From review

Author: muralibasani

release/github.py

@@ -26,6 +26,7 @@
 
 import json
 import os
+import time
 import urllib.request
 
 from runtime import fail
@@ -64,6 +65,22 @@ def _api_request(token, method, path, body=None):
         fail(f"GitHub API error {e.code} for {method} {path}: {error_body}")
 
 
+def _get_latest_run_url(token, workflow_file):
+    """
+    Fetch the most recent run URL for a workflow. Returns the HTML URL
+    of the latest run, or a fallback URL to the workflow's runs page.
+    """
+    fallback = f"https://github.com/{GITHUB_REPO}/actions/workflows/{workflow_file}"
+    path = f"/repos/{GITHUB_REPO}/actions/workflows/{workflow_file}/runs?per_page=1"
+    try:
+        result = _api_request(token, "GET", path)
+        if result and result.get("workflow_runs"):
+            return result["workflow_runs"][0]["html_url"]
+    except Exception:
+        pass
+    return fallback
+
+
 def trigger_workflow(token, workflow_file, ref, inputs):
     """
     Trigger a GitHub Actions workflow_dispatch event.
@@ -74,6 +91,11 @@ def trigger_workflow(token, workflow_file, ref, inputs):
     print(f"Triggering workflow {workflow_file} on {GITHUB_REPO} with inputs: {json.dumps(inputs)}")
     _api_request(token, "POST", path, body)
     print(f"Successfully triggered {workflow_file}")
+    # Brief pause to allow GitHub to register the run before querying
+    if not DRY_RUN:
+        time.sleep(2)
+    run_url = _get_latest_run_url(token, workflow_file)
+    print(f"  View run: {run_url}")
 
 
 def trigger_docker_build_test(token, ref, image_type, kafka_url):

release/release.py

@@ -218,6 +218,54 @@ def command_release_announcement_email():
 ## Default 'stage' subcommand implementation isn't isolated to its own function yet for historical reasons
 
 
+def trigger_docker_workflows(rc_tag, release_version, dev_branch):
+    """
+    Trigger Docker image build/test and RC release workflows via GitHub Actions API.
+    Prompts the user for confirmation before each step.
+    """
+    print("\n=== Docker Image Workflows ===")
+    if github.DRY_RUN:
+        print("NOTE: GITHUB_DRY_RUN is enabled. No actual API calls will be made.")
+    if github.GITHUB_REPO != "apache/kafka":
+        print(f"NOTE: Using custom repository: {github.GITHUB_REPO}")
+    if not confirm("Trigger Docker image build workflows via GitHub Actions?"):
+        print("Skipping Docker image workflows.")
+        return
+
+    def get_github_token():
+        print(templates.github_token_instructions())
+        return prompt("Enter your GitHub personal access token: ")
+    github_token = preferences.get('github_token', get_github_token)
+    kafka_url = f"https://dist.apache.org/repos/dist/dev/kafka/{rc_tag}/kafka_2.13-{release_version}.tgz"
+
+    # Step 1: Trigger build/test workflows and loop until CVE-free
+    while True:
+        print(f"\nStep 1/2: Triggering Docker Build Test workflows for JVM and native images...")
+        for image_type in ["jvm", "native"]:
+            github.trigger_docker_build_test(github_token, dev_branch, image_type, kafka_url)
+        print("\nDocker Build Test workflows triggered successfully for both JVM and native images.")
+        print(f"\nPlease check the build results and CVE scan reports at:")
+        print(f"  https://github.com/{github.GITHUB_REPO}/actions/workflows/docker_build_and_test.yml")
+        print("\nVerify that:")
+        print("  1. Both JVM and native image builds succeeded")
+        print("  2. The CVE scan reports show no CRITICAL or HIGH vulnerabilities")
+        print("  3. If CVEs are found, update the Dockerfiles and re-trigger")
+        print("     Dockerfiles are located at: docker/jvm/Dockerfile and docker/native/Dockerfile")
+        if confirm("Have the builds passed with no CVEs? (n to re-trigger after fixing Dockerfiles)"):
+            break
+        print("\nRe-triggering Docker Build Test workflows after Dockerfile updates...")
+
+    # Step 2: Push RC images to DockerHub
+    print(f"\nStep 2/2: Triggering Docker RC Release workflows for JVM and native images...")
+    for image_type in ["jvm", "native"]:
+        docker_image_name = "apache/kafka-native" if image_type == "native" else "apache/kafka"
+        rc_docker_image = f"{docker_image_name}:{rc_tag}"
+        github.trigger_docker_rc_release(github_token, dev_branch, image_type, rc_docker_image, kafka_url)
+    print("\nDocker RC Release workflows triggered successfully for both JVM and native images.")
+
+    print(f"\nAll Docker workflow runs can be monitored at: https://github.com/{github.GITHUB_REPO}/actions")
+
+
 def verify_gpg_key():
     if not gpg.key_exists(gpg_key_id):
         fail(f"GPG key {gpg_key_id} not found")
@@ -373,29 +421,7 @@ def delete_gitrefs():
 git.push_ref(rc_tag)
 git.push_ref(starting_branch)
 
