dev-inf: add EngFlow artifact support to investigate workflow #164587
Draft
rafiss wants to merge 1 commit into cockroachdb:master from
The investigate workflow could only download artifacts from TeamCity. When it encountered an EngFlow-based failure, it had to skip artifact analysis entirely. This commit adds EngFlow support:

- engflow_artifacts.py: replace get_token() with get_curl_auth_args() that supports mTLS certificates (via ENGFLOW_CERT_FILE/ENGFLOW_KEY_FILE env vars), JWT from env (ENGFLOW_TOKEN), and the existing engflow_auth CLI fallback. All callers updated to thread auth_args through.
- investigate.yml: add a step to retrieve EngFlow mTLS certs from Google Cloud Secret Manager after OIDC auth, with graceful fallback if access is denied. Add python3:* to allowedTools. Add a cleanup step to remove temp cert files.
- investigate.md: replace the "EngFlow not supported" fallback text with full instructions for discovering failed targets, listing artifacts, and downloading test.log/outputs.zip via the script.

The mTLS path requires the ai-review service account to have secretmanager.versions.access on the engflow-mesolite-key/crt secrets, which is an IAM change outside this PR. The workflow fails gracefully if that access is not yet granted.

Epic: CRDB-60540

Release note: None

Co-Authored-By: roachdev-claude <roachdev-claude-bot@cockroachlabs.com>
The investigate workflow could only download artifacts from TeamCity. When it encountered an EngFlow-based failure, it had to skip artifact analysis entirely. This commit adds EngFlow support:
- engflow_artifacts.py: replace get_token() with get_curl_auth_args() that supports mTLS certificates (via ENGFLOW_CERT_FILE/ENGFLOW_KEY_FILE env vars), JWT from env (ENGFLOW_TOKEN), and the existing engflow_auth CLI fallback. All callers updated to thread auth_args through.
- investigate.yml: add a step to retrieve EngFlow mTLS certs from Google Cloud Secret Manager after OIDC auth, with graceful fallback if access is denied. Add python3:* to allowedTools. Add a cleanup step to remove temp cert files.
- investigate.md: replace the "EngFlow not supported" fallback text with full instructions for discovering failed targets, listing artifacts, and downloading test.log/outputs.zip via the script.
The mTLS path requires the ai-review service account to have secretmanager.versions.access on the engflow-mesolite-key/crt secrets, which is an IAM change outside this PR. The workflow fails gracefully if that access is not yet granted.
fixes #163955
Epic: CRDB-60540
Release note: None
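
The credential precedence described above (mTLS files, then a JWT from the environment, then a CLI-provided token), as an added example that is not the PR's code or the project's `get_curl_auth_args()`. The function name `select_curl_auth_args`, the `cli_token` callable standing in for the engflow_auth CLI, the header names and the key-file permission check are all assumptions made for illustration.

```python
import os
import stat
from typing import Callable, List, Mapping, Optional


class AuthError(Exception):
    """No usable credential source, or a source is misconfigured."""


def _check_key_file(path: str) -> None:
    # Refuse a private key that other local users could read.
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        raise AuthError(f"cannot stat key file {path}: {exc}") from exc
    if not stat.S_ISREG(mode):
        raise AuthError(f"{path} is not a regular file")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise AuthError(f"{path} is group/world accessible; chmod 600 it")


def select_curl_auth_args(
    env: Mapping[str, str],
    cli_token: Optional[Callable[[], Optional[str]]] = None,
) -> List[str]:
    """Return curl arguments for the first usable credential source.

    Order follows the PR description: mTLS cert/key files, then a JWT from
    the environment, then a token from the CLI (hypothetical callable here).
    """
    cert, key = env.get("ENGFLOW_CERT_FILE"), env.get("ENGFLOW_KEY_FILE")
    if cert or key:
        # A half-configured mTLS pair is an error, not a reason to fall back.
        if not (cert and key):
            raise AuthError("set both ENGFLOW_CERT_FILE and ENGFLOW_KEY_FILE")
        if not os.path.isfile(cert):
            raise AuthError(f"certificate file {cert} not found")
        _check_key_file(key)
        return ["--cert", cert, "--key", key]

    token = env.get("ENGFLOW_TOKEN") or (cli_token() if cli_token else None)
    if token:
        if "\r" in token or "\n" in token:  # would split the header line
            raise AuthError("token contains a line break")
        # Header names are an assumption; the page does not state them.
        return ["-H", "x-engflow-auth-method: jwt-v0",
                "-H", f"x-engflow-auth-token: {token}"]
    raise AuthError("no EngFlow credentials available")
```

The token branch places the JWT in curl's argument list, where other processes on the same host can read it; the mTLS branch passes only file paths.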