ci: add replay-jenkins-build script and presubmit job

[wuhuizuo]

This pull request improves the documentation and CI workflow for Jenkins pipeline changes, and refactors the Prow job configuration to support better pre-PR validation and replay testing. The main focus is to ensure that changes to pipelines/**/*.groovy files are thoroughly validated both locally and in presubmit jobs, and to clarify the process for contributors. Additionally, the Prow job YAML files are refactored for maintainability.

Documentation enhancements:

• Added a new section in docs/contributing.md recommending local static and replay checks for Jenkins pipeline changes, with command examples and links to further documentation.
• Expanded docs/guides/CI.md with detailed instructions on pre-PR verification, including static validation, replay testing, and how to use Prow jobs for Jenkins pipeline changes.

CI and Prow job improvements:

• Added a new optional presubmit job pull-replay-jenkins-pipelines in prow-jobs/pingcap-qe/ci/presubmits.yaml to automate replay validation of changed pipeline files, including job configuration, environment variables, and usage of secrets.
• Refactored Prow job YAML to use a global labels anchor for consistency and maintainability, updating all job definitions accordingly.
• Minor restructuring in prow-jobs/tikv/pd/common-presubmits.yaml to clarify section separation and maintain consistency.

[ti-chi-bot]

I have already done a preliminary review for you, and I hope to help you do a better job.

Summary

This pull request introduces a script (replay-jenkins-build.sh) for replaying Jenkins pipeline builds, enhances documentation for pre-PR checks, and updates CI configurations with new Prow jobs for validating pipeline changes. The approach is well-structured, focusing on automation, maintainability improvements, and detailed instructions for contributors. Overall, the changes are functional and comprehensive but could benefit from minor improvements in error handling and clarity in certain areas.

---

Critical Issues

• File: .ci/replay-jenkins-build.sh, Line: 391
  Issue: The submit_replay function does not validate the success or failure of the replay submission. If the Jenkins API fails or returns an unexpected response, the script may proceed without detecting the issue.
  Why: This can lead to silent failures, especially if Jenkins rejects the replay request.
  Suggested Fix: Add explicit error handling to check the status code and response content of the api_post_script_text call:

  local response
  response="$(api_post_script_text "$groovy_file")"
  if [[ -z "$response" ]]; then
      fatal "Failed to submit replay. No response from Jenkins API."
  fi

• File: .ci/replay-jenkins-build.sh, Line: 479
  Issue: The wait_queue_to_build_url method does not handle edge cases where the Jenkins queue item endlessly stays in the queue due to configuration or resource constraints.
  Why: This could result in the script hanging indefinitely, especially if the job cannot be executed due to Jenkins resource limits or misconfiguration.
  Suggested Fix: Add a timeout mechanism with clearer error messages:

  if (( now - started > timeout_sec )); then
      fatal "Timeout waiting for queue item to start. Ensure Jenkins has sufficient resources or validate job configurations."
  fi

---

Code Improvements

• File: .ci/replay-jenkins-build.sh, Line: 101
  Issue: The function script_to_job_path assumes a strict directory structure for pipeline files without fallback handling or validation for unexpected paths.
  Why: This could break if the directory structure is modified or if contributors use non-standard paths.
  Suggested Fix: Add fallback validation and a helpful error message:

  if [[ "$rel" != pipelines/* ]]; then
      fatal "Unexpected script path structure: ${script_file}. Verify pipeline file locations."
  fi

• File: .ci/replay-jenkins-build.sh, Line: 599
  Issue: The script uses jq for parsing JSON responses but lacks fallback handling if jq fails to parse or is unavailable.
  Why: On systems where jq is misconfigured or unavailable, the script would fail unexpectedly.
  Suggested Fix: Add a check for jq functionality and fallback to manual parsing if necessary:

  require_bin jq || fatal "jq is required for JSON parsing. Please install it before running the script."

