lib
    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init
    timeout-minutes: 1440

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials # necessary to download artefacts
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
--- a/.github/workflows/label-for-external-users.yml
+++ b/.github/workflows/label-for-external-users.yml
@@ -27,11 +27,6 @@ jobs:
      is-member: ${{ steps.check-user.outputs.is-member }}

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@v2
-      with:
-        egress-policy: audit
-
    - name: Check whether `${{ github.actor }}` is a member of `${{ github.repository_owner }}`
      id: check-user
      env:
@@ -74,11 +69,6 @@ jobs:
      issues: write        # for `gh issue edit`

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@v2
-      with:
-        egress-policy: audit
-
    - name: Add `${{ env.LABEL }}` label
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/large_oltp_benchmark.yml
+++ b/.github/workflows/large_oltp_benchmark.yml
@@ -2,8 +2,8 @@ name: large oltp benchmark

 on:
  # uncomment to run on push for debugging your PR
-  #push:
-  #  branches: [ bodobolero/synthetic_oltp_workload ]
+  push:
+    branches: [ bodobolero/synthetic_oltp_workload ]

  schedule:
    # * is a special character in YAML so you have to quote this string
@@ -12,7 +12,7 @@ on:
    #          │ │  ┌───────────── day of the month (1 - 31)
    #          │ │  │ ┌───────────── month (1 - 12 or JAN-DEC)
    #          │ │  │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
-    - cron:   '0 15 * * 0,2,4' # run on Sunday, Tuesday, Thursday at 3 PM UTC
+    - cron:   '0 15 * * *' # run once a day, timezone is utc, avoid conflict with other benchmarks
  workflow_dispatch: # adds ability to run this manually

 defaults:
@@ -22,10 +22,7 @@ defaults:
 concurrency:
  # Allow only one workflow globally because we need dedicated resources which only exist once
  group: large-oltp-bench-workflow
-  cancel-in-progress: false
-
-permissions:
-  contents: read
+  cancel-in-progress: true

 jobs:
  oltp:
@@ -34,9 +31,9 @@ jobs:
      matrix:
        include:
          - target: new_branch 
-            custom_scripts: insert_webhooks.sql@200 select_any_webhook_with_skew.sql@300 select_recent_webhook.sql@397 select_prefetch_webhook.sql@3 IUD_one_transaction.sql@100
+            custom_scripts: insert_webhooks.sql@2 select_any_webhook_with_skew.sql@4 select_recent_webhook.sql@4 
          - target: reuse_branch 
-            custom_scripts: insert_webhooks.sql@200 select_any_webhook_with_skew.sql@300 select_recent_webhook.sql@397 select_prefetch_webhook.sql@3 IUD_one_transaction.sql@100
+            custom_scripts: insert_webhooks.sql@2 select_any_webhook_with_skew.sql@4 select_recent_webhook.sql@4 
      max-parallel: 1 # we want to run each stripe size sequentially to be able to compare the results
    permissions:
      contents: write
@@ -49,31 +46,25 @@ jobs:
      PG_VERSION: 16 # pre-determined by pre-determined project
      TEST_OUTPUT: /tmp/test_output
      BUILD_TYPE: remote
+      SAVE_PERF_REPORT: ${{ github.ref_name == 'main' }}
      PLATFORM: ${{ matrix.target }}

    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

-    # Increase timeout to 2 days, default timeout is 6h - database maintenance can take a long time
-    # (normally 1h pgbench, 3h vacuum analyze 3.5h re-index) x 2 = 15h, leave some buffer for regressions
-    # in one run vacuum didn't finish within 12 hours
-    timeout-minutes: 2880
+    # Increase timeout to 8h, default timeout is 6h
+    timeout-minutes: 480

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials # necessary to download artefacts
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -98,45 +89,29 @@ jobs:
    - name: Set up Connection String
      id: set-up-connstr
      run: |
-        case "${{ matrix.target }}" in
-          new_branch)
-          CONNSTR=${{ steps.create-neon-branch-oltp-target.outputs.dsn }}
-          ;;
-          reuse_branch)
-          CONNSTR=${{ secrets.BENCHMARK_LARGE_OLTP_REUSE_CONNSTR }}
-          ;;
-          *)
-          echo >&2 "Unknown target=${{ matrix.target }}"
-          exit 1
-          ;;
-        esac
+          case "${{ matrix.target }}" in
+              new_branch)
+              CONNSTR=${{ steps.create-neon-branch-oltp-target.outputs.dsn }}
+              ;;
+              reuse_branch)
+              CONNSTR=${{ secrets.BENCHMARK_LARGE_OLTP_REUSE_CONNSTR }}
+              ;;
+              *)
+              echo >&2 "Unknown target=${{ matrix.target }}"
+              exit 1
+              ;;
+          esac

-        CONNSTR_WITHOUT_POOLER="${CONNSTR//-pooler/}"
+          echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT

-        echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT
-        echo "connstr_without_pooler=${CONNSTR_WITHOUT_POOLER}" >> $GITHUB_OUTPUT
-
-    - name: Delete rows from prior runs in reuse branch
-      if: ${{ matrix.target == 'reuse_branch' }}
-      env:
-          BENCHMARK_CONNSTR: ${{ steps.set-up-connstr.outputs.connstr_without_pooler }}
-          PG_CONFIG: /tmp/neon/pg_install/v16/bin/pg_config
-          PSQL: /tmp/neon/pg_install/v16/bin/psql
-          PG_16_LIB_PATH: /tmp/neon/pg_install/v16/lib
-      run: |
-        echo "$(date '+%Y-%m-%d %H:%M:%S') - Deleting rows in table webhook.incoming_webhooks from prior runs"
-        export LD_LIBRARY_PATH=${PG_16_LIB_PATH}
-        ${PSQL} "${BENCHMARK_CONNSTR}" -c "SET statement_timeout = 0; DELETE FROM webhook.incoming_webhooks WHERE created_at > '2025-02-27 23:59:59+00';"
-        echo "$(date '+%Y-%m-%d %H:%M:%S') - Finished deleting rows in table webhook.incoming_webhooks from prior runs"
-
-    - name: Benchmark pgbench with custom-scripts 
+    - name: Benchmark pgbench with custom-scripts
      uses: ./.github/actions/run-python-test-set
      with:
        build_type: ${{ env.BUILD_TYPE }}
        test_selection: performance
        run_in_parallel: false
-        save_perf_report: true
-        extra_params: -m remote_cluster --timeout 7200 -k test_perf_oltp_large_tenant_pgbench
+        save_perf_report: ${{ env.SAVE_PERF_REPORT }}
+        extra_params: -m remote_cluster --timeout 21600 -k test_perf_oltp_large_tenant
        pg_version: ${{ env.PG_VERSION }}
        aws-oicd-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
      env:
@@ -144,21 +119,6 @@ jobs:
        VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}"
        PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}"

-    - name: Benchmark database maintenance
-      uses: ./.github/actions/run-python-test-set
-      with:
-        build_type: ${{ env.BUILD_TYPE }}
-        test_selection: performance
-        run_in_parallel: false
-        save_perf_report: true
-        extra_params: -m remote_cluster --timeout 172800 -k test_perf_oltp_large_tenant_maintenance
-        pg_version: ${{ env.PG_VERSION }}
-        aws-oicd-role-arn: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
-      env:
-        BENCHMARK_CONNSTR: ${{ steps.set-up-connstr.outputs.connstr_without_pooler }}
-        VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}"
-        PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}"
-
    - name: Delete Neon Branch for large tenant
      if: ${{ always() && matrix.target == 'new_branch' }}
      uses: ./.github/actions/neon-branch-delete
@@ -167,13 +127,6 @@ jobs:
        branch_id: ${{ steps.create-neon-branch-oltp-target.outputs.branch_id }}
        api_key: ${{ secrets.NEON_STAGING_API_KEY }}

-    - name: Configure AWS credentials # again because prior steps could have exceeded 5 hours
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-      with:
-        aws-region: eu-central-1
-        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
-        role-duration-seconds: 18000 # 5 hours
-
    - name: Create Allure report
      id: create-allure-report
      if: ${{ !cancelled() }}
@@ -183,7 +136,7 @@ jobs:
  
    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
--- a/.github/workflows/lint-release-pr.yml
+++ b/.github/workflows/lint-release-pr.yml
@@ -7,20 +7,12 @@ on:
      - release-proxy
      - release-compute

-permissions:
-  contents: read
-
 jobs:
  lint-release-pr:
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout PR branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Fetch full history for git operations
          ref: ${{ github.event.pull_request.head.ref }}
--- a/.github/workflows/neon_extra_builds.yml
+++ b/.github/workflows/neon_extra_builds.yml
@@ -42,13 +42,8 @@ jobs:
      rebuild_everything: ${{ steps.files_changed.outputs.rebuild_neon_extra || steps.files_changed.outputs.rebuild_macos }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

@@ -76,8 +71,8 @@ jobs:
    uses: ./.github/workflows/build-macos.yml
    with:
      pg_versions: ${{ needs.files-changed.outputs.postgres_changes }}
-      rebuild_rust_code: ${{ fromJSON(needs.files-changed.outputs.rebuild_rust_code) }}
-      rebuild_everything: ${{ fromJSON(needs.files-changed.outputs.rebuild_everything) }}
+      rebuild_rust_code: ${{ fromJson(needs.files-changed.outputs.rebuild_rust_code) }}
+      rebuild_everything: ${{ fromJson(needs.files-changed.outputs.rebuild_everything) }}

  gather-rust-build-stats:
    needs: [ check-permissions, build-build-tools-image, files-changed ]
@@ -95,8 +90,8 @@ jobs:
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init

    env:
@@ -106,13 +101,8 @@ jobs:
      CARGO_INCREMENTAL: 0

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

@@ -127,7 +117,7 @@ jobs:
        run: cargo build --all --release --timings -j$(nproc)

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: eu-central-1
          role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -144,7 +134,7 @@ jobs:
          echo "report-url=${REPORT_URL}" >> $GITHUB_OUTPUT

      - name: Publish build stats report
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@v7
        env:
          REPORT_URL: ${{ steps.upload-stats.outputs.report-url }}
          SHA: ${{ github.event.pull_request.head.sha || github.sha }}
--- a/.github/workflows/periodic_pagebench.yml
+++ b/.github/workflows/periodic_pagebench.yml
@@ -25,9 +25,6 @@ concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

-permissions:
-  contents: read
-
 jobs:
  trigger_bench_on_ec2_machine_in_eu_central_1:
    permissions:
@@ -37,10 +34,10 @@ jobs:
      pull-requests: write
    runs-on: [ self-hosted, small ]
    container:
-      image: ghcr.io/neondatabase/build-tools:pinned-bookworm
+      image: neondatabase/build-tools:pinned-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init
    timeout-minutes: 360  # Set the timeout to 6 hours
    env:
@@ -51,18 +48,13 @@ jobs:
    steps:
    # we don't need the neon source code because we run everything remotely
    # however we still need the local github actions to run the allure step below
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Show my own (github runner) external IP address - usefull for IP allowlisting
      run: curl https://ifconfig.me

    - name: Assume AWS OIDC role that allows to manage (start/stop/describe... EC machine)
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_MANAGE_BENCHMARK_EC2_VMS_ARN }}
@@ -151,7 +143,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: "Periodic pagebench testing on dedicated hardware: ${{ job.status }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
@@ -169,7 +161,7 @@ jobs:

    - name: Assume AWS OIDC role that allows to manage (start/stop/describe... EC machine)
      if: always() && steps.poll_step.outputs.too_many_runs != 'true'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_MANAGE_BENCHMARK_EC2_VMS_ARN }}
--- a/.github/workflows/pg-clients.yml
+++ b/.github/workflows/pg-clients.yml
@@ -53,8 +53,8 @@ jobs:
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init --user root
    services:
      clickhouse:
@@ -88,12 +88,7 @@ jobs:
        ports:
          - 8083:8083
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Download Neon artifact
        uses: ./.github/actions/download
@@ -143,7 +138,7 @@ jobs:

      - name: Post to a Slack channel
        if: github.event.schedule && failure()
-        uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+        uses: slackapi/slack-github-action@v1
        with:
          channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
          slack-message: |
@@ -158,17 +153,12 @@ jobs:
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}-bookworm
      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
+        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
+        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init --user root

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Download Neon artifact
      uses: ./.github/actions/download
@@ -216,7 +206,7 @@ jobs:

    - name: Post to a Slack channel
      if: github.event.schedule && failure()
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
--- a/.github/workflows/pin-build-tools-image.yml
+++ b/.github/workflows/pin-build-tools-image.yml
@@ -40,19 +40,14 @@ jobs:
      skip: ${{ steps.check-manifests.outputs.skip }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Check if we really need to pin the image
        id: check-manifests
        env:
          FROM_TAG: ${{ inputs.from-tag }}
          TO_TAG: pinned
        run: |
-          docker manifest inspect "ghcr.io/neondatabase/build-tools:${FROM_TAG}" > "${FROM_TAG}.json"
-          docker manifest inspect "ghcr.io/neondatabase/build-tools:${TO_TAG}"   > "${TO_TAG}.json"
+          docker manifest inspect "docker.io/neondatabase/build-tools:${FROM_TAG}" > "${FROM_TAG}.json"
+          docker manifest inspect "docker.io/neondatabase/build-tools:${TO_TAG}"   > "${TO_TAG}.json"

          if diff "${FROM_TAG}.json" "${TO_TAG}.json"; then
            skip=true
@@ -76,13 +71,13 @@ jobs:
    with:
      image-map: |
        {
-          "ghcr.io/neondatabase/build-tools:${{ inputs.from-tag }}-bullseye": [
+          "docker.io/neondatabase/build-tools:${{ inputs.from-tag }}-bullseye": [
            "docker.io/neondatabase/build-tools:pinned-bullseye",
            "ghcr.io/neondatabase/build-tools:pinned-bullseye",
            "${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/build-tools:pinned-bullseye",
            "${{ vars.AZURE_DEV_REGISTRY_NAME }}.azurecr.io/neondatabase/build-tools:pinned-bullseye"
          ],
-          "ghcr.io/neondatabase/build-tools:${{ inputs.from-tag }}-bookworm": [
+          "docker.io/neondatabase/build-tools:${{ inputs.from-tag }}-bookworm": [
            "docker.io/neondatabase/build-tools:pinned-bookworm",
            "docker.io/neondatabase/build-tools:pinned",
            "ghcr.io/neondatabase/build-tools:pinned-bookworm",
--- a/.github/workflows/pre-merge-checks.yml
+++ b/.github/workflows/pre-merge-checks.yml
@@ -19,22 +19,15 @@ permissions: {}
 jobs:
  meta:
    runs-on: ubuntu-22.04
-    permissions:
-      contents: read
    outputs:
      python-changed: ${{ steps.python-src.outputs.any_changed }}
      rust-changed: ${{ steps.rust-src.outputs.any_changed }}
      branch: ${{ steps.group-metadata.outputs.branch }}
      pr-number: ${{ steps.group-metadata.outputs.pr-number }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
+      - uses: actions/checkout@v4

-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
+      - uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf # v45.0.4
        id: python-src
        with:
          files: |
@@ -45,7 +38,7 @@ jobs:
            poetry.lock
            pyproject.toml

