Merge branch 'trunk' into KAFKA-20167

Author: m1a2st

.asf.yaml

@@ -25,9 +25,17 @@ notifications:
   pullrequests: jira@kafka.apache.org
   jira_options: link label
 
-# This list allows you to triage pull requests and trigger workflow runs on GitHub Actions. It can have a maximum of 10 collaborators.
-# Read more here: https://github.com/apache/infrastructure-asfyaml
 github:
+  description: "Apache Kafka - A distributed event streaming platform"
+  homepage: https://kafka.apache.org/
+  labels:
+    - java
+    - scala
+    - kafka
+    - streaming
+
+  # This list allows you to triage pull requests and trigger workflow runs on GitHub Actions. It can have a maximum of 10 collaborators.
+  # Read more here: https://github.com/apache/infrastructure-asfyaml
   collaborators:
     - brandboat
     - chirag-wadhwa5

.github/dependabot.yml

@@ -0,0 +1,26 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # 'daily' only runs on weekdays
+      interval: "cron"
+      cronjob: "00 20 * * *"
+    open-pull-requests-limit: 10
+    cooldown:
+      default: 4

.github/scripts/pr-format.py

@@ -18,12 +18,13 @@
 import json
 import logging
 import os
+import re
 import subprocess
 import shlex
 import sys
 import tempfile
 import textwrap
-from typing import Dict, Optional, TextIO
+from typing import Dict, List, Optional, TextIO
 
 logger = logging.getLogger()
 logger.setLevel(logging.DEBUG)
@@ -103,6 +104,108 @@ def split_paragraphs(text: str):
     yield paragraph, markdown
 
 
+def resolve_reviewer(login: str) -> tuple:
+    """Map a GitHub login to (name, email).
+
+    Tries three tiers in order: repo commit history, GitHub user profile,
+    and past `Reviewers:` trailers in git log (matched by name).
+    Noreply emails (@users.noreply.github.com) are treated as missing since
+    they are GitHub privacy placeholders that do not identify the reviewer.
+    Returns (name, None) when no usable email is found; the caller falls
+    back to the '(@login)' form in the Reviewers trailer.
+    """
+    def _usable_email(e):
+        if not e or e.endswith("@users.noreply.github.com"):
+            return None
+        return e
+
+    name = None
+    email = None
+
+    # Tier 1: find from repo commit history. Misses when the reviewer has no
+    # merged commit in apache/kafka, or had "Keep my email private" enabled
+    # at commit time (GitHub rewrites the author to the noreply form).
+    try:
+        cmd = f"gh api repos/apache/kafka/commits?author={login}&per_page=1"
+        p = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
+        if p.returncode == 0:
+            commits = json.loads(p.stdout)
+            if commits:
+                author = commits[0].get("commit", {}).get("author", {})
+                name = author.get("name")
+                email = _usable_email(author.get("email"))
+    except Exception as e:
+        logger.debug(f"Failed to resolve {login} from commit history: {e}")
+
+    # Tier 2: GitHub user profile. Only exposes an email when the reviewer
+    # has set a Public email in their profile settings.
+    if not name or not email:
+        try:
+            cmd = f"gh api users/{login}"
+            p = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
+            if p.returncode == 0:
+                user = json.loads(p.stdout)
+                if not name:
+                    name = user.get("name")
+                if not email:
+                    email = _usable_email(user.get("email"))
+        except Exception as e:
+            logger.debug(f"Failed to resolve {login} from GitHub profile: {e}")
+
+    # Tier 3: past Reviewers: trailers in git log, matched by name. Catches
+    # pure reviewers (no commits in apache/kafka, no public profile email)
+    # who have been credited with a real email in an earlier merged PR.
+    # git log is newest-first, so the first usable match is the most recent.
+    if name and not email:
+        try:
+            p = subprocess.run(
+                ["git", "log",
+                 "--pretty=format:%(trailers:key=Reviewers,valueonly=true,unfold=true)"],
+                capture_output=True, text=True,
+            )
+            if p.returncode == 0:
+                pattern = re.compile(rf"{re.escape(name)}\s*<([^>]+)>")
+                for line in p.stdout.splitlines():
+                    for m in pattern.finditer(line):
+                        candidate = _usable_email(m.group(1))
+                        if candidate:
+                            email = candidate
+                            break
+                    if email:
+                        break
+        except Exception as e:
+            logger.debug(f"Failed to resolve {login} from past Reviewers trailers: {e}")
+
+    if not name:
+        name = login
+
+    return (name, email)
+
+
+def already_exists(identity: str, existing_reviewers: List[str]) -> bool:
+    """Check if a reviewer identity is already in the existing reviewers list.
+
+    identity is the delimited token that uniquely identifies a reviewer, either
+    '<email>' (for the email form) or '(@login)' (for the login fallback).
+    """
+    return identity.lower() in ", ".join(existing_reviewers).lower()
+
+
+def update_reviewers_trailer(body: str, trailer: str) -> str:
+    """Update the Reviewers trailer in the body using git interpret-trailers."""
+    with tempfile.NamedTemporaryFile() as fp:
+        fp.write(body.strip().encode())
+        fp.write(b"\n")
+        fp.flush()
+        cmd = f"git interpret-trailers --if-exists replace --trailer {shlex.quote(trailer)} {fp.name}"
+        p = subprocess.run(shlex.split(cmd), capture_output=True)
+        fp.close()
+
+    if p.returncode == 0:
+        return p.stdout.decode()
+    return body
+
+
 if __name__ == "__main__":
     """
     This script performs some basic linting of our PR titles and body. The PR number is read from the PR_NUMBER
@@ -123,7 +226,7 @@ def split_paragraphs(text: str):
     """
 
