Copilot commented on code in PR #49788: URL: https://github.com/apache/arrow/pull/49788#discussion_r3105086459
########## dev/release/07-flightsqlodbc-upload.sh: ########## @@ -0,0 +1,190 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# FlightSQL ODBC Release Signing Script +# +# This script handles the signing of FlightSQL ODBC Windows binaries and MSI +# installer. It requires jsign to be configured with ASF code signing +# credentials. Keep reading below: +# +# Required environment variables: +# +# ESIGNER_STOREPASS - The ssl.com credentials in "username|password" format +# ESIGNER_KEYPASS - The ssl.com eSigner secret code (not the PIN) +# +# How to get ESIGNER_KEYPASS: +# +# 1. Log into ssl.com +# 2. In your Dashboard, under "invitations", click the link under the order. Or +# go to Orders, find the order, expand the order, and click "certificate +# details" +# 3. Enter your PIN to get your OTP. This is ESIGNER_KEYPASS. +# +# If you don't have access, see https://infra.apache.org/code-signing-use.html. + +set -e +set -u +set -o pipefail + +SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +if [ "$#" -ne 2 ]; then + echo "Usage: $0 <version> <rc-num>" + exit 1 +fi + +if [ -z "${ESIGNER_STOREPASS:-}" ]; then + echo "ERROR: ESIGNER_STOREPASS is not set" >&2 + exit 1 +fi +if [ -z "${ESIGNER_KEYPASS:-}" ]; then + echo "ERROR: ESIGNER_KEYPASS is not set" >&2 + exit 1 +fi + +. "${SOURCE_DIR}/utils-env.sh" + +version=$1 +rc=$2 + +version_with_rc="${version}-rc${rc}" +tag="apache-arrow-${version_with_rc}" + +dll_unsigned="arrow_flight_sql_odbc_unsigned.dll" +dll_signed="arrow_flight_sql_odbc.dll" + +: "${GITHUB_REPOSITORY:=apache/arrow}" + +: ${PHASE_DEFAULT=1} +: ${PHASE_SIGN_DLL=${PHASE_DEFAULT}} +: ${PHASE_BUILD_MSI=${PHASE_DEFAULT}} +: ${PHASE_SIGN_MSI=${PHASE_DEFAULT}} + +if [ ${PHASE_SIGN_DLL} -eq 0 ] && [ ${PHASE_BUILD_MSI} -eq 0 ] && [ ${PHASE_SIGN_MSI} -eq 0 ]; then + echo "No phases specified. Exiting." + exit 1 +fi + +# Utility function to use jsign to check if a file is signed or not +is_signed() { + local file="$1" + local output + local exit_code + output=$(jsign extract --format PEM "${file}" 2>&1) + exit_code=$? + # jsign writes a PEM file even though it also prints to stdout. Clean up after + # it. Use -f since so it still runs on unsigned files without error. + rm -f "${file}.sig.pem" + + return ${exit_code} +} Review Comment: `is_signed()` uses `output=$(jsign extract ...)` while `set -e` is enabled. If the file is unsigned, `jsign extract` will return non-zero and the whole script will exit before `exit_code=$?` / cleanup runs, so the “unsigned vs signed” checks can’t work. Consider temporarily disabling `-e` inside the function (or using an `if jsign extract ...; then ...` pattern) and always running the cleanup. ########## dev/release/07-flightsqlodbc-upload.sh: ########## @@ -0,0 +1,190 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# FlightSQL ODBC Release Signing Script +# +# This script handles the signing of FlightSQL ODBC Windows binaries and MSI +# installer. It requires jsign to be configured with ASF code signing +# credentials. Keep reading below: +# +# Required environment variables: +# +# ESIGNER_STOREPASS - The ssl.com credentials in "username|password" format +# ESIGNER_KEYPASS - The ssl.com eSigner secret code (not the PIN) +# +# How to get ESIGNER_KEYPASS: +# +# 1. Log into ssl.com +# 2. In your Dashboard, under "invitations", click the link under the order. Or +# go to Orders, find the order, expand the order, and click "certificate +# details" +# 3. Enter your PIN to get your