GH-48904: [C++][FlightRPC][CI][Packaging] Upload ODBC installer into GitHub release as RC

[alinaliBQ]

Rationale for this change

#48904

Upload ODBC as a GitHub draft release upon release candidate tag

What changes are included in this PR?

• Create a draft GitHub release for ODBC, and upload the ODBC MSI to the draft release. ODBC release is only triggered by RC tag
• add gh release ODBC download pattern to 04-binary-download.sh
• add gh release ODBC upload pattern to 05-binary-upload.sh

Are these changes tested?

• CI changes tested in forked repository, a draft GitHub release is created
• 04-binary-download.sh and 05-binary-upload.sh changes are not tested

Are there any user-facing changes?

Yes, this PR adds GitHub release for Apache Arrow Flight SQL ODBC MSI installer.

• GitHub Issue: [C++][FlightRPC] ODBC GitHub release #48904

[github-actions]

⚠️ GitHub issue #48904 has been automatically assigned in GitHub to PR creator.

[alinaliBQ]

Moved path to make it easier for uploading GitHub release

[alinaliBQ]

No release notes are added in this PR. Please let me know if I should put the release notes in the PR

[kou]

We don't need to add release notes here.

[kou]

We don't need to add release notes here.

[raulcd]

Thanks @alinaliBQ for working on this!
From my understanding we are going to integrate this to the major quarterly Arrow releases. Should we modify the tag to be triggered only on RCs, similar to how we do on Linux packaging jobs:

arrow/.github/workflows/package_linux.yml

Lines 38 to 39 in 9cde706

	tags:
	- "apache-arrow-*-rc*"

We should also add it to the binary download:

arrow/dev/release/04-binary-download.sh

Lines 50 to 58 in 9cde706

	gh release download "${tag}" \
	--dir "packages/${CROSSBOW_JOB_ID}" \
	--pattern "almalinux-*.tar.gz" \
	--pattern "amazon-linux-*.tar.gz" \
	--pattern "centos-*.tar.gz" \
	--pattern "debian-*.tar.gz" \
	--pattern "ubuntu-*.tar.gz" \
	--repo "${REPOSITORY:-apache/arrow}" \
	--skip-existing

and the signing and upload to sign the released artifacts:

arrow/dev/release/05-binary-upload.sh

Lines 64 to 72 in 9cde706

	: "${UPLOAD_DEFAULT:=1}"
	: "${UPLOAD_ALMALINUX:=${UPLOAD_DEFAULT}}"
	: "${UPLOAD_AMAZON_LINUX:=${UPLOAD_DEFAULT}}"
	: "${UPLOAD_CENTOS:=${UPLOAD_DEFAULT}}"
	: "${UPLOAD_DEBIAN:=${UPLOAD_DEFAULT}}"
	: "${UPLOAD_DOCS:=${UPLOAD_DEFAULT}}"
	: "${UPLOAD_PYTHON:=${UPLOAD_DEFAULT}}"
	: "${UPLOAD_R:=${UPLOAD_DEFAULT}}"
	: "${UPLOAD_UBUNTU:=${UPLOAD_DEFAULT}}"

I am unsure if there is anything we have to do on verification apart from validating signatures. From my understanding if we upload to GH Release and add signatures the verification script will already validate the signature (nothing has to be done there) but better to double check.

[alinaliBQ]

@raulcd Thanks! I am working on the comments and testing on the forked repo before porting the changes over. Regarding the MSI signatures, I checked other Apache projects with MSI releases for reference. I found that Apache CouchDB does MSI signing (https://github.com/apache/couchdb-glazier/pull/29/changes) with JSign that signs the Apache CouchDB MSI with Digi Cert One credentials.
The current unsigned MSI pops up a notification "do you want to allow this app from an unknown publisher to make changes to your device?" when opened. Screenshot is attached. User can click "yes" and then complete install/uninstall, so there isn't any blockers for end users. Does the ODBC MSI installer require Windows Authenticode signature for an official release?

[alinaliBQ]

I am still working on adding MSI to 05-binary-upload.sh.
Update: MSI has been added to 05-binary-upload.sh.

[alinaliBQ]

Modified the tag to be triggered only on RCs.

[kou]

Why do we need this?

Can we use the following if: in odbc-release?

if: github.ref_type == 'tag' && contains(github.ref_name, '*-rc*')

or

if: github.ref_type == 'tag'

and

diff --git a/.github/workflows/cpp_extra.yml b/.github/workflows/cpp_extra.yml
index 49995752fa..9edec1f46b 100644
--- a/.github/workflows/cpp_extra.yml
+++ b/.github/workflows/cpp_extra.yml
@@ -43,7 +43,7 @@ on:
       - 'format/Flight.proto'
       - 'testing'
     tags:
-      - '**'
+      - 'apache-arrow-*-rc*'
   pull_request:
     paths:
       - '.dockerignore'

[alinaliBQ]

This check is added for checking tag before the upload to GitHub release. It works like a simpler check_labels.yml for tags.

I think if we apply the change below, it will change the entire C++ Extra workflow to only be triggered by apache-arrow-*-rc* tags, and we want tags like C++ Extra to trigger the workflow as well.

     tags:
-      - '**'
+      - 'apache-arrow-*-rc*'

I think the contains(github.ref_name, '*-rc*') check is less strict compared to the current implementation, which I am leaning towards

[kou]

If *-rc* feels loose, we can use contains(github.ref_name, 'apache-arrow-*-rc*). I want to keep GitHub Actions configuration as much as simple for easy to maintain. So I want to remove this odbc-check-tags` step if possible.

[alinaliBQ]

Totally understandable. odbc-check-tags step has been removed. As a workaround, I have changed the approach to use

    if: ${{ startsWith(github.ref_name, 'apache-arrow-') && contains(github.ref_name, '-rc') }}

Please note that this check can pick up 'apache-arrow-rc' tag.

I have tried contains(github.ref_name, 'apache-arrow-*-rc*') and it didn't work, I think contains() doesn't support regex or wild card checks.

[alinaliBQ]

added ODBC msi to the binary download

[amoeba]

Hey @alinaliBQ, Re:

Does the ODBC MSI installer require Windows Authenticode signature for an official release?

While all artifacts must be signed, I'm not sure that level of code signing is strictly required for a release. That said, I think it would be best to take the extra steps to sign the installer so it shows up as trusted by Windows.

ASF Infra provides projects access to their DigiCert cert and has a help page for it: https://infra.apache.org/digicert-use.html. So for the Arrow project to sign those, I think one of us PMC members would need to go through that process and would also need to manually build and sign the MSI as part of the release process. @raulcd @kou does that sound doable to have a manual step like that? I could go through the ASF process and do the signing.

[kou]

It seems that we can sign built MSI. So we may not need to build MSI manually. We can use uploaded MSI on GitHub Release instead.

I can also help it because it seems that we can sign on Linux by JSign.

[alinaliBQ]

This change should fix the c++ extra error, sorry I didn't catch this earlier

[kou]

Could you rebase on main?

[alinaliBQ]

Could you rebase on main?

Yes, done