---

Best Practices

• File: .ci/replay-jenkins-build.sh, Line: 15
  Issue: The script lacks comments explaining key functions like discover_changed_scripts and submit_replay.
  Why: These functions have complex logic that could confuse new contributors.
  Suggested Fix: Add brief comments above each function:

  # Discover changed pipeline scripts between two Git SHAs
  discover_changed_scripts() {
      ...
  }

• File: docs/contributing.md, Line: 10
  Issue: The documentation suggests using JENKINS_USER and JENKINS_TOKEN but does not explain how to obtain these credentials securely.
  Why: This could lead to misuse or security risks if credentials are shared improperly.
  Suggested Fix: Include a note on obtaining and securely storing credentials:

  Note: Obtain `JENKINS_USER` and `JENKINS_TOKEN` from your Jenkins account and store them securely using environment variables or secret management tools.

• File: prow-jobs/pingcap-qe/ci/presubmits.yaml, Line: 8
  Issue: The pull-replay-jenkins-pipelines job does not document its purpose clearly in the YAML file.
  Why: Future maintainers might struggle to understand its intent without referring to external documentation.
  Suggested Fix: Add a descriptive comment:

  # This presubmit job replays Jenkins pipeline builds for changed pipeline files in a PR.

---

Additional Notes

Overall, the PR is impactful and well-organized. Addressing the above issues will further improve robustness, maintainability, and clarity for contributors and maintainers.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the CI/CD workflow by introducing a dedicated script and an optional Prow presubmit job for automated replay testing of Jenkins pipeline changes. It also provides updated documentation to guide developers through the process of validating their pipeline modifications locally and within the CI system, aiming to improve the reliability and consistency of pipeline development and deployment.

Highlights

• New Jenkins Pipeline Replay Script: A new Bash script, .ci/replay-jenkins-build.sh, has been added to enable replaying Jenkins pipeline builds. This script supports both single script replay and auto-replay of all changed Groovy files in a PR, facilitating local validation.
• Automated Replay Presubmit Job: An optional Prow presubmit job, pull-replay-jenkins-pipelines, has been introduced. This job automates the replay validation of changed Jenkins pipeline files in a CI environment, triggered manually via PR comments.
• Enhanced Documentation for CI Workflow: The docs/contributing.md and docs/guides/CI.md files have been updated to provide comprehensive guidance on pre-PR verification for Jenkins pipeline changes, including static validation, local replay testing, and how to utilize the new Prow job.
• Prow Job Configuration Refactoring: Prow job YAML files have been refactored to utilize a global labels anchor, improving consistency and maintainability across job definitions.

Changelog

• .ci/replay-jenkins-build.sh
  • Added a new script to enable replaying Jenkins pipeline builds.
• docs/contributing.md
  • Updated to include recommended local checks for Jenkins pipeline changes.
• docs/guides/CI.md
  • Expanded with detailed instructions for pre-PR verification of Jenkins pipeline changes.
• prow-jobs/pingcap-qe/ci/presubmits.yaml
  • Introduced a new optional presubmit job for Jenkins pipeline replay.
  • Refactored job labels to use a global anchor.
• prow-jobs/tikv/pd/common-presubmits.yaml
  • Restructured comments within the file.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a valuable replay-jenkins-build.sh script and an associated Prow job to facilitate testing of Jenkins pipeline changes. The accompanying documentation updates are clear and helpful. The overall changes improve the CI/CD workflow for pipeline development. I've identified a few areas for improvement in the new script to enhance its maintainability and a violation of CI best practices regarding dependency management. My detailed comments are below.

[ti-chi-bot]

I have already done a preliminary review for you, and I hope to help you do a better job.

Summary

This PR introduces a replay-jenkins-build.sh script to facilitate automated replay testing for Jenkins pipeline changes. It also updates documentation for contributors and adds a new optional presubmit job (pull-replay-jenkins-pipelines) to Prow for improved CI validation. The implementation delivers a robust mechanism for replay validation, clear documentation, and enhanced presubmit job configuration for maintainability. Code quality is generally strong, though there are areas where edge cases and error handling can be improved.