     pr_number = get_env("PR_NUMBER")
-    cmd = f"gh pr view {pr_number} --json 'title,body,reviews'"
+    cmd = f"gh pr view {pr_number} --json 'title,body,reviews,author'"
     p = subprocess.run(shlex.split(cmd), capture_output=True)
     if p.returncode != 0:
         logger.error(f"GitHub CLI failed with exit code {p.returncode}.\nSTDOUT: {p.stdout.decode()}\nSTDERR:{p.stderr.decode()}")
@@ -134,6 +237,23 @@ def split_paragraphs(text: str):
     body = gh_json["body"]
     reviews = gh_json["reviews"]
 
+    # Auto-fill reviewer from the current review event.
+    # Approvals are also review events, so approvers are automatically added.
+    reviewer_login = get_env("REVIEWER_LOGIN")
+    pr_author = (gh_json.get("author") or {}).get("login")
+    if reviewer_login and reviewer_login != pr_author:
+        name, email = resolve_reviewer(reviewer_login)
+        if email:
+            identity = f"<{email}>"
+        else:
+            identity = f"(@{reviewer_login})"
+        resolved = f"{name} {identity}"
+        existing_reviewers = parse_trailers(title, body).get("Reviewers", [])
+        if not already_exists(identity, existing_reviewers):
+            existing_value = ", ".join(existing_reviewers)
+            new_value = f"{existing_value}, {resolved}" if existing_value else resolved
+            body = update_reviewers_trailer(body, f"Reviewers: {new_value}")
+
     checks = [] # (bool (0=ok, 1=error), message)
 
     def check(positive_assertion, ok_msg, err_msg):

.github/scripts/requirements.txt

@@ -16,4 +16,4 @@
 # Note: Ensure the 'requests' version here matches the version in tests/setup.py
 PyYAML~=6.0
 pytz==2024.2
-requests==2.32.4
+requests==2.33.0