OTP. This is ESIGNER_KEYPASS. +# +# If you don't have access, see https://infra.apache.org/code-signing-use.html. + +set -e +set -u +set -o pipefail + +SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +if [ "$#" -ne 2 ]; then + echo "Usage: $0 <version> <rc-num>" + exit 1 +fi + +if [ -z "${ESIGNER_STOREPASS:-}" ]; then + echo "ERROR: ESIGNER_STOREPASS is not set" >&2 + exit 1 +fi +if [ -z "${ESIGNER_KEYPASS:-}" ]; then + echo "ERROR: ESIGNER_KEYPASS is not set" >&2 + exit 1 +fi + +. "${SOURCE_DIR}/utils-env.sh" + +version=$1 +rc=$2 + +version_with_rc="${version}-rc${rc}" +tag="apache-arrow-${version_with_rc}" + +dll_unsigned="arrow_flight_sql_odbc_unsigned.dll" +dll_signed="arrow_flight_sql_odbc.dll" + +: "${GITHUB_REPOSITORY:=apache/arrow}" + +: ${PHASE_DEFAULT=1} +: ${PHASE_SIGN_DLL=${PHASE_DEFAULT}} +: ${PHASE_BUILD_MSI=${PHASE_DEFAULT}} +: ${PHASE_SIGN_MSI=${PHASE_DEFAULT}} + +if [ ${PHASE_SIGN_DLL} -eq 0 ] && [ ${PHASE_BUILD_MSI} -eq 0 ] && [ ${PHASE_SIGN_MSI} -eq 0 ]; then + echo "No phases specified. Exiting." + exit 1 +fi + +# Utility function to use jsign to check if a file is signed or not +is_signed() { + local file="$1" + local output + local exit_code + output=$(jsign extract --format PEM "${file}" 2>&1) + exit_code=$? + # jsign writes a PEM file even though it also prints to stdout. Clean up after + # it. Use -f since so it still runs on unsigned files without error. + rm -f "${file}.sig.pem" + + return ${exit_code} +} + +# All work with release artifacts happens in a temp dir +tmp_dir="$(mktemp -d)" + +if [ ${PHASE_SIGN_DLL} -gt 0 ]; then + echo "[1/9] Downloading ${dll_unsigned} from release..." + gh release download "${tag}" \ + --repo "${GITHUB_REPOSITORY}" \ + --pattern "${dll_unsigned}" \ + --dir "${tmp_dir}" + if is_signed "${tmp_dir}/${dll_unsigned}"; then + echo "ERROR: ${dll_unsigned} is already signed" >&2 + exit 1 + fi + + echo "[2/9] Signing ${dll_signed}..." + echo "NOTE: Running jsign. You may be prompted for your OTP PIN..." + jsign --storetype ESIGNER \ + --alias d97c5110-c66a-4c0c-ac0c-1cd6af812ee6 \ + --storepass "${ESIGNER_STOREPASS}" \ + --keypass "${ESIGNER_KEYPASS}" \ + --tsaurl="http://ts.ssl.com"; \ + --tsmode RFC3161 \ + --alg SHA256 \ + "${tmp_dir}/${dll_unsigned}" + if ! is_signed "${tmp_dir}/${dll_signed}"; then + echo "ERROR: ${dll_signed} is not signed" >&2 + exit 1 + fi + + echo "[3/9] Uploading signed DLL to GitHub Release..." + gh release upload "${tag}" \ + --repo "${GITHUB_REPOSITORY}" \ + --clobber \ + "${tmp_dir}/${dll_signed}" + Review Comment: The DLL signing phase signs `${dll_unsigned}` in place, but then verifies/uploads `${dll_signed}` (`arrow_flight_sql_odbc.dll`) without ever creating/renaming that file. As written, the verification will fail and the upload will reference a non-existent path. After signing, rename/copy the signed `${dll_unsigned}` to `${dll_signed}` (or update the subsequent checks/uploads to point at the actual signed file). ########## dev/release/07-flightsqlodbc-upload.sh: ########## @@ -0,0 +1,190 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# FlightSQL ODBC Release Signing Script +# +# This script handles the signing of FlightSQL ODBC Windows binaries and MSI +# installer. It requires jsign to be configured with ASF code signing +# credentials. Keep reading below: Review Comment: PR description mentions creating `07-flightsql-odbc-upload.sh`, but the added script is named `07-flightsqlodbc-upload.sh` (no dash). If the release guide / automation refers to the dashed name, this mismatch will break those instructions—either rename the script to