From c0878ac9e6a6e2d3fa98af101c26f2cc8dbacff0 Mon Sep 17 00:00:00 2001
From: reivilibre <oliverw@element.io>
Date: Fri, 15 Aug 2025 13:32:05 +0100
Subject: [PATCH] Fix portdb CI by hardcoding the new pg_dump restrict key that
 was added due to CVE-2025-8714. (#18824)

Links:
- https://www.postgresql.org/support/security/CVE-2025-8714/
-
https://github.com/postgres/postgres/commit/71ea0d6795438f95f4ee6e35867058c44b270d51

---------

Signed-off-by: Olivier 'reivilibre <oliverw@matrix.org>
---
 .ci/scripts/test_synapse_port_db.sh | 6 +++---
 changelog.d/18824.misc              | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 changelog.d/18824.misc

diff --git a/.ci/scripts/test_synapse_port_db.sh b/.ci/scripts/test_synapse_port_db.sh
index 8cc41d3dc..3816e0324 100755
--- a/.ci/scripts/test_synapse_port_db.sh
+++ b/.ci/scripts/test_synapse_port_db.sh
@@ -61,7 +61,7 @@ poetry run update_synapse_database --database-config .ci/postgres-config-unporte
 echo "+++ Comparing ported schema with unported schema"
 # Ignore the tables that portdb creates. (Should it tidy them up when the porting is completed?)
 psql synapse -c "DROP TABLE port_from_sqlite3;"
-pg_dump --format=plain --schema-only --no-tablespaces --no-acl --no-owner synapse_unported > unported.sql
-pg_dump --format=plain --schema-only --no-tablespaces --no-acl --no-owner synapse          >   ported.sql
+pg_dump --format=plain --schema-only --no-tablespaces --no-acl --no-owner --restrict-key=TESTING synapse_unported > unported.sql
+pg_dump --format=plain --schema-only --no-tablespaces --no-acl --no-owner --restrict-key=TESTING synapse          >   ported.sql
 # By default, `diff` returns zero if there are no changes and nonzero otherwise
-diff -u unported.sql ported.sql | tee schema_diff
\ No newline at end of file
+diff -u unported.sql ported.sql | tee schema_diff
diff --git a/changelog.d/18824.misc b/changelog.d/18824.misc
new file mode 100644
index 000000000..cf401c53c
--- /dev/null
+++ b/changelog.d/18824.misc
@@ -0,0 +1 @@
+Fix portdb CI by hardcoding the new pg_dump restrict key that was added due to CVE-2025-8714.
\ No newline at end of file