Remove VPC endpoint operations as requested

Co-Authored-By: peterbendel@neon.tech <peterbendel@neon.tech>
Fix Python formatting issues
2026-05-21 07:00:38 +00:00 · 2025-03-19 09:16:03 +00:00 · 2025-03-19 09:11:59 +00:00 · 2025-03-19 09:07:42 +00:00
370 changed files with 5555 additions and 8801 deletions
--- a/.github/actionlint.yml
+++ b/.github/actionlint.yml
@@ -8,7 +8,6 @@ self-hosted-runner:
    - small-arm64
    - us-east-2
 config-variables:
-  - AWS_ECR_REGION
  - AZURE_DEV_CLIENT_ID
  - AZURE_DEV_REGISTRY_NAME
  - AZURE_DEV_SUBSCRIPTION_ID
@@ -16,25 +15,23 @@ config-variables:
  - AZURE_PROD_REGISTRY_NAME
  - AZURE_PROD_SUBSCRIPTION_ID
  - AZURE_TENANT_ID
-  - BENCHMARK_INGEST_TARGET_PROJECTID
-  - BENCHMARK_LARGE_OLTP_PROJECTID
  - BENCHMARK_PROJECT_ID_PUB
  - BENCHMARK_PROJECT_ID_SUB
-  - DEV_AWS_OIDC_ROLE_ARN
-  - DEV_AWS_OIDC_ROLE_MANAGE_BENCHMARK_EC2_VMS_ARN
-  - HETZNER_CACHE_BUCKET
-  - HETZNER_CACHE_ENDPOINT
-  - HETZNER_CACHE_REGION
-  - NEON_DEV_AWS_ACCOUNT_ID
-  - NEON_PROD_AWS_ACCOUNT_ID
-  - PGREGRESS_PG16_PROJECT_ID
-  - PGREGRESS_PG17_PROJECT_ID
  - REMOTE_STORAGE_AZURE_CONTAINER
  - REMOTE_STORAGE_AZURE_REGION
-  - SLACK_CICD_CHANNEL_ID
-  - SLACK_ON_CALL_DEVPROD_STREAM
-  - SLACK_ON_CALL_QA_STAGING_STREAM
-  - SLACK_ON_CALL_STORAGE_STAGING_STREAM
-  - SLACK_RUST_CHANNEL_ID
-  - SLACK_STORAGE_CHANNEL_ID
  - SLACK_UPCOMING_RELEASE_CHANNEL_ID
+  - DEV_AWS_OIDC_ROLE_ARN
+  - BENCHMARK_INGEST_TARGET_PROJECTID
+  - PGREGRESS_PG16_PROJECT_ID
+  - PGREGRESS_PG17_PROJECT_ID
+  - SLACK_ON_CALL_QA_STAGING_STREAM
+  - DEV_AWS_OIDC_ROLE_MANAGE_BENCHMARK_EC2_VMS_ARN
+  - SLACK_ON_CALL_STORAGE_STAGING_STREAM
+  - SLACK_CICD_CHANNEL_ID
+  - SLACK_STORAGE_CHANNEL_ID
+  - NEON_DEV_AWS_ACCOUNT_ID
+  - NEON_PROD_AWS_ACCOUNT_ID
+  - AWS_ECR_REGION
+  - BENCHMARK_LARGE_OLTP_PROJECTID
+  - SLACK_ON_CALL_DEVPROD_STREAM
+  - SLACK_RUST_CHANNEL_ID
--- a/.github/workflows/_benchmarking_preparation.yml
+++ b/.github/workflows/_benchmarking_preparation.yml
@@ -8,9 +8,6 @@ defaults:
  run:
    shell: bash -euxo pipefail {0}

-permissions:
-  contents: read
-
 jobs:
  setup-databases:
    permissions:
@@ -37,11 +34,6 @@ jobs:
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Set up Connection String
      id: set-up-prep-connstr
      run: |
@@ -66,10 +58,10 @@ jobs:

        echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT

-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
--- a/.github/workflows/_build-and-test-locally.yml
+++ b/.github/workflows/_build-and-test-locally.yml
@@ -37,9 +37,6 @@ env:
  RUST_BACKTRACE: 1
  COPT: '-Werror'

-permissions:
-  contents: read
-
 jobs:
  build-neon:
    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', inputs.arch == 'arm64' && 'large-arm64' || 'large')) }}
@@ -62,12 +59,7 @@ jobs:
      BUILD_TAG: ${{ inputs.build-tag }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true

@@ -128,49 +120,29 @@ jobs:

      - name: Cache postgres v14 build
        id: cache_pg_14
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v14
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v14_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}

      - name: Cache postgres v15 build
        id: cache_pg_15
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v15
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v15_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}

      - name: Cache postgres v16 build
        id: cache_pg_16
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v16
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v16_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}

      - name: Cache postgres v17 build
        id: cache_pg_17
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v17
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ inputs.build-type }}-pg-${{ steps.pg_v17_rev.outputs.pg_rev }}-bookworm-${{ hashFiles('Makefile', 'build-tools.Dockerfile') }}

@@ -249,7 +221,7 @@ jobs:
          fi

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: eu-central-1
          role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -358,12 +330,7 @@ jobs:
      fail-fast: false
      matrix: ${{ fromJSON(format('{{"include":{0}}}', inputs.test-cfg)) }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true

--- a/.github/workflows/_check-codestyle-python.yml
+++ b/.github/workflows/_check-codestyle-python.yml
@@ -12,9 +12,6 @@ defaults:
  run:
    shell: bash -euxo pipefail {0}

-permissions:
-  contents: read
-
 jobs:
  check-codestyle-python:
    runs-on: [ self-hosted, small ]
@@ -30,21 +27,10 @@ jobs:
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
+      - uses: actions/checkout@v4

-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Cache poetry deps
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+      - uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: ~/.cache/pypoetry/virtualenvs
          key: v2-${{ runner.os }}-${{ runner.arch }}-python-deps-bookworm-${{ hashFiles('poetry.lock') }}

--- a/.github/workflows/_check-codestyle-rust.yml
+++ b/.github/workflows/_check-codestyle-rust.yml
@@ -37,24 +37,14 @@ jobs:
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

      - name: Cache cargo deps
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: |
            ~/.cargo/registry
            !~/.cargo/registry/src
--- a/.github/workflows/_create-release-pr.yml
+++ b/.github/workflows/_create-release-pr.yml
@@ -20,9 +20,6 @@ defaults:
  run:
    shell: bash -euo pipefail {0}

-permissions:
-  contents: read
-
 jobs:
  create-release-branch:
    runs-on: ubuntu-22.04
@@ -31,12 +28,7 @@ jobs:
      contents: write # for `git push`

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4
      with:
        ref: ${{ inputs.source-branch }}
        fetch-depth: 0
--- a/.github/workflows/_meta.yml
+++ b/.github/workflows/_meta.yml
@@ -5,16 +5,10 @@ on:
      github-event-name:
        type: string
        required: true
-      github-event-json:
-        type: string
-        required: true
    outputs:
      build-tag:
        description: "Tag for the current workflow run"
        value: ${{ jobs.tags.outputs.build-tag }}
-      release-tag:
-        description: "Tag for the release if this is an RC PR run"
-        value: ${{ jobs.tags.outputs.release-tag }}
      previous-storage-release:
        description: "Tag of the last storage release"
        value: ${{ jobs.tags.outputs.storage }}
@@ -30,9 +24,6 @@ on:
      release-pr-run-id:
        description: "Only available if `run-kind in [storage-release, proxy-release, compute-release]`. Contains the run ID of the `Build and Test` workflow, assuming one with the current commit can be found."
        value: ${{ jobs.tags.outputs.release-pr-run-id }}
-      sha:
-        description: "github.event.pull_request.head.sha on release PRs, github.sha otherwise"
-        value: ${{ jobs.tags.outputs.sha }}

 permissions: {}

@@ -44,22 +35,19 @@ jobs:
  tags:
    runs-on: ubuntu-22.04
    outputs:
-      build-tag: ${{ steps.build-tag.outputs.build-tag }}
-      release-tag: ${{ steps.build-tag.outputs.release-tag }}
+      build-tag: ${{ steps.build-tag.outputs.tag }}
      compute: ${{ steps.previous-releases.outputs.compute }}
      proxy: ${{ steps.previous-releases.outputs.proxy }}
      storage: ${{ steps.previous-releases.outputs.storage }}
      run-kind: ${{ steps.run-kind.outputs.run-kind }}
      release-pr-run-id: ${{ steps.release-pr-run-id.outputs.release-pr-run-id }}
-      sha: ${{ steps.sha.outputs.sha }}
    permissions:
      contents: read
    steps:
      # Need `fetch-depth: 0` to count the number of commits in the branch
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+      - uses: actions/checkout@v4
        with:
-          egress-policy: audit
+          fetch-depth: 0

      - name: Get run kind
        id: run-kind
@@ -81,23 +69,6 @@ jobs:
        run: |
          echo "run-kind=$RUN_KIND" | tee -a $GITHUB_OUTPUT

-      - name: Get the right SHA
-        id: sha
-        env:
-          SHA: >
-            ${{
-              contains(fromJSON('["storage-rc-pr", "proxy-rc-pr", "compute-rc-pr"]'), steps.run-kind.outputs.run-kind)
-              && fromJSON(inputs.github-event-json).pull_request.head.sha
-              || github.sha
-            }}
-        run: |
-          echo "sha=$SHA" | tee -a $GITHUB_OUTPUT
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-          ref: ${{ steps.sha.outputs.sha }}
-
      - name: Get build tag
        id: build-tag
        env:
@@ -108,16 +79,16 @@ jobs:
        run: |
          case $RUN_KIND in
          push-main)
-            echo "build-tag=$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
+            echo "tag=$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
            ;;
          storage-release)
-            echo "build-tag=release-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
+            echo "tag=release-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
            ;;
          proxy-release)
-            echo "build-tag=release-proxy-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
+            echo "tag=release-proxy-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
            ;;
          compute-release)
-            echo "build-tag=release-compute-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
+            echo "tag=release-compute-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
            ;;
          pr|storage-rc-pr|compute-rc-pr|proxy-rc-pr)
            BUILD_AND_TEST_RUN_ID=$(gh api --paginate \
@@ -125,21 +96,10 @@ jobs:
              -H "X-GitHub-Api-Version: 2022-11-28" \
              "/repos/${GITHUB_REPOSITORY}/actions/runs?head_sha=${CURRENT_SHA}&branch=${CURRENT_BRANCH}" \
              | jq '[.workflow_runs[] | select(.name == "Build and Test")][0].id // ("Error: No matching workflow run found." | halt_error(1))')
-            echo "build-tag=$BUILD_AND_TEST_RUN_ID" | tee -a $GITHUB_OUTPUT
-            case $RUN_KIND in
-            storage-rc-pr)
-              echo "release-tag=release-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
-              ;;
-            proxy-rc-pr)
-              echo "release-tag=release-proxy-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
-              ;;
-            compute-rc-pr)
-              echo "release-tag=release-compute-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
-              ;;
-            esac
+            echo "tag=$BUILD_AND_TEST_RUN_ID" | tee -a $GITHUB_OUTPUT
            ;;
          workflow-dispatch)
-            echo "build-tag=$GITHUB_RUN_ID" | tee -a $GITHUB_OUTPUT
+            echo "tag=$GITHUB_RUN_ID" | tee -a $GITHUB_OUTPUT
            ;;
          *)
            echo "Unexpected RUN_KIND ('${RUN_KIND}'), failing to assign build-tag!"
@@ -163,7 +123,7 @@ jobs:
        if: ${{ contains(fromJSON('["storage-release", "compute-release", "proxy-release"]'), steps.run-kind.outputs.run-kind) }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CURRENT_SHA: ${{ github.sha }}
+          CURRENT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          RELEASE_PR_RUN_ID=$(gh api "/repos/${GITHUB_REPOSITORY}/actions/runs?head_sha=$CURRENT_SHA" | jq '[.workflow_runs[] | select(.name == "Build and Test") | select(.head_branch | test("^rc/release(-(proxy|compute))?/[0-9]{4}-[0-9]{2}-[0-9]{2}$"; "s"))] | first | .id // ("Failed to find Build and Test run from  RC PR!" | halt_error(1))')
          echo "release-pr-run-id=$RELEASE_PR_RUN_ID" | tee -a $GITHUB_OUTPUT
--- a/.github/workflows/_push-to-container-registry.yml
+++ b/.github/workflows/_push-to-container-registry.yml
@@ -49,12 +49,7 @@ jobs:
      id-token: write  # Required for aws/azure login
      packages: write  # required for pushing to GHCR
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          sparse-checkout: .github/scripts/push_with_image_map.py
          sparse-checkout-cone-mode: false
@@ -64,7 +59,7 @@ jobs:

      - name: Configure AWS credentials
        if: contains(inputs.image-map, 'amazonaws.com/')
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: "${{ inputs.aws-region }}"
          role-to-assume: "arn:aws:iam::${{ inputs.aws-account-id }}:role/${{ inputs.aws-role-to-assume }}"
@@ -72,7 +67,7 @@ jobs:

      - name: Login to ECR
        if: contains(inputs.image-map, 'amazonaws.com/')
-        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        uses: aws-actions/amazon-ecr-login@v2
        with:
          registries: "${{ inputs.aws-account-id }}"

@@ -91,14 +86,14 @@ jobs:

      - name: Login to GHCR
        if: contains(inputs.image-map, 'ghcr.io/')
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Docker Hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -26,13 +26,8 @@ jobs:
    needs: [ check-permissions ]
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2
+      - uses: actions/checkout@v4
+      - uses: reviewdog/action-actionlint@v1
        env:
          # SC2046 - Quote this to prevent word splitting. - https://www.shellcheck.net/wiki/SC2046
          # SC2086 - Double quote to prevent globbing and word splitting. - https://www.shellcheck.net/wiki/SC2086
--- a/.github/workflows/approved-for-ci-run.yml
+++ b/.github/workflows/approved-for-ci-run.yml
@@ -47,11 +47,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"

  create-or-update-pr-for-ci-run:
@@ -68,14 +63,9 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"

-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          token: ${{ secrets.CI_ACCESS_TOKEN }}
@@ -163,11 +153,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Close PR and delete `ci-run/pr-${{ env.PR_NUMBER }}` branch
        run: |
          CLOSED="$(gh pr --repo ${GITHUB_REPOSITORY} list --head ${BRANCH} --json 'closed' --jq '.[].closed')"
--- a/.github/workflows/benchmarking.yml
+++ b/.github/workflows/benchmarking.yml
@@ -94,15 +94,10 @@ jobs:
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials # necessary on Azure runners
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -169,7 +164,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -202,15 +197,10 @@ jobs:
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -262,15 +252,10 @@ jobs:
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -329,7 +314,7 @@ jobs:
    # Post both success and failure to the Slack channel
    - name: Post to a Slack channel
      if: ${{ github.event.schedule && !cancelled() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06T9AMNDQQ" # on-call-compute-staging-stream
        slack-message: |
@@ -361,11 +346,6 @@ jobs:
      tpch-compare-matrix: ${{ steps.tpch-compare-matrix.outputs.matrix }}

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Generate matrix for pgbench benchmark
      id: pgbench-compare-matrix
      run: |
@@ -485,15 +465,10 @@ jobs:
    timeout-minutes: 480

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -625,7 +600,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -674,15 +649,10 @@ jobs:
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -756,7 +726,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -808,15 +778,10 @@ jobs:
    timeout-minutes: 720

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -889,7 +854,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -934,15 +899,10 @@ jobs:
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -1019,7 +979,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
@@ -1058,15 +1018,10 @@ jobs:
      options: --init

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -1136,7 +1091,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
--- a/.github/workflows/build-build-tools-image.yml
+++ b/.github/workflows/build-build-tools-image.yml
@@ -53,14 +53,9 @@ jobs:
      packages: read

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
+      - uses: actions/checkout@v4

-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -113,36 +108,31 @@ jobs:
    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@v3
        with:
          cache-binary: false

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: cache.neon.build
          username: ${{ secrets.NEON_CI_DOCKERCACHE_USERNAME }}
          password: ${{ secrets.NEON_CI_DOCKERCACHE_PASSWORD }}

-      - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      - uses: docker/build-push-action@v6
        with:
          file: build-tools.Dockerfile
          context: .
@@ -164,17 +154,12 @@ jobs:
      packages: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/build-macos.yml
+++ b/.github/workflows/build-macos.yml
@@ -28,9 +28,6 @@ env:
 # - You can connect up to four levels of workflows
 # - You can call a maximum of 20 unique reusable workflows from a single workflow file.
 # https://docs.github.com/en/actions/sharing-automations/reusing-workflows#limitations
-permissions:
-  contents: read
-
 jobs:
  build-pgxn:
    if: |
@@ -49,13 +46,8 @@ jobs:
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout main repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Set pg ${{ matrix.postgres-version }} for caching
        id: pg_rev
@@ -63,13 +55,8 @@ jobs:

      - name: Cache postgres ${{ matrix.postgres-version }} build
        id: cache_pg
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/${{ matrix.postgres-version }}
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ matrix.postgres-version }}-${{ steps.pg_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}

@@ -120,13 +107,8 @@ jobs:
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout main repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Set pg v17 for caching
        id: pg_rev
@@ -134,25 +116,15 @@ jobs:

      - name: Cache postgres v17 build
        id: cache_pg
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v17
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v17-${{ steps.pg_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}

      - name: Cache walproposer-lib
        id: cache_walproposer_lib
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/build/walproposer-lib
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-walproposer_lib-v17-${{ steps.pg_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}

@@ -193,13 +165,8 @@ jobs:
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout main repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

@@ -218,57 +185,32 @@ jobs:

      - name: Cache postgres v14 build
        id: cache_pg
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v14
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v14-${{ steps.pg_rev_v14.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v15 build
        id: cache_pg_v15
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v15
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v15-${{ steps.pg_rev_v15.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v16 build
        id: cache_pg_v16
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v16
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v16-${{ steps.pg_rev_v16.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v17 build
        id: cache_pg_v17
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/v17
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-v17-${{ steps.pg_rev_v17.outputs.pg_rev }}-${{ hashFiles('Makefile') }}

      - name: Cache cargo deps (only for v17)
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: |
            ~/.cargo/registry
            !~/.cargo/registry/src
@@ -278,13 +220,8 @@ jobs:

      - name: Cache walproposer-lib
        id: cache_walproposer_lib
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: pg_install/build/walproposer-lib
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-walproposer_lib-v17-${{ steps.pg_rev_v17.outputs.pg_rev }}-${{ hashFiles('Makefile') }}

--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -37,11 +37,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Cancel previous e2e-tests runs for this PR
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
@@ -58,13 +53,8 @@ jobs:
      check-rust-dependencies: ${{ steps.files-changed.outputs.rust_dependencies }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

@@ -80,7 +70,6 @@ jobs:
    uses: ./.github/workflows/_meta.yml
    with:
      github-event-name: ${{ github.event_name }}
-      github-event-json: ${{ toJSON(github.event) }}

  build-build-tools-image:
    needs: [ check-permissions ]
@@ -108,13 +97,8 @@ jobs:
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Check Jsonnet code formatting
        run: |
@@ -126,17 +110,12 @@ jobs:
    needs: [ check-permissions ]
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+      - uses: dorny/paths-filter@v3
        id: check-if-submodules-changed
        with:
          filters: |
@@ -145,7 +124,7 @@ jobs:

