GH-49537: [C++][FlightRPC] Windows CI to Support ODBC DLL & MSI Signing

[alinaliBQ]

Rationale for this change

GH-49537

What changes are included in this PR?

• Implement Windows CIs to:
  1. CI A - odbc-msvc-upload-dll Upload unsigned DLL
  2. CI B - odbc-msvc-upload-msi Download signed DLL and upload unsigned MSI
• Remove odbc-release CI that is replaced by the new CIs.
• Use composite action to reuse code for building ODBC Windows.
• The release manager can run CI A first, then download the unsigned DLL and upload signed DLL.
• Run CI B to upload unsigned MSI. Then sign the MSI locally, and upload signed MSI to GitHub release. Example Command to trigger CI B:

gh workflow run cpp_extra.yml --ref apache-arrow-test-24.0.0-rc0 -f odbc_release_step=true

Example of 07-flightsqlodbc-upload.sh script (not tested):
We need to either 1) implement a way to get RUN_ID and then call gh run watch,
or 2) enter each command manually and wait for the CI to finish.

# download unsigned DLL
gh release download $tag --pattern arrow_flight_sql_odbc_unsigned.dll

# sign ODBC DLL and upload to GitHub release
jsign arrow_flight_sql_odbc_unsigned.dll ...
mv arrow_flight_sql_odbc_unsigned.dll arrow_flight_sql_odbc.dll
gh release upload $tag --clobber arrow_flight_sql_odbc.dll

# trigger CI B
gh workflow run cpp_extra.yml --ref $tag -f odbc_upload=msi

# download unsigned MSI
gh release download $tag --pattern Apache-Arrow-Flight-SQL-ODBC-*-win64.msi

# sign ODBC MSI and upload to GitHub release
jsign Apache-Arrow-Flight-SQL-ODBC-*-win64.msi ...
gh release upload $tag --clobber Apache-Arrow-Flight-SQL-ODBC-*-win64.msi

# remove ODBC DLLs from GitHub release
gh release delete-asset $tag arrow_flight_sql_odbc_unsigned.dll --yes
gh release delete-asset $tag arrow_flight_sql_odbc.dll --yes

Are these changes tested?

• The uploading and signing process is tested in my repo
• Workflows are verified in CI

Are there any user-facing changes?

N/A

• GitHub Issue: [C++][FlightRPC][ODBC] Add CI steps to support Windows DLL and MSI signing #49537

[alinaliBQ]

Since both DLL and MSI need to be signed and unsigned DLL is harder to catch, uploading as arrow_flight_sql_odbc_unsigned.dll to make it clear on GitHub release if the DLL is unsigned.

[alinaliBQ]

@amoeba PR is ready for review. We have an issue for flight-sql-tests ODBC Windows failure: #49465

[alinaliBQ]

I did an empty commit (a522393) and got this error:

Error: D:\a\arrow\arrow\./.github/actions/odbc-windows\action.yml (Line: 71, Col: 12): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.GITHUB_TOKEN
Error: GitHub.DistributedTask.ObjectTemplating.TemplateValidationException: The template is not valid. D:\a\arrow\arrow\./.github/actions/odbc-windows\action.yml (Line: 71, Col: 12): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.GITHUB_TOKEN
   at GitHub.DistributedTask.ObjectTemplating.TemplateValidationErrors.Check()
   at GitHub.Runner.Worker.ActionManifestManagerLegacy.ConvertRuns(IExecutionContext executionContext, TemplateContext templateContext, TemplateToken inputsToken, String fileRelativePath, MappingToken outputs)
   at GitHub.Runner.Worker.ActionManifestManagerLegacy.Load(IExecutionContext executionContext, String manifestFile)
Error: Failed to load D:\a\arrow\arrow\./.github/actions/odbc-windows\action.yml

The same implementation worked yesterday (see https://github.com/apache/arrow/actions/runs/23622018872/job/68803175375). Seems that GitHub might have updated runner, I will look into this.

[alinaliBQ]

Error: Failed to load D:\a\arrow\arrow./.github/actions/odbc-windows\action.yml

This issue should be resolved now by commit 95bc75b

[alinaliBQ]

@kou @raulcd This PR is ready for review. Please have a look if you have a chance, thank you

[amoeba]

Did you have any luck figuring out how to extract just the minimum set of files cpack needs to build the MSI? I see this job is rebuilding everything from scratch so we're building the ODBC driver twice. If it's not possible that's fine, and if we want to work on removing the extra full-build in a follow-up that's fine.