match the documented name or update the docs accordingly. ########## dev/release/07-flightsqlodbc-upload.sh: ########## @@ -0,0 +1,190 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# FlightSQL ODBC Release Signing Script +# +# This script handles the signing of FlightSQL ODBC Windows binaries and MSI +# installer. It requires jsign to be configured with ASF code signing +# credentials. Keep reading below: +# +# Required environment variables: +# +# ESIGNER_STOREPASS - The ssl.com credentials in "username|password" format +# ESIGNER_KEYPASS - The ssl.com eSigner secret code (not the PIN) +# +# How to get ESIGNER_KEYPASS: +# +# 1. Log into ssl.com +# 2. In your Dashboard, under "invitations", click the link under the order. Or +# go to Orders, find the order, expand the order, and click "certificate +# details" +# 3. Enter your PIN to get your OTP. This is ESIGNER_KEYPASS. +# +# If you don't have access, see https://infra.apache.org/code-signing-use.html. + +set -e +set -u +set -o pipefail + +SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +if [ "$#" -ne 2 ]; then + echo "Usage: $0 <version> <rc-num>" + exit 1 +fi + +if [ -z "${ESIGNER_STOREPASS:-}" ]; then + echo "ERROR: ESIGNER_STOREPASS is not set" >&2 + exit 1 +fi +if [ -z "${ESIGNER_KEYPASS:-}" ]; then + echo "ERROR: ESIGNER_KEYPASS is not set" >&2 + exit 1 +fi + +. "${SOURCE_DIR}/utils-env.sh" + +version=$1 +rc=$2 + +version_with_rc="${version}-rc${rc}" +tag="apache-arrow-${version_with_rc}" + +dll_unsigned="arrow_flight_sql_odbc_unsigned.dll" +dll_signed="arrow_flight_sql_odbc.dll" + +: "${GITHUB_REPOSITORY:=apache/arrow}" + +: ${PHASE_DEFAULT=1} +: ${PHASE_SIGN_DLL=${PHASE_DEFAULT}} +: ${PHASE_BUILD_MSI=${PHASE_DEFAULT}} +: ${PHASE_SIGN_MSI=${PHASE_DEFAULT}} Review Comment: The phase default assignments use unquoted `${var=...}` expansions (e.g. `: ${PHASE_DEFAULT=1}`), which differs from the pattern used elsewhere in these release scripts (e.g. `: "${UPLOAD_DEFAULT:=1}"` in `05-binary-upload.sh`). Quoting and `:=` avoids word-splitting/globbing surprises and is more consistent with the rest of `dev/release`. ```suggestion : "${PHASE_DEFAULT:=1}" : "${PHASE_SIGN_DLL:=${PHASE_DEFAULT}}" : "${PHASE_BUILD_MSI:=${PHASE_DEFAULT}}" : "${PHASE_SIGN_MSI:=${PHASE_DEFAULT}}" ``` ########## dev/release/08-publish-gh-release.sh: ########## @@ -0,0 +1,38 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +set -e +set -u +set -o pipefail + +SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +if [ "$#" -ne 2 ]; then + echo "Usage: $0 <version> <rc-num>" + exit +fi + +. "${SOURCE_DIR}/utils-env.sh" + +version=$1 +rc=$2 +REPOSITORY="apache/arrow" + +rc_tag="apache-arrow-${version}-rc${rc}" +gh release edit ${rc_tag} --repo ${REPOSITORY} --draft=false Review Comment: This file duplicates `dev/release/07-publish-gh-release.sh` (same contents) but with a different step number. Keeping both versions will be confusing and risks the release guide pointing at the wrong step. Consider renumbering by renaming/moving the existing script (and updating references) instead of adding a duplicate, or deleting one of the copies. ```suggestion # Compatibility wrapper: delegate to the canonical implementation to avoid # keeping two numbered scripts with the same release logic. exec "${SOURCE_DIR}/07-publish-gh-release.sh" "$@" ``` ########## dev/release/07-flightsqlodbc-upload.sh: ########## @@ -0,0 +1,190 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# FlightSQL ODBC Release Signing Script +# +# This script handles the signing of FlightSQL ODBC Windows binaries and MSI +# installer. It