      - name: Check vendor/postgres-v14 submodule reference
        if: steps.check-if-submodules-changed.outputs.vendor == 'true'
-        uses: jtmullen/submodule-branch-check-action@ab0d3a69278e3fa0a2d4f3be3199d2514b676e13 # v1.3.0
+        uses: jtmullen/submodule-branch-check-action@v1
        with:
          path: "vendor/postgres-v14"
          fetch_depth: "50"
@@ -154,7 +133,7 @@ jobs:

      - name: Check vendor/postgres-v15 submodule reference
        if: steps.check-if-submodules-changed.outputs.vendor == 'true'
-        uses: jtmullen/submodule-branch-check-action@ab0d3a69278e3fa0a2d4f3be3199d2514b676e13 # v1.3.0
+        uses: jtmullen/submodule-branch-check-action@v1
        with:
          path: "vendor/postgres-v15"
          fetch_depth: "50"
@@ -163,7 +142,7 @@ jobs:

      - name: Check vendor/postgres-v16 submodule reference
        if: steps.check-if-submodules-changed.outputs.vendor == 'true'
-        uses: jtmullen/submodule-branch-check-action@ab0d3a69278e3fa0a2d4f3be3199d2514b676e13 # v1.3.0
+        uses: jtmullen/submodule-branch-check-action@v1
        with:
          path: "vendor/postgres-v16"
          fetch_depth: "50"
@@ -172,7 +151,7 @@ jobs:

      - name: Check vendor/postgres-v17 submodule reference
        if: steps.check-if-submodules-changed.outputs.vendor == 'true'
-        uses: jtmullen/submodule-branch-check-action@ab0d3a69278e3fa0a2d4f3be3199d2514b676e13 # v1.3.0
+        uses: jtmullen/submodule-branch-check-action@v1
        with:
          path: "vendor/postgres-v17"
          fetch_depth: "50"
@@ -240,22 +219,12 @@ jobs:
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --init
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Cache poetry deps
-        uses: tespkg/actions-cache@b7bf5fcc2f98a52ac6080eb0fd282c2f752074b1  # v1.8.0
+        uses: actions/cache@v4
        with:
-          endpoint: ${{ vars.HETZNER_CACHE_REGION }}.${{ vars.HETZNER_CACHE_ENDPOINT }}
-          bucket: ${{ vars.HETZNER_CACHE_BUCKET }}
-          accessKey: ${{ secrets.HETZNER_CACHE_ACCESS_KEY }}
-          secretKey: ${{ secrets.HETZNER_CACHE_SECRET_KEY }}
-          use-fallback: false
          path: ~/.cache/pypoetry/virtualenvs
          key: v2-${{ runner.os }}-${{ runner.arch }}-python-deps-bookworm-${{ hashFiles('poetry.lock') }}

@@ -296,13 +265,8 @@ jobs:
        pytest_split_group: [ 1, 2, 3, 4, 5 ]
        build_type: [ release ]
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4

      - name: Pytest benchmarks
        uses: ./.github/actions/run-python-test-set
@@ -330,12 +294,7 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+    - uses: slackapi/slack-github-action@v2
      with:
        method: chat.postMessage
        token: ${{ secrets.SLACK_BOT_TOKEN }}
@@ -366,12 +325,7 @@ jobs:
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Create Allure report
        if: ${{ !cancelled() }}
@@ -383,7 +337,7 @@ jobs:
        env:
          REGRESS_TEST_RESULT_CONNSTR_NEW: ${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}

-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - uses: actions/github-script@v7
        if: ${{ !cancelled() }}
        with:
          # Retry script for 5XX server errors: https://github.com/actions/github-script#retries
@@ -431,12 +385,7 @@ jobs:
        coverage-json: ${{ steps.upload-coverage-report-new.outputs.summary-json }}
    steps:
      # Need `fetch-depth: 0` for differential coverage (to get diff between two commits)
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true
          fetch-depth: 0
@@ -507,7 +456,7 @@ jobs:
          REPORT_URL=https://${BUCKET}.s3.amazonaws.com/code-coverage/${COMMIT_SHA}/lcov/summary.json
          echo "summary-json=${REPORT_URL}" >> $GITHUB_OUTPUT

-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - uses: actions/github-script@v7
        env:
          REPORT_URL_NEW: ${{ steps.upload-coverage-report-new.outputs.report-url }}
          COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
@@ -546,7 +495,6 @@ jobs:
    uses: ./.github/workflows/trigger-e2e-tests.yml
    with:
      github-event-name: ${{ github.event_name }}
-      github-event-json: ${{ toJSON(github.event) }}
    secrets: inherit

  neon-image-arch:
@@ -562,39 +510,33 @@ jobs:
      packages: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true
-          ref: ${{ needs.meta.outputs.sha }}

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@v3
        with:
          cache-binary: false

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: cache.neon.build
          username: ${{ secrets.NEON_CI_DOCKERCACHE_USERNAME }}
          password: ${{ secrets.NEON_CI_DOCKERCACHE_PASSWORD }}

-      - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      - uses: docker/build-push-action@v6
        with:
          context: .
          # ARM-specific flags are recommended for Graviton ≥ 2, these flags are also supported by Ampere Altra (Azure)
@@ -602,7 +544,7 @@ jobs:
          build-args: |
            ADDITIONAL_RUSTFLAGS=${{ matrix.arch == 'arm64' && '-Ctarget-feature=+lse -Ctarget-cpu=neoverse-n1' || '' }}
            GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
-            BUILD_TAG=${{ needs.meta.outputs.release-tag || needs.meta.outputs.build-tag }}
+            BUILD_TAG=${{ needs.meta.outputs.build-tag }}
            TAG=${{ needs.build-build-tools-image.outputs.image-tag }}-bookworm
            DEBIAN_VERSION=bookworm
          provenance: false
@@ -625,12 +567,7 @@ jobs:
      packages: write

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -672,18 +609,12 @@ jobs:
    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'large-arm64' || 'large')) }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true
-          ref: ${{ needs.meta.outputs.sha }}

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/setup-buildx-action@v3
        with:
          cache-binary: false
          # Disable parallelism for docker buildkit.
@@ -692,31 +623,31 @@ jobs:
            [worker.oci]
              max-parallelism = 1

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: cache.neon.build
          username: ${{ secrets.NEON_CI_DOCKERCACHE_USERNAME }}
          password: ${{ secrets.NEON_CI_DOCKERCACHE_PASSWORD }}

      - name: Build compute-node image
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@v6
        with:
          context: .
          build-args: |
            GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
            PG_VERSION=${{ matrix.version.pg }}
-            BUILD_TAG=${{ needs.meta.outputs.release-tag || needs.meta.outputs.build-tag }}
+            BUILD_TAG=${{ needs.meta.outputs.build-tag }}
            TAG=${{ needs.build-build-tools-image.outputs.image-tag }}-${{ matrix.version.debian }}
            DEBIAN_VERSION=${{ matrix.version.debian }}
          provenance: false
@@ -730,13 +661,13 @@ jobs:

      - name: Build neon extensions test image
        if: matrix.version.pg >= 'v16'
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@v6
        with:
          context: .
          build-args: |
            GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
            PG_VERSION=${{ matrix.version.pg }}
-            BUILD_TAG=${{ needs.meta.outputs.release-tag || needs.meta.outputs.build-tag }}
+            BUILD_TAG=${{ needs.meta.outputs.build-tag }}
            TAG=${{ needs.build-build-tools-image.outputs.image-tag }}-${{ matrix.version.debian }}
            DEBIAN_VERSION=${{ matrix.version.debian }}
          provenance: false
@@ -772,12 +703,7 @@ jobs:
            debian: bookworm

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -822,12 +748,7 @@ jobs:
      VM_BUILDER_VERSION: v0.42.2

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Downloading vm-builder
        run: |
@@ -835,7 +756,7 @@ jobs:
          chmod +x vm-builder

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -875,12 +796,7 @@ jobs:
          - pg: v16
          - pg: v17
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -914,21 +830,16 @@ jobs:
    runs-on: ${{ fromJSON(format('["self-hosted", "{0}"]', matrix.arch == 'arm64' && 'small-arm64' || 'small')) }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - uses: neondatabase/dev-actions/set-docker-config-dir@6094485bf440001c94a94a3f9e221e81ff6b6193

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}

-      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -1019,12 +930,7 @@ jobs:
      compute-dev: ${{ steps.generate.outputs.compute-dev }}
      compute-prod: ${{ steps.generate.outputs.compute-prod }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          sparse-checkout: .github/scripts/generate_image_maps.py
          sparse-checkout-cone-mode: false
@@ -1192,11 +1098,6 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Set PR's status to pending and request a remote CI test
        run: |
          COMMIT_SHA=${{ github.event.pull_request.head.sha || github.sha }}
@@ -1278,16 +1179,11 @@ jobs:
    runs-on: [ self-hosted, small ]
    container: ${{ vars.NEON_DEV_AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_ECR_REGION }}.amazonaws.com/ansible:latest
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Create git tag and GitHub release
        if: ${{ contains(fromJSON('["storage-release", "proxy-release", "compute-release"]'), needs.meta.outputs.run-kind) }}
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@v7
        env:
          TAG: "${{ needs.meta.outputs.build-tag }}"
          BRANCH: "${{ github.ref_name }}"
@@ -1435,13 +1331,8 @@ jobs:
    if: github.ref_name == 'release' && needs.deploy.result != 'success' && always()
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Post release-deploy failure to team-storage slack channel
-        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        uses: slackapi/slack-github-action@v2
        with:
          method: chat.postMessage
          token: ${{ secrets.SLACK_BOT_TOKEN }}
@@ -1462,12 +1353,7 @@ jobs:

    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: eu-central-1
          role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -1555,11 +1441,6 @@ jobs:
    steps:
      # The list of possible results:
      # https://docs.github.com/en/actions/learn-github-actions/contexts#needs-context
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Fail the job if any of the dependencies do not succeed
        run: exit 1
        if: |
--- a/.github/workflows/build_and_test_with_sanitizers.yml
+++ b/.github/workflows/build_and_test_with_sanitizers.yml
@@ -33,12 +33,7 @@ jobs:

    steps:
      # Need `fetch-depth: 0` to count the number of commits in the branch
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

@@ -104,12 +99,7 @@ jobs:
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Create Allure report
        if: ${{ !cancelled() }}
@@ -121,7 +111,7 @@ jobs:
        env:
          REGRESS_TEST_RESULT_CONNSTR_NEW: ${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}

-      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      - uses: actions/github-script@v7
        if: ${{ !cancelled() }}
        with:
          # Retry script for 5XX server errors: https://github.com/actions/github-script#retries
--- a/.github/workflows/cargo-deny.yml
+++ b/.github/workflows/cargo-deny.yml
@@ -9,9 +9,6 @@ on:
  schedule:
    - cron: '0 10 * * *'

-permissions:
-  contents: read
-
 jobs:
  cargo-deny:
    strategy:
@@ -38,13 +35,8 @@ jobs:
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          ref: ${{ matrix.ref }}

@@ -56,7 +48,7 @@ jobs:

      - name: Post to a Slack channel
        if: ${{ github.event_name == 'schedule' && failure() }}
-        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
+        uses: slackapi/slack-github-action@v2
        with:
          method: chat.postMessage
          token: ${{ secrets.SLACK_BOT_TOKEN }}
--- a/.github/workflows/check-permissions.yml
+++ b/.github/workflows/check-permissions.yml
@@ -18,11 +18,6 @@ jobs:
  check-permissions:
    runs-on: ubuntu-22.04
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@v2
-      with:
-        egress-policy: audit
-
    - name: Disallow CI runs on PRs from forks
      if: |
        inputs.github-event-name  == 'pull_request' &&
--- a/.github/workflows/cleanup-caches-by-a-branch.yml
+++ b/.github/workflows/cleanup-caches-by-a-branch.yml
@@ -11,11 +11,6 @@ jobs:
  cleanup:
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Cleanup
        run: |
          gh extension install actions/gh-actions-cache
--- a/.github/workflows/cloud-regress.yml
+++ b/.github/workflows/cloud-regress.yml
@@ -44,12 +44,7 @@ jobs:
      options: --init

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: true

@@ -126,7 +121,7 @@ jobs:

      - name: Post to a Slack channel
        if: ${{ github.event.schedule && failure() }}
-        uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+        uses: slackapi/slack-github-action@v1
        with:
          channel-id: ${{ vars.SLACK_ON_CALL_QA_STAGING_STREAM }}
          slack-message: |
--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -13,11 +13,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Remove fast-forward label to PR
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
--- a/.github/workflows/force-test-extensions-upgrade.yml
+++ b/.github/workflows/force-test-extensions-upgrade.yml
@@ -34,12 +34,7 @@ jobs:
    runs-on: small

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4
        with:
          submodules: false

@@ -72,7 +67,7 @@ jobs:

      - name: Post to the Slack channel
        if: ${{ github.event.schedule && failure() }}
-        uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+        uses: slackapi/slack-github-action@v1
        with:
          channel-id: ${{ vars.SLACK_ON_CALL_QA_STAGING_STREAM }}
          slack-message: |
--- a/.github/workflows/ingest_benchmark.yml
+++ b/.github/workflows/ingest_benchmark.yml
@@ -23,9 +23,6 @@ concurrency:
  group: ingest-bench-workflow
  cancel-in-progress: true

-permissions:
-  contents: read
-
 jobs:
  ingest:
    strategy:
@@ -78,15 +75,10 @@ jobs:
    timeout-minutes: 1440

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials # necessary to download artefacts
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
--- a/.github/workflows/label-for-external-users.yml
+++ b/.github/workflows/label-for-external-users.yml
@@ -27,11 +27,6 @@ jobs:
      is-member: ${{ steps.check-user.outputs.is-member }}

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@v2
-      with:
-        egress-policy: audit
-
    - name: Check whether `${{ github.actor }}` is a member of `${{ github.repository_owner }}`
      id: check-user
      env:
@@ -74,11 +69,6 @@ jobs:
      issues: write        # for `gh issue edit`

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@v2
-      with:
-        egress-policy: audit
-
    - name: Add `${{ env.LABEL }}` label
      env:
        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/large_oltp_benchmark.yml
+++ b/.github/workflows/large_oltp_benchmark.yml
@@ -24,9 +24,6 @@ concurrency:
  group: large-oltp-bench-workflow
  cancel-in-progress: false

-permissions:
-  contents: read
-
 jobs:
  oltp:
    strategy:
@@ -65,15 +62,10 @@ jobs:
    timeout-minutes: 2880

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Configure AWS credentials # necessary to download artefacts
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -168,7 +160,7 @@ jobs:
        api_key: ${{ secrets.NEON_STAGING_API_KEY }}

    - name: Configure AWS credentials # again because prior steps could have exceeded 5 hours
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -183,7 +175,7 @@ jobs:
  
    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
--- a/.github/workflows/lint-release-pr.yml
+++ b/.github/workflows/lint-release-pr.yml
@@ -7,20 +7,12 @@ on:
      - release-proxy
      - release-compute

-permissions:
-  contents: read
-
 jobs:
  lint-release-pr:
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout PR branch
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Fetch full history for git operations
          ref: ${{ github.event.pull_request.head.ref }}
--- a/.github/workflows/neon_extra_builds.yml
+++ b/.github/workflows/neon_extra_builds.yml
@@ -42,13 +42,8 @@ jobs:
      rebuild_everything: ${{ steps.files_changed.outputs.rebuild_neon_extra || steps.files_changed.outputs.rebuild_macos }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

@@ -106,13 +101,8 @@ jobs:
      CARGO_INCREMENTAL: 0

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@v4
        with:
          submodules: true

@@ -127,7 +117,7 @@ jobs:
        run: cargo build --all --release --timings -j$(nproc)

      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: eu-central-1
          role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_ARN }}
@@ -144,7 +134,7 @@ jobs:
          echo "report-url=${REPORT_URL}" >> $GITHUB_OUTPUT

      - name: Publish build stats report
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@v7
        env:
          REPORT_URL: ${{ steps.upload-stats.outputs.report-url }}
          SHA: ${{ github.event.pull_request.head.sha || github.sha }}
--- a/.github/workflows/periodic_pagebench.yml
+++ b/.github/workflows/periodic_pagebench.yml
@@ -25,9 +25,6 @@ concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

-permissions:
-  contents: read
-
 jobs:
  trigger_bench_on_ec2_machine_in_eu_central_1:
    permissions:
@@ -51,18 +48,13 @@ jobs:
    steps:
    # we don't need the neon source code because we run everything remotely
    # however we still need the local github actions to run the allure step below
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Show my own (github runner) external IP address - usefull for IP allowlisting
      run: curl https://ifconfig.me

    - name: Assume AWS OIDC role that allows to manage (start/stop/describe... EC machine)
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_MANAGE_BENCHMARK_EC2_VMS_ARN }}
@@ -151,7 +143,7 @@ jobs:

    - name: Post to a Slack channel
      if: ${{ github.event.schedule && failure() }}
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: "Periodic pagebench testing on dedicated hardware: ${{ job.status }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
@@ -169,7 +161,7 @@ jobs:

    - name: Assume AWS OIDC role that allows to manage (start/stop/describe... EC machine)
      if: always() && steps.poll_step.outputs.too_many_runs != 'true'
-      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+      uses: aws-actions/configure-aws-credentials@v4
      with:
        aws-region: eu-central-1
        role-to-assume: ${{ vars.DEV_AWS_OIDC_ROLE_MANAGE_BENCHMARK_EC2_VMS_ARN }}
--- a/.github/workflows/pg-clients.yml
+++ b/.github/workflows/pg-clients.yml
@@ -88,12 +88,7 @@ jobs:
        ports:
          - 8083:8083
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - name: Download Neon artifact
        uses: ./.github/actions/download
@@ -143,7 +138,7 @@ jobs:

      - name: Post to a Slack channel
        if: github.event.schedule && failure()
-        uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+        uses: slackapi/slack-github-action@v1
        with:
          channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
          slack-message: |
@@ -163,12 +158,7 @@ jobs:
      options: --init --user root

    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@v4

    - name: Download Neon artifact
      uses: ./.github/actions/download
@@ -216,7 +206,7 @@ jobs:

    - name: Post to a Slack channel
      if: github.event.schedule && failure()
-      uses: slackapi/slack-github-action@fcfb566f8b0aab22203f066d80ca1d7e4b5d05b3 # v1.27.1
+      uses: slackapi/slack-github-action@v1
      with:
        channel-id: "C06KHQVQ7U3" # on-call-qa-staging-stream
        slack-message: |
--- a/.github/workflows/pin-build-tools-image.yml
+++ b/.github/workflows/pin-build-tools-image.yml
@@ -40,11 +40,6 @@ jobs:
      skip: ${{ steps.check-manifests.outputs.skip }}