.github/workflows/ci-complete.yml

@@ -32,30 +32,54 @@ run-name: Build Scans for ${{ github.event.workflow_run.display_title}}
 # the repository secrets. Here we can download the build scan files produced by a PR and publish
 # them to develocity.apache.org.
 #
+# The CI workflow itself runs according to the branch of the PR or push event. However, this
+# ci-complete workflow always runs using the trunk branch, regardless of the source branch of the
+# CI workflow.
+#
 # If we need to do things like comment on, label, or otherwise modify PRs from public forks. This
 # workflow is the place to do it. PR number is ${{ github.event.workflow_run.pull_requests[0].number }}
 
 jobs:
+  get-build-scan-names:
+    if: (github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure')
+    runs-on: ubuntu-latest
+    outputs:
+      build-scan-names: ${{ steps.build-scan-names.outputs.build-scan-names }}
+    steps:
+      - name: List buildscan artifacts
+        id: build-scan-names
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RUN_ID: ${{ github.event.workflow_run.id }}
+        run: |
+          names=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            /repos/${{ github.repository }}/actions/runs/$RUN_ID/artifacts \
+            --jq '[.artifacts[] | select(.name | startswith("build-scan-")) | .name]')
+          echo "Found: $names"
+
+          echo "build-scan-names=$names" >> $GITHUB_OUTPUT
+
   upload-build-scan:
+    needs: get-build-scan-names
     # Skip this workflow if the CI run was skipped or cancelled
     if: (github.event.workflow_run.conclusion == 'success' || github.event.workflow_run.conclusion == 'failure')
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        # Make sure these match build.yml and also keep in mind that GitHub Actions build will always use this file from the trunk branch.
-        java: [ 25, 17 ]
-        run-flaky: [ true, false ]
-        run-new: [ true, false ]
-        exclude:
-          - run-flaky: true
-            run-new: true
-
-    env:
-      job-variation: ${{ matrix.java }}-${{ matrix.run-flaky == true && 'flaky' || 'noflaky' }}-${{ matrix.run-new == true && 'new' || 'nonew' }}
-      status-context: Java ${{ matrix.java }}${{ matrix.run-flaky == true && ' / Flaky' || '' }}${{ matrix.run-new == true && ' / New' || '' }}
-
+        build-scan-name: ${{ fromJson(needs.get-build-scan-names.outputs.build-scan-names) }}
     steps:
+      - name: Setup build scan info
+        run: |
+          BUILD_SCAN_NAME="${{ matrix.build-scan-name }}"
+          JAVA=$(echo "$BUILD_SCAN_NAME" | grep -oE '[0-9]+')
+          STATUS_CONTEXT="Java $JAVA"
+          [[ "$BUILD_SCAN_NAME" == *"-flaky"* ]] && STATUS_CONTEXT="$STATUS_CONTEXT / Flaky"
+          [[ "$BUILD_SCAN_NAME" == *"-new"* ]] && STATUS_CONTEXT="$STATUS_CONTEXT / New"
+
+          echo "JAVA=$JAVA" >> $GITHUB_ENV
+          echo "STATUS_CONTEXT=$STATUS_CONTEXT" >> $GITHUB_ENV
       - name: Env
         run: printenv
         env:
@@ -68,7 +92,7 @@ jobs:
       - name: Setup Gradle
         uses: ./.github/actions/setup-gradle
         with:
-          java-version: ${{ matrix.java }}
+          java-version: ${{ env.JAVA }}
           develocity-access-key: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
       - name: Download build scan archive
         id: download-build-scan
@@ -77,7 +101,7 @@ jobs:
         with:
           github-token: ${{ github.token }}
           run-id: ${{ github.event.workflow_run.id }}
-          name: build-scan-${{ env.job-variation }}
+          name: ${{ matrix.build-scan-name }}
           path: ~/.gradle/build-scan-data  # This is where Gradle buffers unpublished build scan data when --no-scan is given
       - name: Handle missing scan
         if: ${{ steps.download-build-scan.outcome == 'failure' }}
@@ -88,8 +112,8 @@ jobs:
           commit_sha: ${{ github.event.workflow_run.head_sha }}
           url: '${{ github.event.workflow_run.html_url }}'
           description: 'Could not find build scan'
-          context: Gradle Build Scan / ${{ env.status-context }}
-          state: 'success' # Always mark as successful as a temporary fix; non-trunk branches will miss build scan. Real fix in KAFKA-19768
+          context: Gradle Build Scan / ${{ env.STATUS_CONTEXT }}
+          state: 'error'
       - name: Publish Scan
         id: publish-build-scan
         if: ${{ steps.download-build-scan.outcome == 'success' }}
@@ -116,7 +140,7 @@ jobs:
           commit_sha: ${{ github.event.workflow_run.head_sha }}
           url: '${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}'
           description: 'The build scan failed to be published'
-          context: Gradle Build Scan / ${{ env.status-context }}
+          context: Gradle Build Scan / ${{ env.STATUS_CONTEXT }}
           state: 'error'
       - name: Update Status Check
         if: ${{ steps.publish-build-scan.outcome == 'success' }}
@@ -127,5 +151,5 @@ jobs:
           commit_sha: ${{ github.event.workflow_run.head_sha }}
           url: ${{ steps.publish-build-scan.outputs.build-scan-url }}
           description: 'The build scan was successfully published'
-          context: Gradle Build Scan / ${{ env.status-context }}
+          context: Gradle Build Scan / ${{ env.STATUS_CONTEXT }}
           state: 'success'

