refactor(tekton/tikv/migration): use tekton to replace jenkins job migration-docker-release

[lybcodes]

Depends on: PingCAP-QE/artifacts#907
Close: #3347

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the CI/CD pipeline for the tikv/migration project by migrating its docker release job from Jenkins to Tekton. The change introduces a new Tekton Trigger to automate builds and releases based on git push events to the main branch, streamlining the deployment process and leveraging Tekton's native Kubernetes capabilities.

Highlights

• Tekton Trigger for tikv/migration: A new Tekton Trigger named "git-push-tikv-migration" has been introduced. This trigger is designed to activate upon git push events to the 'main' branch of the 'tikv/migration' repository, initiating a build process using the 'build-component-linux' template with predefined parameters for component, OS, profile, workspace size, and timeout.
• Integration into GCP Environment: The newly defined Tekton Trigger for 'tikv/migration' has been incorporated into the 'env-gcp' kustomization. This ensures that the trigger is properly deployed and enabled within the Google Cloud Platform environment, facilitating automated CI/CD for the specified repository.

Changelog

• tekton/v1/triggers/triggers/env-gcp/kustomization.yaml
  • Added a reference to the new Tekton trigger for tikv/migration.
• tekton/v1/triggers/triggers/env-gcp/tikv/migration/git-push.yaml
  • Created a new Tekton Trigger resource for git-push events on the tikv/migration repository.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[ti-chi-bot]

I have already done a preliminary review for you, and I hope to help you do a better job.

Summary:
This PR refactors the migration Docker release process for the TikV migration repository by replacing the existing Jenkins job with a Tekton trigger and pipeline. The approach introduces a new Tekton Trigger resource that listens for GitHub branch push events to the tikv/migration repo, specifically on the main branch, and then launches a Tekton pipeline to build the component. The changes are concise and focused on Tekton YAML definitions, with no complex logic introduced. Overall, the implementation is clear and aligns with Tekton best practices, but there are some improvements around documentation, maintainability, and validation that could be addressed.

---

Code Improvements

• Missing newline at end of file

  • File: tekton/v1/triggers/triggers/env-gcp/tikv/migration/git-push.yaml (last line)
  • Why: POSIX standards recommend ending files with a newline to avoid issues with diff tools and some parsers.
  • Suggestion: Add a newline at the end of the file.

• Filter expression readability and robustness

  • File: git-push.yaml, lines 13-17
  • Why: The CEL filter expression is embedded in a multi-line string which can be error-prone and harder to maintain. Also, the regex ^refs/heads/main$ is very specific; if other branches need to trigger the pipeline in the future, this would require edits.
  • Suggestion:
    • For readability, consider writing the CEL expression in one line or use indentation consistent with YAML multiline strings.
    • If appropriate, parameterize the branch filter for easier future extension.
      Example:

    value: "body.repository.full_name == 'tikv/migration' && body.ref.matches('^refs/heads/main$')"

• Hardcoded values in bindings

  • File: git-push.yaml, lines 20-27
  • Why: Values such as component: migration, os: linux, profile: release, source-ws-size: 20Gi, and timeout: 60m are hardcoded. While this may be intended, consider if these should be parametrized or documented for future maintainers.
  • Suggestion: Add comments or consider extracting these values as parameters or config maps if they might change.

---

Best Practices

• Lack of documentation/comments

  • Files: Both YAML files, especially git-push.yaml
  • Why: The trigger YAML lacks comments explaining the purpose of the trigger, the meaning of each binding, and the role of the interceptor. This can hinder onboarding and future maintenance.
  • Suggestion: Add concise comments describing:
    • What this trigger does (e.g., "Trigger pipeline on push to main branch of tikv/migration repo")
    • Role of each binding (e.g., "component specifies the component to build")
    • Purpose of the interceptor filter
      For example:

  spec:
    # Interceptor filters events to only trigger on pushes to tikv/migration main branch
    interceptors:
      - name: filter on repo and branches
        ...

• Testing and validation

  • Why: No evidence of testing or validation steps for the new Tekton trigger. Since this replaces a Jenkins job, it’s important to verify all expected behaviors.
  • Suggestion: Include or link to test plans or pipelines runs that validate this trigger works as expected, or add unit tests for CEL expressions if supported.