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Check if we really need to pin the image
        id: check-manifests
        env:
--- a/.github/workflows/pre-merge-checks.yml
+++ b/.github/workflows/pre-merge-checks.yml
@@ -27,12 +27,7 @@ jobs:
      branch: ${{ steps.group-metadata.outputs.branch }}
      pr-number: ${{ steps.group-metadata.outputs.pr-number }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@v4

      - uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1 # v45.0.1
        id: python-src
@@ -130,13 +125,8 @@ jobs:
      - check-codestyle-rust
    runs-on: ubuntu-22.04
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Create fake `neon-cloud-e2e` check
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@v7
        with:
          # Retry script for 5XX server errors: https://github.com/actions/github-script#retries
          retries: 5
--- a/.github/workflows/regenerate-pg-setting.yml
+++ b/.github/workflows/regenerate-pg-setting.yml
@@ -23,13 +23,8 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
      - name: Add comment
-        uses: thollander/actions-comment-pull-request@65f9e5c9a1f2cd378bd74b2e057c9736982a8e74 # v3
+        uses: thollander/actions-comment-pull-request@v3
        with:
          comment-tag: ${{ github.job }}
          pr-number: ${{ github.event.number }}
--- a/.github/workflows/release-notify.yml
+++ b/.github/workflows/release-notify.yml
@@ -22,12 +22,7 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - uses: neondatabase/dev-actions/release-pr-notify@483a843f2a8bcfbdc4c69d27630528a3ddc4e14b # main
+      - uses: neondatabase/dev-actions/release-pr-notify@main
        with:
          slack-token: ${{ secrets.SLACK_BOT_TOKEN }}
          slack-channel-id: ${{ vars.SLACK_UPCOMING_RELEASE_CHANNEL_ID || 'C05QQ9J1BRC' }} # if not set, then `#test-release-notifications`
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,7 +3,7 @@ name: Create Release Branch
 on:
  schedule:
    # It should be kept in sync with if-condition in jobs
-    - cron: '0 6 * * TUE' # Proxy release
+    - cron: '0 6 * * THU' # Proxy release
    - cron: '0 6 * * FRI' # Storage release
    - cron: '0 7 * * FRI' # Compute release
  workflow_dispatch:
@@ -43,7 +43,7 @@ jobs:
      ci-access-token: ${{ secrets.CI_ACCESS_TOKEN }}

  create-proxy-release-branch:
-    if: ${{ github.event.schedule == '0 6 * * TUE' || inputs.create-proxy-release-branch }}
+    if: ${{ github.event.schedule == '0 6 * * THU' || inputs.create-proxy-release-branch }}

    permissions:
      contents: write
--- a/.github/workflows/report-workflow-stats-batch.yml
+++ b/.github/workflows/report-workflow-stats-batch.yml
@@ -6,9 +6,6 @@ on:
    - cron: '25 0 * * *'
    - cron: '25 1 * * 6'

-permissions:
-  contents: read
-
 jobs:
  gh-workflow-stats-batch-2h:
    name: GitHub Workflow Stats Batch 2 hours
@@ -17,13 +14,8 @@ jobs:
    permissions:
      actions: read
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Export Workflow Run for the past 2 hours
-      uses: neondatabase/gh-workflow-stats-action@701b1f202666d0b82e67b4d387e909af2b920127 # v0.2.2
+      uses: neondatabase/gh-workflow-stats-action@v0.2.1
      with:
        db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
        db_table: "gh_workflow_stats_neon"
@@ -37,13 +29,8 @@ jobs:
    permissions:
      actions: read
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Export Workflow Run for the past 48 hours
-      uses: neondatabase/gh-workflow-stats-action@701b1f202666d0b82e67b4d387e909af2b920127 # v0.2.2
+      uses: neondatabase/gh-workflow-stats-action@v0.2.1
      with:
        db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
        db_table: "gh_workflow_stats_neon"
@@ -57,13 +44,8 @@ jobs:
    permissions:
      actions: read
    steps:
-    - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-      with:
-        egress-policy: audit
-
    - name: Export Workflow Run for the past 30 days
-      uses: neondatabase/gh-workflow-stats-action@701b1f202666d0b82e67b4d387e909af2b920127 # v0.2.2
+      uses: neondatabase/gh-workflow-stats-action@v0.2.1
      with:
        db_uri: ${{ secrets.GH_REPORT_STATS_DB_RW_CONNSTR }}
        db_table: "gh_workflow_stats_neon"
--- a/.github/workflows/trigger-e2e-tests.yml
+++ b/.github/workflows/trigger-e2e-tests.yml
@@ -9,9 +9,6 @@ on:
      github-event-name:
        type: string
        required: true
-      github-event-json:
-        type: string
-        required: true

 defaults:
  run:
@@ -34,11 +31,6 @@ jobs:
    runs-on: ubuntu-22.04

    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Cancel previous e2e-tests runs for this PR
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
@@ -51,7 +43,6 @@ jobs:
    uses: ./.github/workflows/_meta.yml
    with:
      github-event-name: ${{ inputs.github-event-name || github.event_name }}
-      github-event-json: ${{ inputs.github-event-json || toJSON(github.event) }}

  trigger-e2e-tests:
    needs: [ meta ]
@@ -72,11 +63,6 @@ jobs:
          || needs.meta.outputs.build-tag
        }}
    steps:
-      - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
      - name: Wait for `push-{neon,compute}-image-dev` job to finish
        # It's important to have a timeout here, the script in the step can run infinitely
        timeout-minutes: 60
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -148,9 +148,9 @@ dependencies = [

 [[package]]
 name = "arc-swap"
-version = "1.7.1"
+version = "1.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69f7f8c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"
+checksum = "bddcadddf5e9015d310179a59bb28c4d4b9920ad0f11e8e14dbadf654890c9a6"

 [[package]]
 name = "archery"
@@ -2809,7 +2809,6 @@ name = "http-utils"
 version = "0.1.0"
 dependencies = [
 "anyhow",
- "arc-swap",
 "bytes",
 "camino",
 "fail",
@@ -2822,7 +2821,6 @@ dependencies = [
 "pprof",
 "regex",
 "routerify",
- "rustls 0.23.18",
 "rustls-pemfile 2.1.1",
 "serde",
 "serde_json",
@@ -3861,10 +3859,11 @@ dependencies = [

 [[package]]
 name = "num-bigint"
-version = "0.4.6"
+version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
 dependencies = [
+ "autocfg",
 "num-integer",
 "num-traits",
 ]
@@ -3913,10 +3912,11 @@ dependencies = [

 [[package]]
 name = "num-integer"
-version = "0.1.46"
+version = "0.1.45"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f"
+checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
 dependencies = [
+ "autocfg",
 "num-traits",
 ]

@@ -3945,9 +3945,9 @@ dependencies = [

 [[package]]
 name = "num-traits"
-version = "0.2.19"
+version = "0.2.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
 dependencies = [
 "autocfg",
 "libm",
@@ -5360,25 +5360,26 @@ dependencies = [

 [[package]]
 name = "redis"
-version = "0.29.2"
+version = "0.25.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b110459d6e323b7cda23980c46c77157601199c9da6241552b284cd565a7a133"
+checksum = "71d64e978fd98a0e6b105d066ba4889a7301fca65aeac850a877d8797343feeb"
 dependencies = [
- "arc-swap",
+ "async-trait",
 "bytes",
 "combine",
 "futures-util",
 "itoa",
- "num-bigint",
 "percent-encoding",
 "pin-project-lite",
- "rustls 0.23.18",
- "rustls-native-certs 0.8.0",
+ "rustls 0.22.4",
+ "rustls-native-certs 0.7.0",
+ "rustls-pemfile 2.1.1",
+ "rustls-pki-types",
 "ryu",
 "sha1_smol",
 "socket2",
 "tokio",
- "tokio-rustls 0.26.0",
+ "tokio-rustls 0.25.0",
 "tokio-util",
 "url",
 ]
@@ -6604,7 +6605,6 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "bytes",
- "camino",
 "chrono",
 "clap",
 "clashmap",
@@ -6648,7 +6648,6 @@ dependencies = [
 "tokio",
 "tokio-postgres",
 "tokio-postgres-rustls",
- "tokio-rustls 0.26.0",
 "tokio-util",
 "tracing",
 "utils",
@@ -7214,14 +7213,15 @@ dependencies = [
 "bytes",
 "fallible-iterator",
 "futures-util",
+ "log",
 "parking_lot 0.12.1",
+ "phf",
 "pin-project-lite",
 "postgres-protocol2",
 "postgres-types2",
 "serde",
 "tokio",
 "tokio-util",
- "tracing",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -50,7 +50,7 @@ license = "Apache-2.0"
 [workspace.dependencies]
 ahash = "0.8"
 anyhow = { version = "1.0", features = ["backtrace"] }
-arc-swap = "1.7"
+arc-swap = "1.6"
 async-compression = { version = "0.4.0", features = ["tokio", "gzip", "zstd"] }
 atomic-take = "1.1.0"
 flate2 = "1.0.26"
@@ -130,7 +130,7 @@ nix = { version = "0.27", features = ["dir", "fs", "process", "socket", "signal"
 # on compute startup metrics (start_postgres_ms), >= 25% degradation.
 notify = "6.0.0"
 num_cpus = "1.15"
-num-traits = "0.2.19"
+num-traits = "0.2.15"
 once_cell = "1.13"
 opentelemetry = "0.27"
 opentelemetry_sdk = "0.27"
@@ -146,7 +146,7 @@ procfs = "0.16"
 prometheus = {version = "0.13", default-features=false, features = ["process"]} # removes protobuf dependency
 prost = "0.13"
 rand = "0.8"
-redis = { version = "0.29.2", features = ["tokio-rustls-comp", "keep-alive"] }
+redis = { version = "0.25.2", features = ["tokio-rustls-comp", "keep-alive"] }
 regex = "1.10.2"
 reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] }
 reqwest-tracing = { version = "0.5", features = ["opentelemetry_0_27"] }
--- a/compute/compute-node.Dockerfile
+++ b/compute/compute-node.Dockerfile
@@ -1916,30 +1916,26 @@ RUN apt update && \
      ;; \
    esac && \
    apt install --no-install-recommends -y \
-        ca-certificates \
        gdb \
-        iproute2 \
+        liblz4-1 \
+        libreadline8 \
        libboost-iostreams1.74.0 \
        libboost-regex1.74.0 \
        libboost-serialization1.74.0 \
        libboost-system1.74.0 \
-        libcurl4 \
-        libevent-2.1-7 \
-        libgeos-c1v5 \
-        liblz4-1 \
        libossp-uuid16 \
+        libgeos-c1v5 \
        libprotobuf-c1 \
-        libreadline8 \
        libsfcgal1 \
        libxml2 \
        libxslt1.1 \
        libzstd1 \
+        libcurl4 \
+        libevent-2.1-7 \
        locales \
-        lsof \
        procps \
+        ca-certificates \
        rsyslog \
-        screen \
-        tcpdump \
        $VERSION_INSTALLS && \
    apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
    localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
--- a/compute/patches/pgvector.patch
+++ b/compute/patches/pgvector.patch
@@ -15,7 +15,7 @@ index 7a4b88c..56678af 100644
 HEADERS = src/halfvec.h src/sparsevec.h src/vector.h
 
 diff --git a/src/hnswbuild.c b/src/hnswbuild.c
-index b667478..dc95d89 100644
+index b667478..fc1897c 100644
 --- a/src/hnswbuild.c
 +++ b/src/hnswbuild.c
@@ -843,9 +843,17 @@ HnswParallelBuildMain(dsm_segment *seg, shm_toc *toc)
@@ -36,7 +36,7 @@ index b667478..dc95d89 100644
 	/* Close relations within worker */
 	index_close(indexRel, indexLockmode);
 	table_close(heapRel, heapLockmode);
-@@ -1100,12 +1108,39 @@ BuildIndex(Relation heap, Relation index, IndexInfo *indexInfo,
+@@ -1100,12 +1108,38 @@ BuildIndex(Relation heap, Relation index, IndexInfo *indexInfo,
 	SeedRandom(42);
 #endif
 
@@ -62,11 +62,10 @@ index b667478..dc95d89 100644
 +#else
 +			RelFileNode rlocator = RelationGetSmgr(index)->smgr_rnode.node;
 +#endif
-+			if (set_lwlsn_block_range_hook)
-+				set_lwlsn_block_range_hook(XactLastRecEnd, rlocator,
-+										   MAIN_FORKNUM, 0, RelationGetNumberOfBlocks(index));
-+			if (set_lwlsn_relation_hook)
-+				set_lwlsn_relation_hook(XactLastRecEnd, rlocator, MAIN_FORKNUM);
+
+			SetLastWrittenLSNForBlockRange(XactLastRecEnd, rlocator,
+									   MAIN_FORKNUM, 0, RelationGetNumberOfBlocks(index));
+			SetLastWrittenLSNForRelation(XactLastRecEnd, rlocator, MAIN_FORKNUM);
 +		}
 +#endif
 +	}
--- a/compute/patches/rum.patch
+++ b/compute/patches/rum.patch
@@ -1,5 +1,11 @@
+commit 68f3b3b0d594f08aacc4a082ee210749ed5677eb
+Author: Anastasia Lubennikova <anastasia@neon.tech>
+Date:   Mon Jul 15 12:31:56 2024 +0100
+
+    Neon: fix unlogged index build patch
+
 diff --git a/src/ruminsert.c b/src/ruminsert.c
-index 255e616..7a2240f 100644
+index e8b209d..e89bf2a 100644
 --- a/src/ruminsert.c
 +++ b/src/ruminsert.c
@@ -628,6 +628,10 @@ rumbuild(Relation heap, Relation index, struct IndexInfo *indexInfo)
@@ -24,7 +30,7 @@ index 255e616..7a2240f 100644
 	/*
 	 * Write index to xlog
 	 */
-@@ -713,6 +721,22 @@ rumbuild(Relation heap, Relation index, struct IndexInfo *indexInfo)
+@@ -713,6 +721,21 @@ rumbuild(Relation heap, Relation index, struct IndexInfo *indexInfo)
 		UnlockReleaseBuffer(buffer);
 	}
 
@@ -35,10 +41,9 @@ index 255e616..7a2240f 100644
 +#else
 +		RelFileNode rlocator = RelationGetSmgr(index)->smgr_rnode.node;
 +#endif
-+		if (set_lwlsn_block_range_hook)
-+			set_lwlsn_block_range_hook(XactLastRecEnd, rlocator, MAIN_FORKNUM, 0, RelationGetNumberOfBlocks(index));
-+		if (set_lwlsn_relation_hook)
-+			set_lwlsn_relation_hook(XactLastRecEnd, rlocator, MAIN_FORKNUM);
+
+		SetLastWrittenLSNForBlockRange(XactLastRecEnd, rlocator, MAIN_FORKNUM, 0, RelationGetNumberOfBlocks(index));
+		SetLastWrittenLSNForRelation(XactLastRecEnd, rlocator, MAIN_FORKNUM);
 +
 +		smgr_end_unlogged_build(index->rd_smgr);
 +	}
--- a/compute_tools/src/bin/compute_ctl.rs
+++ b/compute_tools/src/bin/compute_ctl.rs
@@ -45,9 +45,7 @@ use anyhow::{Context, Result};
 use clap::Parser;
 use compute_api::responses::ComputeCtlConfig;
 use compute_api::spec::ComputeSpec;
-use compute_tools::compute::{
-    BUILD_TAG, ComputeNode, ComputeNodeParams, forward_termination_signal,
-};
+use compute_tools::compute::{ComputeNode, ComputeNodeParams, forward_termination_signal};
 use compute_tools::extension_server::get_pg_version_string;
 use compute_tools::logger::*;
 use compute_tools::params::*;
@@ -59,6 +57,10 @@ use tracing::{error, info};
 use url::Url;
 use utils::failpoint_support;

+// this is an arbitrary build tag. Fine as a default / for testing purposes
+// in-case of not-set environment var
+const BUILD_TAG_DEFAULT: &str = "latest";
+
 // Compatibility hack: if the control plane specified any remote-ext-config
 // use the default value for extension storage proxy gateway.
 // Remove this once the control plane is updated to pass the gateway URL
@@ -145,7 +147,7 @@ fn main() -> Result<()> {
        .build()?;
    let _rt_guard = runtime.enter();

-    runtime.block_on(init())?;
+    let build_tag = runtime.block_on(init())?;

    // enable core dumping for all child processes
    setrlimit(Resource::CORE, rlimit::INFINITY, rlimit::INFINITY)?;
@@ -172,6 +174,8 @@ fn main() -> Result<()> {
            cgroup: cli.cgroup,
            #[cfg(target_os = "linux")]
            vm_monitor_addr: cli.vm_monitor_addr,
+            build_tag,
+
            live_config_allowed: cli_spec.live_config_allowed,
        },
        cli_spec.spec,
@@ -185,7 +189,7 @@ fn main() -> Result<()> {
    deinit_and_exit(exit_code);
 }

-async fn init() -> Result<()> {
+async fn init() -> Result<String> {
    init_tracing_and_logging(DEFAULT_LOG_LEVEL).await?;

    let mut signals = Signals::new([SIGINT, SIGTERM, SIGQUIT])?;
@@ -195,9 +199,12 @@ async fn init() -> Result<()> {
        }
    });

-    info!("compute build_tag: {}", &BUILD_TAG.to_string());
+    let build_tag = option_env!("BUILD_TAG")
+        .unwrap_or(BUILD_TAG_DEFAULT)
+        .to_string();
+    info!("build_tag: {build_tag}");

-    Ok(())
+    Ok(build_tag)
 }

 fn try_spec_from_cli(cli: &Cli) -> Result<CliSpecParams> {
--- a/compute_tools/src/bin/fast_import.rs
+++ b/compute_tools/src/bin/fast_import.rs
@@ -31,7 +31,6 @@ use camino::{Utf8Path, Utf8PathBuf};
 use clap::{Parser, Subcommand};
 use compute_tools::extension_server::{PostgresMajorVersion, get_pg_version};
 use nix::unistd::Pid;
-use std::ops::Not;
 use tracing::{Instrument, error, info, info_span, warn};
 use utils::fs_ext::is_directory_empty;

@@ -45,7 +44,7 @@ mod s3_uri;
 const PG_WAIT_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(600);
 const PG_WAIT_RETRY_INTERVAL: std::time::Duration = std::time::Duration::from_millis(300);

-#[derive(Subcommand, Debug, Clone, serde::Serialize)]
+#[derive(Subcommand, Debug)]
 enum Command {
    /// Runs local postgres (neon binary), restores into it,
    /// uploads pgdata to s3 to be consumed by pageservers
@@ -85,15 +84,6 @@ enum Command {
    },
 }

-impl Command {
-    fn as_str(&self) -> &'static str {
-        match self {
-            Command::Pgdata { .. } => "pgdata",
-            Command::DumpRestore { .. } => "dump-restore",
-        }
-    }
-}
-
 #[derive(clap::Parser)]
 struct Args {
    #[clap(long, env = "NEON_IMPORTER_WORKDIR")]
@@ -447,7 +437,7 @@ async fn run_dump_restore(