---

Critical Issues

1. Error Handling in Replay Submission (.ci/replay-jenkins-build.sh, line 620):

   • Problem: If the submit_replay() function fails, the script exits without providing actionable feedback for debugging.
   • Why it’s an issue: Users will face difficulty identifying the root cause of a failure, especially when interacting with Jenkins APIs.
   • Suggested Fix:
     Add detailed error logs to fatal() calls within submit_replay() related sections:

     fatal "Replay submission failed: Unable to submit replay for build ${build_url}. Check script file and authentication."

2. Authentication Requirement (.ci/replay-jenkins-build.sh, line 467):

   • Problem: The script requires both JENKINS_USER and JENKINS_TOKEN for submission but does not validate their presence early in all relevant paths.
   • Why it’s an issue: Missing validation could lead to runtime failures in submit_replay() or other dependent functions.
   • Suggested Fix:
     Validate JENKINS_USER and JENKINS_TOKEN explicitly in validate_inputs():

     if [[ "$AUTO_CHANGED" != "true" && "$DRY_RUN" != "true" ]]; then
         [[ -n "$JENKINS_USER" && -n "$JENKINS_TOKEN" ]] || fatal "JENKINS_USER and JENKINS_TOKEN are required for replay submit."
     fi

---

Code Improvements

1. Edge Case for Empty JENKINS_URL (.ci/replay-jenkins-build.sh, line 607):

   • Problem: The default JENKINS_URL is set to a hardcoded value, but an empty environment variable could overwrite it without warning.
   • Suggested Fix: Add a fallback mechanism to ensure JENKINS_URL is never empty:

     JENKINS_URL="${JENKINS_URL:-https://do.pingcap.net/jenkins}"
     [[ -n "$JENKINS_URL" ]] || fatal "JENKINS_URL cannot be empty."

2. Performance Optimization for Changed Script Discovery (.ci/replay-jenkins-build.sh, line 171):

   • Problem: Using git diff | rg to discover script changes could be inefficient for large repos.
   • Suggested Fix: Use git diff --diff-filter=d to exclude deleted files upfront:

     git diff --diff-filter=d --name-only "$base_sha" "$head_sha" | rg '^pipelines/.*\.groovy$' || true

3. Refactor Excessive Nested Conditionals (.ci/replay-jenkins-build.sh, lines 419–620):

   • Problem: The replay_one() function contains deeply nested conditionals, making it harder to read and maintain.
   • Suggested Fix: Break down the function into smaller helper functions, e.g., get_build_url() and validate_script_file().

---

Best Practices

1. Documentation for Environment Variables (docs/contributing.md, line 13):

   • Problem: The description of JENKINS_USER and JENKINS_TOKEN in the replay instructions is insufficient for users unfamiliar with Jenkins API.
   • Suggested Fix: Expand the documentation to clarify how to generate a Jenkins API token and where to configure it.

2. Testing Coverage for Edge Cases (prow-jobs/pingcap-qe/ci/presubmits.yaml, line 12):

   • Problem: The new presubmit job lacks explicit error handling for scenarios like missing credentials or non-existent pipeline files.
   • Suggested Fix: Add a test case to ensure the job gracefully exits for these edge cases, logging actionable errors.

3. Naming Convention in YAML Anchors (prow-jobs/pingcap-qe/ci/presubmits.yaml, line 1):

   • Problem: The anchor name labels is generic and may lead to confusion if reused in unrelated contexts.
   • Suggested Fix: Use a more descriptive name:

     labels: &jenkins-qe-labels

4. Command Validation (.ci/replay-jenkins-build.sh, line 91):

   • Problem: The require_bin() function doesn’t provide fallback instructions if a required binary is missing.
   • Suggested Fix: Extend error messages to include installation instructions:

     fatal "missing required command: ${bin}. Please install ${bin} using your package manager."

---

These changes will improve robustness, maintainability, and user experience while ensuring the functionality remains secure and performant.

[wuhuizuo]

/approve

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wuhuizuo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wuhuizuo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment