release-26.1: release: fix two more prod release-workflow auth bugs#170686
Merged
trunk-io[bot] merged 1 commit intoMay 20, 2026
Merged
Conversation
Two more independent auth failures in the prod release pipeline.
1. macOS signing impersonated a service account that does not exist.
RELEASE_SIGNING_SERVICE_ACCOUNT in release-build-and-sign.yml pointed
at release-signing@releases-prod, whose Gaia ID does not resolve.
Fetching Apple signing secrets from Secret Manager failed with 404
("Gaia id not found"). Point the prod arm at
gha-releases@releases-prod.iam.gserviceaccount.com, the consolidated
prod identity already used by the other release workflows.
2. The IBM docker build fetched cockroach tarballs from GCS using
gsutil, which does not honor the WIF credentials file that
google-github-actions/auth writes. gsutil fell back to the runner
VM's metadata service account and got a 403 from the release-staged
bucket. Switch the two gs:// downloads in
build-cockroach-release-docker.sh to 'gcloud storage cp', which
reads CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE / GOOGLE_APPLICATION_CREDENTIALS
and uses the impersonated identity as intended.
Epic: none
Release note: None
Contributor
|
😎 Merged directly without going through the merge queue, as the queue was empty and the PR was up to date with the target branch - details. |
|
Thanks for opening a backport. Before merging, please confirm that the change does not break backwards compatibility and otherwise complies with the backport policy. Include a brief release justification in the PR description explaining why the backport is appropriate. All backports must be reviewed by the TL for the owning area. While the stricter LTS policy does not yet apply, please exercise judgment and consider gating non-critical changes behind a disabled-by-default feature flag when appropriate. |
blathers-crl
Bot
added
backport
Member
|
This change is |
rickystewart
approved these changes
May 20, 2026
This was referenced May 22, 2026
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-25.2 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 25.2 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name The 8 source PRs do not cherry-pick cleanly onto release-25.2 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. Rather than hand-merging hundreds of hunks, the release-tooling code is replaced wholesale with the post-PR state from release-26.1: * pkg/cmd/release/ entire library lifted from release-26.1 tip (97b3f3e); legacy email-tooling files deleted to match. * .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. * build/github/release-*.sh wrapper scripts added. * Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/*.sh) lifted from release-26.1; the migration's changes here are additive (new WIF auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE) and the legacy TeamCity code paths still work. * cockroachdb/version bumped from the March 2025 pin to the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. The bump renames IsCustomOrNightlyBuild to IsCustomOrAdhocBuild on the *Version receiver; the one caller in pkg/build/info.go is updated. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-25.2 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 25.2 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name The 8 source PRs do not cherry-pick cleanly onto release-25.2 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. Rather than hand-merging hundreds of hunks, the release-tooling code is replaced wholesale with the post-PR state from release-26.1: * pkg/cmd/release/ entire library lifted from release-26.1 tip (97b3f3e); legacy email-tooling files deleted to match. * .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. * build/github/release-*.sh wrapper scripts added. * Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/*.sh) lifted from release-26.1; the migration's changes here are additive (new WIF auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE) and the legacy TeamCity code paths still work. * cockroachdb/version bumped from the March 2025 pin to the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. The bump renames IsCustomOrNightlyBuild to IsCustomOrAdhocBuild on the *Version receiver; the one caller in pkg/build/info.go is updated. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
This was referenced May 22, 2026
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly. Branch-specific adjustments (release-24.3 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.3). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly. Branch-specific adjustments (release-24.3 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.3). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly. Branch-specific adjustments (release-24.3 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.3). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly. Branch-specific adjustments (release-24.3 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.3). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly. Branch-specific adjustments (release-24.3 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.3). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 23, 2026
