release-25.2: release tooling: bundled backport of GHA-migration follow-ups #170813

Open
rail wants to merge 1 commit into
cockroachdb:release-25.2 from
rail:backport25.2-170348-170392-170657-170670-170686-170727-170765-170779

rail commented May 22, 2026

Backport of 8 release-26.1 PRs onto release-25.2 so the new GitHub
Actions release pipeline can drive 25.2 patch releases on behalf of @rail:

Unlike the release-25.4 backport (#170804), the 8 commits do not
cherry-pick cleanly onto release-25.2 — the legacy email/Jira release
tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go,
set_cockroach_version.go, their tests and templates) was removed before
release-25.4 was cut, so the migration PR introduces a pick_sha.go
that collides with release-25.2's pre-existing one. Rather than
hand-merging hundreds of hunks, the release-tooling code is replaced
wholesale with the post-PR state from release-26.1 (tip 97b3f3e):

  • pkg/cmd/release/ library + sentry tool lifted from release-26.1;
    the legacy email-tooling Go files, templates, and testdata deleted
    to match release-25.4's already-pruned shape.
  • .github/workflows/release-{branch-cut,build-and-sign,pick-sha,publish}.yml added.
  • build/github/release-*.sh wrapper scripts added.
  • Shared TeamCity-era scripts (build/release/teamcity-*.sh,
    build/teamcity-bazel-support.sh, build/teamcity-common-support.sh,
    build/teamcity/internal/cockroach/release/{process,publish}/*.sh,
    build/teamcity/internal/release/process/build-cockroach-release-*.sh)
    lifted from release-26.1; the migration's edits here are additive
    WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE,
    so the legacy TeamCity code paths still work.
  • cockroachdb/version bumped from the March 2025 pin to the May 2025
    pin so the new pkg/cmd/release can use version.IncPreRelease /
    IncPatch. The bump renames IsCustomOrNightlyBuild to
    IsCustomOrAdhocBuild on the *Version receiver; the one caller in
    pkg/build/info.go is updated.

Branch-specific adjustments (release-25.2 differs from release-26.1 in
ways the 26.1 versions of these scripts didn't anticipate):

  • verify_docker_image reverted to detect FIPS via Go version + OpenSSL
    fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line
    that requires the crypto/fips140-based check in pkg/build/info.go
    introduced post-25.2; release-25.2's cockroach binary does not emit it.
  • TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — the
    migration added it on master for a reason that doesn't apply on 25.2,
    where the var isn't set in the TC environment.
  • run_bazel_fips left removed (no callers on release-25.2).
  • linux-s390x dropped from build-linux / build-per-platform-ibm
    matrices, release-sign-ibm.sh's iteration, and the cloud-only
    comment. release-25.2 does not build s390x. IBM build/sign jobs are
    kept (they're the no-telemetry linux variants, not s390x-only).
  • build-cockroach-release-per-platform.sh reverted to
    publish-provisional-artifacts -provisional -release — release-25.2
    predates the publish-artifacts rename + release subcommand split.
  • build-cockroach-release-per-platform.sh restores the
    --build-arg fips_enabled=1 branch for the FIPS docker image; the
    release-25.2 build/deploy/Dockerfile gates FIPS package installation
    on this arg.
  • make-and-publish-* TC-only nightly scripts reverted to 25.2
    originals — they aren't on the GHA call path.

Release justification: release-tooling backport for GHA migration.

Epic: none
Release note: None
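
The gating on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE described above, as an added sketch that is not code from this PR or from the cockroachdb repository. The function names and LEGACY_GCP_KEY_JSON (a stand-in for whatever variable the TeamCity path reads) are hypothetical; the point shown is that a set-but-invalid override fails closed instead of falling through to the legacy key path.

```shell
#!/usr/bin/env bash
# Added example, not the project's script. Hypothetical names:
# is_wif_config, select_release_auth, make_samples, LEGACY_GCP_KEY_JSON.

# True only if $1 is a readable Workload Identity Federation config:
# type "external_account" and no embedded long-lived private key.
# Assumes each JSON key and its value sit on the same line.
is_wif_config() {
  [ -r "$1" ] || return 1
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"external_account"' "$1" || return 1
  ! grep -Eq '"private_key"[[:space:]]*:' "$1"
}

# Print "wif" or "legacy" on success.
# Return 2 when the override is set but unusable, 1 when nothing is configured.
select_release_auth() {
  if [ -n "${CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE:-}" ]; then
    if is_wif_config "$CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE"; then
      echo wif
      return 0
    fi
    # Fail closed: a broken override must not silently select the legacy key.
    echo "override set but not a WIF config; refusing to continue" >&2
    return 2
  fi
  if [ -n "${LEGACY_GCP_KEY_JSON:-}" ]; then
    echo legacy
    return 0
  fi
  echo "no GCP credentials configured" >&2
  return 1
}

# Constructed sample credential files (no real identifiers or key material).
make_samples() {
  cat > "$1/wif.json" <<'EOF'
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/0/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "credential_source": { "file": "/tmp/example-token", "format": { "type": "json" } }
}
EOF
  cat > "$1/sa.json" <<'EOF'
{
  "type": "service_account",
  "private_key": "CONSTRUCTED-PLACEHOLDER"
}
EOF
}

# Demo over the constructed samples.
samples=$(mktemp -d)
make_samples "$samples"
for f in wif.json sa.json; do
  mode=$(CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="$samples/$f" \
    select_release_auth 2>/dev/null) || mode="refused"
  echo "$f -> $mode"
done
rm -rf "$samples"
```
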

@rail rail requested a review from a team as a code owner May 22, 2026 16:09

blathers-crl Bot commented May 22, 2026

Thanks for opening a backport.

Before merging, please confirm that it falls into one of the following categories (select one):

  • Non-production code changes OR fixes for serious issues. Non-production includes test-only changes, build system changes, etc. Serious issues are defined in the policy as correctness, stability, or security issues, data corruption/loss, significant performance regressions, breaking working and widely used functionality, or an inability to detect and debug production issues.
  • Other approved changes. These changes must be gated behind a disabled-by-default feature flag unless there is a strong justification not to. Reference the approved ENGREQ ticket in the PR body (e.g., "Fixes ENGREQ-123").

Add a brief release justification to the PR description explaining your selection.

Also, confirm that the change does not break backward compatibility and complies with all aspects of the backport policy.

All backports must be reviewed by the TL and EM for the owning area.


trunk-io Bot commented May 22, 2026

Merging to release-25.2 in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here.

blathers-crl Bot added the backport and T-code-systems labels May 22, 2026
@rail rail self-assigned this May 22, 2026

blathers-crl Bot commented May 22, 2026

Your pull request contains more than 1000 changes. It is strongly encouraged to split big PRs into smaller chunks.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.

@cockroach-teamcity

This change is Reviewable

@rail rail force-pushed the backport25.2-170348-170392-170657-170670-170686-170727-170765-170779 branch from 140e81b to f4152d0 Compare May 22, 2026 16:19
Bring release-25.2 in line with release-26.1's release-tooling stack so
the new GitHub Actions release pipeline can drive 25.2 patch releases.
This bundles the eight release-26.1 PRs listed below:

  cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
  cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
  cockroachdb#170657 release: fix two prod release-workflow bugs
  cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
  cockroachdb#170686 release: fix two more prod release-workflow auth bugs
  cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
  cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
  cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

The 8 source PRs do not cherry-pick cleanly onto release-25.2 because
the legacy email/Jira release tooling (blockers.go, github.go, jira.go,
metadata.go, orchestration.go, set_cockroach_version.go, their tests
and templates) was removed before release-25.4 was cut. Rather than
hand-merging hundreds of hunks, the release-tooling code is replaced
wholesale with the post-PR state from release-26.1:

  * pkg/cmd/release/ entire library lifted from release-26.1 tip
    (97b3f3e); legacy email-tooling files deleted to match.
  * .github/workflows/release-{branch-cut,build-and-sign,pick-sha,
    publish}.yml added.
  * build/github/release-*.sh wrapper scripts added.
  * Shared TeamCity-era scripts (build/release/teamcity-*.sh,
    build/teamcity-bazel-support.sh, build/teamcity-common-support.sh,
    build/teamcity/internal/cockroach/release/{process,publish}/*.sh,
    build/teamcity/internal/release/process/*.sh) lifted from
    release-26.1; the migration's changes here are additive (new WIF
    auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE) and
    the legacy TeamCity code paths still work.
  * cockroachdb/version bumped from the March 2025 pin to the May 2025
    pin so the new pkg/cmd/release can use version.IncPreRelease /
    IncPatch. The bump renames IsCustomOrNightlyBuild to
    IsCustomOrAdhocBuild on the *Version receiver; the one caller in
    pkg/build/info.go is updated.

Release justification: release-tooling backport for GHA migration.

Epic: none
Release note: None
@rail rail force-pushed the backport25.2-170348-170392-170657-170670-170686-170727-170765-170779 branch from f4152d0 to 2a6d46d Compare May 22, 2026 17:19
rail added a commit to rail/cockroach that referenced this pull request May 22, 2026
Bring release-24.3 in line with release-26.1's release-tooling stack
so the new GitHub Actions release pipeline can drive 24.3 patch
releases. This bundles the eight release-26.1 PRs listed below:

  cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
  cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
  cockroachdb#170657 release: fix two prod release-workflow bugs
  cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
  cockroachdb#170686 release: fix two more prod release-workflow auth bugs
  cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
  cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
  cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't
cherry-pick cleanly onto release-24.3 because the legacy email/Jira
release tooling (blockers.go, github.go, jira.go, metadata.go,
orchestration.go, set_cockroach_version.go, their tests and
templates) was removed before release-25.4 was cut. The release-tooling
code is replaced wholesale with the post-PR state from release-26.1
(tip 97b3f3e):

- pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy
  email-tooling Go files, templates, and testdata deleted to match.
- .github/workflows/release-{branch-cut,build-and-sign,pick-sha,
  publish}.yml added.
- build/github/release-*.sh wrapper scripts added.
- Shared TeamCity-era scripts (build/release/teamcity-*.sh,
  build/teamcity-bazel-support.sh, build/teamcity-common-support.sh,
  build/teamcity/internal/cockroach/release/{process,publish}/*.sh,
  build/teamcity/internal/release/process/build-cockroach-release-*.sh)
  lifted from release-26.1; the migration's edits here are additive
  WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE,
  so the legacy TeamCity code paths still work.
- cockroachdb/version added as a new dep (release-24.3 didn't have it
  at all) at the May 2025 pin so the new pkg/cmd/release can use
  version.IncPreRelease / IncPatch. go-github v61 also added.
  Orphaned deps from the deleted legacy tooling
  (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo
  and fatih/structs) dropped. DEPS.bzl regenerated accordingly.

Branch-specific adjustments (release-24.3 differs from release-26.1):

- verify_docker_image reverted to detect FIPS via Go version + OpenSSL
  fingerprint. The 26.1 version greps for a 'FIPS enabled: true'
  line that requires the crypto/fips140-based check in
  pkg/build/info.go introduced post-24.3; release-24.3's cockroach
  binary doesn't emit it. (pkg/build/info.go itself is unchanged on
  this branch because release-24.3 still uses the internal
  pkg/util/version package and never adopted the cockroachdb/version
  external module that introduced the IsCustomOrAdhocBuild rename.)
- TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel —
  release-24.3's TC environment doesn't set it.
- run_bazel_fips left removed (no callers on release-24.3).
- linux-s390x dropped from build-linux / build-per-platform-ibm
  matrices, release-sign-ibm.sh's iteration, the publish-staged
  platforms list, and the cloud-only comment. release-24.3 does not
  build s390x. IBM build/sign jobs are kept (no-telemetry linux
  variants, not s390x-only).
- build-cockroach-release-per-platform.sh reverted to
  'publish-provisional-artifacts -provisional -release' — release-24.3
  predates the publish-artifacts rename + release subcommand split.
- build-cockroach-release-per-platform.sh restores the
  '--build-arg fips_enabled=1' branch for the FIPS docker image;
  the release-24.3 build/deploy/Dockerfile gates FIPS package
  installation on this arg.
- make-and-publish-* TC-only nightly scripts reverted to 24.3
  originals — they aren't on the GHA call path.

Release justification: release-tooling backport for GHA migration.

Epic: none
Release note: None
rail added a commit to rail/cockroach that referenced this pull request May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack
so the new GitHub Actions release pipeline can drive 24.1 patch
releases. This bundles the eight release-26.1 PRs listed below:

  cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
  cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
  cockroachdb#170657 release: fix two prod release-workflow bugs
  cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
  cockroachdb#170686 release: fix two more prod release-workflow auth bugs
  cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
  cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
  cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813)
backports: the legacy email/Jira release tooling that release-24.1
still carries is replaced wholesale with the post-PR state from
release-26.1 (tip 97b3f3e):

- pkg/cmd/release/ entire library lifted from release-26.1 tip;
  legacy email-tooling Go files, templates, and testdata deleted to
  match.
- .github/workflows/release-{branch-cut,build-and-sign,pick-sha,
  publish}.yml added.
- build/github/release-*.sh wrapper scripts added.
- Shared TeamCity-era scripts (build/release/teamcity-*.sh,
  build/teamcity-bazel-support.sh, build/teamcity-common-support.sh,
  build/teamcity/internal/cockroach/release/{process,publish}/*.sh,
  build/teamcity/internal/release/process/build-cockroach-release-*.sh)
  lifted from release-26.1; the migration's edits there are additive
  WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE,
  so the legacy TeamCity code paths still work.
- cockroachdb/version added as a new dep (release-24.1 didn't carry
  it) at the May 2025 pin so the new pkg/cmd/release can use
  version.IncPreRelease / IncPatch. go-github v61 also added.
  Orphaned deps from the deleted legacy tooling
  (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo
  and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl.

Branch-specific adjustments (release-24.1 differs from release-26.1):

- verify_docker_image reverted to detect FIPS via Go version + OpenSSL
  fingerprint. The 26.1 version greps for a 'FIPS enabled: true'
  line that requires the crypto/fips140-based check in
  pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself
  is unchanged here because release-24.1 still uses the internal
  pkg/util/version package and never adopted the cockroachdb/version
  external module.)
- TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel —
  release-24.1's TC environment doesn't set it.
- run_bazel_fips left removed (no callers on release-24.1).
- linux-s390x dropped from build-linux / build-per-platform-ibm
  matrices, release-sign-ibm.sh's iteration, the publish-staged
  platforms list, and the cloud-only comment. release-24.1 does not
  build s390x. IBM build/sign jobs are kept (no-telemetry linux
  variants, not s390x-only).
- build-cockroach-release-per-platform.sh reverted to
  'publish-provisional-artifacts -provisional -release' — release-24.1
  predates the publish-artifacts rename + release subcommand split.
- build-cockroach-release-per-platform.sh restores the
  '--build-arg fips_enabled=1' branch for the FIPS docker image;
  the release-24.1 build/deploy/Dockerfile gates FIPS package
  installation on this arg.
- make-and-publish-* TC-only nightly scripts kept at 24.1
  originals — they aren't on the GHA call path.

Release justification: release-tooling backport for GHA migration.

Epic: none
Release note: None
rail added a commit to rail/cockroach that referenced this pull request May 22, 2026
Bring release-24.3 in line with release-26.1's release-tooling stack
so the new GitHub Actions release pipeline can drive 24.3 patch
releases. This bundles the eight release-26.1 PRs listed below:

  cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
  cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
  cockroachdb#170657 release: fix two prod release-workflow bugs
  cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
  cockroachdb#170686 release: fix two more prod release-workflow auth bugs
  cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
  cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
  cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't
cherry-pick cleanly onto release-24.3 because the legacy email/Jira
release tooling (blockers.go, github.go, jira.go, metadata.go,
orchestration.go, set_cockroach_version.go, their tests and
templates) was removed before release-25.4 was cut. The release-tooling
code is replaced wholesale with the post-PR state from release-26.1
(tip 97b3f3e):

- pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy
  email-tooling Go files, templates, and testdata deleted to match.
- .github/workflows/release-{branch-cut,build-and-sign,pick-sha,
  publish}.yml added.
- build/github/release-*.sh wrapper scripts added.
- Shared TeamCity-era scripts (build/release/teamcity-*.sh,
  build/teamcity-bazel-support.sh, build/teamcity-common-support.sh,
  build/teamcity/internal/cockroach/release/{process,publish}/*.sh,
  build/teamcity/internal/release/process/build-cockroach-release-*.sh)
  lifted from release-26.1; the migration's edits here are additive
  WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE,
  so the legacy TeamCity code paths still work.
- cockroachdb/version added as a new dep (release-24.3 didn't have it
  at all) at the May 2025 pin so the new pkg/cmd/release can use
  version.IncPreRelease / IncPatch. go-github v61 also added.
  Orphaned deps from the deleted legacy tooling
  (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo
  and fatih/structs) dropped. DEPS.bzl regenerated accordingly.

Branch-specific adjustments (release-24.3 differs from release-26.1):

- verify_docker_image reverted to detect FIPS via Go version + OpenSSL
  fingerprint. The 26.1 version greps for a 'FIPS enabled: true'
  line that requires the crypto/fips140-based check in
  pkg/build/info.go introduced post-24.3; release-24.3's cockroach
  binary doesn't emit it. (pkg/build/info.go itself is unchanged on
  this branch because release-24.3 still uses the internal
  pkg/util/version package and never adopted the cockroachdb/version
  external module that introduced the IsCustomOrAdhocBuild rename.)
- TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel —
  release-24.3's TC environment doesn't set it.
- run_bazel_fips left removed (no callers on release-24.3).
- linux-s390x dropped from build-linux / build-per-platform-ibm
  matrices, release-sign-ibm.sh's iteration, the publish-staged
  platforms list, and the cloud-only comment. release-24.3 does not
  build s390x. IBM build/sign jobs are kept (no-telemetry linux
  variants, not s390x-only).
- build-cockroach-release-per-platform.sh reverted to
  'publish-provisional-artifacts -provisional -release' — release-24.3
  predates the publish-artifacts rename + release subcommand split.
- build-cockroach-release-per-platform.sh restores the
  '--build-arg fips_enabled=1' branch for the FIPS docker image;
  the release-24.3 build/deploy/Dockerfile gates FIPS package
  installation on this arg.
- make-and-publish-* TC-only nightly scripts reverted to 24.3
  originals — they aren't on the GHA call path.

Release justification: release-tooling backport for GHA migration.

Epic: none
Release note: None
rail added a commit to rail/cockroach that referenced this pull request May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack
so the new GitHub Actions release pipeline can drive 24.1 patch
releases. This bundles the eight release-26.1 PRs listed below:

  cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions
  cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary
  cockroachdb#170657 release: fix two prod release-workflow bugs
  cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes
  cockroachdb#170686 release: fix two more prod release-workflow auth bugs
  cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact
  cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow
  cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name

Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813)
backports: the legacy email/Jira release tooling that release-24.1
still carries is replaced wholesale with the post-PR state from
release-26.1 (tip 97b3f3e):

- pkg/cmd/release/ entire library lifted from release-26.1 tip;
  legacy email-tooling Go files, templates, and testdata deleted to
  match.
- .github/workflows/release-{branch-cut,build-and-sign,pick-sha,
  publish}.yml added.
- build/github/release-*.sh wrapper scripts added.
- Shared TeamCity-era scripts (build/release/teamcity-*.sh,
  build/teamcity-bazel-support.sh, build/teamcity-common-support.sh,
  build/teamcity/internal/cockroach/release/{process,publish}/*.sh,
  build/teamcity/internal/release/process/build-cockroach-release-*.sh)
  lifted from release-26.1; the migration's edits there are additive
  WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE,
  so the legacy TeamCity code paths still work.
- cockroachdb/version added as a new dep (release-24.1 didn't carry
  it) at the May 2025 pin so the new pkg/cmd/release can use
  version.IncPreRelease / IncPatch. go-github v61 also added.
  Orphaned deps from the deleted legacy tooling
  (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo
  and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl.

Branch-specific adjustments (release-24.1 differs from release-26.1):

- verify_docker_image reverted to detect FIPS via Go version + OpenSSL
  fingerprint. The 26.1 version greps for a 'FIPS enabled: true'
  line that requires the crypto/fips140-based check in
  pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself
  is unchanged here because release-24.1 still uses the internal
  pkg/util/version package and never adopted the cockroachdb/version
  external module.)
- TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel —
  release-24.1's TC environment doesn't set it.
- run_bazel_fips left removed (no callers on release-24.1).
- linux-s390x dropped from build-linux / build-per-platform-ibm
  matrices, release-sign-ibm.sh's iteration, the publish-staged
  platforms list, and the cloud-only comment. release-24.1 does not
  build s390x. IBM build/sign jobs are kept (no-telemetry linux
  variants, not s390x-only).
- build-cockroach-release-per-platform.sh reverted to
  'publish-provisional-artifacts -provisional -release' — release-24.1
  predates the publish-artifacts rename + release subcommand split.
- build-cockroach-release-per-platform.sh restores the
  '--build-arg fips_enabled=1' branch for the FIPS docker image;
  the release-24.1 build/deploy/Dockerfile gates FIPS package
  installation on this arg.
- make-and-publish-* TC-only nightly scripts kept at 24.1
  originals — they aren't on the GHA call path.

Release justification: release-tooling backport for GHA migration.

Epic: none
Release note: None
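The gating described in the commit messages above (WIF-auth branches taken only when CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is set, legacy TeamCity paths otherwise), sketched as an added example that is not the repository's own script code. The function names and exit codes are hypothetical. It assumes the variable, when set, names a credential JSON file, and it goes one step further than the gate by checking that the file is a WIF `external_account` config rather than a service-account key.

```shell
#!/usr/bin/env bash
# Hypothetical helper, not taken from the cockroach build scripts.
# Prints "wif" or "legacy"; returns non-zero when the override is set
# but unusable, so a broken GHA run cannot fall back to the legacy path.
release_auth_mode() {
  local cred="${CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE:-}"
  if [ -z "$cred" ]; then
    # Variable unset: TeamCity-style caller, keep the legacy code path.
    echo legacy
    return 0
  fi
  if [ ! -r "$cred" ]; then
    echo "credential file not readable: $cred" >&2
    return 2
  fi
  # WIF credential configs carry "type": "external_account"; a long-lived
  # service-account key carries "service_account" and is rejected here.
  if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"external_account"' "$cred"; then
    echo "credential file is not a WIF (external_account) config" >&2
    return 3
  fi
  echo wif
}

# Runs the gate over constructed sample files (not real credentials).
demo_release_auth_mode() {
  local tmp
  tmp="$(mktemp -d)"
  printf '{"type": "external_account", "audience": "constructed"}\n' > "$tmp/wif.json"
  printf '{"type": "service_account", "private_key_id": "constructed"}\n' > "$tmp/key.json"
  ( unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE; release_auth_mode )
  ( export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="$tmp/wif.json"; release_auth_mode )
  ( export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE="$tmp/key.json"; release_auth_mode ) \
    || echo "rejected ($?)"
  rm -rf "$tmp"
}
```

Failing closed on a set-but-invalid override keeps the two paths separate: the legacy branch runs only when the variable is absent.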
Labels

backport Label PR's that are backports to older release branches T-code-systems