• Kustomization.yaml update confirmation

  • File: kustomization.yaml, line 34
  • Why: The new resource tikv/migration/git-push.yaml was added to the kustomization.yaml. Verify that this is the intended place and that the resource path matches your repo structure. If multiple environments exist, consider whether this should be environment-specific.
  • Suggestion: Confirm and document the choice of placing it under env-gcp.

---

Summary of Actionable Suggestions

- Add a newline at end of `git-push.yaml`.
- Simplify and/or document the CEL filter expression for better readability and future extensibility.
- Add comments to `git-push.yaml` explaining the purpose of the trigger, interceptor, and bindings.
- Consider parameterizing hardcoded values or at least document them.
- Ensure testing/validation steps for the new Tekton trigger are in place.
- Confirm the kustomization resource path and document the rationale.

[ti-chi-bot]

I have already done a preliminary review for you, and I hope to help you do a better job.

Summary
This PR refactors the CI/CD setup by replacing the Jenkins job migration-docker-release with a Tekton pipeline trigger for the tikv/migration repository. The approach adds a new Tekton Trigger resource under env-gcp that listens to GitHub branch push events specifically on the main branch of the tikv/migration repo. The overall code quality looks clean and consistent with existing Tekton trigger definitions.

---

Code Improvements

• Trigger Filtering Logic (File: tekton/v1/triggers/triggers/env-gcp/tikv/migration/git-push.yaml, lines 13-17)
  The CEL filter expression uses a matches function on body.ref to match the branch name. However, body.ref is the full ref string (e.g., refs/heads/main). The regex ^refs/heads/main$ works but could be simplified or made more readable.
  Suggestion:
  Use exact string comparison if only the main branch is needed:

  value: "body.repository.full_name == 'tikv/migration' && body.ref == 'refs/heads/main'"

  This approach is more performant and less error-prone than regex matching.

• Timeout Parameter (File: tekton/v1/triggers/triggers/env-gcp/tikv/migration/git-push.yaml, lines 26-27)
  The timeout is set to 60m, which may be sufficient but depends on the migration build duration. Consider making this configurable or documenting the rationale.
  Suggestion: Add a comment or link to documentation explaining why 60 minutes is chosen or provide a variable for easier updates.

• Parameter Consistency
  The trigger passes parameters like component, os, profile, source-ws-size, and timeout. Verify that these parameters align with the build-component-linux template and that all required parameters are passed. Missing or extra params could cause runtime errors.
  Suggestion: Cross-check build-component-linux for expected parameters.

---

Best Practices

• Documentation (Files: All new Tekton trigger files)
  There is no inline comment or external documentation referencing this new trigger. Since this replaces an existing Jenkins job, it would be helpful to add:

  • A brief comment explaining the purpose of this trigger and its relation to the Jenkins job it replaces.
  • Documentation updates outside of code (e.g., README or Confluence) to guide maintainers on the migration from Jenkins to Tekton.

  Example comment at the top of git-push.yaml:

  # Tekton Trigger for tikv/migration repository.
  # Replaces the Jenkins job 'migration-docker-release' with a Tekton-based build trigger.

• Testing Coverage
  There's no indication of tests or validation for this trigger configuration. While Tekton triggers are declarative, it is good practice to have integration tests or manual validation steps documented to ensure the trigger behaves as expected on GitHub events.

• Naming Conventions
  The trigger name git-push-tikv-migration is clear and consistent. No issues found here.

---

Critical Issues

No critical issues such as bugs, security vulnerabilities, or broken functionality were identified from the provided diff. The changes are additive and focused on configuration.

---

Summary of Actionable Suggestions:

• Simplify the CEL filter expression for branch matching to exact string comparison.
• Document or justify the 60-minute timeout value.
• Verify parameter alignment with the referenced Tekton template build-component-linux.
• Add comments and documentation about the trigger’s purpose and Jenkins replacement.
• Consider adding or documenting testing steps for this new trigger.

[gemini-code-assist]

Code Review

This pull request migrates the "migration-docker-release" Jenkins job to a Tekton trigger for the "tikv/migration" repository. A critical security vulnerability has been identified: the trigger configuration lacks webhook signature validation, which could allow unauthorized users to trigger builds with malicious source code and lead to a supply chain attack. It is strongly recommended to add a github interceptor for HMAC signature validation. Additionally, there are minor suggestions to improve the overall robustness of the new trigger, including a file formatting convention.

[ti-chi-bot]

I have already done a preliminary review for you, and I hope to help you do a better job.