 #[allow(clippy::too_many_arguments)]
 async fn cmd_pgdata(
-    s3_client: Option<&aws_sdk_s3::Client>,
+    s3_client: Option<aws_sdk_s3::Client>,
    kms_client: Option<aws_sdk_kms::Client>,
    maybe_s3_prefix: Option<s3_uri::S3Uri>,
    maybe_spec: Option<Spec>,
@@ -516,14 +506,14 @@ async fn cmd_pgdata(
    if let Some(s3_prefix) = maybe_s3_prefix {
        info!("upload pgdata");
        aws_s3_sync::upload_dir_recursive(
-            s3_client.unwrap(),
+            s3_client.as_ref().unwrap(),
            Utf8Path::new(&pgdata_dir),
            &s3_prefix.append("/pgdata/"),
        )
        .await
        .context("sync dump directory to destination")?;

-        info!("write pgdata status to s3");
+        info!("write status");
        {
            let status_dir = workdir.join("status");
            std::fs::create_dir(&status_dir).context("create status directory")?;
@@ -560,15 +550,13 @@ async fn cmd_dumprestore(
                    &key_id,
                    spec.source_connstring_ciphertext_base64,
                )
-                .await
-                .context("decrypt source connection string")?;
+                .await?;

                let dest = if let Some(dest_ciphertext) =
                    spec.destination_connstring_ciphertext_base64
                {
                    decode_connstring(kms_client.as_ref().unwrap(), &key_id, dest_ciphertext)
-                        .await
-                        .context("decrypt destination connection string")?
+                        .await?
                } else {
                    bail!(
                        "destination connection string must be provided in spec for dump_restore command"
@@ -613,18 +601,7 @@ pub(crate) async fn main() -> anyhow::Result<()> {

    // Initialize AWS clients only if s3_prefix is specified
    let (s3_client, kms_client) = if args.s3_prefix.is_some() {
-        // Create AWS config with enhanced retry settings
-        let config = aws_config::defaults(BehaviorVersion::v2024_03_28())
-            .retry_config(
-                aws_config::retry::RetryConfig::standard()
-                    .with_max_attempts(5) // Retry up to 5 times
-                    .with_initial_backoff(std::time::Duration::from_millis(200)) // Start with 200ms delay
-                    .with_max_backoff(std::time::Duration::from_secs(5)), // Cap at 5 seconds
-            )
-            .load()
-            .await;
-
-        // Create clients from the config with enhanced retry settings
+        let config = aws_config::load_defaults(BehaviorVersion::v2024_03_28()).await;
        let s3_client = aws_sdk_s3::Client::new(&config);
        let kms = aws_sdk_kms::Client::new(&config);
        (Some(s3_client), Some(kms))
@@ -632,108 +609,79 @@ pub(crate) async fn main() -> anyhow::Result<()> {
        (None, None)
    };

-    // Capture everything from spec assignment onwards to handle errors
-    let res = async {
-        let spec: Option<Spec> = if let Some(s3_prefix) = &args.s3_prefix {
-            let spec_key = s3_prefix.append("/spec.json");
-            let object = s3_client
-                .as_ref()
-                .unwrap()
-                .get_object()
-                .bucket(&spec_key.bucket)
-                .key(spec_key.key)
-                .send()
-                .await
-                .context("get spec from s3")?
-                .body
-                .collect()
-                .await
-                .context("download spec body")?;
-            serde_json::from_slice(&object.into_bytes()).context("parse spec as json")?
-        } else {
-            None
-        };
+    let spec: Option<Spec> = if let Some(s3_prefix) = &args.s3_prefix {
+        let spec_key = s3_prefix.append("/spec.json");
+        let object = s3_client
+            .as_ref()
+            .unwrap()
+            .get_object()
+            .bucket(&spec_key.bucket)
+            .key(spec_key.key)
+            .send()
+            .await
+            .context("get spec from s3")?
+            .body
+            .collect()
+            .await
+            .context("download spec body")?;
+        serde_json::from_slice(&object.into_bytes()).context("parse spec as json")?
+    } else {
+        None
+    };

-        match tokio::fs::create_dir(&args.working_directory).await {
-            Ok(()) => {}
-            Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => {
-                if !is_directory_empty(&args.working_directory)
-                    .await
-                    .context("check if working directory is empty")?
-                {
-                    bail!("working directory is not empty");
-                } else {
-                    // ok
-                }
+    match tokio::fs::create_dir(&args.working_directory).await {
+        Ok(()) => {}
+        Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => {
+            if !is_directory_empty(&args.working_directory)
+                .await
+                .context("check if working directory is empty")?
+            {
+                bail!("working directory is not empty");
+            } else {
+                // ok
            }
-            Err(e) => return Err(anyhow::Error::new(e).context("create working directory")),
        }
+        Err(e) => return Err(anyhow::Error::new(e).context("create working directory")),
+    }

-        match args.command.clone() {
-            Command::Pgdata {
+    match args.command {
+        Command::Pgdata {
+            source_connection_string,
+            interactive,
+            pg_port,
+            num_cpus,
+            memory_mb,
+        } => {
+            cmd_pgdata(
+                s3_client,
+                kms_client,
+                args.s3_prefix,
+                spec,
                source_connection_string,
                interactive,
                pg_port,
+                args.working_directory,
+                args.pg_bin_dir,
+                args.pg_lib_dir,
                num_cpus,
                memory_mb,
-            } => {
-                cmd_pgdata(
-                    s3_client.as_ref(),
-                    kms_client,
-                    args.s3_prefix.clone(),
-                    spec,
-                    source_connection_string,
-                    interactive,
-                    pg_port,
-                    args.working_directory.clone(),
-                    args.pg_bin_dir,
-                    args.pg_lib_dir,
-                    num_cpus,
-                    memory_mb,
-                )
-                .await
-            }
-            Command::DumpRestore {
+            )
+            .await?;
+        }
+        Command::DumpRestore {
+            source_connection_string,
+            destination_connection_string,
+        } => {
+            cmd_dumprestore(
+                kms_client,
+                spec,
                source_connection_string,
                destination_connection_string,
-            } => {
-                cmd_dumprestore(
-                    kms_client,
-                    spec,
-                    source_connection_string,
-                    destination_connection_string,
-                    args.working_directory.clone(),
-                    args.pg_bin_dir,
-                    args.pg_lib_dir,
-                )
-                .await
-            }
-        }
-    }
-    .await;
-
-    if let Some(s3_prefix) = args.s3_prefix {
-        info!("write job status to s3");
-        {
-            let status_dir = args.working_directory.join("status");
-            if std::fs::exists(&status_dir)?.not() {
-                std::fs::create_dir(&status_dir).context("create status directory")?;
-            }
-            let status_file = status_dir.join("fast_import");
-            let res_obj = match res {
-                Ok(_) => serde_json::json!({"command": args.command.as_str(), "done": true}),
-                Err(err) => {
-                    serde_json::json!({"command": args.command.as_str(), "done": false, "error": err.to_string()})
-                }
-            };
-            std::fs::write(&status_file, res_obj.to_string()).context("write status file")?;
-            aws_s3_sync::upload_dir_recursive(
-                s3_client.as_ref().unwrap(),
-                &status_dir,
-                &s3_prefix.append("/status/"),
+                args.working_directory,
+                args.pg_bin_dir,
+                args.pg_lib_dir,
            )
-            .await
-            .context("sync status directory to destination")?;
+            .await?;
        }
    }

--- a/compute_tools/src/compute.rs
+++ b/compute_tools/src/compute.rs
@@ -20,7 +20,6 @@ use futures::future::join_all;
 use futures::stream::FuturesUnordered;
 use nix::sys::signal::{Signal, kill};
 use nix::unistd::Pid;
-use once_cell::sync::Lazy;
 use postgres;
 use postgres::NoTls;
 use postgres::error::SqlState;
@@ -36,7 +35,6 @@ use crate::disk_quota::set_disk_quota;
 use crate::installed_extensions::get_installed_extensions;
 use crate::logger::startup_context_from_env;
 use crate::lsn_lease::launch_lsn_lease_bg_task_for_static;
-use crate::metrics::COMPUTE_CTL_UP;
 use crate::monitor::launch_monitor;
 use crate::pg_helpers::*;
 use crate::rsyslog::{
@@ -51,17 +49,6 @@ use crate::{config, extension_server, local_proxy};

 pub static SYNC_SAFEKEEPERS_PID: AtomicU32 = AtomicU32::new(0);
 pub static PG_PID: AtomicU32 = AtomicU32::new(0);
-// This is an arbitrary build tag. Fine as a default / for testing purposes
-// in-case of not-set environment var
-const BUILD_TAG_DEFAULT: &str = "latest";
-/// Build tag/version of the compute node binaries/image. It's tricky and ugly
-/// to pass it everywhere as a part of `ComputeNodeParams`, so we use a
-/// global static variable.
-pub static BUILD_TAG: Lazy<String> = Lazy::new(|| {
-    option_env!("BUILD_TAG")
-        .unwrap_or(BUILD_TAG_DEFAULT)
-        .to_string()
-});

 /// Static configuration params that don't change after startup. These mostly
 /// come from the CLI args, or are derived from them.
@@ -85,6 +72,7 @@ pub struct ComputeNodeParams {
    pub pgdata: String,
    pub pgbin: String,
    pub pgversion: String,
+    pub build_tag: String,

    /// The port that the compute's external HTTP server listens on
    pub external_http_port: u16,
@@ -185,11 +173,6 @@ impl ComputeState {
        info!("Changing compute status from {} to {}", prev, status);
        self.status = status;
        state_changed.notify_all();
-
-        COMPUTE_CTL_UP.reset();
-        COMPUTE_CTL_UP
-            .with_label_values(&[&BUILD_TAG, format!("{}", status).as_str()])
-            .set(1);
    }

    pub fn set_failed_status(&mut self, err: anyhow::Error, state_changed: &Condvar) {
@@ -369,19 +352,13 @@ impl ComputeNode {
        }
        .launch(&this);

-        // The internal HTTP server is needed for a further activation by control plane
-        // if compute was started for a pool, so we have to start server before hanging
-        // waiting for a spec.
+        // The internal HTTP server could be launched later, but there isn't much
+        // sense in waiting.
        crate::http::server::Server::Internal {
            port: this.params.internal_http_port,
        }
        .launch(&this);

-        // HTTP server is running, so we can officially declare compute_ctl as 'up'
-        COMPUTE_CTL_UP
-            .with_label_values(&[&BUILD_TAG, ComputeStatus::Empty.to_string().as_str()])
-            .set(1);
-
        // If we got a spec from the CLI already, use that. Otherwise wait for the
        // control plane to pass it to us with a /configure HTTP request
        let pspec = if let Some(cli_spec) = cli_spec {
@@ -901,14 +878,6 @@ impl ComputeNode {
            info!("Storage auth token not set");
        }

-        config.application_name("compute_ctl");
-        if let Some(spec) = &compute_state.pspec {
-            config.options(&format!(
-                "-c neon.compute_mode={}",
-                spec.spec.mode.to_type_str()
-            ));
-        }
-
        // Connect to pageserver
        let mut client = config.connect(NoTls)?;
        let pageserver_connect_micros = start_time.elapsed().as_micros() as u64;
@@ -2055,8 +2024,12 @@ LIMIT 100",

        let mut download_tasks = Vec::new();
        for library in &libs_vec {
-            let (ext_name, ext_path) =
-                remote_extensions.get_ext(library, true, &BUILD_TAG, &self.params.pgversion)?;
+            let (ext_name, ext_path) = remote_extensions.get_ext(
+                library,
+                true,
+                &self.params.build_tag,
+                &self.params.pgversion,
+            )?;
            download_tasks.push(self.download_extension(ext_name, ext_path));
        }
        let results = join_all(download_tasks).await;
--- a/compute_tools/src/config.rs
+++ b/compute_tools/src/config.rs
@@ -117,7 +117,6 @@ pub fn write_postgres_conf(
        writeln!(file, "lc_numeric='C.UTF-8'")?;
    }

-    writeln!(file, "neon.compute_mode={}", spec.mode.to_type_str())?;
    match spec.mode {
        ComputeMode::Primary => {}
        ComputeMode::Static(lsn) => {
--- a/compute_tools/src/http/routes/extension_server.rs
+++ b/compute_tools/src/http/routes/extension_server.rs
@@ -5,7 +5,7 @@ use axum::response::{IntoResponse, Response};
 use http::StatusCode;
 use serde::Deserialize;

-use crate::compute::{BUILD_TAG, ComputeNode};
+use crate::compute::ComputeNode;
 use crate::http::JsonResponse;
 use crate::http::extract::{Path, Query};

@@ -47,7 +47,7 @@ pub(in crate::http) async fn download_extension(
        remote_extensions.get_ext(
            &filename,
            ext_server_params.is_library,
-            &BUILD_TAG,
+            &compute.params.build_tag,
            &compute.params.pgversion,
        )
    };
--- a/compute_tools/src/metrics.rs
+++ b/compute_tools/src/metrics.rs
@@ -1,8 +1,7 @@
 use metrics::core::{AtomicF64, Collector, GenericGauge};
 use metrics::proto::MetricFamily;
 use metrics::{
-    IntCounterVec, IntGaugeVec, UIntGaugeVec, register_gauge, register_int_counter_vec,
-    register_int_gauge_vec, register_uint_gauge_vec,
+    IntCounterVec, UIntGaugeVec, register_gauge, register_int_counter_vec, register_uint_gauge_vec,
 };
 use once_cell::sync::Lazy;

@@ -71,19 +70,8 @@ pub(crate) static AUDIT_LOG_DIR_SIZE: Lazy<GenericGauge<AtomicF64>> = Lazy::new(
    .expect("failed to define a metric")
 });

-// Report that `compute_ctl` is up and what's the current compute status.
-pub(crate) static COMPUTE_CTL_UP: Lazy<IntGaugeVec> = Lazy::new(|| {
-    register_int_gauge_vec!(
-        "compute_ctl_up",
-        "Whether compute_ctl is running",
-        &["build_tag", "status"]
-    )
-    .expect("failed to define a metric")
-});
-
 pub fn collect() -> Vec<MetricFamily> {
-    let mut metrics = COMPUTE_CTL_UP.collect();
-    metrics.extend(INSTALLED_EXTENSIONS.collect());
+    let mut metrics = INSTALLED_EXTENSIONS.collect();
    metrics.extend(CPLANE_REQUESTS_TOTAL.collect());
    metrics.extend(REMOTE_EXT_REQUESTS_TOTAL.collect());
    metrics.extend(DB_MIGRATION_FAILED.collect());
--- a/compute_tools/src/spec_apply.rs
+++ b/compute_tools/src/spec_apply.rs
@@ -75,12 +75,15 @@ impl ComputeNode {

            if spec.drop_subscriptions_before_start {
                let timeline_id = self.get_timeline_id().context("timeline_id must be set")?;
+                let query = format!("select 1 from neon.drop_subscriptions_done where timeline_id = '{}'", timeline_id);

                info!("Checking if drop subscription operation was already performed for timeline_id: {}", timeline_id);

-                drop_subscriptions_done = match
-                    client.query("select 1 from neon.drop_subscriptions_done where timeline_id = $1", &[&timeline_id.to_string()]).await {
-                    Ok(result) => !result.is_empty(),
+                drop_subscriptions_done =  match
+                    client.simple_query(&query).await {
+                    Ok(result) => {
+                        matches!(&result[0], postgres::SimpleQueryMessage::Row(_))
+                    },
                    Err(e) =>
                    {
                        match e.code() {
--- a/control_plane/src/local_env.rs
+++ b/control_plane/src/local_env.rs
@@ -165,11 +165,8 @@ pub struct NeonStorageControllerConf {
    /// Database url used when running multiple storage controller instances
    pub database_url: Option<SocketAddr>,

-    /// Thresholds for auto-splitting a tenant into shards.
+    /// Threshold for auto-splitting a tenant into shards
    pub split_threshold: Option<u64>,
-    pub max_split_shards: Option<u8>,
-    pub initial_split_threshold: Option<u64>,
-    pub initial_split_shards: Option<u8>,

    pub max_secondary_lag_bytes: Option<u64>,

@@ -184,8 +181,6 @@ pub struct NeonStorageControllerConf {
    pub timelines_onto_safekeepers: bool,

    pub use_https_safekeeper_api: bool,
-
-    pub use_local_compute_notifications: bool,
 }

 impl NeonStorageControllerConf {
@@ -206,16 +201,12 @@ impl Default for NeonStorageControllerConf {
            start_as_candidate: false,
            database_url: None,
            split_threshold: None,
-            max_split_shards: None,
-            initial_split_threshold: None,
-            initial_split_shards: None,
            max_secondary_lag_bytes: None,
            heartbeat_interval: Self::DEFAULT_HEARTBEAT_INTERVAL,
            long_reconcile_threshold: None,
            use_https_pageserver_api: false,
            timelines_onto_safekeepers: false,
            use_https_safekeeper_api: false,
-            use_local_compute_notifications: true,
        }
    }
 }
--- a/control_plane/src/pageserver.rs
+++ b/control_plane/src/pageserver.rs
@@ -51,19 +51,11 @@ impl PageServerNode {
            parse_host_port(&conf.listen_pg_addr).expect("Unable to parse listen_pg_addr");
        let port = port.unwrap_or(5432);

-        let ssl_ca_certs = env.ssl_ca_cert_path().map(|ssl_ca_file| {
+        let ssl_ca_cert = env.ssl_ca_cert_path().map(|ssl_ca_file| {
            let buf = std::fs::read(ssl_ca_file).expect("SSL root CA file should exist");
-            Certificate::from_pem_bundle(&buf).expect("SSL CA file should be valid")
+            Certificate::from_pem(&buf).expect("CA certificate should be valid")
        });

-        let mut http_client = reqwest::Client::builder();
-        for ssl_ca_cert in ssl_ca_certs.unwrap_or_default() {
-            http_client = http_client.add_root_certificate(ssl_ca_cert);
-        }
-        let http_client = http_client
-            .build()
-            .expect("Client constructs with no errors");
-
        let endpoint = if env.storage_controller.use_https_pageserver_api {
            format!(
                "https://{}",
@@ -80,7 +72,6 @@ impl PageServerNode {
            conf: conf.clone(),
            env: env.clone(),
            http_client: mgmt_api::Client::new(
-                http_client,
                endpoint,
                {
                    match conf.http_auth_type {
@@ -92,7 +83,9 @@ impl PageServerNode {
                    }
                }
                .as_deref(),
-            ),
+                ssl_ca_cert,
+            )
+            .expect("Client constructs with no errors"),
        }
    }

@@ -149,10 +142,6 @@ impl PageServerNode {
            overrides.push("auth_validation_public_key_path='../auth_public_key.pem'".to_owned());
        }