-      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
+      - uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf # v45.0.4
        id: rust-src
        with:
          files: |
@@ -79,9 +72,6 @@ jobs:
      || needs.meta.outputs.python-changed == 'true'
      || needs.meta.outputs.rust-changed == 'true'
    needs: [ meta ]
-    permissions:
-      contents: read
-      packages: write
    uses: ./.github/workflows/build-build-tools-image.yml
    with:
      # Build only one combination to save time
@@ -92,9 +82,6 @@ jobs:
  check-codestyle-python:
    if: needs.meta.outputs.python-changed == 'true'
    needs: [ meta, build-build-tools-image ]
-    permissions:
-      contents: read
-      packages: read
    uses: ./.github/workflows/_check-codestyle-python.yml
    with:
      # `-bookworm-x64` suffix should match the combination in `build-build-tools-image`
@@ -104,9 +91,6 @@ jobs:
  check-codestyle-rust:
    if: needs.meta.outputs.rust-changed == 'true'
    needs: [ meta, build-build-tools-image ]
-    permissions:
-      contents: read
-      packages: read
    uses: ./.github/workflows/_check-codestyle-rust.yml
    with:
      # `-bookworm-x64` suffix should match the combination in `build-build-tools-image`
@@ -130,13 +114,8 @@ jobs:
      - check-codestyle-rust
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Create fake `neon-cloud-e2e` check
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@v7
        with:
          # Retry script for 5XX server errors: https://github.com/actions/github-script#retries
          retries: 5
@@ -169,7 +148,7 @@ jobs:
          ${{
            always()
            && github.event_name == 'merge_group'
-            && contains(fromJSON('["release", "release-proxy", "release-compute"]'), needs.meta.outputs.branch)
+            && contains(fromJson('["release", "release-proxy", "release-compute"]'), github.base_ref)
          }}
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
--- a/.github/workflows/regenerate-pg-setting.yml
+++ b/.github/workflows/regenerate-pg-setting.yml
@@ -23,13 +23,8 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Add comment
-        uses: thollander/actions-comment-pull-request@65f9e5c9a1f2cd378bd74b2e057c9736982a8e74 # v3
+        uses: thollander/actions-comment-pull-request@v3
        with:
          comment-tag: ${{ github.job }}
          pr-number: ${{ github.event.number }}
--- a/.github/workflows/release-notify.yml
+++ b/.github/workflows/release-notify.yml
@@ -22,12 +22,7 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: neondatabase/dev-actions/release-pr-notify@483a843f2a8bcfbdc4c69d27630528a3ddc4e14b # main
+      - uses: neondatabase/dev-actions/release-pr-notify@main
        with:
          slack-token: ${{ secrets.SLACK_BOT_TOKEN }}
          slack-channel-id: ${{ vars.SLACK_UPCOMING_RELEASE_CHANNEL_ID || 'C05QQ9J1BRC' }} # if not set, then `#test-release-notifications`
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,7 +3,7 @@ name: Create Release Branch
 on:
  schedule:
    # It should be kept in sync with if-condition in jobs
-    - cron: '0 6 * * TUE' # Proxy release
+    - cron: '0 6 * * THU' # Proxy release
    - cron: '0 6 * * FRI' # Storage release
    - cron: '0 7 * * FRI' # Compute release
  workflow_dispatch:
@@ -43,7 +43,7 @@ jobs:
      ci-access-token: ${{ secrets.CI_ACCESS_TOKEN }}

  create-proxy-release-branch:
-    if: ${{ github.event.schedule == '0 6 * * TUE' || inputs.create-proxy-release-branch }}
+    if: ${{ github.event.schedule == '0 6 * * THU' || inputs.create-proxy-release-branch }}

    permissions:
      contents: write
--- a/.github/workflows/report-workflow-stats-batch.yml
+++ b/.github/workflows/report-workflow-stats-batch.yml
@@ -6,9 +6,6 @@ on:
    - cron: '25 0 * * *'
    - cron: '25 1 * * 6'

-permissions:
-  contents: read
-
 jobs:
  gh-workflow-stats-batch-2h:
    name: GitHub Workflow Stats Batch 2 hours
@@ -17,13 +14,8 @@ jobs:
    permissions:
      actions: read
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Export Workflow Run for the past 2 hours
-      uses: neondatabase/gh-workflow-stats-action@4c998b25ab5cc6588b52a610b749531f6a566b6b # v0.2.1
+      uses: neondatabase/gh-workflow-stats-action@v0.2.1
      with:
        db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
        db_table: "gh_workflow_stats_neon"
@@ -37,13 +29,8 @@ jobs:
    permissions:
      actions: read
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Export Workflow Run for the past 48 hours
-      uses: neondatabase/gh-workflow-stats-action@4c998b25ab5cc6588b52a610b749531f6a566b6b # v0.2.1
+      uses: neondatabase/gh-workflow-stats-action@v0.2.1
      with:
        db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
        db_table: "gh_workflow_stats_neon"
@@ -57,13 +44,8 @@ jobs:
    permissions:
      actions: read
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Export Workflow Run for the past 30 days
-      uses: neondatabase/gh-workflow-stats-action@4c998b25ab5cc6588b52a610b749531f6a566b6b # v0.2.1
+      uses: neondatabase/gh-workflow-stats-action@v0.2.1
      with:
        db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
        db_table: "gh_workflow_stats_neon"
--- a/.github/workflows/trigger-e2e-tests.yml
+++ b/.github/workflows/trigger-e2e-tests.yml
@@ -31,11 +31,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Cancel previous e2e-tests runs for this PR
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
@@ -68,11 +63,6 @@ jobs:
          || needs.meta.outputs.build-tag
        }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Wait for `push-{neon,compute}-image-dev` job to finish
        # It's important to have a timeout here, the script in the step can run infinitely
        timeout-minutes: 60
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -167,6 +167,45 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"

+[[package]]
+name = "asn1-rs"
+version = "0.6.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.100",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.100",
+]
+
 [[package]]
 name = "assert-json-diff"
 version = "2.0.2"
@@ -1774,6 +1813,20 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "der-parser"
+version = "9.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
 [[package]]
 name = "der_derive"
 version = "0.7.3"
@@ -2809,7 +2862,6 @@ name = "http-utils"
 version = "0.1.0"
 dependencies = [
 "anyhow",
- "arc-swap",
 "bytes",
 "camino",
 "fail",
@@ -2822,7 +2874,6 @@ dependencies = [
 "pprof",
 "regex",
 "routerify",
- "rustls 0.23.18",
 "rustls-pemfile 2.1.1",
 "serde",
 "serde_json",
@@ -3993,6 +4044,15 @@ dependencies = [
 "memchr",
 ]

+[[package]]
+name = "oid-registry"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9"
+dependencies = [
+ "asn1-rs",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.20.2"
@@ -5167,7 +5227,7 @@ dependencies = [
 "uuid",
 "walkdir",
 "workspace_hack",
- "x509-cert",
+ "x509-parser",
 "zerocopy",
 ]

@@ -5788,6 +5848,15 @@ dependencies = [
 "semver",
 ]

+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom",
+]
+
 [[package]]
 name = "rustix"
 version = "0.38.41"
@@ -6607,7 +6676,6 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "bytes",
- "camino",
 "chrono",
 "clap",
 "clashmap",
@@ -6651,7 +6719,6 @@ dependencies = [
 "tokio",
 "tokio-postgres",
 "tokio-postgres-rustls",
- "tokio-rustls 0.26.0",
 "tokio-util",
 "tracing",
 "utils",
@@ -8373,6 +8440,7 @@ dependencies = [
 "der 0.7.8",
 "deranged",
 "digest",
+ "displaydoc",
 "ecdsa 0.16.9",
 "either",
 "elliptic-curve 0.13.8",
@@ -8500,6 +8568,23 @@ dependencies = [
 "zeroize",
 ]

+[[package]]
+name = "x509-parser"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69"
+dependencies = [
+ "asn1-rs",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom",
+ "oid-registry",
+ "rusticata-macros",
+ "thiserror 1.0.69",
+ "time",
+]
+
 [[package]]
 name = "xattr"
 version = "1.0.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -215,10 +215,10 @@ urlencoding = "2.1"
 uuid = { version = "1.6.1", features = ["v4", "v7", "serde"] }
 walkdir = "2.3.2"
 rustls-native-certs = "0.8"
+x509-parser = "0.16"
 whoami = "1.5.1"
 zerocopy = { version = "0.7", features = ["derive"] }
 json-structural-diff = { version = "0.2.0" }
-x509-cert = { version = "0.2.5" }

 ## TODO replace this with tracing
 env_logger = "0.11"
--- a/2
+++ b/2
@@ -2,7 +2,7 @@
 ### The image itself is mainly used as a container for the binaries and for starting e2e tests with custom parameters.
 ### By default, the binaries inside the image have some mock parameters and can start, but are not intended to be used
 ### inside this image in the real deployments.
-ARG REPOSITORY=ghcr.io/neondatabase
+ARG REPOSITORY=neondatabase
 ARG IMAGE=build-tools
 ARG TAG=pinned
 ARG DEFAULT_PG_VERSION=17
--- a/compute/compute-node.Dockerfile
+++ b/compute/compute-node.Dockerfile
@@ -77,7 +77,7 @@
 # build_and_test.yml github workflow for how that's done.

 ARG PG_VERSION
-ARG REPOSITORY=ghcr.io/neondatabase
+ARG REPOSITORY=neondatabase
 ARG IMAGE=build-tools
 ARG TAG=pinned
 ARG BUILD_TAG
--- a/compute/patches/pgvector.patch
+++ b/compute/patches/pgvector.patch
@@ -15,7 +15,7 @@ index 7a4b88c..56678af 100644
 HEADERS = src/halfvec.h src/sparsevec.h src/vector.h
 
 diff --git a/src/hnswbuild.c b/src/hnswbuild.c
-index b667478..dc95d89 100644
+index b667478..fc1897c 100644
 --- a/src/hnswbuild.c
 +++ b/src/hnswbuild.c
@@ -843,9 +843,17 @@ HnswParallelBuildMain(dsm_segment *seg, shm_toc *toc)
@@ -36,7 +36,7 @@ index b667478..dc95d89 100644
 	/* Close relations within worker */
 	index_close(indexRel, indexLockmode);
 	table_close(heapRel, heapLockmode);
-@@ -1100,12 +1108,39 @@ BuildIndex(Relation heap, Relation index, IndexInfo *indexInfo,
+@@ -1100,12 +1108,38 @@ BuildIndex(Relation heap, Relation index, IndexInfo *indexInfo,
 	SeedRandom(42);
 #endif
 
@@ -62,11 +62,10 @@ index b667478..dc95d89 100644
 +#else
 +			RelFileNode rlocator = RelationGetSmgr(index)->smgr_rnode.node;
 +#endif
-+			if (set_lwlsn_block_range_hook)
-+				set_lwlsn_block_range_hook(XactLastRecEnd, rlocator,
-+										   MAIN_FORKNUM, 0, RelationGetNumberOfBlocks(index));
-+			if (set_lwlsn_relation_hook)
-+				set_lwlsn_relation_hook(XactLastRecEnd, rlocator, MAIN_FORKNUM);
+
+			SetLastWrittenLSNForBlockRange(XactLastRecEnd, rlocator,
+									   MAIN_FORKNUM, 0, RelationGetNumberOfBlocks(index));
+			SetLastWrittenLSNForRelation(XactLastRecEnd, rlocator, MAIN_FORKNUM);
 +		}
 +#endif
 +	}
--- a/compute/patches/rum.patch
+++ b/compute/patches/rum.patch
@@ -1,5 +1,11 @@
+commit 68f3b3b0d594f08aacc4a082ee210749ed5677eb
+Author: Anastasia Lubennikova <anastasia@neon.tech>
+Date:   Mon Jul 15 12:31:56 2024 +0100
+
+    Neon: fix unlogged index build patch
+
 diff --git a/src/ruminsert.c b/src/ruminsert.c
-index 255e616..7a2240f 100644
+index e8b209d..e89bf2a 100644
 --- a/src/ruminsert.c
 +++ b/src/ruminsert.c
@@ -628,6 +628,10 @@ rumbuild(Relation heap, Relation index, struct IndexInfo *indexInfo)
@@ -24,7 +30,7 @@ index 255e616..7a2240f 100644
 	/*
 	 * Write index to xlog
 	 */
-@@ -713,6 +721,22 @@ rumbuild(Relation heap, Relation index, struct IndexInfo *indexInfo)
+@@ -713,6 +721,21 @@ rumbuild(Relation heap, Relation index, struct IndexInfo *indexInfo)
 		UnlockReleaseBuffer(buffer);
 	}
 
@@ -35,10 +41,9 @@ index 255e616..7a2240f 100644
 +#else
 +		RelFileNode rlocator = RelationGetSmgr(index)->smgr_rnode.node;
 +#endif
-+		if (set_lwlsn_block_range_hook)
-+			set_lwlsn_block_range_hook(XactLastRecEnd, rlocator, MAIN_FORKNUM, 0, RelationGetNumberOfBlocks(index));
-+		if (set_lwlsn_relation_hook)
-+			set_lwlsn_relation_hook(XactLastRecEnd, rlocator, MAIN_FORKNUM);
+
+		SetLastWrittenLSNForBlockRange(XactLastRecEnd, rlocator, MAIN_FORKNUM, 0, RelationGetNumberOfBlocks(index));
+		SetLastWrittenLSNForRelation(XactLastRecEnd, rlocator, MAIN_FORKNUM);
 +
 +		smgr_end_unlogged_build(index->rd_smgr);
 +	}
--- a/compute/vm-image-spec-bookworm.yaml
+++ b/compute/vm-image-spec-bookworm.yaml
@@ -39,13 +39,6 @@ commands:
    user: nobody
    sysvInitAction: respawn
    shell: '/bin/sql_exporter -config.file=/etc/sql_exporter_autoscaling.yml -web.listen-address=:9499'
-  # Rsyslog by default creates a unix socket under /dev/log . That's where Postgres sends logs also.
-  # We run syslog with postgres user so it can't create /dev/log. Instead we configure rsyslog to
-  # use a different path for the socket. The symlink actually points to our custom path.
-  - name: rsyslogd-socket-symlink
-    user: root
-    sysvInitAction: sysinit
-    shell: "ln -s /var/db/postgres/rsyslogpipe /dev/log"
  - name: rsyslogd
    user: postgres
    sysvInitAction: respawn
@@ -84,9 +77,6 @@ files:
 # compute_ctl will rewrite this file with the actual configuration, if needed.
  - filename: compute_rsyslog.conf
    content: |
-      # Syslock.Name specifies a non-default pipe location that is writeable for the postgres user.
-      module(load="imuxsock" SysSock.Name="/var/db/postgres/rsyslogpipe") # provides support for local system logging
-
      *.*    /dev/null
      $IncludeConfig /etc/rsyslog.d/*.conf
 build: |
--- a/compute/vm-image-spec-bullseye.yaml
+++ b/compute/vm-image-spec-bullseye.yaml
@@ -39,13 +39,6 @@ commands:
    user: nobody
    sysvInitAction: respawn
    shell: '/bin/sql_exporter -config.file=/etc/sql_exporter_autoscaling.yml -web.listen-address=:9499'
-  # Rsyslog by default creates a unix socket under /dev/log . That's where Postgres sends logs also.
-  # We run syslog with postgres user so it can't create /dev/log. Instead we configure rsyslog to
-  # use a different path for the socket. The symlink actually points to our custom path.
-  - name: rsyslogd-socket-symlink
-    user: root
-    sysvInitAction: sysinit
-    shell: "ln -s /var/db/postgres/rsyslogpipe /dev/log"
  - name: rsyslogd
    user: postgres
    sysvInitAction: respawn
@@ -84,9 +77,6 @@ files:
 # compute_ctl will rewrite this file with the actual configuration, if needed.
  - filename: compute_rsyslog.conf
    content: |
-      # Syslock.Name specifies a non-default pipe location that is writeable for the postgres user.
-      module(load="imuxsock" SysSock.Name="/var/db/postgres/rsyslogpipe") # provides support for local system logging
-
      *.*    /dev/null
      $IncludeConfig /etc/rsyslog.d/*.conf
 build: |
--- a/compute_tools/Cargo.toml
+++ b/compute_tools/Cargo.toml
@@ -61,7 +61,7 @@ thiserror.workspace = true
 url.workspace = true
 uuid.workspace = true
 walkdir.workspace = true
-x509-cert.workspace = true
+x509-cert = { version = "0.2.5" }

 postgres_initdb.workspace = true
 compute_api.workspace = true
--- a/compute_tools/src/bin/fast_import.rs
+++ b/compute_tools/src/bin/fast_import.rs
@@ -31,7 +31,6 @@ use camino::{Utf8Path, Utf8PathBuf};
 use clap::{Parser, Subcommand};
 use compute_tools::extension_server::{PostgresMajorVersion, get_pg_version};
 use nix::unistd::Pid;
-use std::ops::Not;
 use tracing::{Instrument, error, info, info_span, warn};
 use utils::fs_ext::is_directory_empty;

@@ -45,7 +44,7 @@ mod s3_uri;
 const PG_WAIT_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(600);
 const PG_WAIT_RETRY_INTERVAL: std::time::Duration = std::time::Duration::from_millis(300);

-#[derive(Subcommand, Debug, Clone, serde::Serialize)]
+#[derive(Subcommand, Debug)]
 enum Command {
    /// Runs local postgres (neon binary), restores into it,
    /// uploads pgdata to s3 to be consumed by pageservers
@@ -85,15 +84,6 @@ enum Command {
    },
 }

