
ci: use tidbx images for next-gen integration #1995

Open

wuhuizuo wants to merge 2 commits into tikv:master from wuhuizuo:feat/nextgen-tidbx-gar-auth

Conversation


@wuhuizuo wuhuizuo commented Jun 8, 2026

Contributor

Summary

  • authenticate the next-gen integration workflow to GAR through Workload Identity Federation
  • fetch next-gen PD and TiKV binaries from pingcap-testing-account/tidbx
  • resolve image tags from the target branch so release-nextgen-* uses the branch name while main/master use the fixed next-gen tags
  • restrict the job to supported branches and same-repository PRs before requesting cloud credentials

Image mapping

  • PD: us-docker.pkg.dev/pingcap-testing-account/tidbx/tikv/pd/image:<tag>
  • TiKV: us-docker.pkg.dev/pingcap-testing-account/tidbx/tikv/tikv/image:<tag>

Tag rules

  • release-nextgen-* -> <tag> is the target branch name
  • main / master -> PD master-nextgen, TiKV cloud-engine-nextgen

Notes

  • this change assumes the GCP Workload Identity provider projects/890604261603/locations/global/workloadIdentityPools/github-tikv/providers/github-oidc and the tidbx-gar-reader@pingcap-testing-account.iam.gserviceaccount.com binding are in place

Summary by CodeRabbit

  • Chores
    • CI pipeline now runs for additional feature and release branches to broaden automated testing.
    • Improved build/runtime asset retrieval with authenticated access and dynamic image/tag resolution for Next‑Gen components.


ti-chi-bot Bot commented Jun 8, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ekexium for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ti-chi-bot Bot added the labels contribution (This PR is from a community contributor.) and dco-signoff: no (Indicates the PR's author has not signed dco.) on Jun 8, 2026

coderabbitai Bot commented Jun 8, 2026


Walkthrough

The integration workflow expands branch triggers to include feature/* and release-nextgen-*, adds job-level permissions for integration-next-gen-tikv, and replaces hardcoded Next-Gen PD/TiKV sources with GAR-based tag resolution plus Google Cloud workload identity authentication and GAR login to fetch binaries.

Changes

Next-Gen TiKV Integration Workflow

  • Workflow triggers and job gating (.github/workflows/integration.yml): updated push/pull_request branch filters to include feature/* and release-nextgen-*; added explicit job-level permissions (contents: read, id-token: write) and refined job gating based on event type and target/base branch patterns.
  • Image resolution and GAR authentication (.github/workflows/integration.yml): replaced hardcoded Next-Gen PD/TiKV image sources with logic that resolves GAR image tags from the target/base branch, obtains a GCP access token via workload identity, logs into Google Artifact Registry with that token, and pulls PD and TiKV binaries from GAR using the resolved tags. Included a whitespace-only change.

Review effort: 4 (Complex), ~45 minutes

🐰
Branch by branch the tags align,
Workload keys unlock the sign,
From GAR the binaries hop,
No hardcodes left to stop. 🥕

Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and concisely summarizes the main change: using tidbx images (from Google Artifact Registry) for the next-gen integration workflow.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


ti-chi-bot Bot added the label size/M (Denotes a PR that changes 30-99 lines, ignoring generated files.) on Jun 8, 2026

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/integration.yml (1)

201-215: ⚡ Quick win

Consider pinning actions to SHA hashes for supply chain security.

The static analysis tool flagged google-github-actions/auth@v3 and docker/login-action@v3 as unpinned. SHA-pinned references (e.g., google-github-actions/auth@<commit-sha>) prevent tag mutations from silently changing action behavior.

However, I note that existing actions in this file (actions/checkout@v2, actions/setup-go@v4, shrink/actions-docker-extract@v1) also use version tags rather than SHA hashes, so this is consistent with current practice. A comprehensive pinning effort could be addressed separately.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration.yml around lines 201 - 215, The workflow uses
unpinned action versions (google-github-actions/auth@v3 and
docker/login-action@v3); replace each tag with the corresponding commit SHA to
pin the action (e.g., google-github-actions/auth@<commit-sha> and
docker/login-action@<commit-sha>) by looking up the canonical commit in each
action's GitHub repo and updating the uses: fields for the "Authenticate to
Google Cloud" (auth) step and the "Login to GAR" step so the workflow references
the exact commit SHA instead of the v3 tag.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1ccd89ac-7384-4d43-882f-74912dffde5d

📥 Commits

Reviewing files that changed from the base of the PR and between 0242c57 and c4acd8b.

📒 Files selected for processing (1)
  • .github/workflows/integration.yml

@wuhuizuo wuhuizuo force-pushed the feat/nextgen-tidbx-gar-auth branch from c4acd8b to 68e22e0 Compare June 8, 2026 11:58
ti-chi-bot Bot added the label dco-signoff: yes (Indicates the PR's author has signed the dco.) and removed dco-signoff: no (Indicates the PR's author has not signed dco.) on Jun 8, 2026
@wuhuizuo wuhuizuo force-pushed the feat/nextgen-tidbx-gar-auth branch from 68e22e0 to dab0fe2 Compare June 8, 2026 11:59

wuhuizuo commented Jun 8, 2026

Contributor Author

Updated this PR:

  • removed the main branch path from the next-gen integration workflow
  • kept support for master and release-nextgen-* only
  • force-pushed a signed-off commit to satisfy DCO

Current tag rules are:

  • release-nextgen-* -> use the target branch name for both PD and TiKV
  • master -> PD master-nextgen, TiKV cloud-engine-nextgen

@wuhuizuo wuhuizuo force-pushed the feat/nextgen-tidbx-gar-auth branch from dab0fe2 to 026b825 Compare June 8, 2026 12:00

wuhuizuo commented Jun 8, 2026

Contributor Author

Follow-up update:

  • for pull_request, any same-repository PR now uses the next-gen job
  • tag resolution is now:
    • release-nextgen-* target branch -> use that branch name for both PD and TiKV
    • any other target branch -> fall back to the same tags as master (master-nextgen for PD, cloud-engine-nextgen for TiKV)
  • force-pushed another signed-off commit with this adjustment

Signed-off-by: wuhuizuo <wuhuizuo@126.com>
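As an added example, not code from this PR or the tikv repository, the tag-resolution rules stated above (release-nextgen-* branches take the branch name, everything else the master tags) together with the credential-gating rule from the description (push events, or same-repository pull requests without the skip-integration-tests label), written as POSIX shell functions that can be exercised outside GitHub Actions; the registry paths come from the PR's image mapping, while the function names and the comma-separated label list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from this PR or the tikv repository: the tag
# resolution and credential-gating rules from the thread as POSIX shell
# functions that can be exercised outside GitHub Actions. Registry paths are
# the ones in the PR description; function names and the label handling are
# this example's own assumptions.
set -eu

GAR_BASE="us-docker.pkg.dev/pingcap-testing-account/tidbx/tikv"

# resolve_tag COMPONENT BRANCH: print the image tag for pd or tikv.
# release-nextgen-* branches use the branch name for both components;
# any other target branch falls back to the master tags.
resolve_tag() {
  component="$1"; branch="$2"
  case "$branch" in
    release-nextgen-*) printf '%s\n' "$branch" ;;
    *)
      case "$component" in
        pd)   printf '%s\n' "master-nextgen" ;;
        tikv) printf '%s\n' "cloud-engine-nextgen" ;;
        *)    printf 'unknown component: %s\n' "$component" >&2; return 1 ;;
      esac ;;
  esac
}

# image_ref COMPONENT BRANCH: full GAR reference (PD under tikv/pd/image,
# TiKV under tikv/tikv/image, as in the PR's image mapping).
image_ref() {
  tag=$(resolve_tag "$1" "$2")
  printf '%s/%s/image:%s\n' "$GAR_BASE" "$1" "$tag"
}

# should_run EVENT HEAD_REPO BASE_REPO [LABELS]: succeed only when the job may
# request cloud credentials: push events always (no pull_request payload
# exists), pull_request events only when the head repository is the base
# repository, and never with the skip-integration-tests label.
# LABELS is a comma-separated list.
should_run() {
  event="$1"; head_repo="$2"; base_repo="$3"; labels="${4:-}"
  case ",$labels," in *,skip-integration-tests,*) return 1 ;; esac
  case "$event" in
    push) return 0 ;;
    pull_request) [ -n "$head_repo" ] && [ "$head_repo" = "$base_repo" ] ;;
    *) return 1 ;;
  esac
}

# Demo with constructed inputs: sh resolve.sh demo
if [ "${1:-}" = "demo" ]; then
  image_ref pd   "release-nextgen-2026.06"
  image_ref tikv "master"
  should_run pull_request tikv/tikv tikv/tikv && echo "same-repo PR: run"
fi
```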
@wuhuizuo wuhuizuo force-pushed the feat/nextgen-tidbx-gar-auth branch from 026b825 to 7d2bab5 Compare June 8, 2026 12:10
@wuhuizuo

Contributor Author

/test ?


ti-chi-bot Bot commented Jun 10, 2026


@wuhuizuo: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@wuhuizuo

Contributor Author

/test ?


ti-chi-bot Bot commented Jun 10, 2026


@wuhuizuo: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/integration.yml (1)

177-177: ⚡ Quick win

Pin actions to commit SHAs for supply-chain security.

The google-github-actions/auth and docker/login-action are referenced by mutable tags (@v3). For jobs with id-token: write permission, pinning to commit SHAs prevents a compromised tag from obtaining OIDC tokens. While the existing workflow uses tag references, these new actions handle sensitive credentials.

Proposed fix (example SHAs - verify current releases)
       - name: Authenticate to Google Cloud
         id: auth
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@71f986410dfbc7added4569a411d84f104ca3d5  # v3.0.0
         with:
           project_id: pingcap-testing-account

       - name: Login to GAR
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
         with:
           registry: us-docker.pkg.dev
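Review bot: the auth pin in this hunk, `google-github-actions/auth@71f986410dfbc7added4569a411d84f104ca3d5`, is 39 hex characters, one short of a full SHA-1, and GitHub resolves `uses:` references only against full 40-character commit SHAs, so the step would fail to resolve if committed as shown; the `docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772` value is a well-formed 40-character SHA. Since the comment itself labels these as examples, both values should be replaced with SHAs read from the actions' release tags, and the trailing `# v3.x.y` comment kept in step with the SHA so reviewers and update tooling can tell which release is pinned.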

Also applies to: 185-185

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration.yml at line 177, The workflow uses mutable
action tags (google-github-actions/auth@v3 and docker/login-action@v3) which is
a supply-chain risk; update the action references to specific commit SHAs
(replace the `@v3` references for the steps that call google-github-actions/auth
and docker/login-action with the corresponding verified commit SHA for each
action), verify the SHA against the official repo release you intend to use, and
ensure the steps that request id-token: write continue to function after
pinning.

Source: Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 629642fd-9ea3-4dc1-80fc-9ec799409aa9

📥 Commits

Reviewing files that changed from the base of the PR and between c4acd8b and f4be5bf.

📒 Files selected for processing (1)
  • .github/workflows/integration.yml

@@ -137,6 +137,9 @@ jobs:
integration-next-gen-tikv:
if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-integration-tests') }}
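Review bot: the label-only `if:` shown as context here is evaluated on push events too, where `github.event.pull_request` is empty and `!contains(...)` is therefore always true, so nothing in this job restricts which pushed branches reach the OIDC and GAR login steps; that restriction rests entirely on the `on.push.branches` filter, which this PR widens to feature/* and release-nextgen-*. If feature/* pushes are not meant to request cloud credentials, either narrow that filter or add a `github.ref` check to this condition alongside the same-repository check discussed below.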

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Consider gating the job for same-repository PRs only.

Per PR objectives, this job should request cloud credentials "only for same-repository PRs." Currently, the job runs for fork PRs but will fail at the auth step since GitHub doesn't grant OIDC tokens to forks. Adding an explicit condition avoids confusing failures:

Proposed fix
   integration-next-gen-tikv:
-    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-integration-tests') }}
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'skip-integration-tests') && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) }}
     runs-on: ubuntu-latest
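Review bot: the `github.event_name == 'push'` disjunct in the added condition is essential rather than decorative: on push events `github.event.pull_request` is absent, so `head.repo.full_name == github.repository` alone would be false and silently skip the job on master and release-nextgen-* pushes; a one-line YAML comment above the `if:` would keep a later cleanup from dropping it. The expression also yields false, not an error, when a fork PR's head repository has been deleted (`head.repo` is null), which is the desired skip.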
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/integration.yml at line 138, The job currently runs for
forked PRs and checks only for the 'skip-integration-tests' label; update the
job's if condition to also require the PR originate from the same repository by
combining the existing contains(...) check with a same-repo check such as
github.event.pull_request.head.repo.full_name == github.repository (e.g. if: ${{
github.event.pull_request.head.repo.full_name == github.repository &&
!contains(github.event.pull_request.labels.*.name, 'skip-integration-tests')
}}), so the job runs only for same-repository PRs and avoids OIDC auth failures
for forks.
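An added example, not code from this PR or the tikv repository: a stdin filter that reports every `uses:` reference in a workflow whose version part is not a full 40-hex-character commit SHA, which is the check behind both pinning comments above; the sample workflow is constructed here from the references those comments name, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from this PR or the tikv repository: a check that
# flags `uses:` references not pinned to a full commit SHA, the point both
# CodeRabbit comments raise. The sample workflow text is constructed here;
# function names are this example's own assumptions.
set -eu

# unpinned_uses: read workflow YAML on stdin and print every `uses:` reference
# whose part after '@' is not exactly 40 hex characters (tags such as @v3,
# branches, abbreviated SHAs, or no '@' at all). Local actions (./...) and
# docker:// images are skipped. Exit 1 if anything was printed, else 0.
unpinned_uses() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      *uses:*) ;;
      *) continue ;;
    esac
    ref=${line#*uses:}
    # trim surrounding blanks and a trailing "# vX.Y.Z" comment
    ref=$(printf '%s' "$ref" | sed 's/^[[:space:]]*//; s/[[:space:]]*#.*$//; s/[[:space:]]*$//')
    case "$ref" in
      ''|./*|docker://*) continue ;;
    esac
    version=${ref##*@}
    if ! printf '%s' "$version" | grep -Eq '^[0-9a-f]{40}$'; then
      printf '%s\n' "$ref"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample using the references discussed in the review. The auth
# SHA is the one from the proposed fix and is 39 characters long, so it is
# flagged together with the @v2 tag; the docker/login-action SHA is a full
# 40 characters and passes; the local action is skipped.
SAMPLE_WORKFLOW='steps:
  - uses: actions/checkout@v2
  - name: Authenticate to Google Cloud
    uses: google-github-actions/auth@71f986410dfbc7added4569a411d84f104ca3d5  # v3.0.0
  - name: Login to GAR
    uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
  - uses: ./.github/actions/local-step'

# check_sample: run the check over the sample (prints flagged refs, exit 1).
check_sample() {
  printf '%s\n' "$SAMPLE_WORKFLOW" | unpinned_uses
}

if [ "${1:-}" = "demo" ]; then
  check_sample || echo "unpinned references found"
fi
```

Run over a real file with `unpinned_uses < .github/workflows/integration.yml`; a non-zero exit makes it usable as a CI gate.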

@ti-chi-bot

Member

/ok-to-test

@ti-chi-bot

Member

/test ?

ti-chi-bot added the label ok-to-test (Indicates a PR is ready to be tested.) on Jun 10, 2026
@wuhuizuo

Contributor Author

/test ?


ti-chi-bot Bot commented Jun 10, 2026


@wuhuizuo: The following commands are available to trigger optional jobs:

/test pull-integration-nextgen

Use /test all to run all jobs.

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@wuhuizuo

Contributor Author

/test pull-integration-nextgen

@wuhuizuo

Contributor Author

/retest


ti-chi-bot Bot commented Jun 11, 2026


@wuhuizuo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

  • pull-integration-nextgen (commit f4be5bf, required: false): /test pull-integration-nextgen
  • pull-integration-test-nextgen (commit f4be5bf, required: false): /test pull-integration-test-nextgen

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