requires jsign to be configured with ASF code signing +# credentials. Keep reading below: +# +# Required environment variables: +# +# ESIGNER_STOREPASS - The ssl.com credentials in "username|password" format +# ESIGNER_KEYPASS - The ssl.com eSigner secret code (not the PIN) +# +# How to get ESIGNER_KEYPASS: +# +# 1. Log into ssl.com +# 2. In your Dashboard, under "invitations", click the link under the order. Or +# go to Orders, find the order, expand the order, and click "certificate +# details" +# 3. Enter your PIN to get your OTP. This is ESIGNER_KEYPASS. +# +# If you don't have access, see https://infra.apache.org/code-signing-use.html. + +set -e +set -u +set -o pipefail + +SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +if [ "$#" -ne 2 ]; then + echo "Usage: $0 <version> <rc-num>" + exit 1 +fi + +if [ -z "${ESIGNER_STOREPASS:-}" ]; then + echo "ERROR: ESIGNER_STOREPASS is not set" >&2 + exit 1 +fi +if [ -z "${ESIGNER_KEYPASS:-}" ]; then + echo "ERROR: ESIGNER_KEYPASS is not set" >&2 + exit 1 +fi + +. "${SOURCE_DIR}/utils-env.sh" + +version=$1 +rc=$2 + +version_with_rc="${version}-rc${rc}" +tag="apache-arrow-${version_with_rc}" + +dll_unsigned="arrow_flight_sql_odbc_unsigned.dll" +dll_signed="arrow_flight_sql_odbc.dll" + +: "${GITHUB_REPOSITORY:=apache/arrow}" + +: ${PHASE_DEFAULT=1} +: ${PHASE_SIGN_DLL=${PHASE_DEFAULT}} +: ${PHASE_BUILD_MSI=${PHASE_DEFAULT}} +: ${PHASE_SIGN_MSI=${PHASE_DEFAULT}} + +if [ ${PHASE_SIGN_DLL} -eq 0 ] && [ ${PHASE_BUILD_MSI} -eq 0 ] && [ ${PHASE_SIGN_MSI} -eq 0 ]; then + echo "No phases specified. Exiting." + exit 1 +fi + +# Utility function to use jsign to check if a file is signed or not +is_signed() { + local file="$1" + local output + local exit_code + output=$(jsign extract --format PEM "${file}" 2>&1) + exit_code=$? + # jsign writes a PEM file even though it also prints to stdout. Clean up after + # it. Use -f since so it still runs on unsigned files without error. + rm -f "${file}.sig.pem" + + return ${exit_code} +} + +# All work with release artifacts happens in a temp dir +tmp_dir="$(mktemp -d)" + +if [ ${PHASE_SIGN_DLL} -gt 0 ]; then + echo "[1/9] Downloading ${dll_unsigned} from release..." + gh release download "${tag}" \ + --repo "${GITHUB_REPOSITORY}" \ + --pattern "${dll_unsigned}" \ + --dir "${tmp_dir}" + if is_signed "${tmp_dir}/${dll_unsigned}"; then + echo "ERROR: ${dll_unsigned} is already signed" >&2 + exit 1 + fi + + echo "[2/9] Signing ${dll_signed}..." + echo "NOTE: Running jsign. You may be prompted for your OTP PIN..." + jsign --storetype ESIGNER \ + --alias d97c5110-c66a-4c0c-ac0c-1cd6af812ee6 \ + --storepass "${ESIGNER_STOREPASS}" \ + --keypass "${ESIGNER_KEYPASS}" \ + --tsaurl="http://ts.ssl.com"; \ + --tsmode RFC3161 \ + --alg SHA256 \ + "${tmp_dir}/${dll_unsigned}" + if ! is_signed "${tmp_dir}/${dll_signed}"; then + echo "ERROR: ${dll_signed} is not signed" >&2 + exit 1 + fi + + echo "[3/9] Uploading signed DLL to GitHub Release..." + gh release upload "${tag}" \ + --repo "${GITHUB_REPOSITORY}" \ + --clobber \ + "${tmp_dir}/${dll_signed}" + + echo "[4/9] Removing unsigned DLL from GitHub Release..." + gh release delete-asset "${tag}" \ + --repo "${GITHUB_REPOSITORY}" \ + --yes \ + "${dll_unsigned}" +fi + +if [ ${PHASE_BUILD_MSI} -gt 0 ]; then + echo "[5/9] Triggering odbc_release_step in cpp_extra.yml workflow..." + run_url=$(gh workflow run cpp_extra.yml \ + --repo "${GITHUB_REPOSITORY}" \ + --ref "${tag}" \ + --field odbc_release_step=true 2>&1 | grep -oE 'https://[^ ]+') + run_id=${run_url##*/} # Extract the run ID from the URL (the part after the last slash) + if [ -z "${run_id}" ]; then + echo "ERROR: failed to get run ID from workflow trigger" >&2 + exit 1 + fi + echo "Triggered run: ${run_url}" Review Comment: `run_url=$(gh workflow run ... | grep ...)