GH-49537: [C++][FlightRPC] Windows CI to Support ODBC DLL & MSI Signing

[alinaliBQ]

Rationale for this change

GH-49537

What changes are included in this PR?

• Implement Windows CIs to:
  1. CI A - odbc-msvc-upload-dll Upload unsigned DLL
  2. CI B - odbc-msvc-upload-msi Download signed DLL and upload unsigned MSI
• Remove odbc-release CI that is replaced by the new CIs.
• Use composite action to reuse code for building ODBC Windows.
• The release manager can run CI A first, then download the unsigned DLL and upload signed DLL.
• Run CI B to upload unsigned MSI. Then sign the MSI locally, and upload signed MSI to GitHub release. Example Command to trigger CI B:

gh workflow run cpp_extra.yml --ref apache-arrow-test-24.0.0-rc0 -f odbc_release_step=true

Example of 07-flightsqlodbc-upload.sh script (not tested):
We need to either 1) implement a way to get RUN_ID and then call gh run watch,
or 2) enter each command manually and wait for the CI to finish.

# download unsigned DLL
gh release download $tag --pattern arrow_flight_sql_odbc_unsigned.dll

# sign ODBC DLL and upload to GitHub release
jsign arrow_flight_sql_odbc_unsigned.dll ...
mv arrow_flight_sql_odbc_unsigned.dll arrow_flight_sql_odbc.dll
gh release upload $tag --clobber arrow_flight_sql_odbc.dll

# trigger CI B
gh workflow run cpp_extra.yml --ref $tag -f odbc_upload=msi

# download unsigned MSI
gh release download $tag --pattern Apache-Arrow-Flight-SQL-ODBC-*-win64.msi

# sign ODBC MSI and upload to GitHub release
jsign Apache-Arrow-Flight-SQL-ODBC-*-win64.msi ...
gh release upload $tag --clobber Apache-Arrow-Flight-SQL-ODBC-*-win64.msi

# remove ODBC DLLs from GitHub release
gh release delete-asset $tag arrow_flight_sql_odbc_unsigned.dll --yes
gh release delete-asset $tag arrow_flight_sql_odbc.dll --yes

Are these changes tested?

• The uploading and signing process is tested in my repo
• Workflows are verified in CI

Are there any user-facing changes?

N/A

• GitHub Issue: [C++][FlightRPC][ODBC] Add CI steps to support Windows DLL and MSI signing #49537

[alinaliBQ]

Since both DLL and MSI need to be signed and unsigned DLL is harder to catch, uploading as arrow_flight_sql_odbc_unsigned.dll to make it clear on GitHub release if the DLL is unsigned.

[alinaliBQ]

@amoeba PR is ready for review. We have an issue for flight-sql-tests ODBC Windows failure: #49465

[alinaliBQ]

I did an empty commit (a522393) and got this error:

Error: D:\a\arrow\arrow\./.github/actions/odbc-windows\action.yml (Line: 71, Col: 12): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.GITHUB_TOKEN
Error: GitHub.DistributedTask.ObjectTemplating.TemplateValidationException: The template is not valid. D:\a\arrow\arrow\./.github/actions/odbc-windows\action.yml (Line: 71, Col: 12): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.GITHUB_TOKEN
   at GitHub.DistributedTask.ObjectTemplating.TemplateValidationErrors.Check()
   at GitHub.Runner.Worker.ActionManifestManagerLegacy.ConvertRuns(IExecutionContext executionContext, TemplateContext templateContext, TemplateToken inputsToken, String fileRelativePath, MappingToken outputs)
   at GitHub.Runner.Worker.ActionManifestManagerLegacy.Load(IExecutionContext executionContext, String manifestFile)
Error: Failed to load D:\a\arrow\arrow\./.github/actions/odbc-windows\action.yml

The same implementation worked yesterday (see https://github.com/apache/arrow/actions/runs/23622018872/job/68803175375). Seems that GitHub might have updated runner, I will look into this.

