KAFKA-19686 : release - Trigger docker builds with rc and release

[muralibasani]

https://issues.apache.org/jira/browse/KAFKA-19686

How It Works

After the RC tag is pushed, the script prompts: "Trigger Docker image
build workflows via GitHub Actions?"

If the user accepts:

1. Collects the user's GitHub Personal Access Token (with step-by-step
   generation instructions; token is saved in preferences for reuse)

2. Step 1 — Build & CVE scan: Triggers docker_build_and_test.yml for
   both JVM and native images. Then asks the user to verify builds passed
   with no CVEs. If CVEs are found (n), the user fixes the Dockerfiles
   (docker/jvm/Dockerfile, docker/native/Dockerfile) and the script
   re-triggers automatically. This loop continues until builds are clean.

3. Step 2 — RC release: Triggers docker_rc_release.yml for both JVM and
   native, pushing RC images to DockerHub with the correct names
   (apache/kafka:{rc_tag}, apache/kafka-native:{rc_tag}).

The entire Docker flow is optional — if the user declines the initial
prompt, the existing release flow is unchanged. No new dependencies were
added (only Python stdlib urllib).

Supports GITHUB_DRY_RUN=true (prints API calls without executing) and
GITHUB_REPO=user/fork (test against a personal fork)

Added a interactive test for docker flow. GITHUB_DRY_RUN=true python3
test_docker_trigger_interactive.py

release % GITHUB_DRY_RUN=true python3 test_docker_trigger_interactive.py
Using preferences from:
/Users/username/projects/others/kafka2/kafka/release/.release-settings.json
======================================================================
  Docker Workflow Trigger - Interactive Test
======================================================================

  Target repo  : apache/kafka    Dry-run mode : True

Enter release version (e.g. 4.3.0): 4.4.0  Enter RC number (e.g. 0): 0

  Release version : 4.4.0    RC tag          : 4.4.0-rc0    Dev branch
: 4.4

=== Docker Image Workflows ===
NOTE: GITHUB_DRY_RUN is enabled. No actual API calls will be made.
Trigger Docker image build workflows via GitHub Actions? (y/n): y
Assuming: github_token = fhkdskjfhsdakjfksjhgfdjsadgfjhdsagfjagsjfhgs

Step 1/2: Triggering Docker Build Test workflows for JVM and native
images...

--- Docker Build Test (jvm) ---
  Image type : jvm
  Branch/ref : 4.4
  Kafka URL  :
https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz
Triggering workflow docker_build_and_test.yml on apache/kafka with
inputs: {"image_type": "jvm", "kafka_url":
"https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz"}
[DRY RUN] POST
https://api.github.com/repos/apache/kafka/actions/workflows/docker_build_and_test.yml/dispatches
[DRY RUN] Body: {
  "ref": "4.4",
  "inputs": {
    "image_type": "jvm",
    "kafka_url":
"https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz"
  }
}
Successfully triggered docker_build_and_test.yml
[DRY RUN] GET
https://api.github.com/repos/apache/kafka/actions/workflows/docker_build_and_test.yml/runs?per_page=1
  View run:
https://github.com/apache/kafka/actions/workflows/docker_build_and_test.yml

--- Docker Build Test (native) ---
  Image type : native
  Branch/ref : 4.4
  Kafka URL  :
https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz
Triggering workflow docker_build_and_test.yml on apache/kafka with
inputs: {"image_type": "native", "kafka_url":
"https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz"}
[DRY RUN] POST
https://api.github.com/repos/apache/kafka/actions/workflows/docker_build_and_test.yml/dispatches
[DRY RUN] Body: {
  "ref": "4.4",
  "inputs": {
    "image_type": "native",
    "kafka_url":
"https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz"
  }
}
Successfully triggered docker_build_and_test.yml
[DRY RUN] GET
https://api.github.com/repos/apache/kafka/actions/workflows/docker_build_and_test.yml/runs?per_page=1
  View run:
https://github.com/apache/kafka/actions/workflows/docker_build_and_test.yml

Docker Build Test workflows triggered successfully for both JVM and
native images.