[alinaliBQ]

I am assuming we are referring to the comment here (#49404 (comment)). Yup the approach builds everything twice by design. Unfortunately getting specific files for a CPack build isn't doable as CPack only packages from a single build directory.

This workflow looks for cache, if a cache is hit, the build will be faster. I think this is the cleanest approach. And thanks for your understanding.

[amoeba]

Could we automatically build and upload the unsigned DLL when we tag a release? I think it could speed things up for the release managers. It looks like the way you have it here, the release manager has to manually run odbc-msvc-upload-dll. Is that just because of the renaming step?

[raulcd]

We do it on the Linux packaging ones. We trigger the job on tag creation:

arrow/.github/workflows/package_linux.yml

Lines 38 to 39 in 9273467

	tags:
	- "apache-arrow-*-rc*"

We wait until the Release is created on GitHub so we can use the tar.gz from the release:

arrow/.github/workflows/package_linux.yml

Lines 228 to 235 in 9273467

	- name: Wait for creating GitHub Release
	if: github.ref_type == 'tag'
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: |
	dev/release/utils-watch-gh-workflow.sh \
	${GITHUB_REF_NAME} \
	release_candidate.yml

And we only upload to the release:

arrow/.github/workflows/package_linux.yml

Lines 288 to 295 in 9273467

	- name: Upload the artifacts to GitHub Release
	if: github.ref_type == 'tag'
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: |
	gh release upload ${GITHUB_REF_NAME} \
	--clobber \
	${{ matrix.id }}.tar.gz*

Some of those steps are only done in the case of tag trigger (so only on RCs).

I think we should use a similar pattern.

[amoeba]

👍 thanks @raulcd

[alinaliBQ]

Yes I have changed odbc-msvc-upload-dll to be automatically triggered by the release tag. odbc-msvc-upload-dll will no longer be trigged via workflow dispatch.

From the discussion at #49404, I originally thought we wanted the odbc-msvc-upload-dll workflow to be triggered manually as well.

[amoeba]

Suggested change

	- name: Name Unsigned ODBC DLL
	- name: Rename Unsigned ODBC DLL

[alinaliBQ]

fixed

[amoeba]

Suggested change

	name: ODBC Windows Upload Unsigned MSI
	name: ODBC Windows Build & Upload Unsigned MSI

[alinaliBQ]

fixed

[amoeba]

Just a suggestion, this seems clearer as to the intent:

Suggested change

	odbc_upload:
	odbc_release_step:

[alinaliBQ]

yup sure, changed the name to odbc_release_step. I have changed the input to be boolean as well since odbc_release_step will only be used for triggering the MSI step.

[amoeba]

Suggested change

	description: 'ODBC Component Upload'
	description: 'Which ODBC release step to run'

[alinaliBQ]

Changed to ODBC MSI release step

[amoeba]

Suggested change

	if: inputs.odbc_upload == 'dll'
	if: inputs.odbc_release_step == 'dll'

[alinaliBQ]

fixed

[amoeba]

Suggested change

	if: inputs.odbc_upload == 'msi'
	if: inputs.odbc_release_step == 'msi'

[alinaliBQ]

fixed

[alinaliBQ]

Addressed comments. Please have another look, thanks!

[alinaliBQ]

I am assuming we are referring to the comment here (#49404 (comment)). Yup the approach builds everything twice by design. Unfortunately getting specific files for a CPack build isn't doable as CPack only packages from a single build directory.

This workflow looks for cache, if a cache is hit, the build will be faster. I think this is the cleanest approach. And thanks for your understanding.

[alinaliBQ]

Yes I have changed odbc-msvc-upload-dll to be automatically triggered by the release tag. odbc-msvc-upload-dll will no longer be trigged via workflow dispatch.

From the discussion at #49404, I originally thought we wanted the odbc-msvc-upload-dll workflow to be triggered manually as well.

[alinaliBQ]

fixed

[alinaliBQ]

fixed

[alinaliBQ]

yup sure, changed the name to odbc_release_step. I have changed the input to be boolean as well since odbc_release_step will only be used for triggering the MSI step.

[alinaliBQ]

Changed to ODBC MSI release step

[alinaliBQ]

fixed

[alinaliBQ]

fixed