[alinaliBQ]

Error: Failed to load D:\a\arrow\arrow./.github/actions/odbc-windows\action.yml

This issue should be resolved now by commit 95bc75b

[alinaliBQ]

@kou @raulcd This PR is ready for review. Please have a look if you have a chance, thank you

[amoeba]

Suggested change

	if: inputs.odbc_upload == 'dll'
	if: inputs.odbc_release_step == 'dll'

[alinaliBQ]

fixed

[alinaliBQ]

Addressed comments. Please have another look, thanks!

[alinaliBQ]

fixed

[amoeba]

Thanks @alinaliBQ.

@raulcd do you want to have a look? Once we merge, I'll test the whole flow with the script (PR to come) that does the signing so we'll have more chances to fix any issues.

[raulcd]

Thanks for the work @alinaliBQ ! I am unsure this is ready yet, sorry it took me a couple days for review, it was Easter and had some family around. My main concern is around, the tag hasn't been updated to match the one on the packaging linux jobs, currently any tag will trigger the job and we only want to do it for RC's. The worlflow dispatch is still around and I thought this was not necessary with the tag.
@amoeba I am about to do the feature freeze, I think this is going to miss 24.0.0, is that ok?

[raulcd]

I am not sure I understand this. Didn't we agreed to use the tag for the RC? Why is the workflow dispatch needed and referenced below?

[amoeba]

The flow is a bit complicated, we need to trigger some jobs when the RC is created but the odbc-msvc-upload-msi step needs to be triggered manually so we use workflow_dispatch. The sequence is,

1. Release manager tags release
2. cpp_extra.yml jobs odbc-msvc-upload-dll and odbc-dll-release are run automatically, unsigned DLL is added to release
3. Release manager locally runs script (TBD) that downloads, signs (w/ jsign), and uploads the signed DLL to the release
4. Release manager triggers odbc-msvc-upload-msi via workflow_dispatch which builds an unsigned MSI with a signed DLL inside and adds it to the release
5. Release manager locally runs script that downloads signs (w/ jsign), and uploads the signed MSI to the releasee

[raulcd]

I see, I did not understood the process. As the process isn't entirely automated and it requires several manual steps, can we document it on the release page?
https://github.com/apache/arrow/blob/main/docs/source/developers/release.rst

[alinaliBQ]

@amoeba Could you kindly help with the documentation on release page?

[amoeba]

Absolutely. I'll file an issue and fill it in as we finish the final PRs.

[amoeba]

#49687

[alinaliBQ]

Thanks!

[amoeba]

Thanks for taking a look @raulcd. It's okay if this doesn't make it for 24 but if it's at all possible that'd be great.

Re: the jobs running on any tag, I'm not seeing what you see, could you point out which job needs updating?

• odbc-msvc: Runs as normal (when labeled with "Extra" label). This is the pre-existing CI for the driver.
• odbc-msvc-upload-dll: Only runs when ref matches an RC tag and correctly doesn't run on workflow_dispatch
• odbc-dll-release: Only runs after odbc-msvc-upload-dll
• odbc-msvc-upload-msi: Only runs on workflow_dispatch

I could see making the last one (odbc-msvc-upload-msi) more defensive.

[alinaliBQ]

I am unsure this is ready yet, sorry it took me a couple days for review, it was Easter and had some family around. My main concern is around, the tag hasn't been updated to match the one on the packaging linux jobs, currently any tag will trigger the job and we only want to do it for RC's.

No worries @raulcd, hope you had a good Easter.
odbc-msvc-upload-dll is the job that is only triggered by RC tags. It does a if check to make sure the tag contains -rc:

     ${{ 
        startsWith(github.ref_name, 'apache-arrow-') && 
        contains(github.ref_name, '-rc') && 
        !inputs.odbc_release_step 
      }}

Since having a tags: section will impact all jobs in the cpp_extra.yml file, I used the if statement approach to the job odbc-msvc-upload-dll.