-impl Command {
-    fn as_str(&self) -> &'static str {
-        match self {
-            Command::Pgdata { .. } => "pgdata",
-            Command::DumpRestore { .. } => "dump-restore",
-        }
-    }
-}
-
 #[derive(clap::Parser)]
 struct Args {
    #[clap(long, env = "NEON_IMPORTER_WORKDIR")]
@@ -447,7 +437,7 @@ async fn run_dump_restore(

 #[allow(clippy::too_many_arguments)]
 async fn cmd_pgdata(
-    s3_client: Option<&aws_sdk_s3::Client>,
+    s3_client: Option<aws_sdk_s3::Client>,
    kms_client: Option<aws_sdk_kms::Client>,
    maybe_s3_prefix: Option<s3_uri::S3Uri>,
    maybe_spec: Option<Spec>,
@@ -516,14 +506,14 @@ async fn cmd_pgdata(
    if let Some(s3_prefix) = maybe_s3_prefix {
        info!("upload pgdata");
        aws_s3_sync::upload_dir_recursive(
-            s3_client.unwrap(),
+            s3_client.as_ref().unwrap(),
            Utf8Path::new(&pgdata_dir),
            &s3_prefix.append("/pgdata/"),
        )
        .await
        .context("sync dump directory to destination")?;

-        info!("write pgdata status to s3");
+        info!("write status");
        {
            let status_dir = workdir.join("status");
            std::fs::create_dir(&status_dir).context("create status directory")?;
@@ -560,15 +550,13 @@ async fn cmd_dumprestore(
                    &key_id,
                    spec.source_connstring_ciphertext_base64,
                )
-                .await
-                .context("decrypt source connection string")?;
+                .await?;

                let dest = if let Some(dest_ciphertext) =
                    spec.destination_connstring_ciphertext_base64
                {
                    decode_connstring(kms_client.as_ref().unwrap(), &key_id, dest_ciphertext)
-                        .await
-                        .context("decrypt destination connection string")?
+                        .await?
                } else {
                    bail!(
                        "destination connection string must be provided in spec for dump_restore command"
@@ -613,18 +601,7 @@ pub(crate) async fn main() -> anyhow::Result<()> {

    // Initialize AWS clients only if s3_prefix is specified
    let (s3_client, kms_client) = if args.s3_prefix.is_some() {
-        // Create AWS config with enhanced retry settings
-        let config = aws_config::defaults(BehaviorVersion::v2024_03_28())
-            .retry_config(
-                aws_config::retry::RetryConfig::standard()
-                    .with_max_attempts(5) // Retry up to 5 times
-                    .with_initial_backoff(std::time::Duration::from_millis(200)) // Start with 200ms delay
-                    .with_max_backoff(std::time::Duration::from_secs(5)), // Cap at 5 seconds
-            )
-            .load()
-            .await;
-
-        // Create clients from the config with enhanced retry settings
+        let config = aws_config::load_defaults(BehaviorVersion::v2024_03_28()).await;
        let s3_client = aws_sdk_s3::Client::new(&config);
        let kms = aws_sdk_kms::Client::new(&config);
        (Some(s3_client), Some(kms))
@@ -632,108 +609,79 @@ pub(crate) async fn main() -> anyhow::Result<()> {
        (None, None)
    };

-    // Capture everything from spec assignment onwards to handle errors
-    let res = async {
-        let spec: Option<Spec> = if let Some(s3_prefix) = &args.s3_prefix {
-            let spec_key = s3_prefix.append("/spec.json");
-            let object = s3_client
-                .as_ref()
-                .unwrap()
-                .get_object()
-                .bucket(&spec_key.bucket)
-                .key(spec_key.key)
-                .send()
-                .await
-                .context("get spec from s3")?
-                .body
-                .collect()
-                .await
-                .context("download spec body")?;
-            serde_json::from_slice(&object.into_bytes()).context("parse spec as json")?
-        } else {
-            None
-        };
+    let spec: Option<Spec> = if let Some(s3_prefix) = &args.s3_prefix {
+        let spec_key = s3_prefix.append("/spec.json");
+        let object = s3_client
+            .as_ref()
+            .unwrap()
+            .get_object()
+            .bucket(&spec_key.bucket)
+            .key(spec_key.key)
+            .send()
+            .await
+            .context("get spec from s3")?
+            .body
+            .collect()
+            .await
+            .context("download spec body")?;
+        serde_json::from_slice(&object.into_bytes()).context("parse spec as json")?
+    } else {
+        None
+    };

-        match tokio::fs::create_dir(&args.working_directory).await {
-            Ok(()) => {}
-            Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => {
-                if !is_directory_empty(&args.working_directory)
-                    .await
-                    .context("check if working directory is empty")?
-                {
-                    bail!("working directory is not empty");
-                } else {
-                    // ok
-                }
+    match tokio::fs::create_dir(&args.working_directory).await {
+        Ok(()) => {}
+        Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => {
+            if !is_directory_empty(&args.working_directory)
+                .await
+                .context("check if working directory is empty")?
+            {
+                bail!("working directory is not empty");
+            } else {
+                // ok
            }
-            Err(e) => return Err(anyhow::Error::new(e).context("create working directory")),
        }
+        Err(e) => return Err(anyhow::Error::new(e).context("create working directory")),
+    }

-        match args.command.clone() {
-            Command::Pgdata {
+    match args.command {
+        Command::Pgdata {
+            source_connection_string,
+            interactive,
+            pg_port,
+            num_cpus,
+            memory_mb,
+        } => {
+            cmd_pgdata(
+                s3_client,
+                kms_client,
+                args.s3_prefix,
+                spec,
                source_connection_string,
                interactive,
                pg_port,
+                args.working_directory,
+                args.pg_bin_dir,
+                args.pg_lib_dir,
                num_cpus,
                memory_mb,
-            } => {
-                cmd_pgdata(
-                    s3_client.as_ref(),
-                    kms_client,
-                    args.s3_prefix.clone(),
-                    spec,
-                    source_connection_string,
-                    interactive,
-                    pg_port,
-                    args.working_directory.clone(),
-                    args.pg_bin_dir,
-                    args.pg_lib_dir,
-                    num_cpus,
-                    memory_mb,
-                )
-                .await
-            }
-            Command::DumpRestore {
+            )
+            .await?;
+        }
+        Command::DumpRestore {
+            source_connection_string,
+            destination_connection_string,
+        } => {
+            cmd_dumprestore(
+                kms_client,
+                spec,
                source_connection_string,
                destination_connection_string,
-            } => {
-                cmd_dumprestore(
-                    kms_client,
-                    spec,
-                    source_connection_string,
-                    destination_connection_string,
-                    args.working_directory.clone(),
-                    args.pg_bin_dir,
-                    args.pg_lib_dir,
-                )
-                .await
-            }
-        }
-    }
-    .await;
-
-    if let Some(s3_prefix) = args.s3_prefix {
-        info!("write job status to s3");
-        {
-            let status_dir = args.working_directory.join("status");
-            if std::fs::exists(&status_dir)?.not() {
-                std::fs::create_dir(&status_dir).context("create status directory")?;
-            }
-            let status_file = status_dir.join("fast_import");
-            let res_obj = match res {
-                Ok(_) => serde_json::json!({"command": args.command.as_str(), "done": true}),
-                Err(err) => {
-                    serde_json::json!({"command": args.command.as_str(), "done": false, "error": err.to_string()})
-                }
-            };
-            std::fs::write(&status_file, res_obj.to_string()).context("write status file")?;
-            aws_s3_sync::upload_dir_recursive(
-                s3_client.as_ref().unwrap(),
-                &status_dir,
-                &s3_prefix.append("/status/"),
+                args.working_directory,
+                args.pg_bin_dir,
+                args.pg_lib_dir,
            )
-            .await
-            .context("sync status directory to destination")?;
+            .await?;
        }
    }

--- a/compute_tools/src/compute.rs
+++ b/compute_tools/src/compute.rs
@@ -1,6 +1,6 @@
 use std::collections::HashMap;
 use std::os::unix::fs::{PermissionsExt, symlink};
-use std::path::{Path, PathBuf};
+use std::path::Path;
 use std::process::{Command, Stdio};
 use std::str::FromStr;
 use std::sync::atomic::{AtomicU32, Ordering};
@@ -37,10 +37,7 @@ use crate::logger::startup_context_from_env;
 use crate::lsn_lease::launch_lsn_lease_bg_task_for_static;
 use crate::monitor::launch_monitor;
 use crate::pg_helpers::*;
-use crate::rsyslog::{
-    PostgresLogsRsyslogConfig, configure_audit_rsyslog, configure_postgres_logs_export,
-    launch_pgaudit_gc,
-};
+use crate::rsyslog::{configure_audit_rsyslog, launch_pgaudit_gc};
 use crate::spec::*;
 use crate::swap::resize_swap;
 use crate::sync_sk::{check_if_synced, ping_safekeeper};
@@ -153,11 +150,6 @@ pub struct ComputeState {
    pub startup_span: Option<tracing::span::Span>,

    pub metrics: ComputeMetrics,
-
-    /// current audit log level
-    /// to know if it is already configured, or we need to set up audit
-    /// when compute receives a new spec
-    pub audit_log_level: ComputeAudit,
 }

 impl ComputeState {
@@ -170,7 +162,6 @@ impl ComputeState {
            pspec: None,
            startup_span: None,
            metrics: ComputeMetrics::default(),
-            audit_log_level: ComputeAudit::default(),
        }
    }

@@ -626,26 +617,21 @@ impl ComputeNode {
            });
        }

-        // If extended compute audit is enabled configure and start rsyslog
-        if pspec.spec.audit_log_level == ComputeAudit::Hipaa {
-            let log_directory_path = self.get_audit_log_dir().to_string_lossy().to_string();
-            configure_audit_rsyslog(&log_directory_path, pspec.spec.audit_log_level.as_str())?;
+        // Configure and start rsyslog if necessary
+        if let ComputeAudit::Hipaa = pspec.spec.audit_log_level {
+            let remote_endpoint = std::env::var("AUDIT_LOGGING_ENDPOINT").unwrap_or("".to_string());
+            if remote_endpoint.is_empty() {
+                anyhow::bail!("AUDIT_LOGGING_ENDPOINT is empty");
+            }
+
+            let log_directory_path = Path::new(&self.params.pgdata).join("log");
+            let log_directory_path = log_directory_path.to_string_lossy().to_string();
+            configure_audit_rsyslog(log_directory_path.clone(), "hipaa", &remote_endpoint)?;

            // Launch a background task to clean up the audit logs
            launch_pgaudit_gc(log_directory_path);
        }

-        // Configure and start rsyslog for Postgres logs export
-        if self.has_feature(ComputeFeature::PostgresLogsExport) {
-            if let Some(ref project_id) = pspec.spec.cluster.cluster_id {
-                let host = PostgresLogsRsyslogConfig::default_host(project_id);
-                let conf = PostgresLogsRsyslogConfig::new(Some(&host));
-                configure_postgres_logs_export(conf)?;
-            } else {
-                warn!("not configuring rsyslog for Postgres logs export: project ID is missing")
-            }
-        }
-
        // Launch remaining service threads
        let _monitor_handle = launch_monitor(self);
        let _configurator_handle = launch_configurator(self);
@@ -684,11 +670,6 @@ impl ComputeNode {
            });
        }

-        // after all the configuration is done
-        // preserve the information about the current audit log level
-        // so that we don't relaunch rsyslog on every spec change
-        self.set_audit_log_level(pspec.spec.audit_log_level);
-
        // All done!
        let startup_end_time = Utc::now();
        let metrics = {
@@ -843,19 +824,6 @@ impl ComputeNode {
        self.state.lock().unwrap().status
    }

-    pub fn set_audit_log_level(&self, audit_log_level: ComputeAudit) {
-        let mut state = self.state.lock().unwrap();
-        state.audit_log_level = audit_log_level;
-    }
-
-    pub fn get_audit_log_level(&self) -> ComputeAudit {
-        self.state.lock().unwrap().audit_log_level
-    }
-
-    pub fn get_audit_log_dir(&self) -> PathBuf {
-        Path::new(&self.params.pgdata).join("log")
-    }
-
    pub fn get_timeline_id(&self) -> Option<TimelineId> {
        self.state
            .lock()
@@ -896,14 +864,6 @@ impl ComputeNode {
            info!("Storage auth token not set");
        }

-        config.application_name("compute_ctl");
-        if let Some(spec) = &compute_state.pspec {
-            config.options(&format!(
-                "-c neon.compute_mode={}",
-                spec.spec.mode.to_type_str()
-            ));
-        }
-
        // Connect to pageserver
        let mut client = config.connect(NoTls)?;
        let pageserver_connect_micros = start_time.elapsed().as_micros() as u64;
@@ -1566,29 +1526,6 @@ impl ComputeNode {
            });
        }

-        // If extended compute audit is enabled configure and start rsyslog
-        // We check that the audit_log_level changed compared to the previous spec and skip this step if not.
-        let audit_log_level = self.get_audit_log_level();
-
-        if spec.audit_log_level == ComputeAudit::Hipaa && audit_log_level != spec.audit_log_level {
-            info!(
-                "Configuring audit logging because audit_log_level changed from {:?} to {:?}",
-                audit_log_level, spec.audit_log_level
-            );
-
-            let log_directory_path = self.get_audit_log_dir().to_string_lossy().to_string();
-            configure_audit_rsyslog(&log_directory_path, spec.audit_log_level.as_str())?;
-
-            // Launch a background task to clean up the audit logs
-            // If rsyslog was already configured, we don't need to start this process again.
-            match audit_log_level {
-                ComputeAudit::Disabled | ComputeAudit::Log => {
-                    launch_pgaudit_gc(log_directory_path);
-                }
-                _ => {}
-            }
-        }
-
        // Write new config
        let pgdata_path = Path::new(&self.params.pgdata);
        config::write_postgres_conf(
@@ -1598,14 +1535,7 @@ impl ComputeNode {
            &self.compute_ctl_config.tls,
        )?;

-        // Override the skip_catalog_updates flag
-        // if we need to install new extensions
-        //
-        // Check that audit_log_level changed compared to the previous spec and skip this step if not.
-        // All operations are idempotent, so this is just a performance optimization.
-        let force_catalog_updates = audit_log_level != spec.audit_log_level;
-
-        if !spec.skip_pg_catalog_updates || force_catalog_updates {
+        if !spec.skip_pg_catalog_updates {
            let max_concurrent_connections = spec.reconfigure_concurrency;
            // Temporarily reset max_cluster_size in config
            // to avoid the possibility of hitting the limit, while we are reconfiguring:
@@ -1630,11 +1560,6 @@ impl ComputeNode {

        self.pg_reload_conf()?;

-        // after all the configuration is done
-        // preserve the information about the current audit log level
-        // so that we don't relaunch rsyslog on every spec change
-        self.set_audit_log_level(spec.audit_log_level);
-
        let unknown_op = "unknown".to_string();
        let op_id = spec.operation_uuid.as_ref().unwrap_or(&unknown_op);
        info!(
--- a/compute_tools/src/config.rs
+++ b/compute_tools/src/config.rs
@@ -7,7 +7,7 @@ use std::io::prelude::*;
 use std::path::Path;

 use compute_api::responses::TlsConfig;
-use compute_api::spec::{ComputeAudit, ComputeFeature, ComputeMode, ComputeSpec, GenericOption};
+use compute_api::spec::{ComputeAudit, ComputeMode, ComputeSpec, GenericOption};

 use crate::pg_helpers::{
    GenericOptionExt, GenericOptionsSearch, PgOptionsSerialize, escape_conf_value,
@@ -117,7 +117,6 @@ pub fn write_postgres_conf(
        writeln!(file, "lc_numeric='C.UTF-8'")?;
    }

-    writeln!(file, "neon.compute_mode={}", spec.mode.to_type_str())?;
    match spec.mode {
        ComputeMode::Primary => {}
        ComputeMode::Static(lsn) => {
@@ -159,90 +158,53 @@ pub fn write_postgres_conf(
        writeln!(file, "# Managed by compute_ctl: end")?;
    }