.github/workflows/ci.yml

@@ -19,7 +19,7 @@ on:
   push:
     branches:
       - 'trunk'
-      - '4.0'
+      - '4.3'
 
   schedule:
     - cron: '0 0 * * 6,0'    # Run on Saturday and Sunday at midnight UTC
@@ -28,7 +28,7 @@ on:
     types: [ opened, synchronize, ready_for_review, reopened ]
     branches:
       - 'trunk'
-      - '4.0'
+      - '4.3'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

.github/workflows/docker_build_and_test.yml

@@ -54,9 +54,10 @@ jobs:
       run: |
         python docker_build_test.py kafka/test -tag=test -type=$IMAGE_TYPE -u=$KAFKA_URL
     - name: Run CVE scan
-      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+      uses: lhotari/sandboxed-trivy-action@555963036b2012b44c1071508a236e569db28ebb # v1.0.1
       with:
-        image-ref: 'kafka/test:test'
+        scan-type: 'image'
+        scan-ref: 'kafka/test:test'
         format: 'table'
         severity: 'CRITICAL,HIGH'
         output: scan_report_${{ github.event.inputs.image_type }}.txt

.github/workflows/docker_official_image_build_and_test.yml

@@ -53,9 +53,10 @@ jobs:
       run: |
         python docker_official_image_build_test.py kafka/test -tag=test -type=$IMAGE_TYPE -v=$KAFKA_VERSION
     - name: Run CVE scan
-      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+      uses: lhotari/sandboxed-trivy-action@555963036b2012b44c1071508a236e569db28ebb # v1.0.1
       with:
-        image-ref: 'kafka/test:test'
+        scan-type: 'image'
+        scan-ref: 'kafka/test:test'
         format: 'table'
         severity: 'CRITICAL,HIGH'
         output: scan_report_${{ github.event.inputs.image_type }}.txt

.github/workflows/docker_promote.yml

@@ -31,11 +31,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
     - name: Login to Docker Hub
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
       with:
         username: ${{ secrets.DOCKERHUB_USER }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/docker_rc_release.yml

@@ -47,11 +47,11 @@ jobs:
         python -m pip install --upgrade pip
         pip install -r docker/requirements.txt
     - name: Set up QEMU
-      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
     - name: Login to Docker Hub
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+      uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
       with:
         username: ${{ secrets.DOCKERHUB_USER }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}