-        if let Some(ssl_ca_file) = self.env.ssl_ca_cert_path() {
-            overrides.push(format!("ssl_ca_file='{}'", ssl_ca_file.to_str().unwrap()));
-        }
-
        // Apply the user-provided overrides
        overrides.push({
            let mut doc =
@@ -428,6 +417,11 @@ impl PageServerNode {
                .map(|x| x.parse::<usize>())
                .transpose()
                .context("Failed to parse 'l0_flush_delay_threshold' as an integer")?,
+            l0_flush_wait_upload: settings
+                .remove("l0_flush_wait_upload")
+                .map(|x| x.parse::<bool>())
+                .transpose()
+                .context("Failed to parse 'l0_flush_wait_upload' as a boolean")?,
            l0_flush_stall_threshold: settings
                .remove("l0_flush_stall_threshold")
                .map(|x| x.parse::<usize>())
--- a/control_plane/src/storage_controller.rs
+++ b/control_plane/src/storage_controller.rs
@@ -1,5 +1,6 @@
 use std::ffi::OsStr;
 use std::fs;
+use std::net::SocketAddr;
 use std::path::PathBuf;
 use std::process::ExitStatus;
 use std::str::FromStr;
@@ -17,7 +18,7 @@ use pageserver_api::models::{TenantConfigRequest, TimelineCreateRequest, Timelin
 use pageserver_api::shard::TenantShardId;
 use pageserver_client::mgmt_api::ResponseErrorMessageExt;
 use postgres_backend::AuthType;
-use reqwest::{Certificate, Method};
+use reqwest::Method;
 use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
 use tokio::process::Command;
@@ -37,9 +38,9 @@ pub struct StorageController {
    client: reqwest::Client,
    config: NeonStorageControllerConf,

-    // The listen port is learned when starting the storage controller,
+    // The listen addresses is learned when starting the storage controller,
    // hence the use of OnceLock to init it at the right time.
-    listen_port: OnceLock<u16>,
+    listen: OnceLock<SocketAddr>,
 }

 const COMMAND: &str = "storage_controller";
@@ -143,26 +144,15 @@ impl StorageController {
            }
        };

-        let ssl_ca_certs = env.ssl_ca_cert_path().map(|ssl_ca_file| {
-            let buf = std::fs::read(ssl_ca_file).expect("SSL CA file should exist");
-            Certificate::from_pem_bundle(&buf).expect("SSL CA file should be valid")
-        });
-
-        let mut http_client = reqwest::Client::builder();
-        for ssl_ca_cert in ssl_ca_certs.unwrap_or_default() {
-            http_client = http_client.add_root_certificate(ssl_ca_cert);
-        }
-        let http_client = http_client
-            .build()
-            .expect("HTTP client should construct with no error");
-
        Self {
            env: env.clone(),
            private_key,
            public_key,
-            client: http_client,
+            client: reqwest::ClientBuilder::new()
+                .build()
+                .expect("Failed to construct http client"),
            config: env.storage_controller.clone(),
-            listen_port: OnceLock::default(),
+            listen: OnceLock::default(),
        }
    }

@@ -347,34 +337,34 @@ impl StorageController {
            }
        }

-        if self.env.generate_local_ssl_certs {
-            self.env.generate_ssl_cert(
-                &instance_dir.join("server.crt"),
-                &instance_dir.join("server.key"),
-            )?;
-        }
+        let (listen, postgres_port) = {
+            if let Some(base_port) = start_args.base_port {
+                (
+                    format!("127.0.0.1:{base_port}"),
+                    self.config
+                        .database_url
+                        .expect("--base-port requires NeonStorageControllerConf::database_url")
+                        .port(),
+                )
+            } else {
+                let listen_url = self.env.control_plane_api.clone();

-        let listen_url = &self.env.control_plane_api;
+                let listen = format!(
+                    "{}:{}",
+                    listen_url.host_str().unwrap(),
+                    listen_url.port().unwrap()
+                );

-        let scheme = listen_url.scheme();
-        let host = listen_url.host_str().unwrap();
-
-        let (listen_port, postgres_port) = if let Some(base_port) = start_args.base_port {
-            (
-                base_port,
-                self.config
-                    .database_url
-                    .expect("--base-port requires NeonStorageControllerConf::database_url")
-                    .port(),
-            )
-        } else {
-            let port = listen_url.port().unwrap();
-            (port, port + 1)
+                (listen, listen_url.port().unwrap() + 1)
+            }
        };

-        self.listen_port
-            .set(listen_port)
-            .expect("StorageController::listen_port is only set here");
+        let socket_addr = listen
+            .parse()
+            .expect("listen address is a valid socket address");
+        self.listen
+            .set(socket_addr)
+            .expect("StorageController::listen is only set here");

        // Do we remove the pid file on stop?
        let pg_started = self.is_postgres_running().await?;
@@ -510,15 +500,20 @@ impl StorageController {
        drop(client);
        conn.await??;

-        let addr = format!("{}:{}", host, listen_port);
+        let listen = self
+            .listen
+            .get()
+            .expect("cell is set earlier in this function");
        let address_for_peers = Uri::builder()
-            .scheme(scheme)
-            .authority(addr.clone())
+            .scheme("http")
+            .authority(format!("{}:{}", listen.ip(), listen.port()))
            .path_and_query("")
            .build()
            .unwrap();

        let mut args = vec![
+            "-l",
+            &listen.to_string(),
            "--dev",
            "--database-url",
            &database_url,
@@ -535,14 +530,6 @@ impl StorageController {
        .map(|s| s.to_string())
        .collect::<Vec<_>>();

-        match scheme {
-            "http" => args.extend(["--listen".to_string(), addr]),
-            "https" => args.extend(["--listen-https".to_string(), addr]),
-            _ => {
-                panic!("Unexpected url scheme in control_plane_api: {scheme}");
-            }
-        }
-
        if self.config.start_as_candidate {
            args.push("--start-as-candidate".to_string());
        }
@@ -555,10 +542,6 @@ impl StorageController {
            args.push("--use-https-safekeeper-api".to_string());
        }

-        if self.config.use_local_compute_notifications {
-            args.push("--use-local-compute-notifications".to_string());
-        }
-
        if let Some(ssl_ca_file) = self.env.ssl_ca_cert_path() {
            args.push(format!("--ssl-ca-file={}", ssl_ca_file.to_str().unwrap()));
        }
@@ -587,20 +570,6 @@ impl StorageController {
            args.push(format!("--split-threshold={split_threshold}"))
        }

-        if let Some(max_split_shards) = self.config.max_split_shards.as_ref() {
-            args.push(format!("--max-split-shards={max_split_shards}"))
-        }
-
-        if let Some(initial_split_threshold) = self.config.initial_split_threshold.as_ref() {
-            args.push(format!(
-                "--initial-split-threshold={initial_split_threshold}"
-            ))
-        }
-
-        if let Some(initial_split_shards) = self.config.initial_split_shards.as_ref() {
-            args.push(format!("--initial-split-shards={initial_split_shards}"))
-        }
-
        if let Some(lag) = self.config.max_secondary_lag_bytes.as_ref() {
            args.push(format!("--max-secondary-lag-bytes={lag}"))
        }
@@ -621,8 +590,6 @@ impl StorageController {
            args.push("--timelines-onto-safekeepers".to_string());
        }

-        println!("Starting storage controller");
-
        background_process::start_process(
            COMMAND,
            &instance_dir,
@@ -749,26 +716,30 @@ impl StorageController {
    {
        // In the special case of the `storage_controller start` subcommand, we wish
        // to use the API endpoint of the newly started storage controller in order
-        // to pass the readiness check. In this scenario [`Self::listen_port`] will
-        // be set (see [`Self::start`]).
+        // to pass the readiness check. In this scenario [`Self::listen`] will be set
+        // (see [`Self::start`]).
        //
        // Otherwise, we infer the storage controller api endpoint from the configured
        // control plane API.
-        let port = if let Some(port) = self.listen_port.get() {
-            *port
+        let url = if let Some(socket_addr) = self.listen.get() {
+            Url::from_str(&format!(
+                "http://{}:{}/{path}",
+                socket_addr.ip().to_canonical(),
+                socket_addr.port()
+            ))
+            .unwrap()
        } else {
-            self.env.control_plane_api.port().unwrap()
+            // The configured URL has the /upcall path prefix for pageservers to use: we will strip that out
+            // for general purpose API access.
+            let listen_url = self.env.control_plane_api.clone();
+            Url::from_str(&format!(
+                "http://{}:{}/{path}",
+                listen_url.host_str().unwrap(),
+                listen_url.port().unwrap()
+            ))
+            .unwrap()
        };

-        // The configured URL has the /upcall path prefix for pageservers to use: we will strip that out
-        // for general purpose API access.
-        let url = Url::from_str(&format!(
-            "{}://{}:{port}/{path}",
-            self.env.control_plane_api.scheme(),
-            self.env.control_plane_api.host_str().unwrap(),
-        ))
-        .unwrap();
-
        let mut builder = self.client.request(method, url);
        if let Some(body) = body {
            builder = builder.json(&body)
--- a/control_plane/storcon_cli/src/main.rs
+++ b/control_plane/storcon_cli/src/main.rs
@@ -20,7 +20,7 @@ use pageserver_api::models::{
 };
 use pageserver_api::shard::{ShardStripeSize, TenantShardId};
 use pageserver_client::mgmt_api::{self};
-use reqwest::{Certificate, Method, StatusCode, Url};
+use reqwest::{Method, StatusCode, Url};
 use storage_controller_client::control_api::Client;
 use utils::id::{NodeId, TenantId, TimelineId};

@@ -274,7 +274,7 @@ struct Cli {
    jwt: Option<String>,

    #[arg(long)]
-    /// Trusted root CA certificates to use in https APIs.
+    /// Trusted root CA certificate to use in https APIs.
    ssl_ca_file: Option<PathBuf>,

    #[command(subcommand)]
@@ -387,23 +387,17 @@ async fn main() -> anyhow::Result<()> {

    let storcon_client = Client::new(cli.api.clone(), cli.jwt.clone());

-    let ssl_ca_certs = match &cli.ssl_ca_file {
+    let ssl_ca_cert = match &cli.ssl_ca_file {
        Some(ssl_ca_file) => {
            let buf = tokio::fs::read(ssl_ca_file).await?;
-            Certificate::from_pem_bundle(&buf)?
+            Some(reqwest::Certificate::from_pem(&buf)?)
        }
-        None => Vec::new(),
+        None => None,
    };

-    let mut http_client = reqwest::Client::builder();
-    for ssl_ca_cert in ssl_ca_certs {
-        http_client = http_client.add_root_certificate(ssl_ca_cert);
-    }
-    let http_client = http_client.build()?;
-
    let mut trimmed = cli.api.to_string();
    trimmed.pop();
-    let vps_client = mgmt_api::Client::new(http_client, trimmed, cli.jwt.as_deref());
+    let vps_client = mgmt_api::Client::new(trimmed, cli.jwt.as_deref(), ssl_ca_cert)?;

    match cli.command {
        Command::NodeRegister {
--- a/docker-compose/compute_wrapper/shell/compute.sh
+++ b/docker-compose/compute_wrapper/shell/compute.sh
@@ -67,14 +67,6 @@ else
  fi
 fi