` runs under `set -e -o pipefail`; if `gh` output format changes or `grep` finds no match, the assignment will cause an immediate exit and the later `run_id` validation won’t run. Prefer using `gh workflow run ... --json` (if available) or add a non-fatal fallback (`|| true`) and/or follow up by querying `gh run list` for the latest run on the tag. ```suggestion trigger_output=$(gh workflow run cpp_extra.yml \ --repo "${GITHUB_REPOSITORY}" \ --ref "${tag}" \ --field odbc_release_step=true 2>&1) run_url=$(printf '%s\n' "${trigger_output}" | grep -oE 'https://[^ ]+' || true) run_id="" if [ -n "${run_url}" ]; then run_id=${run_url##*/} # Extract the run ID from the URL (the part after the last slash) fi if [ -z "${run_id}" ]; then run_id=$(gh run list \ --repo "${GITHUB_REPOSITORY}" \ --workflow cpp_extra.yml \ --branch "${tag}" \ --limit 1 \ --json databaseId \ --jq '.[0].databaseId' || true) fi if [ -z "${run_id}" ] || [ "${run_id}" = "null" ]; then echo "ERROR: failed to get run ID from workflow trigger" >&2 exit 1 fi if [ -n "${run_url}" ]; then echo "Triggered run: ${run_url}" else echo "Triggered run id: ${run_id}" fi ``` ########## dev/release/09-binary-verify.sh: ########## @@ -0,0 +1,49 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +set -e +set -u +set -o pipefail + +SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +if [ "$#" -ne 2 ]; then + echo "Usage: $0 <version> <rc-num>" + exit +fi + +. "${SOURCE_DIR}/utils-env.sh" + +version=$1 +rc=$2 + +rc_tag="apache-arrow-${version}-rc${rc}" +repository="${REPOSITORY:-apache/arrow}" + +run_id=$(gh run list \ + --branch "${rc_tag}" \ + --jq '.[].databaseId' \ + --json databaseId \ + --limit 1 \ + --repo "${repository}" \ + --workflow "verify_rc.yml") +gh run rerun \ + "${run_id}" \ + --failed \ + --repo "${repository}" Review Comment: `run_id` is derived from `gh run list` without checking for an empty result. If there are no matching runs on the tag (or the workflow name changes), `gh run rerun` will be invoked with an empty ID. Add a guard that errors out with a clear message when `run_id` is empty (similar to `utils-watch-gh-workflow.sh`). ########## dev/release/09-binary-verify.sh: ########## @@ -0,0 +1,49 @@ +#!/usr/bin/env bash +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +set -e +set -u +set -o pipefail + +SOURCE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +if [ "$#" -ne 2 ]; then + echo "Usage: $0 <version> <rc-num>" + exit +fi + +. "${SOURCE_DIR}/utils-env.sh" + +version=$1 +rc=$2 + +rc_tag="apache-arrow-${version}-rc${rc}" +repository="${REPOSITORY:-apache/arrow}" + +run_id=$(gh run list \ + --branch "${rc_tag}" \ + --jq '.[].databaseId' \ + --json databaseId \ + --limit 1 \ + --repo "${repository}" \ + --workflow "verify_rc.yml") +gh run rerun \ + "${run_id}" \ + --failed \ + --repo "${repository}" Review Comment: This script is a copy of `dev/release/08-binary-verify.sh` but renumbered. Having both makes it unclear which step should be used and makes future changes easy to miss in one of the copies. Prefer renaming the existing script (and updating references) rather than adding a duplicate. ```suggestion # Keep this script as a compatibility entry point, but delegate to the # canonical implementation to avoid maintaining duplicate release logic. exec "${SOURCE_DIR}/08-binary-verify.sh" "$@" ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
