release-24.3: release tooling: bundled backport of GHA-migration follow-ups#170820
Open
rail wants to merge 1 commit into
Open
Conversation
Contributor
|
Merging to
After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here |
|
Thanks for opening a backport. Before merging, please confirm that it falls into one of the following categories (select one):
Add a brief release justification to the PR description explaining your selection. Also, confirm that the change does not break backward compatibility and complies with all aspects of the backport policy. All backports must be reviewed by the TL and EM for the owning area. |
blathers-crl
Bot
added
backport
|
Your pull request contains more than 1000 changes. It is strongly encouraged to split big PRs into smaller chunks. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
Member
|
This change is |
rail
force-pushed
the
backport24.3-170348-170392-170657-170670-170686-170727-170765-170779
branch
from
fa3a3ca to
7a32bf4
Compare
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
force-pushed
the
backport24.3-170348-170392-170657-170670-170686-170727-170765-170779
branch
from
7a32bf4 to
3cb5d58
Compare
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
force-pushed
the
backport24.3-170348-170392-170657-170670-170686-170727-170765-170779
branch
from
3cb5d58 to
0e3ee63
Compare
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
force-pushed
the
backport24.3-170348-170392-170657-170670-170686-170727-170765-170779
branch
from
0e3ee63 to
9ce1c0c
Compare
rail
added a commit
to rail/cockroach
that referenced
this pull request
May 22, 2026
Bring release-24.1 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.1 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Mirrors the release-24.3 (cockroachdb#170820) and release-25.2 (cockroachdb#170813) backports: the legacy email/Jira release tooling that release-24.1 still carries is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits there are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.1 didn't carry it) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped from go.mod, go.sum, and DEPS.bzl. Branch-specific adjustments (release-24.1 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.1. (pkg/build/info.go itself is unchanged here because release-24.1 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.1's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.1). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.1 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.1 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.1 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts kept at 24.1 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
Bring release-24.3 in line with release-26.1's release-tooling stack so the new GitHub Actions release pipeline can drive 24.3 patch releases. This bundles the eight release-26.1 PRs listed below: cockroachdb#170348 release: migrate release pipelines from TeamCity to GitHub Actions cockroachdb#170392 build,release: forward IS_PRODUCTION_REPO into the release binary cockroachdb#170657 release: fix two prod release-workflow bugs cockroachdb#170670 release: bump release-notes API client timeout to 2 minutes cockroachdb#170686 release: fix two more prod release-workflow auth bugs cockroachdb#170727 release/sentry: use 'gcloud storage cp' to download artifact cockroachdb#170765 release: follow-ups to the pick-sha + cloud-rollout flow cockroachdb#170779 release: route build/publish notify to #release-ops by ID-vs-name Like the release-25.2 backport (cockroachdb#170813), the 8 commits don't cherry-pick cleanly onto release-24.3 because the legacy email/Jira release tooling (blockers.go, github.go, jira.go, metadata.go, orchestration.go, set_cockroach_version.go, their tests and templates) was removed before release-25.4 was cut. The release-tooling code is replaced wholesale with the post-PR state from release-26.1 (tip 97b3f3e): - pkg/cmd/release/ entire library lifted from release-26.1 tip; legacy email-tooling Go files, templates, and testdata deleted to match. - .github/workflows/release-{branch-cut,build-and-sign,pick-sha, publish}.yml added. - build/github/release-*.sh wrapper scripts added. - Shared TeamCity-era scripts (build/release/teamcity-*.sh, build/teamcity-bazel-support.sh, build/teamcity-common-support.sh, build/teamcity/internal/cockroach/release/{process,publish}/*.sh, build/teamcity/internal/release/process/build-cockroach-release-*.sh) lifted from release-26.1; the migration's edits here are additive WIF-auth branches gated on CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCity code paths still work. - cockroachdb/version added as a new dep (release-24.3 didn't have it at all) at the May 2025 pin so the new pkg/cmd/release can use version.IncPreRelease / IncPatch. go-github v61 also added. Orphaned deps from the deleted legacy tooling (andygrunwald/go-jira, google/go-github/v42, indirect trivago/tgo and fatih/structs) dropped. DEPS.bzl regenerated accordingly. Branch-specific adjustments (release-24.3 differs from release-26.1): - verify_docker_image reverted to detect FIPS via Go version + OpenSSL fingerprint. The 26.1 version greps for a 'FIPS enabled: true' line that requires the crypto/fips140-based check in pkg/build/info.go introduced post-24.3; release-24.3's cockroach binary doesn't emit it. (pkg/build/info.go itself is unchanged on this branch because release-24.3 still uses the internal pkg/util/version package and never adopted the cockroachdb/version external module that introduced the IsCustomOrAdhocBuild rename.) - TEAMCITY_BUILD_PROPERTIES_FILE mount removed from run_bazel — release-24.3's TC environment doesn't set it. - run_bazel_fips left removed (no callers on release-24.3). - linux-s390x dropped from build-linux / build-per-platform-ibm matrices, release-sign-ibm.sh's iteration, the publish-staged platforms list, and the cloud-only comment. release-24.3 does not build s390x. IBM build/sign jobs are kept (no-telemetry linux variants, not s390x-only). - build-cockroach-release-per-platform.sh reverted to 'publish-provisional-artifacts -provisional -release' — release-24.3 predates the publish-artifacts rename + release subcommand split. - build-cockroach-release-per-platform.sh restores the '--build-arg fips_enabled=1' branch for the FIPS docker image; the release-24.3 build/deploy/Dockerfile gates FIPS package installation on this arg. - make-and-publish-* TC-only nightly scripts reverted to 24.3 originals — they aren't on the GHA call path. Release justification: release-tooling backport for GHA migration. Epic: none Release note: None
rail
force-pushed
the
backport24.3-170348-170392-170657-170670-170686-170727-170765-170779
branch
from
9ce1c0c to
e9de4e4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport of 8 release-26.1 PRs onto release-24.3 so the new GitHub
Actions release pipeline can drive 24.3 patch releases on behalf of @rail:
Same wholesale-replacement strategy as the release-25.2 backport
(#170813). release-24.3 still carries the legacy email/Jira release
tooling, so the migration PR's
pick_sha.gocollides with thepre-existing one. Rather than hand-merging hundreds of hunks,
pkg/cmd/release/is replaced with the post-PR state fromrelease-26.1 (tip 97b3f3e), and the four GHA workflows plus
build/github/release-*.shwrappers are added. Shared TeamCity-erascripts (
build/release/teamcity-*.sh,build/teamcity-bazel- support.sh, the TCbuild-cockroach-release-*.shscripts that thenew pipeline calls into) are lifted from release-26.1 too — the
migration's edits there are additive WIF-auth branches gated on
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE, so the legacy TeamCitycode paths still work.
Dep changes:
cockroachdb/versionadded as a new dep at the May 2025 pin —release-24.3 didn't carry it at all.
go-github/v61also added.andygrunwald/go-jira,google/go-github/v42, indirecttrivago/tgoandfatih/structs.pkg/build/info.gois unchanged onthis branch because release-24.3 uses the internal
pkg/util/versionpackage and never adopted thecockroachdb/versionexternal module (so theIsCustomOrNightlyBuild→IsCustomOrAdhocBuildrename thatrelease-25.2's backport had to handle doesn't apply here).
Branch-specific adjustments (vs. the version copied from 26.1):
verify_docker_imagereverted to detect FIPS via Go version +OpenSSL fingerprint. The 26.1 version greps for a
FIPS enabled: trueline that requires thecrypto/fips140-based check inpkg/build/info.gointroduced post-24.3.TEAMCITY_BUILD_PROPERTIES_FILEmount removed fromrun_bazel—the var isn't set in release-24.3's TC environment.
run_bazel_fipsleft removed (no callers on release-24.3).build-linux/build-per-platform-ibmmatrices,
release-sign-ibm.sh's iteration, the publish-stagedplatforms list, and the cloud-only comment. release-24.3 does not
build s390x. IBM build/sign jobs are kept (no-telemetry linux
variants, not s390x-only).
build-cockroach-release-per-platform.shreverted topublish-provisional-artifacts -provisional -release— release-24.3predates the
publish-artifactsrename +releasesubcommand split.build-cockroach-release-per-platform.shrestores the--build-arg fips_enabled=1branch for the FIPS docker image; therelease-24.3
build/deploy/Dockerfilegates FIPS packageinstallation on this arg.
make-and-publish-*TC-only nightly scripts reverted to 24.3originals — they aren't on the GHA call path.
Release justification: release-tooling backport for GHA migration.
Epic: none
Release note: None