-if [[ ${PG_VERSION} -ge 17 ]]; then
-  ulid_extension=pgx_ulid
-else
-  ulid_extension=ulid
-fi
-echo "Adding pgx_ulid"
-shared_libraries=$(jq -r '.cluster.settings[] | select(.name=="shared_preload_libraries").value' ${SPEC_FILE})
-sed -i "s/${shared_libraries}/${shared_libraries},${ulid_extension}/" ${SPEC_FILE}
 echo "Overwrite tenant id and timeline id in spec file"
 sed -i "s/TENANT_ID/${tenant_id}/" ${SPEC_FILE}
 sed -i "s/TIMELINE_ID/${timeline_id}/" ${SPEC_FILE}
--- a/docker-compose/docker_compose_test.sh
+++ b/docker-compose/docker_compose_test.sh
@@ -69,7 +69,7 @@ for pg_version in ${TEST_VERSION_ONLY-14 15 16 17}; do
        cat ../compute/patches/contrib_pg${pg_version}.patch | docker exec -i $TEST_CONTAINER_NAME bash -c "(cd /postgres && patch -p1)"
        # We are running tests now
        rm -f testout.txt testout_contrib.txt
-        docker exec -e USE_PGXS=1 -e SKIP=timescaledb-src,rdkit-src,postgis-src,pg_jsonschema-src,kq_imcx-src,wal2json_2_5-src,rag_jina_reranker_v1_tiny_en-src,rag_bge_small_en_v15-src \
+        docker exec -e USE_PGXS=1 -e SKIP=timescaledb-src,rdkit-src,postgis-src,pgx_ulid-src,pg_tiktoken-src,pg_jsonschema-src,kq_imcx-src,wal2json_2_5-src \
        $TEST_CONTAINER_NAME /run-tests.sh /ext-src | tee testout.txt && EXT_SUCCESS=1 || EXT_SUCCESS=0
        docker exec -e SKIP=start-scripts,postgres_fdw,ltree_plpython,jsonb_plpython,jsonb_plperl,hstore_plpython,hstore_plperl,dblink,bool_plperl \
        $TEST_CONTAINER_NAME /run-tests.sh /postgres/contrib | tee testout_contrib.txt && CONTRIB_SUCCESS=1 || CONTRIB_SUCCESS=0
--- a/docker-compose/ext-src/pg_tiktoken-src/Makefile
+++ b/docker-compose/ext-src/pg_tiktoken-src/Makefile
@@ -1,8 +0,0 @@
-PG_CONFIG ?= pg_config
-PG_REGRESS = $(shell dirname $$($(PG_CONFIG) --pgxs))/../../src/test/regress/pg_regress
-REGRESS = pg_tiktoken
-
-installcheck: regression-test
-
-regression-test:
-	$(PG_REGRESS) --inputdir=. --outputdir=. --dbname=contrib_regression $(REGRESS)
--- a/docker-compose/ext-src/pg_tiktoken-src/expected/pg_tiktoken.out
+++ b/docker-compose/ext-src/pg_tiktoken-src/expected/pg_tiktoken.out
@@ -1,53 +0,0 @@
-- Load the extension
-CREATE EXTENSION IF NOT EXISTS pg_tiktoken;
-- Test encoding function
-SELECT tiktoken_encode('cl100k_base', 'Hello world!');
- tiktoken_encode 
-----------------
- {9906,1917,0}
-(1 row)
-
-- Test token count function
-SELECT tiktoken_count('cl100k_base', 'Hello world!');
- tiktoken_count 
----------------
-              3
-(1 row)
-
-- Test encoding function with a different model
-SELECT tiktoken_encode('r50k_base', 'PostgreSQL is amazing!');
-     tiktoken_encode     
-------------------------
- {6307,47701,318,4998,0}
-(1 row)
-
-- Test token count function with the same model
-SELECT tiktoken_count('r50k_base', 'PostgreSQL is amazing!');
- tiktoken_count 
----------------
-              5
-(1 row)
-
-- Edge cases: Empty string
-SELECT tiktoken_encode('cl100k_base', '');
- tiktoken_encode 
-----------------
- {}
-(1 row)
-
-SELECT tiktoken_count('cl100k_base', '');
- tiktoken_count 
----------------
-              0
-(1 row)
-
-- Edge cases: Long text
-SELECT tiktoken_count('cl100k_base', repeat('word ', 100));
- tiktoken_count 
----------------
-            101
-(1 row)
-
-- Edge case: Invalid encoding
-SELECT tiktoken_encode('invalid_model', 'Test') AS should_fail;
-ERROR:  'invalid_model': unknown model or encoder
--- a/docker-compose/ext-src/pg_tiktoken-src/sql/pg_tiktoken.sql
+++ b/docker-compose/ext-src/pg_tiktoken-src/sql/pg_tiktoken.sql
@@ -1,24 +0,0 @@
-- Load the extension
-CREATE EXTENSION IF NOT EXISTS pg_tiktoken;
-
-- Test encoding function
-SELECT tiktoken_encode('cl100k_base', 'Hello world!');
-
-- Test token count function
-SELECT tiktoken_count('cl100k_base', 'Hello world!');
-
-- Test encoding function with a different model
-SELECT tiktoken_encode('r50k_base', 'PostgreSQL is amazing!');
-
-- Test token count function with the same model
-SELECT tiktoken_count('r50k_base', 'PostgreSQL is amazing!');
-
-- Edge cases: Empty string
-SELECT tiktoken_encode('cl100k_base', '');
-SELECT tiktoken_count('cl100k_base', '');
-
-- Edge cases: Long text
-SELECT tiktoken_count('cl100k_base', repeat('word ', 100));
-
-- Edge case: Invalid encoding
-SELECT tiktoken_encode('invalid_model', 'Test') AS should_fail;
--- a/docker-compose/ext-src/pgrag-src/Makefile
+++ b/docker-compose/ext-src/pgrag-src/Makefile
@@ -1,10 +0,0 @@
-EXTENSION = rag
-MODULE_big = rag
-OBJS = $(patsubst %.rs,%.o,$(wildcard src/*.rs))
-
-REGRESS = basic_functions text_processing api_keys chunking_functions document_processing embedding_api_functions voyageai_functions
-REGRESS_OPTS = --load-extension=vector --load-extension=rag
-
-PG_CONFIG = pg_config
-PGXS := $(shell $(PG_CONFIG) --pgxs)
-include $(PGXS)
--- a/docker-compose/ext-src/pgrag-src/expected/api_keys.out
+++ b/docker-compose/ext-src/pgrag-src/expected/api_keys.out
@@ -1,49 +0,0 @@
-- API key function tests
-SELECT rag.anthropic_set_api_key('test_key');
- anthropic_set_api_key 
-----------------------
- 
-(1 row)
-
-SELECT rag.anthropic_get_api_key();
- anthropic_get_api_key 
-----------------------
- test_key
-(1 row)
-
-SELECT rag.openai_set_api_key('test_key');
- openai_set_api_key 
--------------------
- 
-(1 row)
-
-SELECT rag.openai_get_api_key();
- openai_get_api_key 
--------------------
- test_key
-(1 row)
-
-SELECT rag.fireworks_set_api_key('test_key');
- fireworks_set_api_key 
-----------------------
- 
-(1 row)
-
-SELECT rag.fireworks_get_api_key();
- fireworks_get_api_key 
-----------------------
- test_key
-(1 row)
-
-SELECT rag.voyageai_set_api_key('test_key');
- voyageai_set_api_key 
----------------------
- 
-(1 row)
-
-SELECT rag.voyageai_get_api_key();
- voyageai_get_api_key 
----------------------
- test_key
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/basic_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/basic_functions.out
@@ -1,13 +0,0 @@
-- Basic function tests
-SELECT rag.markdown_from_html('<p>Hello</p>');
- markdown_from_html 
--------------------
- Hello
-(1 row)
-
-SELECT array_length(rag.chunks_by_character_count('the cat sat on the mat', 10, 5), 1);
- array_length 
--------------
-            3
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/chunking_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/chunking_functions.out
@@ -1,31 +0,0 @@
-- Chunking function tests
-SELECT rag.chunks_by_character_count('the cat sat on the mat', 10, 5);
-       chunks_by_character_count       
---------------------------------------
- {"the cat","cat sat on","on the mat"}
-(1 row)
-
-SELECT rag.chunks_by_character_count('Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.', 20, 10);
-                                                                                     chunks_by_character_count                                                                                      
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- {"Lorem ipsum dolor","dolor sit amet,","amet, consectetur","adipiscing elit.","Sed do eiusmod","do eiusmod tempor","tempor incididunt ut","ut labore et dolore","et dolore magna","magna aliqua."}
-(1 row)
-
-SELECT (rag.chunks_by_character_count('the cat', 10, 0))[1];
- chunks_by_character_count 
---------------------------
- the cat
-(1 row)
-
-SELECT rag.chunks_by_character_count('', 10, 5);
- chunks_by_character_count 
---------------------------
- {}
-(1 row)
-
-SELECT rag.chunks_by_character_count('a b c d e f g h i j k l m n o p', 5, 2);
-                    chunks_by_character_count                    
-----------------------------------------------------------------
- {"a b c","c d e","e f g","g h i","i j k","k l m","m n o","o p"}
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/document_processing.out
+++ b/docker-compose/ext-src/pgrag-src/expected/document_processing.out
@@ -1,56 +0,0 @@
-- HTML to Markdown conversion tests
-SELECT rag.markdown_from_html('<p>Hello</p>');
- markdown_from_html 
--------------------
- Hello
-(1 row)
-
-SELECT rag.markdown_from_html('<p>Hello <i>world</i></p>');
- markdown_from_html 
--------------------
- Hello _world_
-(1 row)
-
-SELECT rag.markdown_from_html('<h1>Title</h1><p>Paragraph</p>');
- markdown_from_html 
--------------------
- # Title           +
-                   +
- Paragraph
-(1 row)
-
-SELECT rag.markdown_from_html('<ul><li>Item 1</li><li>Item 2</li></ul>');
- markdown_from_html 
--------------------
- *   Item 1        +
- *   Item 2
-(1 row)
-
-SELECT rag.markdown_from_html('<a href="https://example.com">Link</a>');
-     markdown_from_html      
-----------------------------
- [Link](https://example.com)
-(1 row)
-
-- Note: text_from_pdf and text_from_docx require binary input which is harder to test in regression tests
-- We'll test that the functions exist and have the right signature
-SELECT 'text_from_pdf_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'text_from_pdf'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-      test_name       | result 
----------------------+--------
- text_from_pdf_exists | t
-(1 row)
-
-SELECT 'text_from_docx_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'text_from_docx'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-       test_name       | result 
-----------------------+--------
- text_from_docx_exists | t
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/embedding_api_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/embedding_api_functions.out
@@ -1,103 +0,0 @@
-- Test embedding functions exist with correct signatures
-- OpenAI embedding functions
-SELECT 'openai_text_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-          test_name           | result 
------------------------------+--------
- openai_text_embedding_exists | t
-(1 row)
-
-SELECT 'openai_text_embedding_3_small_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_3_small'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name               | result 
--------------------------------------+--------
- openai_text_embedding_3_small_exists | t
-(1 row)
-
-SELECT 'openai_text_embedding_3_large_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_3_large'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name               | result 
--------------------------------------+--------
- openai_text_embedding_3_large_exists | t
-(1 row)
-
-SELECT 'openai_text_embedding_ada_002_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_ada_002'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name               | result 
--------------------------------------+--------
- openai_text_embedding_ada_002_exists | t
-(1 row)
-
-- Fireworks embedding functions
-SELECT 'fireworks_nomic_embed_text_v1_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_nomic_embed_text_v1'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name               | result 
--------------------------------------+--------
- fireworks_nomic_embed_text_v1_exists | t
-(1 row)
-
-SELECT 'fireworks_nomic_embed_text_v15_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_nomic_embed_text_v15'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-               test_name               | result 
---------------------------------------+--------
- fireworks_nomic_embed_text_v15_exists | t
-(1 row)
-
-SELECT 'fireworks_text_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name            | result 
---------------------------------+--------
- fireworks_text_embedding_exists | t
-(1 row)
-
-SELECT 'fireworks_text_embedding_thenlper_gte_base_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_thenlper_gte_base'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-                     test_name                     | result 
---------------------------------------------------+--------
- fireworks_text_embedding_thenlper_gte_base_exists | t
-(1 row)
-
-SELECT 'fireworks_text_embedding_thenlper_gte_large_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_thenlper_gte_large'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-                     test_name                      | result 
----------------------------------------------------+--------
- fireworks_text_embedding_thenlper_gte_large_exists | t
-(1 row)
-
-SELECT 'fireworks_text_embedding_whereisai_uae_large_v1_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_whereisai_uae_large_v1'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-                       test_name                        | result 
--------------------------------------------------------+--------
- fireworks_text_embedding_whereisai_uae_large_v1_exists | t
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/embedding_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/embedding_functions.out
@@ -1,9 +0,0 @@
-BEGIN
-CREATE EXTENSION IF NOT EXISTS vector;
-DROP EXTENSION IF EXISTS rag CASCADE;
-CREATE EXTENSION rag CASCADE;
-test_name|result
-openai_embedding_dimensions_test|t
-test_name|result
-fireworks_embedding_dimensions_test|t
-COMMIT
--- a/docker-compose/ext-src/pgrag-src/expected/text_processing.out
+++ b/docker-compose/ext-src/pgrag-src/expected/text_processing.out
@@ -1,13 +0,0 @@
-- Text processing function tests
-SELECT rag.markdown_from_html('<p>Hello <i>world</i></p>');
- markdown_from_html 
--------------------
- Hello _world_
-(1 row)
-
-SELECT rag.chunks_by_character_count('the cat sat on the mat', 10, 5);
-       chunks_by_character_count       
---------------------------------------
- {"the cat","cat sat on","on the mat"}
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/expected/voyageai_functions.out
+++ b/docker-compose/ext-src/pgrag-src/expected/voyageai_functions.out
@@ -1,141 +0,0 @@
-- Test VoyageAI API key functions
-SELECT 'voyageai_api_key_test' AS test_name, 
-       (SELECT rag.voyageai_set_api_key('test_key') IS NULL) AS result;
-       test_name       | result 
-----------------------+--------
- voyageai_api_key_test | t
-(1 row)
-
-SELECT 'voyageai_get_api_key_test' AS test_name,
-       (SELECT rag.voyageai_get_api_key() = 'test_key') AS result;
-         test_name         | result 
---------------------------+--------
- voyageai_get_api_key_test | t
-(1 row)
-
-- Test VoyageAI embedding functions exist
-SELECT 'voyageai_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-         test_name         | result 
---------------------------+--------
- voyageai_embedding_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_3_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_3'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-          test_name          | result 
-----------------------------+--------
- voyageai_embedding_3_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_3_lite_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_3_lite'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name             | result 
----------------------------------+--------
- voyageai_embedding_3_lite_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_code_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_code_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name             | result 
----------------------------------+--------
- voyageai_embedding_code_2_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_finance_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_finance_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-              test_name              | result 
-------------------------------------+--------
- voyageai_embedding_finance_2_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_law_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_law_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name            | result 
---------------------------------+--------
- voyageai_embedding_law_2_exists | t
-(1 row)
-
-SELECT 'voyageai_embedding_multilingual_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_multilingual_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-                test_name                 | result 
------------------------------------------+--------
- voyageai_embedding_multilingual_2_exists | t
-(1 row)
-
-- Test VoyageAI reranking functions exist
-SELECT 'voyageai_rerank_distance_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_distance'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-            test_name            | result 
---------------------------------+--------
- voyageai_rerank_distance_exists | t
-(1 row)
-
-SELECT 'voyageai_rerank_score_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_score'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-          test_name           | result 
------------------------------+--------
- voyageai_rerank_score_exists | t
-(1 row)
-
-- Test VoyageAI function signatures
-SELECT 'voyageai_embedding_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs = 3;
-          test_name           | result 
------------------------------+--------
- voyageai_embedding_signature | t
-(1 row)
-
-SELECT 'voyageai_rerank_distance_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_distance'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs IN (3, 4);
-             test_name              | result 
------------------------------------+--------
- voyageai_rerank_distance_signature | t
-(1 row)
-
-SELECT 'voyageai_rerank_score_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_score'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs IN (3, 4);
-            test_name            | result 
---------------------------------+--------
- voyageai_rerank_score_signature | t
-(1 row)
-
--- a/docker-compose/ext-src/pgrag-src/sql/api_keys.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/api_keys.sql
@@ -1,16 +0,0 @@
-- API key function tests
-SELECT rag.anthropic_set_api_key('test_key');
-
-SELECT rag.anthropic_get_api_key();
-
-SELECT rag.openai_set_api_key('test_key');
-
-SELECT rag.openai_get_api_key();
-
-SELECT rag.fireworks_set_api_key('test_key');
-
-SELECT rag.fireworks_get_api_key();
-
-SELECT rag.voyageai_set_api_key('test_key');
-
-SELECT rag.voyageai_get_api_key();
--- a/docker-compose/ext-src/pgrag-src/sql/basic_functions.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/basic_functions.sql
@@ -1,4 +0,0 @@
-- Basic function tests
-SELECT rag.markdown_from_html('<p>Hello</p>');
-
-SELECT array_length(rag.chunks_by_character_count('the cat sat on the mat', 10, 5), 1);
--- a/docker-compose/ext-src/pgrag-src/sql/chunking_functions.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/chunking_functions.sql
@@ -1,11 +0,0 @@
-- Chunking function tests
-SELECT rag.chunks_by_character_count('the cat sat on the mat', 10, 5);
-
-SELECT rag.chunks_by_character_count('Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.', 20, 10);
-
-SELECT (rag.chunks_by_character_count('the cat', 10, 0))[1];
-
-SELECT rag.chunks_by_character_count('', 10, 5);
-
-SELECT rag.chunks_by_character_count('a b c d e f g h i j k l m n o p', 5, 2);
-
--- a/docker-compose/ext-src/pgrag-src/sql/document_processing.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/document_processing.sql
@@ -1,24 +0,0 @@
-- HTML to Markdown conversion tests
-SELECT rag.markdown_from_html('<p>Hello</p>');
-
-SELECT rag.markdown_from_html('<p>Hello <i>world</i></p>');
-
-SELECT rag.markdown_from_html('<h1>Title</h1><p>Paragraph</p>');
-
-SELECT rag.markdown_from_html('<ul><li>Item 1</li><li>Item 2</li></ul>');
-
-SELECT rag.markdown_from_html('<a href="https://example.com">Link</a>');
-
-- Note: text_from_pdf and text_from_docx require binary input which is harder to test in regression tests
-- We'll test that the functions exist and have the right signature
-SELECT 'text_from_pdf_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'text_from_pdf'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'text_from_docx_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'text_from_docx'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
--- a/docker-compose/ext-src/pgrag-src/sql/embedding_api_functions.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/embedding_api_functions.sql
@@ -1,62 +0,0 @@
-- Test embedding functions exist with correct signatures
-- OpenAI embedding functions
-SELECT 'openai_text_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'openai_text_embedding_3_small_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_3_small'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'openai_text_embedding_3_large_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_3_large'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'openai_text_embedding_ada_002_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'openai_text_embedding_ada_002'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-- Fireworks embedding functions
-SELECT 'fireworks_nomic_embed_text_v1_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_nomic_embed_text_v1'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_nomic_embed_text_v15_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_nomic_embed_text_v15'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_text_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_text_embedding_thenlper_gte_base_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_thenlper_gte_base'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_text_embedding_thenlper_gte_large_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_thenlper_gte_large'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'fireworks_text_embedding_whereisai_uae_large_v1_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'fireworks_text_embedding_whereisai_uae_large_v1'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
--- a/docker-compose/ext-src/pgrag-src/sql/text_processing.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/text_processing.sql
@@ -1,4 +0,0 @@
-- Text processing function tests
-SELECT rag.markdown_from_html('<p>Hello <i>world</i></p>');
-
-SELECT rag.chunks_by_character_count('the cat sat on the mat', 10, 5);
--- a/docker-compose/ext-src/pgrag-src/sql/voyageai_functions.sql
+++ b/docker-compose/ext-src/pgrag-src/sql/voyageai_functions.sql
@@ -1,84 +0,0 @@
-- Test VoyageAI API key functions
-SELECT 'voyageai_api_key_test' AS test_name, 
-       (SELECT rag.voyageai_set_api_key('test_key') IS NULL) AS result;
-
-SELECT 'voyageai_get_api_key_test' AS test_name,
-       (SELECT rag.voyageai_get_api_key() = 'test_key') AS result;
-
-- Test VoyageAI embedding functions exist
-SELECT 'voyageai_embedding_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_3_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_3'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_3_lite_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_3_lite'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_code_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_code_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_finance_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_finance_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_law_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_law_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_embedding_multilingual_2_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding_multilingual_2'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-- Test VoyageAI reranking functions exist
-SELECT 'voyageai_rerank_distance_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_distance'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-SELECT 'voyageai_rerank_score_exists' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_score'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag');
-
-- Test VoyageAI function signatures
-SELECT 'voyageai_embedding_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_embedding'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs = 3;
-
-SELECT 'voyageai_rerank_distance_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_distance'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs IN (3, 4);
-
-SELECT 'voyageai_rerank_score_signature' AS test_name,
-       count(*) > 0 AS result
-FROM pg_proc
-WHERE proname = 'voyageai_rerank_score'
-  AND pronamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'rag')
-  AND pronargs IN (3, 4);
--- a/docker-compose/ext-src/pgx_ulid-src/Makefile
+++ b/docker-compose/ext-src/pgx_ulid-src/Makefile
@@ -1,16 +0,0 @@
-EXTENSION = pgx_ulid
-
-PGFILEDESC = "pgx_ulid - ULID type for PostgreSQL"
-
-PG_CONFIG ?= pg_config
-PGXS := $(shell $(PG_CONFIG) --pgxs)
-PG_MAJOR_VERSION := $(word 2, $(subst ., , $(shell $(PG_CONFIG) --version)))
-ifeq ($(shell test $(PG_MAJOR_VERSION) -lt 17; echo $$?),0)
-  REGRESS_OPTS = --load-extension=ulid
-  REGRESS = 00_ulid_generation 01_ulid_conversions 03_ulid_errors
-else
-  REGRESS_OPTS = --load-extension=pgx_ulid
-  REGRESS = 00_ulid_generation 01_ulid_conversions 02_ulid_conversions 03_ulid_errors
-endif
-
-include $(PGXS)
--- a/docker-compose/ext-src/pgx_ulid-src/expected/00_ulid_generation.out
+++ b/docker-compose/ext-src/pgx_ulid-src/expected/00_ulid_generation.out
@@ -1,60 +0,0 @@
-- Test basic ULID generation
-- Test gen_ulid() function
-SELECT 'gen_ulid() returns a non-null value' as test_name,
-       gen_ulid() IS NOT NULL as result;
-              test_name              | result 
-------------------------------------+--------
- gen_ulid() returns a non-null value | t
-(1 row)
-
-- Test that multiple calls to gen_ulid() return different values
-SELECT 'gen_ulid() returns unique values' as test_name,
-       gen_ulid() != gen_ulid() as result;
-            test_name             | result 
----------------------------------+--------
- gen_ulid() returns unique values | t
-(1 row)
-
-- Test that gen_ulid() returns a value with the correct format
-SELECT 'gen_ulid() returns correctly formatted value' as test_name,
-       length(gen_ulid()::text) = 26 as result;
-                  test_name                   | result 
----------------------------------------------+--------
- gen_ulid() returns correctly formatted value | t
-(1 row)
-
-- Test monotonic ULID generation
-SELECT 'gen_monotonic_ulid() returns a non-null value' as test_name,
-       gen_monotonic_ulid() IS NOT NULL as result;
-                   test_name                   | result 
-----------------------------------------------+--------
- gen_monotonic_ulid() returns a non-null value | t
-(1 row)
-
-- Test that multiple calls to gen_monotonic_ulid() return different values
-SELECT 'gen_monotonic_ulid() returns unique values' as test_name,
-       gen_monotonic_ulid() != gen_monotonic_ulid() as result;
-                 test_name                  | result 
--------------------------------------------+--------
- gen_monotonic_ulid() returns unique values | t
-(1 row)
-
-- Test that gen_monotonic_ulid() returns a value with the correct format
-SELECT 'gen_monotonic_ulid() returns correctly formatted value' as test_name,
-       length(gen_monotonic_ulid()::text) = 26 as result;
-                       test_name                        | result 
--------------------------------------------------------+--------
- gen_monotonic_ulid() returns correctly formatted value | t
-(1 row)
-
-- Test that monotonic ULIDs are ordered correctly
-SELECT 'gen_monotonic_ulid() returns ordered values' as test_name,
-       u1 < u2 as result
-FROM (
-    SELECT gen_monotonic_ulid() as u1, gen_monotonic_ulid() as u2
-) subq;
-                  test_name                  | result 
---------------------------------------------+--------
- gen_monotonic_ulid() returns ordered values | t
-(1 row)
-
--- a/docker-compose/ext-src/pgx_ulid-src/expected/01_ulid_conversions.out
+++ b/docker-compose/ext-src/pgx_ulid-src/expected/01_ulid_conversions.out
@@ -1,55 +0,0 @@
-- Create a test ULID value
-CREATE TEMP TABLE test_ulids AS
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYV'::ulid as test_ulid;
-- Test conversion to text
-SELECT 'ulid to text conversion' as test_name,
-       test_ulid::text = '01GV5PA9EQG7D82Q3Y4PKBZSYV' as result
-FROM test_ulids;
-        test_name        | result 
-------------------------+--------
- ulid to text conversion | t
-(1 row)
-
-- Test conversion to UUID
-SELECT 'ulid to UUID conversion' as test_name,
-       test_ulid::uuid::text = '0186cb65-25d7-81da-815c-7e25a6bfe7db' as result
-FROM test_ulids;
-        test_name        | result 
-------------------------+--------
- ulid to UUID conversion | t
-(1 row)
-
-- Test conversion to bytea
-SELECT 'ulid to bytea conversion' as test_name,
-       length(test_ulid::bytea) = 16 as result
-FROM test_ulids;
-        test_name         | result 
--------------------------+--------
- ulid to bytea conversion | t
-(1 row)
-
-- Test conversion to timestamp
-SELECT 'ulid to timestamp conversion' as test_name,
-       to_char(test_ulid::timestamp, 'YYYY-MM-DD HH24:MI:SS.MS') = '2023-03-10 04:00:49.111' as result
-FROM test_ulids;
-          test_name           | result 
------------------------------+--------
- ulid to timestamp conversion | t
-(1 row)
-
-- Test conversion from UUID
-SELECT 'UUID to ulid conversion' as test_name,
-       '0186cb65-25d7-81da-815c-7e25a6bfe7db'::uuid::ulid::text = '01GV5PA9EQG7D82Q3Y4PKBZSYV' as result;
-        test_name        | result 
-------------------------+--------
- UUID to ulid conversion | t
-(1 row)
-
-- Test conversion from timestamp
-SELECT 'timestamp to ulid conversion' as test_name,
-       '2023-03-10 12:00:49.111'::timestamp::ulid::text = '01GV5PA9EQ0000000000000000' as result;
-          test_name           | result 
------------------------------+--------
- timestamp to ulid conversion | t
-(1 row)
-
--- a/docker-compose/ext-src/pgx_ulid-src/expected/02_ulid_conversions.out
+++ b/docker-compose/ext-src/pgx_ulid-src/expected/02_ulid_conversions.out
@@ -1,8 +0,0 @@
-- Test conversion from timestamptz
-SELECT 'timestamptz to ulid conversion' as test_name,
-       '2023-03-10 04:00:49.111'::timestamptz::ulid::text = '01GV5PA9EQ0000000000000000' as result;
-           test_name            | result 
--------------------------------+--------
- timestamptz to ulid conversion | t
-(1 row)
-
--- a/docker-compose/ext-src/pgx_ulid-src/expected/03_ulid_errors.out
+++ b/docker-compose/ext-src/pgx_ulid-src/expected/03_ulid_errors.out
@@ -1,19 +0,0 @@
-- Test ULID error handling
-- Test invalid ULID string (too short)
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSY'::ulid;
-ERROR:  invalid input syntax for type ulid: "01GV5PA9EQG7D82Q3Y4PKBZSY": invalid length
-LINE 1: SELECT '01GV5PA9EQG7D82Q3Y4PKBZSY'::ulid;
-               ^
-- Test invalid ULID string (invalid character)
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYU'::ulid;
-ERROR:  invalid input syntax for type ulid: "01GV5PA9EQG7D82Q3Y4PKBZSYU": invalid character
-LINE 1: SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYU'::ulid;
-               ^
-- Test NULL handling
-SELECT 'NULL to ulid conversion returns NULL' as test_name,
-       NULL::ulid IS NULL as result;
-              test_name               | result 
--------------------------------------+--------
- NULL to ulid conversion returns NULL | t
-(1 row)
-
--- a/docker-compose/ext-src/pgx_ulid-src/sql/00_ulid_generation.sql
+++ b/docker-compose/ext-src/pgx_ulid-src/sql/00_ulid_generation.sql