-    // If base audit logging is enabled, configure it.
-    // In this setup, the audit log will be written to the standard postgresql log.
-    //
-    // If compliance audit logging is enabled, configure pgaudit.
+    // If audit logging is enabled, configure pgaudit.
    //
    // Note, that this is called after the settings from spec are written.
    // This way we always override the settings from the spec
    // and don't allow the user or the control plane admin to change them.
-    match spec.audit_log_level {
-        ComputeAudit::Disabled => {}
-        ComputeAudit::Log => {
-            writeln!(file, "# Managed by compute_ctl base audit settings: start")?;
-            writeln!(file, "pgaudit.log='ddl,role'")?;
-            // Disable logging of catalog queries to reduce the noise
-            writeln!(file, "pgaudit.log_catalog=off")?;
+    if let ComputeAudit::Hipaa = spec.audit_log_level {
+        writeln!(file, "# Managed by compute_ctl audit settings: begin")?;
+        // This log level is very verbose
+        // but this is necessary for HIPAA compliance.
+        // Exclude 'misc' category, because it doesn't contain anythig relevant.
+        writeln!(file, "pgaudit.log='all, -misc'")?;
+        writeln!(file, "pgaudit.log_parameter=on")?;
+        // Disable logging of catalog queries
+        // The catalog doesn't contain sensitive data, so we don't need to audit it.
+        writeln!(file, "pgaudit.log_catalog=off")?;
+        // Set log rotation to 5 minutes
+        // TODO: tune this after performance testing
+        writeln!(file, "pgaudit.log_rotation_age=5")?;

-            if let Some(libs) = spec.cluster.settings.find("shared_preload_libraries") {
-                let mut extra_shared_preload_libraries = String::new();
-                if !libs.contains("pgaudit") {
-                    extra_shared_preload_libraries.push_str(",pgaudit");
-                }
-                writeln!(
-                    file,
-                    "shared_preload_libraries='{}{}'",
-                    libs, extra_shared_preload_libraries
-                )?;
-            } else {
-                // Typically, this should be unreacheable,
-                // because we always set at least some shared_preload_libraries in the spec
-                // but let's handle it explicitly anyway.
-                writeln!(file, "shared_preload_libraries='neon,pgaudit'")?;
+        // Add audit shared_preload_libraries, if they are not present.
+        //
+        // The caller who sets the flag is responsible for ensuring that the necessary
+        // shared_preload_libraries are present in the compute image,
+        // otherwise the compute start will fail.
+        if let Some(libs) = spec.cluster.settings.find("shared_preload_libraries") {
+            let mut extra_shared_preload_libraries = String::new();
+            if !libs.contains("pgaudit") {
+                extra_shared_preload_libraries.push_str(",pgaudit");
            }
-            writeln!(file, "# Managed by compute_ctl base audit settings: end")?;
-        }
-        ComputeAudit::Hipaa => {
-            writeln!(
-                file,
-                "# Managed by compute_ctl compliance audit settings: begin"
-            )?;
-            // This log level is very verbose
-            // but this is necessary for HIPAA compliance.
-            // Exclude 'misc' category, because it doesn't contain anything relevant.
-            writeln!(file, "pgaudit.log='all, -misc'")?;
-            // Log parameters for all queries
-            writeln!(file, "pgaudit.log_parameter=on")?;
-            // Disable logging of catalog queries
-            // The catalog doesn't contain sensitive data, so we don't need to audit it.
-            writeln!(file, "pgaudit.log_catalog=off")?;
-            // Set log rotation to 5 minutes
-            // TODO: tune this after performance testing
-            writeln!(file, "pgaudit.log_rotation_age=5")?;
-
-            // Add audit shared_preload_libraries, if they are not present.
-            //
-            // The caller who sets the flag is responsible for ensuring that the necessary
-            // shared_preload_libraries are present in the compute image,
-            // otherwise the compute start will fail.
-            if let Some(libs) = spec.cluster.settings.find("shared_preload_libraries") {
-                let mut extra_shared_preload_libraries = String::new();
-                if !libs.contains("pgaudit") {
-                    extra_shared_preload_libraries.push_str(",pgaudit");
-                }
-                if !libs.contains("pgauditlogtofile") {
-                    extra_shared_preload_libraries.push_str(",pgauditlogtofile");
-                }
-                writeln!(
-                    file,
-                    "shared_preload_libraries='{}{}'",
-                    libs, extra_shared_preload_libraries
-                )?;
-            } else {
-                // Typically, this should be unreacheable,
-                // because we always set at least some shared_preload_libraries in the spec
-                // but let's handle it explicitly anyway.
-                writeln!(
-                    file,
-                    "shared_preload_libraries='neon,pgaudit,pgauditlogtofile'"
-                )?;
+            if !libs.contains("pgauditlogtofile") {
+                extra_shared_preload_libraries.push_str(",pgauditlogtofile");
            }
            writeln!(
                file,
-                "# Managed by compute_ctl compliance audit settings: end"
+                "shared_preload_libraries='{}{}'",
+                libs, extra_shared_preload_libraries
+            )?;
+        } else {
+            // Typically, this should be unreacheable,
+            // because we always set at least some shared_preload_libraries in the spec
+            // but let's handle it explicitly anyway.
+            writeln!(
+                file,
+                "shared_preload_libraries='neon,pgaudit,pgauditlogtofile'"
            )?;
        }
+        writeln!(file, "# Managed by compute_ctl audit settings: end")?;
    }

    writeln!(file, "neon.extension_server_port={}", extension_server_port)?;
@@ -254,12 +216,6 @@ pub fn write_postgres_conf(
        writeln!(file, "neon.disable_logical_replication_subscribers=false")?;
    }

-    // We need Postgres to send logs to rsyslog so that we can forward them
-    // further to customers' log aggregation systems.
-    if spec.features.contains(&ComputeFeature::PostgresLogsExport) {
-        writeln!(file, "log_destination='stderr,syslog'")?;
-    }
-
    // This is essential to keep this line at the end of the file,
    // because it is intended to override any settings above.
    writeln!(file, "include_if_exists = 'compute_ctl_temp_override.conf'")?;
--- a/compute_tools/src/config_template/compute_audit_rsyslog_template.conf
+++ b/compute_tools/src/config_template/compute_audit_rsyslog_template.conf
@@ -8,4 +8,4 @@ input(type="imfile" File="{log_directory}/*.log" Tag="{tag}" Severity="info" Fac
 global(workDirectory="/var/log/rsyslog")

 # Forward logs to remote syslog server
-*.* @@{remote_endpoint}
+*.* @@{remote_endpoint}
--- a/compute_tools/src/config_template/compute_rsyslog_postgres_export_template.conf
+++ b/compute_tools/src/config_template/compute_rsyslog_postgres_export_template.conf
@@ -1,10 +0,0 @@
-# Program name comes from postgres' syslog_facility configuration: https://www.postgresql.org/docs/current/runtime-config-logging.html#GUC-SYSLOG-IDENT
-# Default value is 'postgres'.
-if $programname == 'postgres' then {{
-    # Forward Postgres logs to telemetry otel collector
-    action(type="omfwd" target="{logs_export_target}" port="{logs_export_port}" protocol="tcp"
-           template="RSYSLOG_SyslogProtocol23Format"
-           action.resumeRetryCount="3"
-           queue.type="linkedList" queue.size="1000")
-    stop
-}}
--- a/compute_tools/src/http/openapi_spec.yaml
+++ b/compute_tools/src/http/openapi_spec.yaml
@@ -306,36 +306,6 @@ paths:
              schema:
                $ref: "#/components/schemas/GenericError"

-  /configure_telemetry:
-    post:
-      tags:
-        - Configure
-      summary: Configure rsyslog
-      description: |
-        This API endpoint configures rsyslog to forward Postgres logs
-        to a specified otel collector.
-      operationId: configureTelemetry
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              properties:
-                logs_export_host:
-                  type: string
-                  description: |
-                    Hostname and the port of the otel collector. Leave empty to disable logs forwarding.
-                    Example: config-shy-breeze-123-collector-monitoring.neon-telemetry.svc.cluster.local:54526
-      responses:
-        204:
-          description: "Telemetry configured successfully"
-        500:
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/GenericError"
-
 components:
  securitySchemes:
    JWT:
--- a/compute_tools/src/http/routes/configure.rs
+++ b/compute_tools/src/http/routes/configure.rs
@@ -1,11 +1,9 @@
 use std::sync::Arc;

-use axum::body::Body;
 use axum::extract::State;
 use axum::response::Response;
-use compute_api::requests::{ConfigurationRequest, ConfigureTelemetryRequest};
+use compute_api::requests::ConfigurationRequest;
 use compute_api::responses::{ComputeStatus, ComputeStatusResponse};
-use compute_api::spec::ComputeFeature;
 use http::StatusCode;
 use tokio::task;
 use tracing::info;
@@ -13,7 +11,6 @@ use tracing::info;
 use crate::compute::{ComputeNode, ParsedSpec};
 use crate::http::JsonResponse;
 use crate::http::extract::Json;
-use crate::rsyslog::{PostgresLogsRsyslogConfig, configure_postgres_logs_export};

 // Accept spec in JSON format and request compute configuration. If anything
 // goes wrong after we set the compute status to `ConfigurationPending` and
@@ -95,25 +92,3 @@ pub(in crate::http) async fn configure(

    JsonResponse::success(StatusCode::OK, body)
 }
-
-pub(in crate::http) async fn configure_telemetry(
-    State(compute): State<Arc<ComputeNode>>,
-    request: Json<ConfigureTelemetryRequest>,
-) -> Response {
-    if !compute.has_feature(ComputeFeature::PostgresLogsExport) {
-        return JsonResponse::error(
-            StatusCode::PRECONDITION_FAILED,
-            "Postgres logs export feature is not enabled".to_string(),
-        );
-    }
-
-    let conf = PostgresLogsRsyslogConfig::new(request.logs_export_host.as_deref());
-    if let Err(err) = configure_postgres_logs_export(conf) {
-        return JsonResponse::error(StatusCode::INTERNAL_SERVER_ERROR, err.to_string());
-    }
-
-    Response::builder()
-        .status(StatusCode::NO_CONTENT)
-        .body(Body::from(""))
-        .unwrap()
-}
--- a/compute_tools/src/http/server.rs
+++ b/compute_tools/src/http/server.rs
@@ -87,7 +87,6 @@ impl From<&Server> for Router<Arc<ComputeNode>> {
                let authenticated_router = Router::<Arc<ComputeNode>>::new()
                    .route("/check_writability", post(check_writability::is_writable))
                    .route("/configure", post(configure::configure))
-                    .route("/configure_telemetry", post(configure::configure_telemetry))
                    .route("/database_schema", get(database_schema::get_schema_dump))
                    .route("/dbs_and_roles", get(dbs_and_roles::get_catalog_objects))
                    .route("/insights", get(insights::get_insights))
--- a/compute_tools/src/pg_helpers.rs
+++ b/compute_tools/src/pg_helpers.rs
@@ -208,8 +208,8 @@ impl Escaping for PgIdent {
    /// Here we somewhat mimic the logic of Postgres' `pg_get_functiondef()`,
    /// <https://github.com/postgres/postgres/blob/8b49392b270b4ac0b9f5c210e2a503546841e832/src/backend/utils/adt/ruleutils.c#L2924>
    fn pg_quote_dollar(&self) -> (String, String) {
-        let mut tag: String = "x".to_string();
-        let mut outer_tag = "xx".to_string();
+        let mut tag: String = "".to_string();
+        let mut outer_tag = "x".to_string();

        // Find the first suitable tag that is not present in the string.
        // Postgres' max role/DB name length is 63 bytes, so even in the
--- a/compute_tools/src/rsyslog.rs
+++ b/compute_tools/src/rsyslog.rs
@@ -1,16 +1,12 @@
 use std::fs;
-use std::io::ErrorKind;
 use std::path::Path;
 use std::process::Command;
 use std::time::Duration;
 use std::{fs::OpenOptions, io::Write};

-use anyhow::{Context, Result, anyhow};
+use anyhow::{Context, Result};
 use tracing::{error, info, instrument, warn};

-const POSTGRES_LOGS_CONF_PATH: &str = "/etc/rsyslog.d/postgres_logs.conf";
-const AUDIT_LOGS_CONF_PATH: &str = "/etc/rsyslog.d/compute_audit_rsyslog.conf";
-
 fn get_rsyslog_pid() -> Option<String> {
    let output = Command::new("pgrep")
        .arg("rsyslogd")
@@ -49,43 +45,32 @@ fn restart_rsyslog() -> Result<()> {
    Ok(())
 }

-pub fn configure_audit_rsyslog(log_directory: &str, audit_log_level: &str) -> Result<()> {
-    let remote_endpoint = std::env::var("AUDIT_LOGGING_ENDPOINT")?;
-    if remote_endpoint.is_empty() {
-        return Err(anyhow!("AUDIT_LOGGING_ENDPOINT is not set"));
-    }
-
-    let old_config_content = match std::fs::read_to_string(AUDIT_LOGS_CONF_PATH) {
-        Ok(c) => c,
-        Err(err) if err.kind() == ErrorKind::NotFound => String::new(),
-        Err(err) => return Err(err.into()),
-    };
-
+pub fn configure_audit_rsyslog(
+    log_directory: String,
+    tag: &str,
+    remote_endpoint: &str,
+) -> Result<()> {
    let config_content: String = format!(
        include_str!("config_template/compute_audit_rsyslog_template.conf"),
        log_directory = log_directory,
-        tag = audit_log_level,
+        tag = tag,
        remote_endpoint = remote_endpoint
    );

-    if old_config_content == config_content {
-        info!("rsyslog configuration is up-to-date");
-        return Ok(());
-    }
-
    info!("rsyslog config_content: {}", config_content);

+    let rsyslog_conf_path = "/etc/rsyslog.d/compute_audit_rsyslog.conf";
    let mut file = OpenOptions::new()
        .create(true)
        .write(true)
        .truncate(true)
-        .open(AUDIT_LOGS_CONF_PATH)?;
+        .open(rsyslog_conf_path)?;

    file.write_all(config_content.as_bytes())?;

    info!(
        "rsyslog configuration file {} added successfully. Starting rsyslogd",
-        AUDIT_LOGS_CONF_PATH
+        rsyslog_conf_path
    );

    // start the service, using the configuration
@@ -94,95 +79,6 @@ pub fn configure_audit_rsyslog(log_directory: &str, audit_log_level: &str) -> Re
    Ok(())
 }

-/// Configuration for enabling Postgres logs forwarding from rsyslogd
-pub struct PostgresLogsRsyslogConfig<'a> {
-    pub host: Option<&'a str>,
-}
-
-impl<'a> PostgresLogsRsyslogConfig<'a> {
-    pub fn new(host: Option<&'a str>) -> Self {
-        Self { host }
-    }
-
-    pub fn build(&self) -> Result<String> {
-        match self.host {
-            Some(host) => {
-                if let Some((target, port)) = host.split_once(":") {
-                    Ok(format!(
-                        include_str!(
-                            "config_template/compute_rsyslog_postgres_export_template.conf"
-                        ),
-                        logs_export_target = target,
-                        logs_export_port = port,
-                    ))
-                } else {
-                    Err(anyhow!("Invalid host format for Postgres logs export"))
-                }
-            }
-            None => Ok("".to_string()),
-        }
-    }
-
-    fn current_config() -> Result<String> {
-        let config_content = match std::fs::read_to_string(POSTGRES_LOGS_CONF_PATH) {
-            Ok(c) => c,
-            Err(err) if err.kind() == ErrorKind::NotFound => String::new(),
-            Err(err) => return Err(err.into()),
-        };
-        Ok(config_content)
-    }
-
-    /// Returns the default host for otel collector that receives Postgres logs
-    pub fn default_host(project_id: &str) -> String {
-        format!(
-            "config-{}-collector.neon-telemetry.svc.cluster.local:10514",
-            project_id
-        )
-    }
-}
-
-pub fn configure_postgres_logs_export(conf: PostgresLogsRsyslogConfig) -> Result<()> {
-    let new_config = conf.build()?;
-    let current_config = PostgresLogsRsyslogConfig::current_config()?;
-
-    if new_config == current_config {
-        info!("postgres logs rsyslog configuration is up-to-date");
-        return Ok(());
-    }
-
-    // When new config is empty we can simply remove the configuration file.
-    if new_config.is_empty() {
-        info!("removing rsyslog config file: {}", POSTGRES_LOGS_CONF_PATH);
-        match std::fs::remove_file(POSTGRES_LOGS_CONF_PATH) {
-            Ok(_) => {}
-            Err(err) if err.kind() == ErrorKind::NotFound => {}
-            Err(err) => return Err(err.into()),
-        }
-        restart_rsyslog()?;
-        return Ok(());
-    }
-
-    info!(
-        "configuring rsyslog for postgres logs export to: {:?}",
-        conf.host
-    );
-
-    let mut file = OpenOptions::new()
-        .create(true)
-        .write(true)
-        .truncate(true)
-        .open(POSTGRES_LOGS_CONF_PATH)?;
-    file.write_all(new_config.as_bytes())?;
-
-    info!(
-        "rsyslog configuration file {} added successfully. Starting rsyslogd",
-        POSTGRES_LOGS_CONF_PATH
-    );
-
-    restart_rsyslog()?;
-    Ok(())
-}
-
 #[instrument(skip_all)]
 async fn pgaudit_gc_main_loop(log_directory: String) -> Result<()> {
    info!("running pgaudit GC main loop");
@@ -240,49 +136,3 @@ pub fn launch_pgaudit_gc(log_directory: String) {
        }
    });
 }
-
-#[cfg(test)]
-mod tests {
-    use crate::rsyslog::PostgresLogsRsyslogConfig;
-
-    #[test]
-    fn test_postgres_logs_config() {
-        {
-            // Verify empty config
-            let conf = PostgresLogsRsyslogConfig::new(None);
-            let res = conf.build();
-            assert!(res.is_ok());
-            let conf_str = res.unwrap();
-            assert_eq!(&conf_str, "");
-        }
-
-        {
-            // Verify config
-            let conf = PostgresLogsRsyslogConfig::new(Some("collector.cvc.local:514"));
-            let res = conf.build();
-            assert!(res.is_ok());
-            let conf_str = res.unwrap();
-            assert!(conf_str.contains("omfwd"));
-            assert!(conf_str.contains(r#"target="collector.cvc.local""#));
-            assert!(conf_str.contains(r#"port="514""#));
-        }
-
-        {
-            // Verify invalid config
-            let conf = PostgresLogsRsyslogConfig::new(Some("invalid"));
-            let res = conf.build();
-            assert!(res.is_err());
-        }
-
-        {
-            // Verify config with default host
-            let host = PostgresLogsRsyslogConfig::default_host("shy-breeze-123");
-            let conf = PostgresLogsRsyslogConfig::new(Some(&host));
-            let res = conf.build();
-            assert!(res.is_ok());
-            let conf_str = res.unwrap();
-            assert!(conf_str.contains(r#"shy-breeze-123"#));
-            assert!(conf_str.contains(r#"port="10514""#));
-        }
-    }
-}
--- a/compute_tools/src/spec.rs
+++ b/compute_tools/src/spec.rs
@@ -8,12 +8,13 @@ use compute_api::responses::{
 use compute_api::spec::ComputeSpec;
 use reqwest::StatusCode;
 use tokio_postgres::Client;
-use tracing::{error, info, instrument};
+use tracing::{error, info, instrument, warn};

