release-26.1: migrate release pipelines from TeamCity to GitHub Actions #170348
Merged successfully.

Thanks for opening a backport. Before merging, please confirm that the change does not break backwards compatibility and otherwise complies with the backport policy. Include a brief release justification in the PR description explaining why the backport is appropriate. All backports must be reviewed by the TL for the owning area. While the stricter LTS policy does not yet apply, please exercise judgment and consider gating non-critical changes behind a disabled-by-default feature flag when appropriate.

Your pull request contains more than 1000 changes. It is strongly encouraged to split big PRs into smaller chunks.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.
Backport 1/1 commits from cockroachdb#170298 on behalf of @rail.

----

Move the release build/sign, publish, branch-cut, and pick-SHA pipelines from TeamCity-driven workflows to GitHub Actions, while preserving the existing TC shell scripts as the underlying build steps.

New GitHub Actions workflows under .github/workflows/:

- release-build-and-sign.yml — per-platform builds (linux amd64/arm64, s390x, FIPS, darwin amd64/arm64, windows), Docker multi-arch image builds, macOS notarization, IBM/GPG signing, sentry release upload, and Slack notification. Concurrency-grouped, per-job timeouts, all third-party actions pinned to commit SHAs, secrets fetched from GCP Secret Manager via WIF (no GitHub repo secrets), umask-restricted on-disk secret materialization. rcodesign installed from a SHA-pinned upstream binary into $RUNNER_TEMP/bin (no cargo, no sudo).
- release-publish.yml — promotes staged artifacts to DockerHub, the Red Hat container catalog, and opens RAFA cloud-rollout PRs. A single approve-publish job hosts the release-ops environment so the reviewer clicks approve once per dispatch and every downstream publish job inherits the gate transitively.
- release-branch-cut.yml — cuts staging branches, files Jira tickets (ADF-rendered), creates the backport label, and posts to Slack.
- release-pick-sha.yml — picks a release SHA, writes it back to the Jira ticket, dispatches release-build-and-sign, and notifies the docs release-notes API.

Both build-and-sign and publish accept a comma-separated skip_jobs input (validated by a first-stage validate-skip-jobs job) so an operator can re-dispatch after a partial infra failure without re-running already-successful jobs. Downstream jobs honor a 'skipped' upstream as success-equivalent only when the upstream is explicitly in skip_jobs, so cascade-skips from real failures don't masquerade as successful resumes.

Companion build/github/release-*.sh wrappers translate GHA env conventions to the existing build/teamcity/internal/release/... scripts, which gain conditional WIF auth and dev-vs-prod GCS / Artifact Registry project selection so they can be invoked from either driver. TC code paths in every shared script are untouched. Branch-cut and pick-SHA additionally build and run their release binary inside the bazel docker container (via run_bazel) so the host runner doesn't need a bazel/Go toolchain installed. The wrappers forward GITHUB_REPOSITORY into the container so the binary's defaultRepo() helper picks up the dispatching repo instead of falling back to cockroachdb/cockroach.

A new pkg/cmd/release Go CLI drives the branch-cut and pick-SHA workflows. It includes Jira (REST v3 + ADF), GitHub, Slack, and docs release-notes API clients, with unit tests for the SHA-pick and branch-cut commands. All HTTP clients are bounded by named per-call timeouts via httputil.NewClientWithTimeout so a wedged upstream API can't hang the cron run. update-versions takes --cockroach-repo and --github-username flags so the push targets aren't bound to specific literals; the dry-run override fires on isProductionRepo() rather than matching a hardcoded repo name, so a future prod-repo rename is a zero-line code change in the binary. Per-ticket summary logs in the branch-cut runner are dry-run-aware so a rehearsal run doesn't claim to have cut a branch it skipped.

Prod-vs-non-prod side effects (Slack channel selection, customer-facing publish jobs) are gated on the IS_PRODUCTION_REPO repository variable. WIF provider/SA/GCP project selection is gated on a separate USE_PROD_GCP variable so a staging-prod repo can exercise the prod control-flow paths against the dev GCP project — operators set both on the real prod repo, only IS_PRODUCTION_REPO on a rehearsal fork. Forks default to dry-run automatically and cross-repo abuse is still blocked at the WIF attribute_condition.

Per-job dispatch refs are restricted to master, release-*-rc, and staging-v* via if: allow-lists, with the release-ops environment's deployment-branches policy as the authoritative gate behind the single approve-publish job.

Release-26.1 adaptations not in the upstream PR:

- build-linux and build-per-platform-ibm in release-build-and-sign.yml gain docker/setup-buildx-action and docker/setup-qemu-action steps because the per-platform build script still does an in-job arm64 docker build on this branch (master moved that to the separate build-docker job). Without QEMU binfmt handlers the arm64 RUN steps abort with 'exec format error'.
- build-cockroach-release-cloud-only.sh drops the pre-WIF unconditional gcr_staged_credentials assignments in the upper if/else block; the WIF-aware block below already handles them, and leaving the unconditionals in place trips set -u under WIF where GCS_CREDENTIALS_PROD/DEV are unset.

Release justification: release automation changes
Epic: none
Release note: None
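The skip_jobs resume contract and the dispatch-ref allow-list described in the PR text above, modelled as POSIX shell functions so the rules can be exercised offline. This is an added example written for this page, not workflow code from cockroachdb/cockroach: the job ids in KNOWN_JOBS and the scenario inputs are constructed, and the functions stand in for what the real workflows express as a validate-skip-jobs job and `if:` conditions on downstream jobs.

```shell
#!/bin/sh
# Added example for this page, not workflow code from cockroachdb/cockroach.
# Models two gates the PR describes: the skip_jobs resume contract and the
# dispatch-ref allow-list. KNOWN_JOBS and the scenario inputs are constructed.
set -eu

# Assumed job ids; the real release-build-and-sign.yml job names are not reproduced.
KNOWN_JOBS="build-linux build-darwin build-windows build-docker sign-ibm notify"

# Exact-match membership in a comma-separated list. Wrapping both sides in
# commas means "build-darwin" cannot match a hypothetical "build-darwin-fips".
in_skip_jobs() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# First-stage validation (the validate-skip-jobs job): every entry must name a
# known job. Spaces are tolerated, empty entries ignored. Returns 1 on the first
# unknown name so a typo fails the dispatch before any build job starts.
validate_skip_jobs() {
  raw=$(printf '%s' "$1" | tr -d ' ')
  if [ -z "$raw" ]; then return 0; fi
  old_ifs=$IFS
  IFS=','
  for entry in $raw; do
    if [ -z "$entry" ]; then continue; fi
    case " $KNOWN_JOBS " in
      *" $entry "*) ;;
      *)
        IFS=$old_ifs
        echo "unknown job in skip_jobs: $entry" >&2
        return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# Downstream gate. A 'skipped' upstream is success-equivalent only when the
# operator listed it in skip_jobs; a skip inherited from a failed dependency
# (cascade skip) blocks, as does any failure or cancellation.
upstream_ok() {
  case "$2" in
    success) return 0 ;;
    skipped) in_skip_jobs "$1" "$3" ;;
    *)       return 1 ;;
  esac
}

# Dispatch-ref allow-list: master, release-*-rc and staging-v* only.
# Takes the short ref name (what GITHUB_REF_NAME carries).
ref_allowed() {
  case "$1" in
    master|release-*-rc|staging-v*) return 0 ;;
    *)                              return 1 ;;
  esac
}

# Worked scenario: the operator re-dispatches with two already-green platform
# jobs skipped; build-linux failed this time and build-docker was skipped only
# because it depends on build-linux.
demo() {
  skip="build-darwin,build-windows"
  validate_skip_jobs "$skip" || return 1
  for spec in build-darwin:skipped build-windows:skipped build-linux:failure build-docker:skipped; do
    job=${spec%%:*}
    result=${spec#*:}
    if upstream_ok "$job" "$result" "$skip"; then
      echo "$job ($result): resume"
    else
      echo "$job ($result): block"
    fi
  done
}
demo
```

Two details carry over to the real workflow. A `skipped` result does not record why a job was skipped: a job skipped because its own `needs` failed looks identical to one the operator asked to skip, so the gate has to consult skip_jobs rather than the result alone. And GitHub's `contains(inputs.skip_jobs, 'build-darwin')` is a substring test, so a job id that is a prefix of another would satisfy both checks; a delimiter-aware comparison like in_skip_jobs above, or job ids that are never prefixes of one another, avoids that. GitHub expressions also have no glob matching, so an allow-list like `release-*-rc` is written there with startsWith()/endsWith() or exact comparisons, which is one reason the environment's deployment-branches policy stays the authoritative gate.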
Branch updated: a6a8b03 to bda563a.
Detected infrastructure failure on trunk-merge branch (matched: self-hosted runner lost communication with the server). Automatically resubmitting to merge queue (attempt 1 of 2).

/trunk merge

Detected infrastructure failure on trunk-merge branch (matched: self-hosted runner lost communication with the server). Automatically resubmitting to merge queue (attempt 2 of 2).

/trunk merge
Bring release-25.2 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 25.2 patch releases.

This bundles the eight release-26.1 PRs listed below:

cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
cockroachdb#170657 release: fix two prod release-workflow bugs
cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
cockroachdb#170686 release: fix two more prod release-workflow auth bugs
cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

The 8 source PRs do not cherry-pick cleanly onto release-25.2 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. Rather than hand-merging hundreds of hunks, the release-tooling code is replaced wholesale with the post-PR state from release-26.1:

* pkg/cmd/release/ entire library lifted from release-26.1 tip (97b3f3e); legacy email-tooling files deleted to match.
* .github/workflows/release-{branch-cut,build-and-sign,pick-sha,publish}.yml added.
* build/github/release-*.sh wrapper scripts added.
* Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/*.sh) lifted from release-26.1; the migration's changes here are additive (new WIF auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE) and the legacy TeamCity code paths still work.
* cockroachdb/version bumped from the March 2025 pin to the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. The bump renames IsCustomOrNightlyBuild to IsCustomOrAdhocBuild on the *Version receiver; the one caller in pkg/build/info.go is updated.

Release justification: release-tooling backport for GHA migration.
Epic: none
Release note: None
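The dual-driver credential selection that the original PR description and this backport both describe (WIF auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, dev-vs-prod project selection, umask-restricted secret materialization), together with the `set -u` abort that the release-26.1 adaptation removed, as an added shell example. It is written for this page and is not the repository's build/teamcity script: CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is a real gcloud variable and GCS_CREDENTIALS_PROD/DEV are the variable names the PR mentions, while the project ids, file paths and secret value are constructed.

```shell
#!/bin/sh
# Added example for this page, not the build/teamcity release scripts themselves.
# A shared release script must work under two drivers:
#   TeamCity:       static key material arrives in GCS_CREDENTIALS_PROD / _DEV
#   GitHub Actions: WIF has already written a credential file and pointed gcloud
#                   at it through CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE (a real
#                   gcloud variable); no static key exists in the environment.
# Everything runs under set -u, which is the constraint the release-26.1
# adaptation had to satisfy. Project ids and file paths below are constructed.
set -eu

# The pre-fix shape: an unconditional read of a TeamCity-only variable. Under
# set -u this aborts with "unbound variable" the moment the script is run by the
# WIF driver, before any WIF-aware branch further down gets a chance to run.
legacy_pick_credentials() {
  gcr_staged_credentials="$GCS_CREDENTIALS_PROD"
  echo "$gcr_staged_credentials"
}

# The WIF-aware shape. $1 is "true" for the prod project/key (what USE_PROD_GCP
# selects under GitHub Actions). Prints "<mode> <project> <key-or-dash>", or
# returns 1 with a readable message when neither auth source is present.
pick_credentials() {
  use_prod="$1"
  if [ "$use_prod" = "true" ]; then
    project="example-release-prod"    # assumed project id
    key="${GCS_CREDENTIALS_PROD:-}"   # ${VAR:-} never trips set -u
  else
    project="example-release-dev"
    key="${GCS_CREDENTIALS_DEV:-}"
  fi
  if [ -n "${CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE:-}" ]; then
    # WIF driver: gcloud reads the override file itself; nothing to materialize.
    echo "wif $project -"
    return 0
  fi
  if [ -z "$key" ]; then
    echo "pick_credentials: no WIF override and no static key for use_prod=$use_prod" >&2
    return 1
  fi
  echo "static $project $key"
}

# Materialize a fetched secret for a tool that insists on a file. The umask is
# in force when the file is created, so it is never group/world readable, not
# even briefly before a chmod. Verifies the resulting mode and returns 1 otherwise.
materialize_secret() {
  dest="$1"
  rm -f "$dest"
  ( umask 077; printf '%s' "$2" > "$dest" )
  if find "$dest" -perm 0600 | grep -q .; then
    return 0
  fi
  echo "materialize_secret: $dest is not mode 0600" >&2
  return 1
}

# Worked run: the same functions under each driver, with constructed values.
demo() {
  echo "GitHub Actions rehearsal (WIF, dev project):"
  (CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/tmp/wif-creds.json; pick_credentials false)
  echo "TeamCity prod build (static key):"
  (unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE; GCS_CREDENTIALS_PROD=/tc/gcs-prod.json; pick_credentials true)
  echo "Old unconditional read under the WIF driver:"
  (unset GCS_CREDENTIALS_PROD; legacy_pick_credentials) || echo "  aborted by set -u, as the release-26.1 note describes"
  f=$(mktemp)
  materialize_secret "$f" "constructed-secret-value"
  echo "materialized $f (mode 0600 verified)"
  rm -f "$f"
}
demo
```

The order of the checks in pick_credentials is the point: the static-key variables are read with `${VAR:-}` before any branching, so the same script body can be sourced by either driver without the TeamCity-only names existing, and the WIF test comes first because under that driver the absence of a key file is the normal case, not an error.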
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases.

This bundles the eight release-26.1 PRs listed below:

cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
cockroachdb#170657 release: fix two prod release-workflow bugs
cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
cockroachdb#170686 release: fix two more prod release-workflow auth bugs
cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e):

- pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match.
- .github/workflows/release-{branch-cut,build-and-sign,pick-sha,publish}.yml added.
- build/github/release-*.sh wrapper scripts added.
- Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work.
- cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly.

Branch-specific adjustments (release-24.3 differs from release-26.1):

- verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.)
- TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it.
- run_bazel_fips left removed (no callers on release-24.3).
- linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only).
- build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split.
- build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg.
- make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path.

Release justification: release-tooling backport for GHA migration.
Epic: none
Release note: None
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases.

This bundles the eight release-26.1 PRs listed below:

cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
cockroachdb#170657 release: fix two prod release-workflow bugs
cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
cockroachdb#170686 release: fix two more prod release-workflow auth bugs
cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e):

- pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match.
- .github/workflows/release-{branch-cut,build-and-sign,pick-sha,publish}.yml added.
- build/github/release-*.sh wrapper scripts added.
- Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work.
- cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl.

Branch-specific adjustments (release-24.1 differs from release-26.1):

- verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.)
- TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it.
- run_bazel_fips left removed (no callers on release-24.1).
- linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only).
- build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split.
- build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg.
- make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path.

Release justification: release-tooling backport for GHA migration.
Epic: none
Release note: None
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. 
- cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly. Branch-specific adjustments (release-24.3 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.3). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. 
Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. 
- cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly. Branch-specific adjustments (release-24.3 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.3). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. 
Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases.

This bundles the eight release-26.1 PRs listed below:

- cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
- cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
- cockroachdb#170657 release: fix two prod release-workflow bugs
- cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
- cockroachdb#170686 release: fix two more prod release-workflow auth bugs
- cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
- cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
- cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e):

- pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match.
- .github/workflows/release-{branch-cut,build-and-sign,pick-sha,publish}.yml added.
- build/github/release-*.sh wrapper scripts added.
- Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work.
- cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly.

Branch-specific adjustments (release-24.3 differs from release-26.1):

- verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.)
- TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it.
- run_bazel_fips left removed (no callers on release-24.3).
- linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only).
- build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split.
- build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg.
- make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path.

Release justification: release-tooling backport for GHA migration.
Epic: none
Release note: None
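The backport messages above (and the main PR description further down) describe the shared TeamCity scripts gaining an additive WIF-auth branch gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, dev-vs-prod GCP project selection driven by USE_PROD_GCP, and umask-restricted materialization of on-disk secrets. The following is an added example, not a script from the cockroach repository, that models those three decisions in POSIX sh. The project IDs are placeholders, the gcloud invocations appear only in comments, and the constructed dev key value is fake; the variable names CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, USE_PROD_GCP, GCS_CREDENTIALS_PROD and GCS_CREDENTIALS_DEV are the ones the messages name.

```shell
#!/bin/sh
# Added example (not the cockroach repository's scripts): models the
# "additive WIF-auth branch gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE"
# pattern plus the USE_PROD_GCP project selection from the backport text.
# Project IDs are placeholders; gcloud commands are only named in comments.
set -eu

# select_gcp_project USE_PROD_GCP: which GCP project the script targets.
# Gated on USE_PROD_GCP, not on IS_PRODUCTION_REPO, so a rehearsal repo can
# exercise the prod control flow against the dev project.
select_gcp_project() {
  if [ "$1" = "true" ]; then
    echo "example-prod-project"   # placeholder, not a real project ID
  else
    echo "example-dev-project"    # placeholder, not a real project ID
  fi
}

# auth_mode: "wif" when the GHA wrapper has pointed gcloud at a WIF
# credential file via CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, "legacy" on
# the untouched TeamCity path.
auth_mode() {
  if [ -n "${CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE:-}" ]; then
    echo wif
  else
    echo legacy
  fi
}

# materialize_secret DEST VALUE: write a secret to disk readable only by
# the owner. The umask is set in a subshell so it does not leak into the
# rest of the script. Prints the resulting octal mode (e.g. 600).
materialize_secret() {
  ( umask 077; printf '%s' "$2" > "$1" )
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# gcloud_auth USE_PROD_GCP: pick the auth path. Under WIF, gcloud reads the
# credential file itself, so the legacy key variables must not be expanded
# at all: with set -u an unconditional "$GCS_CREDENTIALS_PROD" would abort
# the script (the set -u trip the release-26.1 adaptations mention). The
# legacy branch runs only when the override is absent. Prints "<mode>:<detail>".
gcloud_auth() {
  case $(auth_mode) in
    wif)
      # real scripts would simply let gcloud pick up the override here
      echo "wif:$CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE"
      ;;
    legacy)
      if [ "$1" = "true" ]; then
        creds=${GCS_CREDENTIALS_PROD:?legacy path needs GCS_CREDENTIALS_PROD}
      else
        creds=${GCS_CREDENTIALS_DEV:?legacy path needs GCS_CREDENTIALS_DEV}
      fi
      keyfile="$(mktemp -d)/key.json"
      materialize_secret "$keyfile" "$creds" >/dev/null
      # real scripts would run:
      #   gcloud auth activate-service-account --key-file="$keyfile"
      echo "legacy:$keyfile"
      ;;
  esac
}

# Demo with a constructed (fake) dev key so the block runs stand-alone.
: "${GCS_CREDENTIALS_DEV:=constructed-not-a-real-key}"
echo "project=$(select_gcp_project false) auth=$(gcloud_auth false)"
```

The point of keeping the legacy expansions inside the `legacy` branch is exactly the set -u behaviour: a script running under WIF never touches GCS_CREDENTIALS_PROD/DEV, so their absence on a GHA runner is harmless, while the TeamCity path still fails loudly if its key material is missing.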
Bring release-23.2 in line with release-24.1's release-tooling stack so the new GitHub Actions release pipeline can drive 23.2 patch releases.

This bundles the eight release-26.1 PRs already backported to 24.1 (cockroachdb#170348, cockroachdb#170392, cockroachdb#170657, cockroachdb#170670, cockroachdb#170686, cockroachdb#170727, cockroachdb#170765, cockroachdb#170779).

Mirrors the release-24.1 (cockroachdb#170823) recipe: legacy email/Jira release tooling that release-23.2 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e).

Trimmed for release-23.2's scope — these workflows / scripts were intentionally dropped because the corresponding pipeline isn't run on this branch:

- IBM build/sign infrastructure (build-per-platform-ibm, build-docker-ibm, ibm-signing, release-sign-ibm.sh): release-23.2 does not ship IBM / linux-s390x builds.
- Cloud-only image (publish-cloud-only, cloud-rollout, release-cloud-only.sh, release-cloud-rollout.sh, build-cockroach-release-cloud-only.sh): no cloud-only image build/publish on this branch.
- RAFA rollout (create-rafa-prs, release-publish-rafa-prs.sh): release-23.2 doesn't open RAFA PRs.

Other adjustments mirror the 24.1 backport:

- cockroachdb/version added as a new dep at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github/v61, plus transitive bumps of cockroachdb/errors v1.11.3, getsentry/sentry-go v0.27.0, google/go-cmp v0.6.0, and stretchr/testify v1.10.0.
- Orphaned deps dropped: andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo. DEPS.bzl + distdir_files.bzl updated.
- verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint (release-23.2's cockroach doesn't emit "FIPS enabled: true").
- TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel.
- linux-s390x dropped from matrices.
- build-cockroach-release-per-platform.sh reverted to publish-provisional-artifacts and restores --build-arg fips_enabled=1.

Release justification: release-tooling backport for GHA migration.
Epic: none
Release note: None
Backport 1/1 commits from #170298 on behalf of @rail.
Move the release build/sign, publish, branch-cut, and pick-SHA pipelines
from TeamCity-driven workflows to GitHub Actions, while preserving the
existing TC shell scripts as the underlying build steps.
New GitHub Actions workflows under .github/workflows/:
- release-build-and-sign.yml: per-platform builds (linux amd64/arm64,
  s390x, FIPS, darwin amd64/arm64, windows), Docker multi-arch image
  builds, macOS notarization, IBM/GPG signing, sentry release upload,
  and Slack notification. Concurrency-grouped, per-job timeouts, all
  third-party actions pinned to commit SHAs, secrets fetched from GCP
  Secret Manager via WIF (no GitHub repo secrets), umask-restricted
  on-disk secret materialization. rcodesign installed from a SHA-pinned
  upstream binary into $RUNNER_TEMP/bin (no cargo, no sudo).
- release-publish.yml: promotes staged artifacts to DockerHub, the
  Red Hat container catalog, and opens RAFA cloud-rollout PRs. A
  single approve-publish job hosts the release-ops environment so the
  reviewer clicks approve once per dispatch and every downstream
  publish job inherits the gate transitively.
- release-branch-cut.yml: cuts staging branches, files Jira tickets
  (ADF-rendered), creates the backport label, and posts to Slack.
- release-pick-sha.yml: picks a release SHA, writes it back to the
  Jira ticket, dispatches release-build-and-sign, and notifies the
  docs release-notes API.
Both build-and-sign and publish accept a comma-separated skip_jobs
input (validated by a first-stage validate-skip-jobs job) so an
operator can re-dispatch after a partial infra failure without re-
running already-successful jobs. Downstream jobs honor a 'skipped'
upstream as success-equivalent only when the upstream is explicitly
in skip_jobs, so cascade-skips from real failures don't masquerade as
successful resumes.
Companion build/github/release-*.sh wrappers translate GHA env
conventions to the existing build/teamcity/internal/release/...
scripts, which gain conditional WIF auth and dev-vs-prod GCS / Artifact
Registry project selection so they can be invoked from either driver.
TC code paths in every shared script are untouched. Branch-cut and
pick-SHA additionally build and run their release binary inside the
bazel docker container (via run_bazel) so the host runner doesn't
need a bazel/Go toolchain installed. The wrappers forward
GITHUB_REPOSITORY into the container so the binary's defaultRepo()
helper picks up the dispatching repo instead of falling back to
cockroachdb/cockroach.
A new pkg/cmd/release Go CLI drives the branch-cut and pick-SHA
workflows. It includes Jira (REST v3 + ADF), GitHub, Slack, and docs
release-notes API clients, with unit tests for the SHA-pick and
branch-cut commands. All HTTP clients are bounded by named per-call
timeouts via httputil.NewClientWithTimeout so a wedged upstream API
can't hang the cron run. update-versions takes --cockroach-repo and
--github-username flags so the push targets aren't bound to specific
literals; the dry-run override fires on isProductionRepo() rather
than matching a hardcoded repo name, so a future prod-repo rename is
a zero-line code change in the binary. Per-ticket summary logs in the
branch-cut runner are dry-run-aware so a rehearsal run doesn't claim
to have cut a branch it skipped.
Prod-vs-non-prod side effects (Slack channel selection, customer-
facing publish jobs) are gated on the IS_PRODUCTION_REPO repository
variable. WIF provider/SA/GCP project selection is gated on a separate
USE_PROD_GCP variable so a staging-prod repo can exercise the prod
control-flow paths against the dev GCP project — operators set both
on the real prod repo, only IS_PRODUCTION_REPO on a rehearsal fork.
Forks default to dry-run automatically and cross-repo abuse is still
blocked at the WIF attribute_condition.
Per-job dispatch refs are restricted to master, release-*-rc, and
staging-v via if: allow-lists, with the release-ops environment's
deployment-branches policy as the authoritative gate behind the
single approve-publish job.
Release-26.1 adaptations not in the upstream PR:
gain docker/setup-buildx-action and docker/setup-qemu-action steps
because the per-platform build script still does an in-job arm64
docker build on this branch (master moved that to the separate
build-docker job). Without QEMU binfmt handlers the arm64 RUN steps
abort with 'exec format error'.
gcr_staged_credentials assignments in the upper if/else block; the
WIF-aware block below already handles them, and leaving the
unconditionals in place trips set -u under WIF where
GCS_CREDENTIALS_PROD/DEV are unset.
Release justification: release automation changes
Epic: none
Release note: None
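The description above explains the skip_jobs re-dispatch mechanism: a comma-separated input validated by a first-stage validate-skip-jobs job, and downstream jobs that treat a 'skipped' upstream as success-equivalent only when that upstream was explicitly named, so a cascade-skip caused by a real failure is not mistaken for a successful resume. The following is an added example, not code from the cockroach workflows, that models both halves of that gate in POSIX sh. The job names in KNOWN_JOBS, the demo values and the GitHub Actions expression quoted in a comment are assumptions; the page only states the input format and the success-equivalence rule.

```shell
#!/bin/sh
# Added example (not code from the cockroach repository): a shell model of
# the skip_jobs gate laid out in the PR description. KNOWN_JOBS and the
# exact input format are assumptions; the description only says the input
# is comma-separated and validated by a first-stage job.
set -eu

# Constructed allow-list of jobs an operator may name in skip_jobs.
KNOWN_JOBS="build-linux build-darwin build-windows build-docker sentry-upload"

# validate_skip_jobs LIST: succeed only when every comma-separated entry is
# a known job name. An empty LIST is valid (nothing skipped). Rejecting
# unknown names up front keeps a typo from silently turning into "nothing
# was skipped" once the downstream gates run.
validate_skip_jobs() {
  old_ifs=$IFS
  IFS=','
  set -- $1
  IFS=$old_ifs
  for job in "$@"; do
    case " $KNOWN_JOBS " in
      *" $job "*) ;;
      *) echo "validate-skip-jobs: unknown job '$job'" >&2; return 1 ;;
    esac
  done
  return 0
}

# is_skipped JOB LIST: succeed when JOB was explicitly named in LIST.
# The surrounding commas make the match exact (build-linux does not
# match build-linux-fips).
is_skipped() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# upstream_ok RESULT JOB LIST: the downstream job's gate on an upstream
# job's outcome. A 'skipped' upstream counts as success only when the
# operator asked for it in LIST; a skip caused by a failed dependency
# (cascade-skip), a failure or a cancellation all block the downstream job.
# The analogous GitHub Actions expression (assumed, not quoted from the
# workflow) would be:
#   needs.JOB.result == 'success' ||
#   (needs.JOB.result == 'skipped' &&
#    contains(format(',{0},', inputs.skip_jobs), ',JOB,'))
upstream_ok() {
  case $1 in
    success) return 0 ;;
    skipped) is_skipped "$2" "$3" ;;
    *) return 1 ;;
  esac
}

# Demo: a re-dispatch that skips build-linux versus a cascade-skip of a job
# that was not in the list.
skip_jobs="build-linux"
validate_skip_jobs "$skip_jobs"
for result in success skipped failure; do
  if upstream_ok "$result" build-linux "$skip_jobs"; then
    echo "build-linux=$result skip_jobs=$skip_jobs: downstream proceeds"
  else
    echo "build-linux=$result skip_jobs=$skip_jobs: downstream blocked"
  fi
done
if upstream_ok skipped build-docker "$skip_jobs"; then
  echo "build-docker=skipped (cascade) skip_jobs=$skip_jobs: downstream proceeds"
else
  echo "build-docker=skipped (cascade) skip_jobs=$skip_jobs: downstream blocked"
fi
```

The design choice worth noting is that the gate keys on the operator's explicit input rather than on the upstream's status alone: GitHub Actions reports a job skipped by a failed dependency and a job skipped on purpose with the same 'skipped' result, so without the skip_jobs cross-check a publish step could run on top of artifacts that were never built.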