GH-49686: [C++][FlightRPC][ODBC][Release] Create signing script for Windows FlightSQL ODBC build#49788
GH-49686: [C++][FlightRPC][ODBC][Release] Create signing script for Windows FlightSQL ODBC build#49788amoeba wants to merge 22 commits intoapache:mainfrom
Conversation
amoeba
requested review from
assignUser,
jonkeane,
kou and
raulcd
as code owners
| echo "[4/9] Removing unsigned DLL from GitHub Release..." | ||
| gh release delete-asset "${tag}" \ | ||
| --repo "${GITHUB_REPOSITORY}" \ | ||
| --yes \ | ||
| "${dll_unsigned}" |
There was a problem hiding this comment.
Why do we need to remove unsigned DLL?
There was a problem hiding this comment.
Just to reduce confusion and artifact usage, we don't need to. I don't know if I have a principled reason either way. If we did jsign signing entirely in CI, we'd probably build the unsigned DLL, sign it, and only upload the signed version. Happy to change this though.
There was a problem hiding this comment.
I see.
How about keeping the unsigned DLL while we use this workflow (building the unsigned DLL in CI, signing the unsigned DLL on local and uploading the signed DLL from local) so that we may be able to debug something or retry signing when the signed DLL has any problem.
There was a problem hiding this comment.
I like that idea. I removed the step in ac39888.
| run_url=$(gh workflow run cpp_extra.yml \ | ||
| --repo "${GITHUB_REPOSITORY}" \ | ||
| --ref "${tag}" \ | ||
| --field odbc_release_step=true 2>&1 | grep -oE 'https://[^ ]+') | ||
| run_id=${run_url##*/} # Extract the run ID from the URL (the part after the last slash) |
There was a problem hiding this comment.
How about using --json and --jq like we did in
arrow/dev/release/utils-watch-gh-workflow.sh
Lines 37 to 43 in 6dd07b1
There was a problem hiding this comment.
workflow run doesn't have a --json output arg and the command just prints,
[4/9] Triggering odbc_release_step in cpp_extra.yml workflow...
✓ Created workflow_dispatch event for cpp_extra.yml at AMOEBA-arrow-99.9.9-rc0
https://github.com/amoeba/arrow/actions/runs/24583481107
To see the created workflow run, try: gh run view 24583481107
To see runs for this workflow, try: gh run list --workflow="cpp_extra.yml"
Doing it this way isn't ideal but it seems slightly better than the alternative which would be to use gh run list with the right filters and assume the first result is the correct run. I guess that's a pretty safe assumption.
Do you have a preference?
There was a problem hiding this comment.
Oh, sorry. I misunderstood the used command...
Doing it this way isn't ideal but it seems slightly better than the alternative which would be to use
gh run listwith the right filters and assume the first result is the correct run. I guess that's a pretty safe assumption.Do you have a preference?
If it works, I prefer it. Parsing free format text may be fragile. gh workflow run output format may be changed.
If it doesn't work, let's parsing free format text.
There was a problem hiding this comment.
That's a good point. I think we can use utils-watch-gha-workflow.sh for this then. It already includes --interval.
There was a problem hiding this comment.
Pull request overview
Adds release automation scripts under dev/release/ to support Windows FlightSQL ODBC artifact signing and GitHub Release/RC verification steps as part of the Arrow release process.
Changes:
- Add a new
07-flightsqlodbc-upload.shscript intended to download, sign, and re-upload the FlightSQL ODBC DLL/MSI to the RC GitHub Release. - Add
08-publish-gh-release.shto publish (undraft) an RC GitHub Release. - Add
09-binary-verify.shto rerun theverify_rc.ymlworkflow for an RC tag.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| dev/release/07-flightsqlodbc-upload.sh | New local signing + upload workflow for FlightSQL ODBC Windows DLL/MSI artifacts. |
| dev/release/08-publish-gh-release.sh | New script to mark the RC GitHub Release as non-draft. |
| dev/release/09-binary-verify.sh | New script to rerun the GitHub Actions RC verification workflow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Sutou Kouhei <kou@cozmixng.org>
github-actions
bot
added
awaiting change review
|
The pre-commit failure in https://github.com/apache/arrow/actions/runs/24610839359/job/71964834631?pr=49788#step:5:192 looks like it's caused by an unrelated issue. The fs package recently made a breaking change and it now requires libuv-dev. I'm going to test a fix in ff033b6 but will revert it and put it into another PR. See #49594 for more context. |
This reverts commit ff033b6.
|
Thanks for the review @kou. I think I've addressed everything so this is ready for another review. |
…kage (#49791) ### Rationale for this change Pre-commit in CI just started to fail trying to install the R `fs` package. See https://github.com/apache/arrow/actions/runs/24610839359. I think we didn't see this until now because we were using cached pre-commit and a recent PR of mine just invalidated the cache incidentally. See also #49594. The `fs` package recently made a change that requires we install libuv development headers to install it. ### What changes are included in this PR? - Updates dev.yml to Install libuv1-dev ### Are these changes tested? Yes. See my other PR: #49788 (comment). ### Are there any user-facing changes? No. Authored-by: Bryce Mecum <petridish@gmail.com> Signed-off-by: Bryce Mecum <petridish@gmail.com>
github-actions
bot
added
awaiting changes
| if [ -z "${ESIGNER_STOREPASS:-}" ]; then | ||
| echo "ERROR: ESIGNER_STOREPASS is not set" >&2 | ||
| exit 1 | ||
| fi | ||
| if [ -z "${ESIGNER_KEYPASS:-}" ]; then | ||
| echo "ERROR: ESIGNER_KEYPASS is not set" >&2 | ||
| exit 1 | ||
| fi |
There was a problem hiding this comment.
Could you move them after utils-env.sh?
| ?^dev/release/05-binary-upload\.sh$| | ||
| ?^dev/release/08-binary-verify\.sh$| | ||
| ?^dev/release/07-flightsqlodbc-upload\.sh$| | ||
| ?^dev/release/09-binary-verify\.sh$| |
There was a problem hiding this comment.
Could you also add 08-publishgh-release.sh if it doesn't have any lint failures?
If it has any lint failures, it's out of scope of this PR.
Could you also add 07-flightsqlodbc-upload.sh to
Lines 365 to 383 in 7190a7c
There was a problem hiding this comment.
I checked 08-publishgh-release.sh locally, and it has one failure. I'll file a separate PR.
I added the script to the shfmt step in fa646fc.
github-actions
bot
added
awaiting merge
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 6 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Rationale for this change
We need a script for the release manager to run during the release to locally sign the Windows artifacts for the FlightSQL ODBC driver.
Ref: #49404
What changes are included in this PR?
07-flightsql-odbc-upload.shAre these changes tested?
Not 100% but I've tested each step separately. I tested on my fork using fake tags and releases.
Are there any user-facing changes?
No.