 use crate::config;
 use crate::metrics::{CPLANE_REQUESTS_TOTAL, CPlaneRequestRPC, UNKNOWN_HTTP_STATUS};
 use crate::migration::MigrationRunner;
 use crate::params::PG_HBA_ALL_MD5;
+use crate::pg_helpers::*;

 // Do control plane request and return response if any. In case of error it
 // returns a bool flag indicating whether it makes sense to retry the request
@@ -211,3 +212,122 @@ pub async fn handle_migrations(client: &mut Client) -> Result<()> {

    Ok(())
 }
+
+/// Connect to the database as superuser and pre-create anon extension
+/// if it is present in shared_preload_libraries
+#[instrument(skip_all)]
+pub async fn handle_extension_anon(
+    spec: &ComputeSpec,
+    db_owner: &str,
+    db_client: &mut Client,
+    grants_only: bool,
+) -> Result<()> {
+    info!("handle extension anon");
+
+    if let Some(libs) = spec.cluster.settings.find("shared_preload_libraries") {
+        if libs.contains("anon") {
+            if !grants_only {
+                // check if extension is already initialized using anon.is_initialized()
+                let query = "SELECT anon.is_initialized()";
+                match db_client.query(query, &[]).await {
+                    Ok(rows) => {
+                        if !rows.is_empty() {
+                            let is_initialized: bool = rows[0].get(0);
+                            if is_initialized {
+                                info!("anon extension is already initialized");
+                                return Ok(());
+                            }
+                        }
+                    }
+                    Err(e) => {
+                        warn!(
+                            "anon extension is_installed check failed with expected error: {}",
+                            e
+                        );
+                    }
+                };
+
+                // Create anon extension if this compute needs it
+                // Users cannot create it themselves, because superuser is required.
+                let mut query = "CREATE EXTENSION IF NOT EXISTS anon CASCADE";
+                info!("creating anon extension with query: {}", query);
+                match db_client.query(query, &[]).await {
+                    Ok(_) => {}
+                    Err(e) => {
+                        error!("anon extension creation failed with error: {}", e);
+                        return Ok(());
+                    }
+                }
+
+                // check that extension is installed
+                query = "SELECT extname FROM pg_extension WHERE extname = 'anon'";
+                let rows = db_client.query(query, &[]).await?;
+                if rows.is_empty() {
+                    error!("anon extension is not installed");
+                    return Ok(());
+                }
+
+                // Initialize anon extension
+                // This also requires superuser privileges, so users cannot do it themselves.
+                query = "SELECT anon.init()";
+                match db_client.query(query, &[]).await {
+                    Ok(_) => {}
+                    Err(e) => {
+                        error!("anon.init() failed with error: {}", e);
+                        return Ok(());
+                    }
+                }
+            }
+
+            // check that extension is installed, if not bail early
+            let query = "SELECT extname FROM pg_extension WHERE extname = 'anon'";
+            match db_client.query(query, &[]).await {
+                Ok(rows) => {
+                    if rows.is_empty() {
+                        error!("anon extension is not installed");
+                        return Ok(());
+                    }
+                }
+                Err(e) => {
+                    error!("anon extension check failed with error: {}", e);
+                    return Ok(());
+                }
+            };
+
+            let query = format!("GRANT ALL ON SCHEMA anon TO {}", db_owner);
+            info!("granting anon extension permissions with query: {}", query);
+            db_client.simple_query(&query).await?;
+
+            // Grant permissions to db_owner to use anon extension functions
+            let query = format!("GRANT ALL ON ALL FUNCTIONS IN SCHEMA anon TO {}", db_owner);
+            info!("granting anon extension permissions with query: {}", query);
+            db_client.simple_query(&query).await?;
+
+            // This is needed, because some functions are defined as SECURITY DEFINER.
+            // In Postgres SECURITY DEFINER functions are executed with the privileges
+            // of the owner.
+            // In anon extension this it is needed to access some GUCs, which are only accessible to
+            // superuser. But we've patched postgres to allow db_owner to access them as well.
+            // So we need to change owner of these functions to db_owner.
+            let query = format!("
+                SELECT 'ALTER FUNCTION '||nsp.nspname||'.'||p.proname||'('||pg_get_function_identity_arguments(p.oid)||') OWNER TO {};'
+                from pg_proc p
+                join pg_namespace nsp ON p.pronamespace = nsp.oid
+                where nsp.nspname = 'anon';", db_owner);
+
+            info!("change anon extension functions owner to db owner");
+            db_client.simple_query(&query).await?;
+
+            //  affects views as well
+            let query = format!("GRANT ALL ON ALL TABLES IN SCHEMA anon TO {}", db_owner);
+            info!("granting anon extension permissions with query: {}", query);
+            db_client.simple_query(&query).await?;
+
+            let query = format!("GRANT ALL ON ALL SEQUENCES IN SCHEMA anon TO {}", db_owner);
+            info!("granting anon extension permissions with query: {}", query);
+            db_client.simple_query(&query).await?;
+        }
+    }
+
+    Ok(())
+}
--- a/compute_tools/src/spec_apply.rs
+++ b/compute_tools/src/spec_apply.rs
@@ -6,7 +6,7 @@ use std::sync::Arc;

 use anyhow::{Context, Result};
 use compute_api::responses::ComputeStatus;
-use compute_api::spec::{ComputeAudit, ComputeSpec, Database, PgIdent, Role};
+use compute_api::spec::{ComputeAudit, ComputeFeature, ComputeSpec, Database, PgIdent, Role};
 use futures::future::join_all;
 use tokio::sync::RwLock;
 use tokio_postgres::Client;
@@ -26,7 +26,7 @@ use crate::spec_apply::ApplySpecPhase::{
    RunInEachDatabase,
 };
 use crate::spec_apply::PerDatabasePhase::{
-    ChangeSchemaPerms, DeleteDBRoleReferences, DropLogicalSubscriptions,
+    ChangeSchemaPerms, DeleteDBRoleReferences, DropLogicalSubscriptions, HandleAnonExtension,
 };

 impl ComputeNode {
@@ -75,12 +75,15 @@ impl ComputeNode {

            if spec.drop_subscriptions_before_start {
                let timeline_id = self.get_timeline_id().context("timeline_id must be set")?;
+                let query = format!("select 1 from neon.drop_subscriptions_done where timeline_id = '{}'", timeline_id);

                info!("Checking if drop subscription operation was already performed for timeline_id: {}", timeline_id);

-                drop_subscriptions_done = match
-                    client.query("select 1 from neon.drop_subscriptions_done where timeline_id = $1", &[&timeline_id.to_string()]).await {
-                    Ok(result) => !result.is_empty(),
+                drop_subscriptions_done =  match
+                    client.simple_query(&query).await {
+                    Ok(result) => {
+                        matches!(&result[0], postgres::SimpleQueryMessage::Row(_))
+                    },
                    Err(e) =>
                    {
                        match e.code() {
@@ -235,6 +238,7 @@ impl ComputeNode {
                    let mut phases = vec![
                        DeleteDBRoleReferences,
                        ChangeSchemaPerms,
+                        HandleAnonExtension,
                    ];

                    if spec.drop_subscriptions_before_start && !drop_subscriptions_done {
@@ -283,10 +287,7 @@ impl ComputeNode {
                    phases.push(CreatePgauditlogtofileExtension);
                    phases.push(DisablePostgresDBPgAudit);
                }
-                ComputeAudit::Log => {
-                    phases.push(CreatePgauditExtension);
-                    phases.push(DisablePostgresDBPgAudit);
-                }
+                ComputeAudit::Log => { /* not implemented yet */ }
                ComputeAudit::Disabled => {}
            }

@@ -457,6 +458,7 @@ impl Debug for DB {
 pub enum PerDatabasePhase {
    DeleteDBRoleReferences,
    ChangeSchemaPerms,
+    HandleAnonExtension,
    /// This is a shared phase, used for both i) dropping dangling LR subscriptions
    /// before dropping the DB, and ii) dropping all subscriptions after creating
    /// a fresh branch.
@@ -1010,6 +1012,98 @@ async fn get_operations<'a>(
                    ]
                    .into_iter();

+                    Ok(Box::new(operations))
+                }
+                // TODO: remove this completely https://github.com/neondatabase/cloud/issues/22663
+                PerDatabasePhase::HandleAnonExtension => {
+                    // Only install Anon into user databases
+                    let db = match &db {
+                        DB::SystemDB => return Ok(Box::new(empty())),
+                        DB::UserDB(db) => db,
+                    };
+                    // Never install Anon when it's not enabled as feature
+                    if !spec.features.contains(&ComputeFeature::AnonExtension) {
+                        return Ok(Box::new(empty()));
+                    }
+
+                    // Only install Anon when it's added in preload libraries
+                    let opt_libs = spec.cluster.settings.find("shared_preload_libraries");
+
+                    let libs = match opt_libs {
+                        Some(libs) => libs,
+                        None => return Ok(Box::new(empty())),
+                    };
+
+                    if !libs.contains("anon") {
+                        return Ok(Box::new(empty()));
+                    }
+
+                    let db_owner = db.owner.pg_quote();
+
+                    let operations = vec![
+                        // Create anon extension if this compute needs it
+                        // Users cannot create it themselves, because superuser is required.
+                        Operation {
+                            query: String::from("CREATE EXTENSION IF NOT EXISTS anon CASCADE"),
+                            comment: Some(String::from("creating anon extension")),
+                        },
+                        // Initialize anon extension
+                        // This also requires superuser privileges, so users cannot do it themselves.
+                        Operation {
+                            query: String::from("SELECT anon.init()"),
+                            comment: Some(String::from("initializing anon extension data")),
+                        },
+                        Operation {
+                            query: format!("GRANT ALL ON SCHEMA anon TO {}", db_owner),
+                            comment: Some(String::from(
+                                "granting anon extension schema permissions",
+                            )),
+                        },
+                        Operation {
+                            query: format!(
+                                "GRANT ALL ON ALL FUNCTIONS IN SCHEMA anon TO {}",
+                                db_owner
+                            ),
+                            comment: Some(String::from(
+                                "granting anon extension schema functions permissions",
+                            )),
+                        },
+                        // We need this, because some functions are defined as SECURITY DEFINER.
+                        // In Postgres SECURITY DEFINER functions are executed with the privileges
+                        // of the owner.
+                        // In anon extension this it is needed to access some GUCs, which are only accessible to
+                        // superuser. But we've patched postgres to allow db_owner to access them as well.
+                        // So we need to change owner of these functions to db_owner.
+                        Operation {
+                            query: format!(
+                                include_str!("sql/anon_ext_fn_reassign.sql"),
+                                db_owner = db_owner,
+                            ),
+                            comment: Some(String::from(
+                                "change anon extension functions owner to database_owner",
+                            )),
+                        },
+                        Operation {
+                            query: format!(
+                                "GRANT ALL ON ALL TABLES IN SCHEMA anon TO {}",
+                                db_owner,
+                            ),
+                            comment: Some(String::from(
+                                "granting anon extension tables permissions",
+                            )),
+                        },
+                        Operation {
+                            query: format!(
+                                "GRANT ALL ON ALL SEQUENCES IN SCHEMA anon TO {}",
+                                db_owner,
+                            ),
+                            comment: Some(String::from(
+                                "granting anon extension sequences permissions",
+                            )),
+                        },
+                    ]
+                    .into_iter();
+
                    Ok(Box::new(operations))
                }
            }
--- a/compute_tools/src/sql/finalize_drop_subscriptions.sql
+++ b/compute_tools/src/sql/finalize_drop_subscriptions.sql
@@ -17,5 +17,5 @@ BEGIN
    INSERT INTO neon.drop_subscriptions_done VALUES (1, current_setting('neon.timeline_id'))
    ON CONFLICT (id) DO UPDATE
    SET timeline_id = current_setting('neon.timeline_id');
-END
+END;
 $$
--- a/compute_tools/src/tls.rs
+++ b/compute_tools/src/tls.rs
@@ -3,6 +3,7 @@ use std::{io::Write, os::unix::fs::OpenOptionsExt, path::Path, time::Duration};
 use anyhow::{Context, Result, bail};
 use compute_api::responses::TlsConfig;
 use ring::digest;
+use spki::ObjectIdentifier;
 use spki::der::{Decode, PemReader};
 use x509_cert::Certificate;

@@ -90,13 +91,13 @@ fn try_update_key_path_blocking(pg_data: &Path, tls_config: &TlsConfig) -> Resul
 }

 fn verify_key_cert(key: &str, cert: &str) -> Result<()> {
-    use x509_cert::der::oid::db::rfc5912::ECDSA_WITH_SHA_256;
+    const ECDSA_WITH_SHA256: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.4.3.2");

    let cert = Certificate::decode(&mut PemReader::new(cert.as_bytes()).context("pem reader")?)
        .context("decode cert")?;

    match cert.signature_algorithm.oid {
-        ECDSA_WITH_SHA_256 => {
+        ECDSA_WITH_SHA256 => {
            let key = p256::SecretKey::from_sec1_pem(key).context("parse key")?;

            let a = key.public_key().to_sec1_bytes();
--- a/compute_tools/tests/pg_helpers_tests.rs
+++ b/compute_tools/tests/pg_helpers_tests.rs
@@ -64,8 +64,7 @@ test.escaping = 'here''s a backslash \\ and a quote '' and a double-quote " hoor
    #[test]
    fn ident_pg_quote_dollar() {
        let test_cases = vec![
-            ("name", ("$x$name$x$", "xx")),
-            ("name$", ("$x$name$$x$", "xx")),
+            ("name", ("$$name$$", "x")),
            ("name$$", ("$x$name$$$x$", "xx")),
            ("name$$$", ("$x$name$$$$x$", "xx")),
            ("name$$$$", ("$x$name$$$$$x$", "xx")),
--- a/control_plane/src/local_env.rs
+++ b/control_plane/src/local_env.rs
@@ -165,11 +165,8 @@ pub struct NeonStorageControllerConf {
    /// Database url used when running multiple storage controller instances
    pub database_url: Option<SocketAddr>,