-# Trigger Docker image build and test workflows via GitHub Actions
-print("\n=== Docker Image Workflows ===")
-if github.DRY_RUN:
-    print("NOTE: GITHUB_DRY_RUN is enabled. No actual API calls will be made.")
-if github.GITHUB_REPO != "apache/kafka":
-    print(f"NOTE: Using custom repository: {github.GITHUB_REPO}")
-if confirm("Trigger Docker image build workflows via GitHub Actions?"):
-    github_token = preferences.get('github_token', lambda: prompt("Enter your GitHub personal access token (with 'actions' scope): "))
-    kafka_url = f"https://dist.apache.org/repos/dist/dev/kafka/{rc_tag}/kafka_2.13-{release_version}.tgz"
-    print(f"\nStep 1/2: Triggering Docker Build Test workflows for JVM and native images...")
-    for image_type in ["jvm", "native"]:
-        github.trigger_docker_build_test(github_token, dev_branch, image_type, kafka_url)
-    print("\nDocker Build Test workflows triggered successfully for both JVM and native images.")
-    if confirm("Also trigger Docker RC release workflows to push RC images to DockerHub?"):
-        print(f"\nStep 2/2: Triggering Docker RC Release workflows for JVM and native images...")
-        for image_type in ["jvm", "native"]:
-            docker_image_name = "apache/kafka-native" if image_type == "native" else "apache/kafka"
-            rc_docker_image = f"{docker_image_name}:{rc_tag}"
-            github.trigger_docker_rc_release(github_token, dev_branch, image_type, rc_docker_image, kafka_url)
-        print("\nDocker RC Release workflows triggered successfully for both JVM and native images.")
-    print(f"\nAll Docker workflow runs can be monitored at: https://github.com/{github.GITHUB_REPO}/actions")
-else:
-    print("Skipping Docker image workflows.")
+trigger_docker_workflows(rc_tag, release_version, dev_branch)
 
 # Move back to starting branch and clean out the temporary release branch (e.g. 1.0.0) we used to generate everything
 git.reset_hard_head()

release/templates.py

@@ -268,6 +268,25 @@ def rc_email_instructions(rc_email_text):
 """
 
 
+def github_token_instructions():
+    return """
+To trigger Docker image builds, you need a GitHub Personal Access Token.
+
+How to generate one:
+  1. Go to https://github.com/settings/tokens
+  2. Click "Generate new token" -> "Generate new token (classic)"
+  3. Set a name (e.g. "kafka-release")
+  4. Set an expiration (e.g. 7 days is sufficient for a release cycle)
+  5. Select the scope: "repo" (Full control of private repositories)
+     - This includes the required "actions" write permission
+  6. Click "Generate token"
+  7. Copy the token (starts with "ghp_...")
+
+Note: The token will be saved in your release preferences file for reuse.
+      You only need to generate it once per release cycle.
+"""
+
+
 def cmd_failed():
     return """
 *************************************************

release/test_docker_trigger_interactive.py

@@ -0,0 +1,104 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+"""
+Interactive test script for the Docker workflow trigger flow.
+
+This invokes the actual trigger_docker_workflows() function from release.py
+without needing GPG, SVN, Maven, or committer access. The function is
+extracted from release.py without executing its top-level interactive code.
+
+Usage:
+  # Dry-run (no API calls, no token needed — recommended for first test):
+  GITHUB_DRY_RUN=true python test_docker_trigger_interactive.py
+
+  # Against your fork (real API calls, needs a GitHub token):
+  GITHUB_REPO=yourusername/kafka python test_docker_trigger_interactive.py
+
+  # Combine both:
+  GITHUB_DRY_RUN=true GITHUB_REPO=yourusername/kafka python test_docker_trigger_interactive.py
+"""
+
+import os
+import sys
+
+# Ensure release/ is on the path
+sys.path.insert(0, os.path.dirname(__file__))
+
+from runtime import confirm, confirm_or_fail, prompt
+import github
+import preferences
+import templates
+
+
+def _load_trigger_docker_workflows():
+    """
+    Extract trigger_docker_workflows from release.py without executing the
+    module's top-level interactive code. We parse the source and compile just
+    the function definition, then bind it to real (not mocked) dependencies.
+    """
+    release_path = os.path.join(os.path.dirname(__file__), "release.py")
+    with open(release_path) as f:
+        source = f.read()
+
+    lines = source.split('\n')
+    func_lines = []
+    capturing = False
+    for line in lines:
+        if line.startswith('def trigger_docker_workflows('):
+            capturing = True
+        elif capturing and line and not line[0].isspace() and not line.startswith('#'):
+            break
+        if capturing:
+            func_lines.append(line)
+
+    func_source = '\n'.join(func_lines)
+
+    ns = {
+        'github': github,
+        'confirm': confirm,
+        'confirm_or_fail': confirm_or_fail,
+        'preferences': preferences,
+        'templates': templates,
+        'prompt': prompt,
+    }
+    exec(compile(func_source, release_path, 'exec'), ns)
+    return ns['trigger_docker_workflows']
+
+
+if __name__ == "__main__":
+    trigger_docker_workflows = _load_trigger_docker_workflows()
+
+    print("=" * 70)
+    print("  Docker Workflow Trigger - Interactive Test")
+    print("=" * 70)
+    print(f"\n  Target repo  : {github.GITHUB_REPO}")
+    print(f"  Dry-run mode : {github.DRY_RUN}")
+    print()
+
+    release_version = prompt("Enter release version (e.g. 4.3.0): ")
+    rc = prompt("Enter RC number (e.g. 0): ")
+    rc_tag = f"{release_version}-rc{rc}"
+    dev_branch = '.'.join(release_version.split('.')[:2])
+
+    print(f"\n  Release version : {release_version}")
+    print(f"  RC tag          : {rc_tag}")
+    print(f"  Dev branch      : {dev_branch}")
+
+    trigger_docker_workflows(rc_tag, release_version, dev_branch)
+
+    print("\nDone.")