Please check the build results and CVE scan reports at:
https://github.com/apache/kafka/actions/workflows/docker_build_and_test.yml

Verify that:    1. Both JVM and native image builds succeeded    2. The
CVE scan reports show no CRITICAL or HIGH vulnerabilities    3. If CVEs
are found, update the Dockerfiles and re-trigger       Dockerfiles are
located at: docker/jvm/Dockerfile and docker/native/Dockerfile  Have the
builds passed with no CVEs? (n to re-trigger after fixing Dockerfiles)
(y/n): y

Step 2/2: Triggering Docker RC Release workflows for JVM and native
images...

--- Docker RC Release (jvm) ---
  Image type   : jvm
  Docker image : apache/kafka:4.4.0-rc0
  Branch/ref   : 4.4
  Kafka URL    :
https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz
Triggering workflow docker_rc_release.yml on apache/kafka with inputs:
{"image_type": "jvm", "rc_docker_image": "apache/kafka:4.4.0-rc0",
"kafka_url":
"https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz"}
[DRY RUN] POST
https://api.github.com/repos/apache/kafka/actions/workflows/docker_rc_release.yml/dispatches
[DRY RUN] Body: {
  "ref": "4.4",
  "inputs": {
    "image_type": "jvm",
    "rc_docker_image": "apache/kafka:4.4.0-rc0",
    "kafka_url":
"https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz"
  }
}
Successfully triggered docker_rc_release.yml
[DRY RUN] GET
https://api.github.com/repos/apache/kafka/actions/workflows/docker_rc_release.yml/runs?per_page=1
  View run:
https://github.com/apache/kafka/actions/workflows/docker_rc_release.yml

--- Docker RC Release (native) ---
  Image type   : native
  Docker image : apache/kafka-native:4.4.0-rc0
  Branch/ref   : 4.4
  Kafka URL    :
https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz
Triggering workflow docker_rc_release.yml on apache/kafka with inputs:
{"image_type": "native", "rc_docker_image":
"apache/kafka-native:4.4.0-rc0", "kafka_url":
"https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz"}
[DRY RUN] POST
https://api.github.com/repos/apache/kafka/actions/workflows/docker_rc_release.yml/dispatches
[DRY RUN] Body: {
  "ref": "4.4",
  "inputs": {
    "image_type": "native",
    "rc_docker_image": "apache/kafka-native:4.4.0-rc0",
    "kafka_url":
"https://dist.apache.org/repos/dist/dev/kafka/4.4.0-rc0/kafka_2.13-4.4.0.tgz"
  }
}
Successfully triggered docker_rc_release.yml
[DRY RUN] GET
https://api.github.com/repos/apache/kafka/actions/workflows/docker_rc_release.yml/runs?per_page=1
  View run:
https://github.com/apache/kafka/actions/workflows/docker_rc_release.yml

Docker RC Release workflows triggered successfully for both JVM and
native images.

All Docker workflow runs can be monitored at:
https://github.com/apache/kafka/actions

Done.

[mimaison]

Thanks for looking into this. I left a few suggestions

[mimaison]

Can we have some detail how to generate a token?

[muralibasani]

Added get token instructions to template, so when user starts the script, it prints them. https://github.com/apache/kafka/pull/21963/changes#diff-e0b37c325cc2eb8c49ab256555554edc05bf4e316f6d6d728169bdc50eba68c7R271

[mimaison]

Instead of asking whether to run this step or not, the prompt should ask to go check the builds have succeeded and the reports indicate no CVEs where found. If CVEs are found then we need to update the Dockerfiles and rerun until no CVEs are detected.

Once this is done, the following steps should be run.

[mimaison]

Could we also print links to the builds this triggers?

[muralibasani]

Now the flow is in 2 steps.

• Docker Build Test workflows with cve scan prompts
• RC release

[muralibasani]

Added a test interactive script and updated pr description with it's execution. There we can see how are the prompts.

[muralibasani]

Build run urls are printed yes.

[muralibasani]

Thanks for looking into this. I left a few suggestions

@mimaison Thankyou for the review. Made the below changes.

• I moved the docker workflows codeblocks to a def now making it more clear
• Getting token instructions are added. Token is cached and reset insurctutions are there.
• Added prompts for cve and passed builds
• If user replies as 'n' for cve or build prompts, it will be in the loop
• Added a definition for build run urls
• A interactive test is added to simulate the flow

[muralibasani]

@mimaison possible for another review ?

[muralibasani]

@dejan2609 possible for you to review this one ?