-    /// Thresholds for auto-splitting a tenant into shards.
+    /// Threshold for auto-splitting a tenant into shards
    pub split_threshold: Option<u64>,
-    pub max_split_shards: Option<u8>,
-    pub initial_split_threshold: Option<u64>,
-    pub initial_split_shards: Option<u8>,

    pub max_secondary_lag_bytes: Option<u64>,

@@ -204,9 +201,6 @@ impl Default for NeonStorageControllerConf {
            start_as_candidate: false,
            database_url: None,
            split_threshold: None,
-            max_split_shards: None,
-            initial_split_threshold: None,
-            initial_split_shards: None,
            max_secondary_lag_bytes: None,
            heartbeat_interval: Self::DEFAULT_HEARTBEAT_INTERVAL,
            long_reconcile_threshold: None,
--- a/control_plane/src/pageserver.rs
+++ b/control_plane/src/pageserver.rs
@@ -142,10 +142,6 @@ impl PageServerNode {
            overrides.push("auth_validation_public_key_path='../auth_public_key.pem'".to_owned());
        }

-        if let Some(ssl_ca_file) = self.env.ssl_ca_cert_path() {
-            overrides.push(format!("ssl_ca_file='{}'", ssl_ca_file.to_str().unwrap()));
-        }
-
        // Apply the user-provided overrides
        overrides.push({
            let mut doc =
--- a/control_plane/src/storage_controller.rs
+++ b/control_plane/src/storage_controller.rs
@@ -1,5 +1,6 @@
 use std::ffi::OsStr;
 use std::fs;
+use std::net::SocketAddr;
 use std::path::PathBuf;
 use std::process::ExitStatus;
 use std::str::FromStr;
@@ -37,9 +38,9 @@ pub struct StorageController {
    client: reqwest::Client,
    config: NeonStorageControllerConf,

-    // The listen port is learned when starting the storage controller,
+    // The listen addresses is learned when starting the storage controller,
    // hence the use of OnceLock to init it at the right time.
-    listen_port: OnceLock<u16>,
+    listen: OnceLock<SocketAddr>,
 }

 const COMMAND: &str = "storage_controller";
@@ -143,23 +144,15 @@ impl StorageController {
            }
        };

-        let mut http_client = reqwest::Client::builder();
-        if let Some(ssl_ca_file) = env.ssl_ca_cert_path() {
-            let buf = std::fs::read(ssl_ca_file).expect("SSL CA file should exist");
-            let cert = reqwest::Certificate::from_pem(&buf).expect("SSL CA file should be valid");
-            http_client = http_client.add_root_certificate(cert);
-        }
-        let http_client = http_client
-            .build()
-            .expect("HTTP client should construct with no error");
-
        Self {
            env: env.clone(),
            private_key,
            public_key,
-            client: http_client,
+            client: reqwest::ClientBuilder::new()
+                .build()
+                .expect("Failed to construct http client"),
            config: env.storage_controller.clone(),
-            listen_port: OnceLock::default(),
+            listen: OnceLock::default(),
        }
    }

@@ -344,34 +337,34 @@ impl StorageController {
            }
        }

-        if self.env.generate_local_ssl_certs {
-            self.env.generate_ssl_cert(
-                &instance_dir.join("server.crt"),
-                &instance_dir.join("server.key"),
-            )?;
-        }
+        let (listen, postgres_port) = {
+            if let Some(base_port) = start_args.base_port {
+                (
+                    format!("127.0.0.1:{base_port}"),
+                    self.config
+                        .database_url
+                        .expect("--base-port requires NeonStorageControllerConf::database_url")
+                        .port(),
+                )
+            } else {
+                let listen_url = self.env.control_plane_api.clone();

-        let listen_url = &self.env.control_plane_api;
+                let listen = format!(
+                    "{}:{}",
+                    listen_url.host_str().unwrap(),
+                    listen_url.port().unwrap()
+                );

-        let scheme = listen_url.scheme();
-        let host = listen_url.host_str().unwrap();
-
-        let (listen_port, postgres_port) = if let Some(base_port) = start_args.base_port {
-            (
-                base_port,
-                self.config
-                    .database_url
-                    .expect("--base-port requires NeonStorageControllerConf::database_url")
-                    .port(),
-            )
-        } else {
-            let port = listen_url.port().unwrap();
-            (port, port + 1)
+                (listen, listen_url.port().unwrap() + 1)
+            }
        };

-        self.listen_port
-            .set(listen_port)
-            .expect("StorageController::listen_port is only set here");
+        let socket_addr = listen
+            .parse()
+            .expect("listen address is a valid socket address");
+        self.listen
+            .set(socket_addr)
+            .expect("StorageController::listen is only set here");

        // Do we remove the pid file on stop?
        let pg_started = self.is_postgres_running().await?;
@@ -507,15 +500,20 @@ impl StorageController {
        drop(client);
        conn.await??;

-        let addr = format!("{}:{}", host, listen_port);
+        let listen = self
+            .listen
+            .get()
+            .expect("cell is set earlier in this function");
        let address_for_peers = Uri::builder()
-            .scheme(scheme)
-            .authority(addr.clone())
+            .scheme("http")
+            .authority(format!("{}:{}", listen.ip(), listen.port()))
            .path_and_query("")
            .build()
            .unwrap();

        let mut args = vec![
+            "-l",
+            &listen.to_string(),
            "--dev",
            "--database-url",
            &database_url,
@@ -532,14 +530,6 @@ impl StorageController {
        .map(|s| s.to_string())
        .collect::<Vec<_>>();

-        match scheme {
-            "http" => args.extend(["--listen".to_string(), addr]),
-            "https" => args.extend(["--listen-https".to_string(), addr]),
-            _ => {
-                panic!("Unexpected url scheme in control_plane_api: {scheme}");
-            }
-        }
-
        if self.config.start_as_candidate {
            args.push("--start-as-candidate".to_string());
        }
@@ -580,20 +570,6 @@ impl StorageController {
            args.push(format!("--split-threshold={split_threshold}"))
        }

-        if let Some(max_split_shards) = self.config.max_split_shards.as_ref() {
-            args.push(format!("--max-split-shards={max_split_shards}"))
-        }
-
-        if let Some(initial_split_threshold) = self.config.initial_split_threshold.as_ref() {
-            args.push(format!(
-                "--initial-split-threshold={initial_split_threshold}"
-            ))
-        }
-
-        if let Some(initial_split_shards) = self.config.initial_split_shards.as_ref() {
-            args.push(format!("--initial-split-shards={initial_split_shards}"))
-        }
-
        if let Some(lag) = self.config.max_secondary_lag_bytes.as_ref() {
            args.push(format!("--max-secondary-lag-bytes={lag}"))
        }
@@ -614,8 +590,6 @@ impl StorageController {
            args.push("--timelines-onto-safekeepers".to_string());
        }

-        println!("Starting storage controller");
-
        background_process::start_process(
            COMMAND,
            &instance_dir,
@@ -742,26 +716,30 @@ impl StorageController {
    {
        // In the special case of the `storage_controller start` subcommand, we wish
        // to use the API endpoint of the newly started storage controller in order
-        // to pass the readiness check. In this scenario [`Self::listen_port`] will
-        // be set (see [`Self::start`]).
+        // to pass the readiness check. In this scenario [`Self::listen`] will be set
+        // (see [`Self::start`]).
        //
        // Otherwise, we infer the storage controller api endpoint from the configured
        // control plane API.
-        let port = if let Some(port) = self.listen_port.get() {
-            *port
+        let url = if let Some(socket_addr) = self.listen.get() {
+            Url::from_str(&format!(
+                "http://{}:{}/{path}",
+                socket_addr.ip().to_canonical(),
+                socket_addr.port()
+            ))
+            .unwrap()
        } else {
-            self.env.control_plane_api.port().unwrap()
+            // The configured URL has the /upcall path prefix for pageservers to use: we will strip that out
+            // for general purpose API access.
+            let listen_url = self.env.control_plane_api.clone();
+            Url::from_str(&format!(
+                "http://{}:{}/{path}",
+                listen_url.host_str().unwrap(),
+                listen_url.port().unwrap()
+            ))
+            .unwrap()
        };

-        // The configured URL has the /upcall path prefix for pageservers to use: we will strip that out
-        // for general purpose API access.
-        let url = Url::from_str(&format!(
-            "{}://{}:{port}/{path}",
-            self.env.control_plane_api.scheme(),
-            self.env.control_plane_api.host_str().unwrap(),
-        ))
-        .unwrap();
-
        let mut builder = self.client.request(method, url);
        if let Some(body) = body {
            builder = builder.json(&body)
--- a/docker-compose/compute_wrapper/Dockerfile
+++ b/docker-compose/compute_wrapper/Dockerfile
@@ -1,4 +1,4 @@
-ARG REPOSITORY=ghcr.io/neondatabase
+ARG REPOSITORY=neondatabase
 ARG COMPUTE_IMAGE=compute-node-v14
 ARG TAG=latest

--- a/docker-compose/compute_wrapper/shell/compute.sh
+++ b/docker-compose/compute_wrapper/shell/compute.sh
@@ -67,14 +67,6 @@ else
  fi
 fi

-if [[ ${PG_VERSION} -ge 17 ]]; then
-  ulid_extension=pgx_ulid
-else
-  ulid_extension=ulid
-fi
-echo "Adding pgx_ulid"
-shared_libraries=$(jq -r '.cluster.settings[] | select(.name=="shared_preload_libraries").value' ${SPEC_FILE})
-sed -i "s/${shared_libraries}/${shared_libraries},${ulid_extension}/" ${SPEC_FILE}
 echo "Overwrite tenant id and timeline id in spec file"
 sed -i "s/TENANT_ID/${tenant_id}/" ${SPEC_FILE}
 sed -i "s/TIMELINE_ID/${timeline_id}/" ${SPEC_FILE}
--- a/docker-compose/docker-compose.yml
+++ b/docker-compose/docker-compose.yml
@@ -29,7 +29,7 @@ services:

  pageserver:
    restart: always
-    image: ${REPOSITORY:-ghcr.io/neondatabase}/neon:${TAG:-latest}
+    image: ${REPOSITORY:-neondatabase}/neon:${TAG:-latest}
    environment:
      - AWS_ACCESS_KEY_ID=minio
      - AWS_SECRET_ACCESS_KEY=password
@@ -45,7 +45,7 @@ services:

  safekeeper1:
    restart: always
-    image: ${REPOSITORY:-ghcr.io/neondatabase}/neon:${TAG:-latest}
+    image: ${REPOSITORY:-neondatabase}/neon:${TAG:-latest}
    environment:
      - SAFEKEEPER_ADVERTISE_URL=safekeeper1:5454
      - SAFEKEEPER_ID=1
@@ -75,7 +75,7 @@ services:

  safekeeper2:
    restart: always
-    image: ${REPOSITORY:-ghcr.io/neondatabase}/neon:${TAG:-latest}
+    image: ${REPOSITORY:-neondatabase}/neon:${TAG:-latest}
    environment:
      - SAFEKEEPER_ADVERTISE_URL=safekeeper2:5454
      - SAFEKEEPER_ID=2
@@ -105,7 +105,7 @@ services:

  safekeeper3:
    restart: always
-    image: ${REPOSITORY:-ghcr.io/neondatabase}/neon:${TAG:-latest}
+    image: ${REPOSITORY:-neondatabase}/neon:${TAG:-latest}
    environment:
      - SAFEKEEPER_ADVERTISE_URL=safekeeper3:5454
      - SAFEKEEPER_ID=3
@@ -135,7 +135,7 @@ services:

  storage_broker:
    restart: always
-    image: ${REPOSITORY:-ghcr.io/neondatabase}/neon:${TAG:-latest}
+    image: ${REPOSITORY:-neondatabase}/neon:${TAG:-latest}
    ports:
      - 50051:50051
    command:
@@ -147,7 +147,7 @@ services:
    build:
      context: ./compute_wrapper/
      args:
-        - REPOSITORY=${REPOSITORY:-ghcr.io/neondatabase}
+        - REPOSITORY=${REPOSITORY:-neondatabase}
        - COMPUTE_IMAGE=compute-node-v${PG_VERSION:-16}
        - TAG=${COMPUTE_TAG:-${TAG:-latest}}
        - http_proxy=${http_proxy:-}
@@ -186,7 +186,7 @@ services:

  neon-test-extensions:
    profiles: ["test-extensions"]
-    image: ${REPOSITORY:-ghcr.io/neondatabase}/neon-test-extensions-v${PG_TEST_VERSION:-16}:${TEST_EXTENSIONS_TAG:-${TAG:-latest}}
+    image: ${REPOSITORY:-neondatabase}/neon-test-extensions-v${PG_TEST_VERSION:-16}:${TEST_EXTENSIONS_TAG:-${TAG:-latest}}
    environment:
      - PGPASSWORD=cloud_admin
    entrypoint:
--- a/docker-compose/docker_compose_test.sh
+++ b/docker-compose/docker_compose_test.sh
@@ -69,7 +69,7 @@ for pg_version in ${TEST_VERSION_ONLY-14 15 16 17}; do
        cat ../compute/patches/contrib_pg${pg_version}.patch | docker exec -i $TEST_CONTAINER_NAME bash -c "(cd /postgres && patch -p1)"
        # We are running tests now
        rm -f testout.txt testout_contrib.txt
-        docker exec -e USE_PGXS=1 -e SKIP=timescaledb-src,rdkit-src,postgis-src,pg_jsonschema-src,kq_imcx-src,wal2json_2_5-src,rag_jina_reranker_v1_tiny_en-src,rag_bge_small_en_v15-src \
+        docker exec -e USE_PGXS=1 -e SKIP=timescaledb-src,rdkit-src,postgis-src,pgx_ulid-src,pg_tiktoken-src,pg_jsonschema-src,kq_imcx-src,wal2json_2_5-src \
        $TEST_CONTAINER_NAME /run-tests.sh /ext-src | tee testout.txt && EXT_SUCCESS=1 || EXT_SUCCESS=0
        docker exec -e SKIP=start-scripts,postgres_fdw,ltree_plpython,jsonb_plpython,jsonb_plperl,hstore_plpython,hstore_plperl,dblink,bool_plperl \
        $TEST_CONTAINER_NAME /run-tests.sh /postgres/contrib | tee testout_contrib.txt && CONTRIB_SUCCESS=1 || CONTRIB_SUCCESS=0
--- a/docker-compose/ext-src/pg_tiktoken-src/Makefile
+++ b/docker-compose/ext-src/pg_tiktoken-src/Makefile
@@ -1,8 +0,0 @@
-PG_CONFIG ?= pg_config
-PG_REGRESS = $(shell dirname $$($(PG_CONFIG) --pgxs))/../../src/test/regress/pg_regress
-REGRESS = pg_tiktoken
-
-installcheck: regression-test
-
-regression-test:
-	$(PG_REGRESS) --inputdir=. --outputdir=. --dbname=contrib_regression $(REGRESS)
--- a/docker-compose/ext-src/pg_tiktoken-src/expected/pg_tiktoken.out
+++ b/docker-compose/ext-src/pg_tiktoken-src/expected/pg_tiktoken.out
@@ -1,53 +0,0 @@
-- Load the extension
-CREATE EXTENSION IF NOT EXISTS pg_tiktoken;
-- Test encoding function
-SELECT tiktoken_encode('cl100k_base', 'Hello world!');
- tiktoken_encode 
-----------------
- {9906,1917,0}
-(1 row)
-
-- Test token count function
-SELECT tiktoken_count('cl100k_base', 'Hello world!');
- tiktoken_count 
----------------
-              3
-(1 row)
-
-- Test encoding function with a different model
-SELECT tiktoken_encode('r50k_base', 'PostgreSQL is amazing!');
-     tiktoken_encode     
-------------------------
- {6307,47701,318,4998,0}
-(1 row)
-
-- Test token count function with the same model
-SELECT tiktoken_count('r50k_base', 'PostgreSQL is amazing!');
- tiktoken_count 
----------------
-              5
-(1 row)
-
-- Edge cases: Empty string
-SELECT tiktoken_encode('cl100k_base', '');
- tiktoken_encode 
-----------------
- {}
-(1 row)
-
-SELECT tiktoken_count('cl100k_base', '');
- tiktoken_count 
----------------
-              0
-(1 row)
-
-- Edge cases: Long text
-SELECT tiktoken_count('cl100k_base', repeat('word ', 100));
- tiktoken_count 
----------------
-            101
-(1 row)
-
-- Edge case: Invalid encoding
-SELECT tiktoken_encode('invalid_model', 'Test') AS should_fail;
-ERROR:  'invalid_model': unknown model or encoder
--- a/docker-compose/ext-src/pg_tiktoken-src/sql/pg_tiktoken.sql
+++ b/docker-compose/ext-src/pg_tiktoken-src/sql/pg_tiktoken.sql
@@ -1,24 +0,0 @@
-- Load the extension
-CREATE EXTENSION IF NOT EXISTS pg_tiktoken;
-
-- Test encoding function
-SELECT tiktoken_encode('cl100k_base', 'Hello world!');
-
-- Test token count function
-SELECT tiktoken_count('cl100k_base', 'Hello world!');
-
-- Test encoding function with a different model
-SELECT tiktoken_encode('r50k_base', 'PostgreSQL is amazing!');
-
-- Test token count function with the same model
-SELECT tiktoken_count('r50k_base', 'PostgreSQL is amazing!');
-
-- Edge cases: Empty string
-SELECT tiktoken_encode('cl100k_base', '');
-SELECT tiktoken_count('cl100k_base', '');
-
-- Edge cases: Long text
-SELECT tiktoken_count('cl100k_base', repeat('word ', 100));
-
-- Edge case: Invalid encoding
-SELECT tiktoken_encode('invalid_model', 'Test') AS should_fail;
--- a/docker-compose/ext-src/pgrag-src/Makefile
+++ b/docker-compose/ext-src/pgrag-src/Makefile
@@ -1,10 +0,0 @@
-EXTENSION = rag
-MODULE_big = rag
-OBJS = $(patsubst %.rs,%.o,$(wildcard src/*.rs))
-
-REGRESS = basic_functions text_processing api_keys chunking_functions document_processing embedding_api_functions voyageai_functions
-REGRESS_OPTS = --load-extension=vector --load-extension=rag
-
-PG_CONFIG = pg_config
-PGXS := $(shell $(PG_CONFIG) --pgxs)
-include $(PGXS)
--- a/docker-compose/ext-src/pgrag-src/expected/api_keys.out
+++ b/docker-compose/ext-src/pgrag-src/expected/api_keys.out
@@ -1,49 +0,0 @@
-- API key function tests
-SELECT rag.anthropic_set_api_key('test_key');
- anthropic_set_api_key 
-----------------------
- 
-(1 row)
-
-SELECT rag.anthropic_get_api_key();
- anthropic_get_api_key 
-----------------------
- test_key
-(1 row)
-
-SELECT rag.openai_set_api_key('test_key');
- openai_set_api_key 
--------------------
- 
-(1 row)
-
-SELECT rag.openai_get_api_key();
- openai_get_api_key 
--------------------
- test_key
-(1 row)
-
-SELECT rag.fireworks_set_api_key('test_key');
- fireworks_set_api_key 
-----------------------
- 
-(1 row)
-
-SELECT rag.fireworks_get_api_key();
- fireworks_get_api_key 
-----------------------
- test_key
-(1 row)
-
-SELECT rag.voyageai_set_api_key('test_key');
- voyageai_set_api_key 
----------------------
- 
-(1 row)
-
-SELECT rag.voyageai_get_api_key();
- voyageai_get_api_key 
----------------------
- test_key
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/basic_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/basic_functions.out
@@ -1,13 +0,0 @@
-- Basic function tests
-SELECT rag.markdown_from_html('<p>Hello</p>');
- markdown_from_html 
--------------------
- Hello
-(1 row)
-
-SELECT array_length(rag.chunks_by_character_count('the cat sat on the mat', 10, 5), 1);
- array_length 
--------------
-            3
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/chunking_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/chunking_functions.out
@@ -1,31 +0,0 @@
-- Chunking function tests
-SELECT rag.chunks_by_character_count('the cat sat on the mat', 10, 5);
-       chunks_by_character_count       
---------------------------------------
- {"the cat","cat sat on","on the mat"}
-(1 row)
-
-SELECT rag.chunks_by_character_count('Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.', 20, 10);
-                                                                                     chunks_by_character_count                                                                                      
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- {"Lorem ipsum dolor","dolor sit amet,","amet, consectetur","adipiscing elit.","Sed do eiusmod","do eiusmod tempor","tempor incididunt ut","ut labore et dolore","et dolore magna","magna aliqua."}
-(1 row)
-
-SELECT (rag.chunks_by_character_count('the cat', 10, 0))[1];
- chunks_by_character_count 
---------------------------
- the cat
-(1 row)
-
-SELECT rag.chunks_by_character_count('', 10, 5);
- chunks_by_character_count 
---------------------------
- {}
-(1 row)
-
-SELECT rag.chunks_by_character_count('a b c d e f g h i j k l m n o p', 5, 2);
-                    chunks_by_character_count                    
-----------------------------------------------------------------
- {"a b c","c d e","e f g","g h i","i j k","k l m","m n o","o p"}
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/document_processing.out
+++ b/docker-compose/ext-src/pgrag-src/expected/document_processing.out
@@ -1,56 +0,0 @@
-- HTML to Markdown conversion tests
-SELECT rag.markdown_from_html('<p>Hello</p>');
- markdown_from_html 
--------------------
- Hello
-(1 row)
-
-SELECT rag.markdown_from_html('<p>Hello <i>world</i></p>');
- markdown_from_html 
--------------------
- Hello _world_
-(1 row)
-
-SELECT rag.markdown_from_html('<h1>Title</h1><p>Paragraph</p>');
- markdown_from_html 
--------------------
- # Title           +
-                   +
- Paragraph
-(1 row)
-
-SELECT rag.markdown_from_html('<ul><li>Item 1</li><li>Item 2</li></ul>');
- markdown_from_html 
--------------------
- *   Item 1        +
- *   Item 2
-(1 row)
-
-SELECT rag.markdown_from_html('<a href="https://example.com">Link</a>');
-     markdown_from_html      
-----------------------------
- [Link](https://example.com)
-(1 row)
-
-- Note: text_from_pdf and text_from_docx require binary input which is harder to test in regression tests
-- We'll test that the functions exist and have the right signature
-SELECT 'text_from_pdf_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'text_from_pdf'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-      test_name       | result 
----------------------+--------
- text_from_pdf_exists | t
-(1 row)
-
-SELECT 'text_from_docx_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'text_from_docx'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-       test_name       | result 
-----------------------+--------
- text_from_docx_exists | t
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/embedding_api_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/embedding_api_functions.out
@@ -1,103 +0,0 @@
-- Test embedding functions exist with correct signatures
-- OpenAI embedding functions
-SELECT 'openai_text_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-          test_name           | result 
------------------------------+--------
- openai_text_embedding_exists | t
-(1 row)
-
-SELECT 'openai_text_embedding_3_small_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_3_small'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name               | result 
--------------------------------------+--------
- openai_text_embedding_3_small_exists | t
-(1 row)
-
-SELECT 'openai_text_embedding_3_large_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_3_large'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name               | result 
--------------------------------------+--------
- openai_text_embedding_3_large_exists | t
-(1 row)
-
-SELECT 'openai_text_embedding_ada_002_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_ada_002'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name               | result 
--------------------------------------+--------
- openai_text_embedding_ada_002_exists | t
-(1 row)
-
-- Fireworks embedding functions
-SELECT 'fireworks_nomic_embed_text_v1_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_nomic_embed_text_v1'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name               | result 
--------------------------------------+--------
- fireworks_nomic_embed_text_v1_exists | t
-(1 row)
-
-SELECT 'fireworks_nomic_embed_text_v15_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_nomic_embed_text_v15'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-               test_name               | result 
---------------------------------------+--------
- fireworks_nomic_embed_text_v15_exists | t
-(1 row)
-
-SELECT 'fireworks_text_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name            | result 
---------------------------------+--------
- fireworks_text_embedding_exists | t
-(1 row)
-
-SELECT 'fireworks_text_embedding_thenlper_gte_base_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_thenlper_gte_base'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-                     test_name                     | result 
---------------------------------------------------+--------
- fireworks_text_embedding_thenlper_gte_base_exists | t
-(1 row)
-
-SELECT 'fireworks_text_embedding_thenlper_gte_large_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_thenlper_gte_large'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-                     test_name                      | result 
----------------------------------------------------+--------
- fireworks_text_embedding_thenlper_gte_large_exists | t
-(1 row)
-
-SELECT 'fireworks_text_embedding_whereisai_uae_large_v1_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_whereisai_uae_large_v1'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-                       test_name                        | result 
--------------------------------------------------------+--------
- fireworks_text_embedding_whereisai_uae_large_v1_exists | t
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/embedding_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/embedding_functions.out
@@ -1,9 +0,0 @@
-BEGIN
-CREATE EXTENSION IF NOT EXISTS vector;
-DROP EXTENSION IF EXISTS rag CASCADE;
-CREATE EXTENSION rag CASCADE;
-test_name|result
-openai_embedding_dimensions_test|t
-test_name|result
-fireworks_embedding_dimensions_test|t
-COMMIT
--- a/docker-compose/ext-src/pgrag-src/expected/text_processing.out
+++ b/docker-compose/ext-src/pgrag-src/expected/text_processing.out
@@ -1,13 +0,0 @@
-- Text processing function tests
-SELECT rag.markdown_from_html('<p>Hello <i>world</i></p>');
- markdown_from_html 
--------------------
- Hello _world_
-(1 row)
-
-SELECT rag.chunks_by_character_count('the cat sat on the mat', 10, 5);
-       chunks_by_character_count       
---------------------------------------
- {"the cat","cat sat on","on the mat"}
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/voyageai_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/voyageai_functions.out
@@ -1,141 +0,0 @@
-- Test VoyageAI API key functions
-SELECT 'voyageai_api_key_test' AS test_name, 
-       (SELECT rag.voyageai_set_api_key('test_key') IS NULL) AS result;
-       test_name       | result 
-----------------------+--------
- voyageai_api_key_test | t
-(1 row)
-
-SELECT 'voyageai_get_api_key_test' AS test_name,
-       (SELECT rag.voyageai_get_api_key() = 'test_key') AS result;
-         test_name         | result 
---------------------------+--------
- voyageai_get_api_key_test | t
-(1 row)
-
-- Test VoyageAI embedding functions exist
-SELECT 'voyageai_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-         test_name         | result 
---------------------------+--------
- voyageai_embedding_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_3_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_3'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-          test_name          | result 
-----------------------------+--------
- voyageai_embedding_3_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_3_lite_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_3_lite'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name             | result 
----------------------------------+--------
- voyageai_embedding_3_lite_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_code_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_code_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name             | result 
----------------------------------+--------
- voyageai_embedding_code_2_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_finance_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_finance_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name              | result 
-------------------------------------+--------
- voyageai_embedding_finance_2_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_law_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_law_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name            | result 
---------------------------------+--------
- voyageai_embedding_law_2_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_multilingual_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_multilingual_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-                test_name                 | result 
------------------------------------------+--------
- voyageai_embedding_multilingual_2_exists | t
-(1 row)
-
-- Test VoyageAI reranking functions exist
-SELECT 'voyageai_rerank_distance_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_distance'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name            | result 
---------------------------------+--------
- voyageai_rerank_distance_exists | t
-(1 row)
-
-SELECT 'voyageai_rerank_score_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_score'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-          test_name           | result 
------------------------------+--------
- voyageai_rerank_score_exists | t
-(1 row)
-
-- Test VoyageAI function signatures
-SELECT 'voyageai_embedding_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs = 3;
-          test_name           | result 
------------------------------+--------
- voyageai_embedding_signature | t
-(1 row)
-
-SELECT 'voyageai_rerank_distance_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_distance'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs IN (3, 4);
-             test_name              | result 
------------------------------------+--------
- voyageai_rerank_distance_signature | t
-(1 row)
-
-SELECT 'voyageai_rerank_score_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_score'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs IN (3, 4);
-            test_name            | result 
---------------------------------+--------
- voyageai_rerank_score_signature | t
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/sql/api_keys.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/api_keys.sql
@@ -1,16 +0,0 @@
-- API key function tests
-SELECT rag.anthropic_set_api_key('test_key');
-
-SELECT rag.anthropic_get_api_key();
-
-SELECT rag.openai_set_api_key('test_key');
-
-SELECT rag.openai_get_api_key();
-
-SELECT rag.fireworks_set_api_key('test_key');
-
-SELECT rag.fireworks_get_api_key();
-
-SELECT rag.voyageai_set_api_key('test_key');
-
-SELECT rag.voyageai_get_api_key();
--- a/docker-compose/ext-src/pgrag-src/sql/basic_functions.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/basic_functions.sql
@@ -1,4 +0,0 @@
-- Basic function tests
-SELECT rag.markdown_from_html('<p>Hello</p>');
-
-SELECT array_length(rag.chunks_by_character_count('the cat sat on the mat', 10, 5), 1);
--- a/docker-compose/ext-src/pgrag-src/sql/chunking_functions.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/chunking_functions.sql
@@ -1,11 +0,0 @@
-- Chunking function tests
-SELECT rag.chunks_by_character_count('the cat sat on the mat', 10, 5);
-
-SELECT rag.chunks_by_character_count('Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.', 20, 10);
-
-SELECT (rag.chunks_by_character_count('the cat', 10, 0))[1];
-
-SELECT rag.chunks_by_character_count('', 10, 5);
-
-SELECT rag.chunks_by_character_count('a b c d e f g h i j k l m n o p', 5, 2);
-
--- a/docker-compose/ext-src/pgrag-src/sql/document_processing.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/document_processing.sql
@@ -1,24 +0,0 @@
-- HTML to Markdown conversion tests
-SELECT rag.markdown_from_html('<p>Hello</p>');
-
-SELECT rag.markdown_from_html('<p>Hello <i>world</i></p>');
-
-SELECT rag.markdown_from_html('<h1>Title</h1><p>Paragraph</p>');
-
-SELECT rag.markdown_from_html('<ul><li>Item 1</li><li>Item 2</li></ul>');
-
-SELECT rag.markdown_from_html('<a href="https://example.com">Link</a>');
-
-- Note: text_from_pdf and text_from_docx require binary input which is harder to test in regression tests
-- We'll test that the functions exist and have the right signature
-SELECT 'text_from_pdf_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'text_from_pdf'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'text_from_docx_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'text_from_docx'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
--- a/docker-compose/ext-src/pgrag-src/sql/embedding_api_functions.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/embedding_api_functions.sql
@@ -1,62 +0,0 @@
-- Test embedding functions exist with correct signatures
-- OpenAI embedding functions
-SELECT 'openai_text_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'openai_text_embedding_3_small_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_3_small'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'openai_text_embedding_3_large_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_3_large'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'openai_text_embedding_ada_002_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_ada_002'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-- Fireworks embedding functions
-SELECT 'fireworks_nomic_embed_text_v1_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_nomic_embed_text_v1'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_nomic_embed_text_v15_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_nomic_embed_text_v15'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_text_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_text_embedding_thenlper_gte_base_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_thenlper_gte_base'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_text_embedding_thenlper_gte_large_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_thenlper_gte_large'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_text_embedding_whereisai_uae_large_v1_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_whereisai_uae_large_v1'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
--- a/docker-compose/ext-src/pgrag-src/sql/text_processing.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/text_processing.sql
@@ -1,4 +0,0 @@
-- Text processing function tests
-SELECT rag.markdown_from_html('<p>Hello <i>world</i></p>');
-
-SELECT rag.chunks_by_character_count('the cat sat on the mat', 10, 5);
--- a/docker-compose/ext-src/pgrag-src/sql/voyageai_functions.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/voyageai_functions.sql
@@ -1,84 +0,0 @@
-- Test VoyageAI API key functions
-SELECT 'voyageai_api_key_test' AS test_name, 
-       (SELECT rag.voyageai_set_api_key('test_key') IS NULL) AS result;
-
-SELECT 'voyageai_get_api_key_test' AS test_name,
-       (SELECT rag.voyageai_get_api_key() = 'test_key') AS result;
-
-- Test VoyageAI embedding functions exist
-SELECT 'voyageai_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_3_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_3'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_3_lite_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_3_lite'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_code_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_code_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_finance_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_finance_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_law_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_law_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_multilingual_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_multilingual_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-- Test VoyageAI reranking functions exist
-SELECT 'voyageai_rerank_distance_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_distance'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_rerank_score_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_score'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-- Test VoyageAI function signatures
-SELECT 'voyageai_embedding_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs = 3;
-
-SELECT 'voyageai_rerank_distance_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_distance'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs IN (3, 4);
-
-SELECT 'voyageai_rerank_score_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_score'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs IN (3, 4);
--- a/docker-compose/ext-src/pgx_ulid-src/Makefile
+++ b/docker-compose/ext-src/pgx_ulid-src/Makefile
@@ -1,16 +0,0 @@
-EXTENSION = pgx_ulid
-
-PGFILEDESC = "pgx_ulid - ULID type for PostgreSQL"
-
-PG_CONFIG ?= pg_config
-PGXS := $(shell $(PG_CONFIG) --pgxs)
-PG_MAJOR_VERSION := $(word 2, $(subst ., , $(shell $(PG_CONFIG) --version)))
-ifeq ($(shell test $(PG_MAJOR_VERSION) -lt 17; echo $$?),0)
-  REGRESS_OPTS = --load-extension=ulid
-  REGRESS = 00_ulid_generation 01_ulid_conversions 03_ulid_errors
-else
-  REGRESS_OPTS = --load-extension=pgx_ulid
-  REGRESS = 00_ulid_generation 01_ulid_conversions 02_ulid_conversions 03_ulid_errors
-endif
-
-include $(PGXS)
--- a/docker-compose/ext-src/pgx_ulid-src/expected/00_ulid_generation.out
+++ b/docker-compose/ext-src/pgx_ulid-src/expected/00_ulid_generation.out
@@ -1,60 +0,0 @@
-- Test basic ULID generation
-- Test gen_ulid() function
-SELECT 'gen_ulid() returns a non-null value' as test_name,
-       gen_ulid() IS NOT NULL as result;
-              test_name              | result 
-------------------------------------+--------
- gen_ulid() returns a non-null value | t
-(1 row)
-
-- Test that multiple calls to gen_ulid() return different values
-SELECT 'gen_ulid() returns unique values' as test_name,
-       gen_ulid() != gen_ulid() as result;
-            test_name             | result 
----------------------------------+--------
- gen_ulid() returns unique values | t
-(1 row)
-
-- Test that gen_ulid() returns a value with the correct format
-SELECT 'gen_ulid() returns correctly formatted value' as test_name,
-       length(gen_ulid()::text) = 26 as result;
-                  test_name                   | result 
----------------------------------------------+--------
- gen_ulid() returns correctly formatted value | t
-(1 row)
-
-- Test monotonic ULID generation
-SELECT 'gen_monotonic_ulid() returns a non-null value' as test_name,
-       gen_monotonic_ulid() IS NOT NULL as result;
-                   test_name                   | result 
-----------------------------------------------+--------
- gen_monotonic_ulid() returns a non-null value | t
-(1 row)
-
-- Test that multiple calls to gen_monotonic_ulid() return different values
-SELECT 'gen_monotonic_ulid() returns unique values' as test_name,
-       gen_monotonic_ulid() != gen_monotonic_ulid() as result;
-                 test_name                  | result 
--------------------------------------------+--------
- gen_monotonic_ulid() returns unique values | t
-(1 row)
-
-- Test that gen_monotonic_ulid() returns a value with the correct format
-SELECT 'gen_monotonic_ulid() returns correctly formatted value' as test_name,
-       length(gen_monotonic_ulid()::text) = 26 as result;
-                       test_name                        | result 
--------------------------------------------------------+--------
- gen_monotonic_ulid() returns correctly formatted value | t
-(1 row)
-
-- Test that monotonic ULIDs are ordered correctly
-SELECT 'gen_monotonic_ulid() returns ordered values' as test_name,
-       u1 < u2 as result
-FROM (
-    SELECT gen_monotonic_ulid() as u1, gen_monotonic_ulid() as u2
-) subq;
-                  test_name                  | result 
---------------------------------------------+--------
- gen_monotonic_ulid() returns ordered values | t
-(1 row)
-
--- a/docker-compose/ext-src/pgx_ulid-src/expected/01_ulid_conversions.out
+++ b/docker-compose/ext-src/pgx_ulid-src/expected/01_ulid_conversions.out
@@ -1,55 +0,0 @@
-- Create a test ULID value
-CREATE TEMP TABLE test_ulids AS
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYV'::ulid as test_ulid;
-- Test conversion to text
-SELECT 'ulid to text conversion' as test_name,
-       test_ulid::text = '01GV5PA9EQG7D82Q3Y4PKBZSYV' as result
-FROM test_ulids;
-        test_name        | result 
-------------------------+--------
- ulid to text conversion | t
-(1 row)
-
-- Test conversion to UUID
-SELECT 'ulid to UUID conversion' as test_name,
-       test_ulid::uuid::text = '0186cb65-25d7-81da-815c-7e25a6bfe7db' as result
-FROM test_ulids;
-        test_name        | result 
-------------------------+--------
- ulid to UUID conversion | t
-(1 row)
-
-- Test conversion to bytea
-SELECT 'ulid to bytea conversion' as test_name,
-       length(test_ulid::bytea) = 16 as result
-FROM test_ulids;
-        test_name         | result 
--------------------------+--------
- ulid to bytea conversion | t
-(1 row)
-
-- Test conversion to timestamp
-SELECT 'ulid to timestamp conversion' as test_name,
-       to_char(test_ulid::timestamp, 'YYYY-MM-DD HH24:MI:SS.MS') = '2023-03-10 04:00:49.111' as result
-FROM test_ulids;
-          test_name           | result 
------------------------------+--------
- ulid to timestamp conversion | t
-(1 row)
-
-- Test conversion from UUID
-SELECT 'UUID to ulid conversion' as test_name,
-       '0186cb65-25d7-81da-815c-7e25a6bfe7db'::uuid::ulid::text = '01GV5PA9EQG7D82Q3Y4PKBZSYV' as result;
-        test_name        | result 
-------------------------+--------
- UUID to ulid conversion | t
-(1 row)
-
-- Test conversion from timestamp
-SELECT 'timestamp to ulid conversion' as test_name,
-       '2023-03-10 12:00:49.111'::timestamp::ulid::text = '01GV5PA9EQ0000000000000000' as result;
-          test_name           | result 
------------------------------+--------
- timestamp to ulid conversion | t
-(1 row)
-
--- a/docker-compose/ext-src/pgx_ulid-src/expected/02_ulid_conversions.out
+++ b/docker-compose/ext-src/pgx_ulid-src/expected/02_ulid_conversions.out
@@ -1,8 +0,0 @@
-- Test conversion from timestamptz
-SELECT 'timestamptz to ulid conversion' as test_name,
-       '2023-03-10 04:00:49.111'::timestamptz::ulid::text = '01GV5PA9EQ0000000000000000' as result;
-           test_name            | result 
--------------------------------+--------
- timestamptz to ulid conversion | t
-(1 row)
-
--- a/docker-compose/ext-src/pgx_ulid-src/expected/03_ulid_errors.out
+++ b/docker-compose/ext-src/pgx_ulid-src/expected/03_ulid_errors.out
@@ -1,19 +0,0 @@
-- Test ULID error handling
-- Test invalid ULID string (too short)
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSY'::ulid;
-ERROR:  invalid input syntax for type ulid: "01GV5PA9EQG7D82Q3Y4PKBZSY": invalid length
-LINE 1: SELECT '01GV5PA9EQG7D82Q3Y4PKBZSY'::ulid;
-               ^
-- Test invalid ULID string (invalid character)
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYU'::ulid;
-ERROR:  invalid input syntax for type ulid: "01GV5PA9EQG7D82Q3Y4PKBZSYU": invalid character
-LINE 1: SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYU'::ulid;
-               ^
-- Test NULL handling
-SELECT 'NULL to ulid conversion returns NULL' as test_name,
-       NULL::ulid IS NULL as result;
-              test_name               | result 
--------------------------------------+--------
- NULL to ulid conversion returns NULL | t
-(1 row)
-
--- a/docker-compose/ext-src/pgx_ulid-src/sql/00_ulid_generation.sql
+++ b/docker-compose/ext-src/pgx_ulid-src/sql/00_ulid_generation.sql
@@ -1,32 +0,0 @@
-- Test basic ULID generation
-
-- Test gen_ulid() function
-SELECT 'gen_ulid() returns a non-null value' as test_name,
-       gen_ulid() IS NOT NULL as result;
-
-- Test that multiple calls to gen_ulid() return different values
-SELECT 'gen_ulid() returns unique values' as test_name,
-       gen_ulid() != gen_ulid() as result;
-
-- Test that gen_ulid() returns a value with the correct format
-SELECT 'gen_ulid() returns correctly formatted value' as test_name,
-       length(gen_ulid()::text) = 26 as result;
-
-- Test monotonic ULID generation
-SELECT 'gen_monotonic_ulid() returns a non-null value' as test_name,
-       gen_monotonic_ulid() IS NOT NULL as result;
-
-- Test that multiple calls to gen_monotonic_ulid() return different values
-SELECT 'gen_monotonic_ulid() returns unique values' as test_name,
-       gen_monotonic_ulid() != gen_monotonic_ulid() as result;
-
-- Test that gen_monotonic_ulid() returns a value with the correct format
-SELECT 'gen_monotonic_ulid() returns correctly formatted value' as test_name,
-       length(gen_monotonic_ulid()::text) = 26 as result;
-
-- Test that monotonic ULIDs are ordered correctly
-SELECT 'gen_monotonic_ulid() returns ordered values' as test_name,
-       u1 < u2 as result
-FROM (
-    SELECT gen_monotonic_ulid() as u1, gen_monotonic_ulid() as u2
-) subq;
--- a/docker-compose/ext-src/pgx_ulid-src/sql/01_ulid_conversions.sql
+++ b/docker-compose/ext-src/pgx_ulid-src/sql/01_ulid_conversions.sql
@@ -1,32 +0,0 @@
-- Create a test ULID value
-CREATE TEMP TABLE test_ulids AS
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYV'::ulid as test_ulid;
-
-- Test conversion to text
-SELECT 'ulid to text conversion' as test_name,
-       test_ulid::text = '01GV5PA9EQG7D82Q3Y4PKBZSYV' as result
-FROM test_ulids;
-
-- Test conversion to UUID
-SELECT 'ulid to UUID conversion' as test_name,
-       test_ulid::uuid::text = '0186cb65-25d7-81da-815c-7e25a6bfe7db' as result
-FROM test_ulids;
-
-- Test conversion to bytea
-SELECT 'ulid to bytea conversion' as test_name,
-       length(test_ulid::bytea) = 16 as result
-FROM test_ulids;
-
-- Test conversion to timestamp
-SELECT 'ulid to timestamp conversion' as test_name,
-       to_char(test_ulid::timestamp, 'YYYY-MM-DD HH24:MI:SS.MS') = '2023-03-10 04:00:49.111' as result
-FROM test_ulids;
-
-- Test conversion from UUID
-SELECT 'UUID to ulid conversion' as test_name,
-       '0186cb65-25d7-81da-815c-7e25a6bfe7db'::uuid::ulid::text = '01GV5PA9EQG7D82Q3Y4PKBZSYV' as result;
-
-- Test conversion from timestamp
-SELECT 'timestamp to ulid conversion' as test_name,
-       '2023-03-10 12:00:49.111'::timestamp::ulid::text = '01GV5PA9EQ0000000000000000' as result;
-
--- a/docker-compose/ext-src/pgx_ulid-src/sql/02_ulid_conversions.sql
+++ b/docker-compose/ext-src/pgx_ulid-src/sql/02_ulid_conversions.sql
@@ -1,3 +0,0 @@
-- Test conversion from timestamptz
-SELECT 'timestamptz to ulid conversion' as test_name,
-       '2023-03-10 04:00:49.111'::timestamptz::ulid::text = '01GV5PA9EQ0000000000000000' as result;
--- a/docker-compose/ext-src/pgx_ulid-src/sql/03_ulid_errors.sql
+++ b/docker-compose/ext-src/pgx_ulid-src/sql/03_ulid_errors.sql
@@ -1,12 +0,0 @@
-- Test ULID error handling
-
-- Test invalid ULID string (too short)
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSY'::ulid;
-
-- Test invalid ULID string (invalid character)
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYU'::ulid;
-
-- Test NULL handling
-SELECT 'NULL to ulid conversion returns NULL' as test_name,
-       NULL::ulid IS NULL as result;
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/Makefile
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/Makefile
@@ -1,10 +0,0 @@
-EXTENSION = rag_bge_small_en_v15
-MODULE_big = rag_bge_small_en_v15
-OBJS = $(patsubst %.rs,%.o,$(wildcard src/*.rs))
-
-REGRESS = basic_functions embedding_functions basic_functions_enhanced embedding_functions_enhanced
-REGRESS_OPTS = --load-extension=vector --load-extension=rag_bge_small_en_v15
-
-PG_CONFIG = pg_config
-PGXS := $(shell $(PG_CONFIG) --pgxs)
-include $(PGXS)
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/basic_functions.out
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/basic_functions.out
@@ -1,7 +0,0 @@
-- Basic function tests
-SELECT rag_bge_small_en_v15.chunks_by_token_count('the cat sat on the mat', 3, 2);
-                 chunks_by_token_count                  
--------------------------------------------------------
- {"the cat sat","cat sat on","sat on the","on the mat"}
-(1 row)
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/basic_functions_enhanced.out
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/basic_functions_enhanced.out
@@ -1,31 +0,0 @@
-- Basic function tests for chunks_by_token_count
-SELECT rag_bge_small_en_v15.chunks_by_token_count('the cat sat on the mat', 3, 2);
-                 chunks_by_token_count                  
--------------------------------------------------------
- {"the cat sat","cat sat on","sat on the","on the mat"}
-(1 row)
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.', 5, 2);
-                                                                              chunks_by_token_count                                                                              
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- {"Lorem ipsum","ipsum dolor sit","sit amet,",consectetur,"adipiscing elit",elit.,"Sed do","do eiusmod",tempor,"incididunt ut","ut labore et","et dolore magna","magna aliqua."}
-(1 row)
-
-SELECT (rag_bge_small_en_v15.chunks_by_token_count('the cat', 5, 0))[1];
- chunks_by_token_count 
-----------------------
- the cat
-(1 row)
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('', 5, 2);
- chunks_by_token_count 
-----------------------
- {}
-(1 row)
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('a b c d e f g h i j k l m n o p', 3, 1);
-                      chunks_by_token_count                      
-----------------------------------------------------------------
- {"a b c","c d e","e f g","g h i","i j k","k l m","m n o","o p"}
-(1 row)
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/embedding_functions.out
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/embedding_functions.out
@@ -1,15 +0,0 @@
-- Embedding function tests
-SELECT 'embedding_for_passage_test' AS test_name, 
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('the cat sat on the mat')) > 0 AS result;
-         test_name          | result 
----------------------------+--------
- embedding_for_passage_test | t
-(1 row)
-
-SELECT 'embedding_for_query_test' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('the cat sat on the mat')) > 0 AS result;
-        test_name         | result 
--------------------------+--------
- embedding_for_query_test | t
-(1 row)
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/embedding_functions_enhanced.out
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/embedding_functions_enhanced.out
@@ -1,52 +0,0 @@
-- Embedding function tests
-SELECT 'embedding_for_passage_test_1' AS test_name, 
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('the cat sat on the mat')) > 0 AS result;
-          test_name           | result 
------------------------------+--------
- embedding_for_passage_test_1 | t
-(1 row)
-
-SELECT 'embedding_for_passage_test_2' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('Lorem ipsum dolor sit amet')) > 0 AS result;
-          test_name           | result 
------------------------------+--------
- embedding_for_passage_test_2 | t
-(1 row)
-
-SELECT 'embedding_for_passage_test_3' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('')) > 0 AS result;
-          test_name           | result 
------------------------------+--------
- embedding_for_passage_test_3 | t
-(1 row)
-
-SELECT 'embedding_for_query_test_1' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('the cat sat on the mat')) > 0 AS result;
-         test_name          | result 
----------------------------+--------
- embedding_for_query_test_1 | t
-(1 row)
-
-SELECT 'embedding_for_query_test_2' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('Lorem ipsum dolor sit amet')) > 0 AS result;
-         test_name          | result 
----------------------------+--------
- embedding_for_query_test_2 | t
-(1 row)
-
-SELECT 'embedding_for_query_test_3' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('')) > 0 AS result;
-         test_name          | result 
----------------------------+--------
- embedding_for_query_test_3 | t
-(1 row)
-
-- Test that passage and query embeddings have the same dimensions
-SELECT 'embedding_dimensions_match' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('test')) = 
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('test')) AS result;
-         test_name          | result 
----------------------------+--------
- embedding_dimensions_match | t
-(1 row)
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/basic_functions.sql
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/basic_functions.sql
@@ -1,2 +0,0 @@
-- Basic function tests
-SELECT rag_bge_small_en_v15.chunks_by_token_count('the cat sat on the mat', 3, 2);
--- a/Show More
+++ b/Show More