@@ -1,32 +0,0 @@
-- Test basic ULID generation
-
-- Test gen_ulid() function
-SELECT 'gen_ulid() returns a non-null value' as test_name,
-       gen_ulid() IS NOT NULL as result;
-
-- Test that multiple calls to gen_ulid() return different values
-SELECT 'gen_ulid() returns unique values' as test_name,
-       gen_ulid() != gen_ulid() as result;
-
-- Test that gen_ulid() returns a value with the correct format
-SELECT 'gen_ulid() returns correctly formatted value' as test_name,
-       length(gen_ulid()::text) = 26 as result;
-
-- Test monotonic ULID generation
-SELECT 'gen_monotonic_ulid() returns a non-null value' as test_name,
-       gen_monotonic_ulid() IS NOT NULL as result;
-
-- Test that multiple calls to gen_monotonic_ulid() return different values
-SELECT 'gen_monotonic_ulid() returns unique values' as test_name,
-       gen_monotonic_ulid() != gen_monotonic_ulid() as result;
-
-- Test that gen_monotonic_ulid() returns a value with the correct format
-SELECT 'gen_monotonic_ulid() returns correctly formatted value' as test_name,
-       length(gen_monotonic_ulid()::text) = 26 as result;
-
-- Test that monotonic ULIDs are ordered correctly
-SELECT 'gen_monotonic_ulid() returns ordered values' as test_name,
-       u1 < u2 as result
-FROM (
-    SELECT gen_monotonic_ulid() as u1, gen_monotonic_ulid() as u2
-) subq;
--- a/docker-compose/ext-src/pgx_ulid-src/sql/01_ulid_conversions.sql
+++ b/docker-compose/ext-src/pgx_ulid-src/sql/01_ulid_conversions.sql
@@ -1,32 +0,0 @@
-- Create a test ULID value
-CREATE TEMP TABLE test_ulids AS
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYV'::ulid as test_ulid;
-
-- Test conversion to text
-SELECT 'ulid to text conversion' as test_name,
-       test_ulid::text = '01GV5PA9EQG7D82Q3Y4PKBZSYV' as result
-FROM test_ulids;
-
-- Test conversion to UUID
-SELECT 'ulid to UUID conversion' as test_name,
-       test_ulid::uuid::text = '0186cb65-25d7-81da-815c-7e25a6bfe7db' as result
-FROM test_ulids;
-
-- Test conversion to bytea
-SELECT 'ulid to bytea conversion' as test_name,
-       length(test_ulid::bytea) = 16 as result
-FROM test_ulids;
-
-- Test conversion to timestamp
-SELECT 'ulid to timestamp conversion' as test_name,
-       to_char(test_ulid::timestamp, 'YYYY-MM-DD HH24:MI:SS.MS') = '2023-03-10 04:00:49.111' as result
-FROM test_ulids;
-
-- Test conversion from UUID
-SELECT 'UUID to ulid conversion' as test_name,
-       '0186cb65-25d7-81da-815c-7e25a6bfe7db'::uuid::ulid::text = '01GV5PA9EQG7D82Q3Y4PKBZSYV' as result;
-
-- Test conversion from timestamp
-SELECT 'timestamp to ulid conversion' as test_name,
-       '2023-03-10 12:00:49.111'::timestamp::ulid::text = '01GV5PA9EQ0000000000000000' as result;
-
--- a/docker-compose/ext-src/pgx_ulid-src/sql/02_ulid_conversions.sql
+++ b/docker-compose/ext-src/pgx_ulid-src/sql/02_ulid_conversions.sql
@@ -1,3 +0,0 @@
-- Test conversion from timestamptz
-SELECT 'timestamptz to ulid conversion' as test_name,
-       '2023-03-10 04:00:49.111'::timestamptz::ulid::text = '01GV5PA9EQ0000000000000000' as result;
--- a/docker-compose/ext-src/pgx_ulid-src/sql/03_ulid_errors.sql
+++ b/docker-compose/ext-src/pgx_ulid-src/sql/03_ulid_errors.sql
@@ -1,12 +0,0 @@
-- Test ULID error handling
-
-- Test invalid ULID string (too short)
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSY'::ulid;
-
-- Test invalid ULID string (invalid character)
-SELECT '01GV5PA9EQG7D82Q3Y4PKBZSYU'::ulid;
-
-- Test NULL handling
-SELECT 'NULL to ulid conversion returns NULL' as test_name,
-       NULL::ulid IS NULL as result;
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/Makefile
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/Makefile
@@ -1,10 +0,0 @@
-EXTENSION = rag_bge_small_en_v15
-MODULE_big = rag_bge_small_en_v15
-OBJS = $(patsubst %.rs,%.o,$(wildcard src/*.rs))
-
-REGRESS = basic_functions embedding_functions basic_functions_enhanced embedding_functions_enhanced
-REGRESS_OPTS = --load-extension=vector --load-extension=rag_bge_small_en_v15
-
-PG_CONFIG = pg_config
-PGXS := $(shell $(PG_CONFIG) --pgxs)
-include $(PGXS)
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/basic_functions.out
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/basic_functions.out
@@ -1,7 +0,0 @@
-- Basic function tests
-SELECT rag_bge_small_en_v15.chunks_by_token_count('the cat sat on the mat', 3, 2);
-                 chunks_by_token_count                  
--------------------------------------------------------
- {"the cat sat","cat sat on","sat on the","on the mat"}
-(1 row)
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/basic_functions_enhanced.out
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/basic_functions_enhanced.out
@@ -1,31 +0,0 @@
-- Basic function tests for chunks_by_token_count
-SELECT rag_bge_small_en_v15.chunks_by_token_count('the cat sat on the mat', 3, 2);
-                 chunks_by_token_count                  
--------------------------------------------------------
- {"the cat sat","cat sat on","sat on the","on the mat"}
-(1 row)
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.', 5, 2);
-                                                                              chunks_by_token_count                                                                              
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
- {"Lorem ipsum","ipsum dolor sit","sit amet,",consectetur,"adipiscing elit",elit.,"Sed do","do eiusmod",tempor,"incididunt ut","ut labore et","et dolore magna","magna aliqua."}
-(1 row)
-
-SELECT (rag_bge_small_en_v15.chunks_by_token_count('the cat', 5, 0))[1];
- chunks_by_token_count 
-----------------------
- the cat
-(1 row)
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('', 5, 2);
- chunks_by_token_count 
-----------------------
- {}
-(1 row)
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('a b c d e f g h i j k l m n o p', 3, 1);
-                      chunks_by_token_count                      
-----------------------------------------------------------------
- {"a b c","c d e","e f g","g h i","i j k","k l m","m n o","o p"}
-(1 row)
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/embedding_functions.out
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/embedding_functions.out
@@ -1,15 +0,0 @@
-- Embedding function tests
-SELECT 'embedding_for_passage_test' AS test_name, 
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('the cat sat on the mat')) > 0 AS result;
-         test_name          | result 
----------------------------+--------
- embedding_for_passage_test | t
-(1 row)
-
-SELECT 'embedding_for_query_test' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('the cat sat on the mat')) > 0 AS result;
-        test_name         | result 
--------------------------+--------
- embedding_for_query_test | t
-(1 row)
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/embedding_functions_enhanced.out
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/expected/embedding_functions_enhanced.out
@@ -1,52 +0,0 @@
-- Embedding function tests
-SELECT 'embedding_for_passage_test_1' AS test_name, 
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('the cat sat on the mat')) > 0 AS result;
-          test_name           | result 
------------------------------+--------
- embedding_for_passage_test_1 | t
-(1 row)
-
-SELECT 'embedding_for_passage_test_2' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('Lorem ipsum dolor sit amet')) > 0 AS result;
-          test_name           | result 
------------------------------+--------
- embedding_for_passage_test_2 | t
-(1 row)
-
-SELECT 'embedding_for_passage_test_3' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('')) > 0 AS result;
-          test_name           | result 
------------------------------+--------
- embedding_for_passage_test_3 | t
-(1 row)
-
-SELECT 'embedding_for_query_test_1' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('the cat sat on the mat')) > 0 AS result;
-         test_name          | result 
----------------------------+--------
- embedding_for_query_test_1 | t
-(1 row)
-
-SELECT 'embedding_for_query_test_2' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('Lorem ipsum dolor sit amet')) > 0 AS result;
-         test_name          | result 
----------------------------+--------
- embedding_for_query_test_2 | t
-(1 row)
-
-SELECT 'embedding_for_query_test_3' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('')) > 0 AS result;
-         test_name          | result 
----------------------------+--------
- embedding_for_query_test_3 | t
-(1 row)
-
-- Test that passage and query embeddings have the same dimensions
-SELECT 'embedding_dimensions_match' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('test')) = 
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('test')) AS result;
-         test_name          | result 
----------------------------+--------
- embedding_dimensions_match | t
-(1 row)
-
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/basic_functions.sql
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/basic_functions.sql
@@ -1,2 +0,0 @@
-- Basic function tests
-SELECT rag_bge_small_en_v15.chunks_by_token_count('the cat sat on the mat', 3, 2);
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/basic_functions_enhanced.sql
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/basic_functions_enhanced.sql
@@ -1,10 +0,0 @@
-- Basic function tests for chunks_by_token_count
-SELECT rag_bge_small_en_v15.chunks_by_token_count('the cat sat on the mat', 3, 2);
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.', 5, 2);
-
-SELECT (rag_bge_small_en_v15.chunks_by_token_count('the cat', 5, 0))[1];
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('', 5, 2);
-
-SELECT rag_bge_small_en_v15.chunks_by_token_count('a b c d e f g h i j k l m n o p', 3, 1);
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/embedding_functions.sql
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/embedding_functions.sql
@@ -1,6 +0,0 @@
-- Embedding function tests
-SELECT 'embedding_for_passage_test' AS test_name, 
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('the cat sat on the mat')) > 0 AS result;
-
-SELECT 'embedding_for_query_test' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('the cat sat on the mat')) > 0 AS result;
--- a/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/embedding_functions_enhanced.sql
+++ b/docker-compose/ext-src/rag_bge_small_en_v15-src/sql/embedding_functions_enhanced.sql
@@ -1,23 +0,0 @@
-- Embedding function tests
-SELECT 'embedding_for_passage_test_1' AS test_name, 
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('the cat sat on the mat')) > 0 AS result;
-
-SELECT 'embedding_for_passage_test_2' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('Lorem ipsum dolor sit amet')) > 0 AS result;
-
-SELECT 'embedding_for_passage_test_3' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('')) > 0 AS result;
-
-SELECT 'embedding_for_query_test_1' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('the cat sat on the mat')) > 0 AS result;
-
-SELECT 'embedding_for_query_test_2' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('Lorem ipsum dolor sit amet')) > 0 AS result;
-
-SELECT 'embedding_for_query_test_3' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('')) > 0 AS result;
-
-- Test that passage and query embeddings have the same dimensions
-SELECT 'embedding_dimensions_match' AS test_name,
-       vector_dims(rag_bge_small_en_v15.embedding_for_passage('test')) = 
-       vector_dims(rag_bge_small_en_v15.embedding_for_query('test')) AS result;
--- a/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/Makefile
+++ b/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/Makefile
@@ -1,10 +0,0 @@
-EXTENSION = rag_jina_reranker_v1_tiny_en
-MODULE_big = rag_jina_reranker_v1_tiny_en
-OBJS = $(patsubst %.rs,%.o,$(wildcard src/*.rs))
-
-REGRESS = reranking_functions reranking_functions_enhanced
-REGRESS_OPTS = --load-extension=vector --load-extension=rag_jina_reranker_v1_tiny_en
-
-PG_CONFIG = pg_config
-PGXS := $(shell $(PG_CONFIG) --pgxs)
-include $(PGXS)
--- a/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/expected/reranking_functions.out
+++ b/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/expected/reranking_functions.out
@@ -1,25 +0,0 @@
-- Reranking function tests
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat', 'the baboon played with the balloon');
- rerank_distance 
-----------------
-       0.8989152
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat', ARRAY['the baboon played with the balloon', 'the tanks fired at the buildings']);
-    rerank_distance    
-----------------------
- {0.8989152,1.3018152}
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat', 'the baboon played with the balloon');
- rerank_score 
--------------
-   -0.8989152
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat', ARRAY['the baboon played with the balloon', 'the tanks fired at the buildings']);
-      rerank_score       
-------------------------
- {-0.8989152,-1.3018152}
-(1 row)
-
--- a/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/expected/reranking_functions_enhanced.out
+++ b/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/expected/reranking_functions_enhanced.out
@@ -1,92 +0,0 @@
-- Reranking function tests - single passage
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat', 'the baboon played with the balloon');
- rerank_distance 
-----------------
-       0.8989152
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat', 'the tanks fired at the buildings');
- rerank_distance 
-----------------
-       1.3018152
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('query about cats', 'information about felines');
- rerank_distance 
-----------------
-       1.3133051
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('', 'empty query test');
- rerank_distance 
-----------------
-       0.7075559
-(1 row)
-
-- Reranking function tests - array of passages
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat',
-    ARRAY['the baboon played with the balloon', 'the tanks fired at the buildings']);
-    rerank_distance    
-----------------------
- {0.8989152,1.3018152}
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('query about programming',
-    ARRAY['Python is a programming language', 'Java is also a programming language', 'SQL is used for databases']);
-          rerank_distance           
------------------------------------
- {0.16591403,0.33475375,0.10132827}
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('empty array test', ARRAY[]::text[]);
- rerank_distance 
-----------------
- {}
-(1 row)
-
-- Reranking score function tests - single passage
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat', 'the baboon played with the balloon');
- rerank_score 
--------------
-   -0.8989152
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat', 'the tanks fired at the buildings');
- rerank_score 
--------------
-   -1.3018152
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('query about cats', 'information about felines');
- rerank_score 
--------------
-   -1.3133051
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('', 'empty query test');
- rerank_score 
--------------
-   -0.7075559
-(1 row)
-
-- Reranking score function tests - array of passages
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat',
-    ARRAY['the baboon played with the balloon', 'the tanks fired at the buildings']);
-      rerank_score       
-------------------------
- {-0.8989152,-1.3018152}
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('query about programming',
-    ARRAY['Python is a programming language', 'Java is also a programming language', 'SQL is used for databases']);
-             rerank_score              
---------------------------------------
- {-0.16591403,-0.33475375,-0.10132827}
-(1 row)
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('empty array test', ARRAY[]::text[]);
- rerank_score 
--------------
- {}
-(1 row)
-
--- a/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/sql/reranking_functions.sql
+++ b/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/sql/reranking_functions.sql
@@ -1,8 +0,0 @@
-- Reranking function tests
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat', 'the baboon played with the balloon');
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat', ARRAY['the baboon played with the balloon', 'the tanks fired at the buildings']);
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat', 'the baboon played with the balloon');
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat', ARRAY['the baboon played with the balloon', 'the tanks fired at the buildings']);
--- a/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/sql/reranking_functions_enhanced.sql
+++ b/docker-compose/ext-src/rag_jina_reranker_v1_tiny_en-src/sql/reranking_functions_enhanced.sql
@@ -1,35 +0,0 @@
-- Reranking function tests - single passage
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat', 'the baboon played with the balloon');
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat', 'the tanks fired at the buildings');
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('query about cats', 'information about felines');
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('', 'empty query test');
-
-- Reranking function tests - array of passages
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('the cat sat on the mat',
-    ARRAY['the baboon played with the balloon', 'the tanks fired at the buildings']);
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('query about programming',
-    ARRAY['Python is a programming language', 'Java is also a programming language', 'SQL is used for databases']);
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_distance('empty array test', ARRAY[]::text[]);
-
-- Reranking score function tests - single passage
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat', 'the baboon played with the balloon');
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat', 'the tanks fired at the buildings');
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('query about cats', 'information about felines');
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('', 'empty query test');
-
-- Reranking score function tests - array of passages
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('the cat sat on the mat',
-    ARRAY['the baboon played with the balloon', 'the tanks fired at the buildings']);
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('query about programming',
-    ARRAY['Python is a programming language', 'Java is also a programming language', 'SQL is used for databases']);
-
-SELECT rag_jina_reranker_v1_tiny_en.rerank_score('empty array test', ARRAY[]::text[]);
--- a/docs/rfcs/2025-02-14-storage-controller.md
+++ b/docs/rfcs/2025-02-14-storage-controller.md
@@ -1,196 +0,0 @@
-
-## Summary
-
-This is a retrospective RFC to document the design of the `storage-controller` service.
-
-This service manages the physical mapping of Tenants and Timelines to Pageservers and Safekeepers.  It
-acts as the API for "storage" as an abstract concept: enabling other parts of the system to reason
-about things like creating/deleting tenants and timelines without having to understand exactly which
-pageserver and safekeeper to communicate, or any subtle rules about how to orchestrate these things.
-
-The storage controller was implemented in the first half of 2024 as an essential part
-of storage sharding, especially [shard splitting](032-shard-splitting.md).
-
-It initially managed only pageservers, but has extended in 2025 to also manage safekeepers.  In
-some places you may seen unqualified references to 'nodes' -- those are pageservers.
-
-## Design Choices
-
-### Durability
-
-We rely on an external postgres for all durable state.  No local storage is used.
-
-We avoid any unnecessary I/O to durable storage.  For example:
- most tracking of in-flight changes to the system is done in-memory rather than recording progress/steps in a database
- When migrating tenant shards between pageservers we only touch the database to increment generation numbers,
-  we do not persist the total state of a tenant shard.
-
-Being frugal with database I/O has two benefits:
- It avoids the database becoming a practical scaling bottleneck (we expect in-memory scale issues to be hit
-  before we hit e.g. transactions-per-second issues)
- It reduces cost when using a cloud database service to run the controller's postgres database.
-
-The trade-off is that there is a "bootstrapping" problem: a controller can't be deployed in isolation, one
-must first have some existing database system.  In practice, we expect that Neon is deployed in one of the
-following ways:
- into a cloud which has a postgres service that can be used to run the controller
- into a mature on-prem environment that has existing facilities for running databases
- into a test/dev environment where a simple one-node vanilla postgres installation is sufficient
-
-### Consensus
-
-The controller does _not_ implement any strong consensus mechanism of its own.  Instead:
- Where strong consistency is required (for example, for pageserver generation numbers), this
-  responsibility is delegated to a transaction in our postgres database.
- Highly available deploys are done using a simple in-database record of what controller instances
-  are available, distinguished by timestamps, rather than having controllers directly negotiate a leader.
-
-Avoiding strong consensus among controller processes is a cost saving (we avoid running three controllers
-all the time), and simplifies implementation (we do not have to phrase all configuration changes as e.g raft
-transactions).
-
-The trade-off is that under some circumstances a controller with partial network isolation can cause availability
-issues in the cluster, by making changes to pageserver state that might disagree with what the "true" active
-controller is trying to do.  The impact of this is bounded by our `controllers` database table, that enables
-a rogue node to eventually realise that it is not the leader and step down.  If a rogue node can't reach
-the database, then it implicitly stops making progress.  A rogue controller cannot durably damage the system
-because pageserver data and safekeeper configs are protected by generation numbers that are only updated
-via postgres transactions (i.e. no controller "trusts itself" to independently make decisions about generations).
-
-### Scale
-
-We design for high but not unlimited scale.  The memory footprint of each tenant shard is small (~8kB), so
-it is realistic to scale up to a million attached shards on a server with modest resources.  Tenants in
-a detached state (i.e. not active on pageservers) do not need to be managed by storage controller, and can
-be relegated from memory to the database.
-
-Typically, a tenant shard is updated about once a week, when we do a deploy.  During deploys, we relocate
-a few thousand tenants from each pageserver while it is restarted, so it is extremely rare for the controller
-to have to do O(N) work (on all shards at once).
-
-There are places where we do O(N) work:
- On normal startup, when loading from the database into memory
- On unclean startup (with no handover of observed state from a previous controller), where we will
-  scan all shards on all pageservers.
-
-It is important that these locations are written efficiently.  At high scale we should still expect runtimes
-of the order tens of seconds to complete a storage controller start.
-
-When the practical scale limit of a single storage controller is reached, just deploy another one with its
-own pageservers & safekeepers: each controller+its storage servers should be thought of as a logical cluster
-or "cell" of storage.
-
-# High Level Design
-
-The storage controller is an in-memory system (i.e. state for all attached
-tenants is held in memory _as well as_ being represented in durable postgres storage).
-
-## Infrastructure
-
-The storage controller is an async rust binary using tokio.
-
-The storage controller is built around the `Service` type.  This implements
-all the entry points for the outside world's interaction with the controller (HTTP handlers are mostly thin wrappers of service functions),
-and holds most in-memory state (e.g. the list of tenant shards).
-
-The state is held in a `ServiceInner` wrapped in a RwLock.  This monolithic
-lock is used to simplify reasoning about code that mutates state: each function that takes a write lock may be thought of as a serializable transaction on the in-memory state.  This lock is clearly a bottleneck, but
-nevertheless is scalable to managing millions of tenants.
-
-Persistent state is held in a postgres database, and we use the `diesel` crate to provide database client functionality.  All database access is wrapped in the `Persistence` type -- this makes it easy to understand which
-code is touching the database.  The database is only used when necessary, i.e. for state that cannot be recovered another way.  For example, we do not store the secondary pageserver locations of tenant shards in the database, rather we learn these at startup from running pageservers, and/or make scheduling decisions to fill in the gaps.  This adds some complexity, but massively reduces the load on the database, and enables running the storage controller with a very cheap postgres instance.
-
-## Pageserver tenant scheduling & reconciliation
-
-### Intent & observed state
-
-Each tenant shard is represented by type `TenantShard`, which has an 'intent' and 'observed' state.  Setting the
-intent state is called _scheduling_, and doing remote I/O to make observed
-state match intent state is called _reconciliation_.
-
-The `Scheduler` type is responsible for making choices about the intent
-state, such as choosing a pageserver for a new tenant shard, or assigning
-a replacement pageserver when the original one fails.
-
-The observed state is updated after tenant reconciliation (see below), and
-has the concept of a `None` state for a pageserver, indicating unknown state.  This is used to ensure that we can safely clean up after we start
-but do not finish a remote call to a pageserver, or if a pageserver restarts and we are uncertain of its state.
-
-### Tenant Reconciliation
-
-The `Reconciler` type is responsible for updating pageservers to achieve
-the intent state.  It is instantiated when `Service` determines that a shard requires reconciliation, and owned by a background tokio task that
-runs it to completion.  Reconciler does not have access to the `Service` state: it is populated with a snapshot of relevant information when constructed, and submits is results to a channel that `Service` consumes
-to update the tenant shard's observed state.
-
-The Reconciler does have access to the database, but only uses it for
-a single purpose: updating shards' generation numbers immediately before
-attaching them to a pageserver.
-
-Operations that change a tenant's scheduling will spawn a reconciler if
-necessary, and there is also a background loop which checks every shard
-for the need to reconcile -- this background loop ensures eventual progress
-if some earlier reconciliations failed for some reason.
-
-The reconciler has a general purpose code path which will attach/detach from pageservers as necessary, and a special case path for live migrations.  The live migration case is more common in practice, and is taken whenever the current observed state indicates that we have a healthy attached location to migrate from.  This implements live migration as described in the earlier [live migration RFC](028-pageserver-migration.md).
-
-### Scheduling optimisation
-
-During the periodic background reconciliation loop, the controller also
-performance _scheduling optimization_.  This is the process of looking for
-shards that are in sub-optimal locations, and moving them.
-
-Typically, this means:
- Shards attached outside their preferred AZ (e.g. after a node failure), to migrate them back to their preferred AZ
- Shards attached on the same pageserver as some other shards in the same
-  tenant, to migrate them elsewhere (e.g. after a shard split)
-
-Scheduling optimisation is a multi-step process to ensure graceful cutovers, e.g. by creating new secondary location, waiting for it to
-warm up, then cutting over.  This is not done as an explicit queue
-of operations, but rather by iteratively calling the optimisation
-function, which will recognise each intervening state as something
-that can generate the next optimisation.
-
-### Pageserver heartbeats and failure
-
-The `Heartbeater` type is responsible for detecting when a pageserver
-becomes unavailable.  This is fed back into `Service` for action: when
-a pageserver is marked unavailable, tenant shards on that pageserver are
-rescheduled and Reconcilers are spawned to cut them over to their new location.
-
-## Pageserver timeline CRUD operations
-
-By CRUD operations, we mean creating and deleting timelines.  The authoritative storage for which timelines exist on the pageserver
-is in S3, and is governed by the pageserver's system of generation
-numbers.  Because a shard can be attached to multiple pageservers
-concurrently, we need to handle this when doing timeline CRUD operations:
- A timeline operation is only persistent if _after_ the ack from a pageserver, that pageserver's generation is still the latest.
- For deletions in particular, they are only persistent if _all_ attached
-  locations have acked the deletion operation, since if only the latest one
-  has acked then the timeline could still return from the dead if some old-generation attachment writes an index for it.
-
-## Zero-downtime controller deployments
-
-When two storage controllers run at the same time, they coordinate via
-the database to establish one leader, and the other controller may proxy
-requests to this leader
-
-See  [Storage controller restarts RFC](037-storage-controller-restarts.md).
-
-Note that this is not a strong consensus mechanism: the controller must also survive split-brain situations.  This is respected by code that
-e.g. increments version numbers, which uses database transactions that
-check the expected value before modifying it.  A split-brain situation can
-impact availability (e.g. if two controllers are fighting over where to
-attach a shard), but it should never impact durability and data integrity.
-
-## Graceful drain & fill of pageservers during deploys
-
-The storage controller has functionality for draining + filling pageservers
-while deploying new pageserver binaries, so that clients are not actively
-using a pageserver while it restarts.
-
-See [Graceful restarts RFC](033-storage-controller-drain-and-fill.md)
-
-## Safekeeper timeline scheduling
-
-This is currently under development, see  [Safekeeper dynamic membership change RFC](035-safekeeper-dynamic-membership-change.md).
--- a/libs/compute_api/src/spec.rs
+++ b/libs/compute_api/src/spec.rs
@@ -275,18 +275,6 @@ pub enum ComputeMode {
    Replica,
 }