Bring release-23.2 in line with release-24.1's release-tooling stack so the new GitHub Actions release pipeline can drive 23.2 patch releases. This bundles the eight release-26.1 PRs already backported to 24.1 (cockroachdb#170348, cockroachdb#170392, cockroachdb#170657, cockroachdb#170670, cockroachdb#170686, cockroachdb#170727, cockroachdb#170765, cockroachdb#170779). Mirrors the release-24.1 (cockroachdb#170823) recipe: legacy email/Jira release tooling that release-23.2 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e). Trimmed for release-23.2's scope — these workflows / scripts were intentionally dropped because the corresponding pipeline isn't run on this branch: - IBM build/sign infrastructure (build-per-platform-ibm, build-docker-ibm, ibm-signing, release-sign-ibm.sh): release-23.2 does not ship IBM / linux-s390x builds. - Cloud-only image (publish-cloud-only, cloud-rollout, release-cloud-only.sh, release-cloud-rollout.sh, build-cockroach-release-cloud-only.sh): no cloud-only image build/publish on this branch. - RAFA rollout (create-rafa-prs, release-publish-rafa-prs.sh): release-23.2 doesn't open RAFA PRs. Other adjustments mirror the 24.1 backport: - cockroachdb/version added as a new dep at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github/v61, plus transitive bumps of cockroachdb/errors v1.11.3, getsentry/sentry-go v0.27.0, google/go-cmp v0.6.0, and stretchr/testify v1.10.0. - Orphaned deps dropped: andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo. DEPS.bzl + distdir_files.bzl updated. - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint (release-23.2's cockroach doesn't emit "FIPS enabled: true"). - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel. - linux-s390x dropped from matrices. - build-cockroach-release-per-platform.sh reverted to publish-provisional-artifacts and restores --build-arg fips_enabled=1. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 23, 2026
Bring release-23.2 in line with release-24.1's release-tooling stack so the new GitHub Actions release pipeline can drive 23.2 patch releases. This bundles the eight release-26.1 PRs already backported to 24.1 (cockroachdb#170348, cockroachdb#170392, cockroachdb#170657, cockroachdb#170670, cockroachdb#170686, cockroachdb#170727, cockroachdb#170765, cockroachdb#170779). Mirrors the release-24.1 (cockroachdb#170823) recipe: legacy email/Jira release tooling that release-23.2 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e). Trimmed for release-23.2's scope — these workflows / scripts were intentionally dropped because the corresponding pipeline isn't run on this branch: - IBM build/sign infrastructure (build-per-platform-ibm, build-docker-ibm, ibm-signing, release-sign-ibm.sh): release-23.2 does not ship IBM / linux-s390x builds. - Cloud-only image (publish-cloud-only, cloud-rollout, release-cloud-only.sh, release-cloud-rollout.sh, build-cockroach-release-cloud-only.sh): no cloud-only image build/publish on this branch. - RAFA rollout (create-rafa-prs, release-publish-rafa-prs.sh): release-23.2 doesn't open RAFA PRs. Other adjustments mirror the 24.1 backport: - cockroachdb/version added as a new dep at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github/v61, plus transitive bumps of cockroachdb/errors v1.11.3, getsentry/sentry-go v0.27.0, google/go-cmp v0.6.0, and stretchr/testify v1.10.0. - Orphaned deps dropped: andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo. DEPS.bzl + distdir_files.bzl updated. - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint (release-23.2's cockroach doesn't emit "FIPS enabled: true"). - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel. - linux-s390x dropped from matrices. - build-cockroach-release-per-platform.sh reverted to publish-provisional-artifacts and restores --build-arg fips_enabled=1. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport 1/1 commits from #170673.
/cc @cockroachdb/release
Two more independent auth failures in the prod release pipeline.
macOS signing impersonated a service account that does not exist. RELEASE_SIGNING_SERVICE_ACCOUNT in release-build-and-sign.yml pointed at release-signing@releases-prod, whose Gaia ID does not resolve. Fetching Apple signing secrets from Secret Manager failed with 404 ("Gaia id not found"). Point the prod arm at gha-releases@releases-prod.iam.gserviceaccount.com, the consolidated prod identity already used by the other release workflows.
The IBM docker build fetched cockroach tarballs from GCS using gsutil, which does not honor the WIF credentials file that google-github-actions/auth writes. gsutil fell back to the runner VM's metadata service account and got a 403 from the release-staged bucket. Switch the two gs:// downloads in build-cockroach-release-docker.sh to 'gcloud storage cp', which reads CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE / GOOGLE_APPLICATION_CREDENTIALS and uses the impersonated identity as intended.
Epic: none
Release note: None
Release justification: release workflow auth fix