-impl ComputeMode {
-    /// Convert the compute mode to a string that can be used to identify the type of compute,
-    /// which means that if it's a static compute, the LSN will not be included.
-    pub fn to_type_str(&self) -> &'static str {
-        match self {
-            ComputeMode::Primary => "primary",
-            ComputeMode::Static(_) => "static",
-            ComputeMode::Replica => "replica",
-        }
-    }
-}
-
 /// Log level for audit logging
 /// Disabled, log, hipaa
 /// Default is Disabled
--- a/libs/http-utils/Cargo.toml
+++ b/libs/http-utils/Cargo.toml
@@ -6,7 +6,6 @@ license.workspace = true

 [dependencies]
 anyhow.workspace = true
-arc-swap.workspace = true
 bytes.workspace = true
 camino.workspace = true
 fail.workspace = true
@@ -19,15 +18,14 @@ pprof.workspace = true
 regex.workspace = true
 routerify.workspace = true
 rustls-pemfile.workspace = true
-rustls.workspace = true
+serde.workspace = true
 serde_json.workspace = true
 serde_path_to_error.workspace = true
-serde.workspace = true
 thiserror.workspace = true
+tracing.workspace = true
+tokio.workspace = true
 tokio-rustls.workspace = true
 tokio-util.workspace = true
-tokio.workspace = true
-tracing.workspace = true
 url.workspace = true
 uuid.workspace = true

--- a/libs/http-utils/src/tls_certs.rs
+++ b/libs/http-utils/src/tls_certs.rs
@@ -1,124 +1,21 @@
-use std::{sync::Arc, time::Duration};
-
-use anyhow::Context;
-use arc_swap::ArcSwap;
 use camino::Utf8Path;
-use rustls::{
-    pki_types::{CertificateDer, PrivateKeyDer},
-    server::{ClientHello, ResolvesServerCert},
-    sign::CertifiedKey,
-};
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};

-pub async fn load_cert_chain(filename: &Utf8Path) -> anyhow::Result<Vec<CertificateDer<'static>>> {
-    let cert_data = tokio::fs::read(filename)
-        .await
-        .context(format!("failed reading certificate file {filename:?}"))?;
-    let mut reader = std::io::Cursor::new(&cert_data);
+pub fn load_cert_chain(filename: &Utf8Path) -> anyhow::Result<Vec<CertificateDer<'static>>> {
+    let file = std::fs::File::open(filename)?;
+    let mut reader = std::io::BufReader::new(file);

-    let cert_chain = rustls_pemfile::certs(&mut reader)
-        .collect::<Result<Vec<_>, _>>()
-        .context(format!("failed parsing certificate from file {filename:?}"))?;
-
-    Ok(cert_chain)
+    Ok(rustls_pemfile::certs(&mut reader).collect::<Result<Vec<_>, _>>()?)
 }

-pub async fn load_private_key(filename: &Utf8Path) -> anyhow::Result<PrivateKeyDer<'static>> {
-    let key_data = tokio::fs::read(filename)
-        .await
-        .context(format!("failed reading private key file {filename:?}"))?;
-    let mut reader = std::io::Cursor::new(&key_data);
+pub fn load_private_key(filename: &Utf8Path) -> anyhow::Result<PrivateKeyDer<'static>> {
+    let file = std::fs::File::open(filename)?;
+    let mut reader = std::io::BufReader::new(file);

-    let key = rustls_pemfile::private_key(&mut reader)
-        .context(format!("failed parsing private key from file {filename:?}"))?;
+    let key = rustls_pemfile::private_key(&mut reader)?;

    key.ok_or(anyhow::anyhow!(
        "no private key found in {}",
        filename.as_str(),
    ))
 }
-
-pub async fn load_certified_key(
-    key_filename: &Utf8Path,
-    cert_filename: &Utf8Path,
-) -> anyhow::Result<CertifiedKey> {
-    let cert_chain = load_cert_chain(cert_filename).await?;
-    let key = load_private_key(key_filename).await?;
-
-    let key = rustls::crypto::ring::default_provider()
-        .key_provider
-        .load_private_key(key)?;
-
-    let certified_key = CertifiedKey::new(cert_chain, key);
-    certified_key.keys_match()?;
-    Ok(certified_key)
-}
-
-/// Implementation of [`rustls::server::ResolvesServerCert`] which reloads certificates from
-/// the disk periodically.
-#[derive(Debug)]
-pub struct ReloadingCertificateResolver {
-    certified_key: ArcSwap<CertifiedKey>,
-}
-
-impl ReloadingCertificateResolver {
-    /// Creates a new Resolver by loading certificate and private key from FS and
-    /// creating tokio::task to reload them with provided reload_period.
-    pub async fn new(
-        key_filename: &Utf8Path,
-        cert_filename: &Utf8Path,
-        reload_period: Duration,
-    ) -> anyhow::Result<Arc<Self>> {
-        let this = Arc::new(Self {
-            certified_key: ArcSwap::from_pointee(
-                load_certified_key(key_filename, cert_filename).await?,
-            ),
-        });
-
-        tokio::spawn({
-            let weak_this = Arc::downgrade(&this);
-            let key_filename = key_filename.to_owned();
-            let cert_filename = cert_filename.to_owned();
-            async move {
-                let start = tokio::time::Instant::now() + reload_period;
-                let mut interval = tokio::time::interval_at(start, reload_period);
-                let mut last_reload_failed = false;
-                loop {
-                    interval.tick().await;
-                    let this = match weak_this.upgrade() {
-                        Some(this) => this,
-                        None => break, // Resolver has been destroyed, exit.
-                    };
-                    match load_certified_key(&key_filename, &cert_filename).await {
-                        Ok(new_certified_key) => {
-                            if new_certified_key.cert == this.certified_key.load().cert {
-                                tracing::debug!("Certificate has not changed since last reloading");
-                            } else {
-                                tracing::info!("Certificate has been reloaded");
-                                this.certified_key.store(Arc::new(new_certified_key));
-                            }
-                            last_reload_failed = false;
-                        }
-                        Err(err) => {
-                            // Note: Reloading certs may fail if it conflicts with the script updating
-                            // the files at the same time. Warn only if the error is persistent.
-                            if last_reload_failed {
-                                tracing::warn!("Error reloading certificate: {err:#}");
-                            } else {
-                                tracing::info!("Error reloading certificate: {err:#}");
-                            }
-                            last_reload_failed = true;
-                        }
-                    }
-                }
-            }
-        });
-
-        Ok(this)
-    }
-}
-
-impl ResolvesServerCert for ReloadingCertificateResolver {
-    fn resolve(&self, _client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
-        Some(self.certified_key.load_full())
-    }
-}
--- a/libs/pageserver_api/src/config.rs
+++ b/libs/pageserver_api/src/config.rs
@@ -61,9 +61,6 @@ pub struct ConfigToml {
    pub listen_https_addr: Option<String>,
    pub ssl_key_file: Utf8PathBuf,
    pub ssl_cert_file: Utf8PathBuf,
-    #[serde(with = "humantime_serde")]
-    pub ssl_cert_reload_period: Duration,
-    pub ssl_ca_file: Option<Utf8PathBuf>,
    pub availability_zone: Option<String>,
    #[serde(with = "humantime_serde")]
    pub wait_lsn_timeout: Duration,
@@ -243,7 +240,11 @@ impl Default for EvictionOrder {
 #[serde(transparent)]
 pub struct MaxVectoredReadBytes(pub NonZeroUsize);

-/// Tenant-level configuration values, used for various purposes.
+/// A tenant's calcuated configuration, which is the result of merging a
+/// tenant's TenantConfOpt with the global TenantConf from PageServerConf.
+///
+/// For storing and transmitting individual tenant's configuration, see
+/// TenantConfOpt.
 #[derive(Debug, Clone, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
 #[serde(deny_unknown_fields, default)]
 pub struct TenantConfigToml {
@@ -285,6 +286,12 @@ pub struct TenantConfigToml {
    /// Level0 delta layer threshold at which to stall layer flushes. Must be >compaction_threshold
    /// to avoid deadlock. 0 to disable. Disabled by default.
    pub l0_flush_stall_threshold: Option<usize>,
+    /// If true, Level0 delta layer flushes will wait for S3 upload before flushing the next
+    /// layer. This is a temporary backpressure mechanism which should be removed once
+    /// l0_flush_{delay,stall}_threshold is fully enabled.
+    ///
+    /// TODO: this is no longer enabled, remove it when the config option is no longer set.
+    pub l0_flush_wait_upload: bool,
    // Determines how much history is retained, to allow
    // branching and read replicas at an older point in time.
    // The unit is #of bytes of WAL.
@@ -436,8 +443,6 @@ impl Default for ConfigToml {
            listen_https_addr: (None),
            ssl_key_file: Utf8PathBuf::from(DEFAULT_SSL_KEY_FILE),
            ssl_cert_file: Utf8PathBuf::from(DEFAULT_SSL_CERT_FILE),
-            ssl_cert_reload_period: Duration::from_secs(60),
-            ssl_ca_file: None,
            availability_zone: (None),
            wait_lsn_timeout: (humantime::parse_duration(DEFAULT_WAIT_LSN_TIMEOUT)
                .expect("cannot parse default wait lsn timeout")),
@@ -573,6 +578,8 @@ pub mod tenant_conf_defaults {
    pub const DEFAULT_COMPACTION_ALGORITHM: crate::models::CompactionAlgorithm =
        crate::models::CompactionAlgorithm::Legacy;

+    pub const DEFAULT_L0_FLUSH_WAIT_UPLOAD: bool = false;
+
    pub const DEFAULT_GC_HORIZON: u64 = 64 * 1024 * 1024;

    // Large DEFAULT_GC_PERIOD is fine as long as PITR_INTERVAL is larger.
@@ -619,6 +626,7 @@ impl Default for TenantConfigToml {
            compaction_l0_semaphore: DEFAULT_COMPACTION_L0_SEMAPHORE,
            l0_flush_delay_threshold: None,
            l0_flush_stall_threshold: None,
+            l0_flush_wait_upload: DEFAULT_L0_FLUSH_WAIT_UPLOAD,
            gc_horizon: DEFAULT_GC_HORIZON,
            gc_period: humantime::parse_duration(DEFAULT_GC_PERIOD)
                .expect("cannot parse default gc period"),
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Devin AI	8edf6d326c	Remove VPC endpoint operations as requested Co-Authored-By: peterbendel@neon.tech <peterbendel@neon.tech>	2025-03-19 09:16:03 +00:00
Devin AI	1cae803c28	Fix Python formatting issues Co-Authored-By: peterbendel@neon.tech <peterbendel@neon.tech>	2025-03-19 09:11:59 +00:00
Devin AI	4360e0d4c7	Add missing APIs to neon_api.py fixture Co-Authored-By: peterbendel@neon.tech <peterbendel@neon.tech>	2025-03-19 09:07:42 +00:00