Summary
This PR refactors the CI pipeline for the tikv/migration repository by replacing the existing Jenkins job migration-docker-release with a Tekton-based trigger and pipeline. The approach introduces a new Tekton Trigger resource that listens for GitHub push events on the tikv/migration repo’s main branch, with relevant pipeline parameters configured for building the component. The changes are concise, focused, and follow Tekton best practices for event filtering and parameterization.

---

Code Improvements

• Trigger Filtering Logic (tekton/v1/triggers/triggers/env-gcp/tikv/migration/git-push.yaml, lines 11-17):
  The CEL expression for filtering GitHub events uses body.ref.matches('^refs/heads/main$'). While this works, the use of matches() with a regex for an exact match is somewhat heavy. Consider using body.ref == 'refs/heads/main' for simplicity and improved readability and performance:

  value: >-
    body.deleted != true
    &&
    body.repository.full_name == 'tikv/migration'
    &&
    body.ref == 'refs/heads/main'

• Timeout Configuration (kustomization.yaml and git-push.yaml):
  The timeout is set to "60m" as a string. Verify that the Tekton pipeline and trigger templates expect a string or duration format. If numeric minutes are required, ensure this matches the expected type to avoid silent misconfiguration.

• Resource Naming Consistency (kustomization.yaml):
  You added tikv/migration/git-push.yaml to the resources list. Please confirm that the file path and naming convention (git-push.yaml) is consistent with other similar triggers to maintain uniformity.

---

Best Practices

• Documentation (git-push.yaml):
  The new trigger resource lacks comments describing its purpose and the parameters. Adding brief comments would improve maintainability, for example:

  # Trigger for building tikv/migration on pushes to the main branch.
  # Filters out deleted branch events.
  # Uses build-component-linux template with release profile.

• Testing Coverage:
  There is no mention of test coverage or validation for this new Tekton trigger. Consider adding or referencing tests that simulate GitHub push events to verify the trigger fires correctly and the pipeline runs as expected.

---

Critical Issues

No critical bugs, security issues, or broken functionality observed in the provided diff.

---

Overall, the PR is well-scoped and integrates the new Tekton trigger cleanly. Addressing the above improvements will enhance readability, maintainability, and reliability.

[ti-chi-bot]

I have already done a preliminary review for you, and I hope to help you do a better job.

Summary
This PR refactors the Tekton pipeline setup to replace the Jenkins job for migration-docker-release in the tikv/migration repository. It adds a new Tekton Trigger YAML to listen for GitHub branch pushes on the main branch of tikv/migration and includes it in the GCP environment kustomization. The approach is straightforward, defining a Trigger with relevant bindings and an interceptor filter. Overall, the code is clear and well-structured for the intended purpose.

Code Improvements

• Trigger Filtering Logic (tekton/v1/triggers/triggers/env-gcp/tikv/migration/git-push.yaml, lines 11-15)
  The CEL filter expression currently hardcodes the repository full name and branch as a single string match:

  body.repository.full_name == 'tikv/migration' && body.ref.matches('^refs/heads/main$')

  This is redundant given the trigger is scoped to tikv/migration repo and main branch by GitHub webhook configuration.
  Suggestion: Simplify the interceptor or ensure this matches production webhook payloads exactly to avoid trigger misses. Alternatively, document why both repo and branch filtering is necessary here.

• Timeout Parameter (lines 27-28)
  The timeout is set to 60m, which may be appropriate, but consider verifying if this duration aligns with the migration build's expected runtime based on historical Jenkins job data.
  Suggestion: If builds frequently take longer, increase timeout or make it configurable.

• Parameter Consistency
  The bindings include component: migration, os: linux, profile: release, and source-ws-size: 20Gi. Confirm these values match the Jenkins job parameters to ensure functional equivalence.
  Suggestion: Add a comment referencing the Jenkins job or include a README snippet describing these parameters for maintainability.

Best Practices

• Documentation (tekton/v1/triggers/triggers/env-gcp/tikv/migration/git-push.yaml)
  The new trigger YAML lacks comments explaining its purpose and relationship to the replaced Jenkins job.
  Suggestion: Add a header comment, e.g.:

  # Trigger to start Tekton pipeline on main branch push for tikv/migration,
  # replacing the Jenkins migration-docker-release job.

• Testing Coverage
  No mention of tests or validation of the new Tekton trigger.
  Suggestion: Ensure this trigger is tested in a staging environment with test pushes to verify pipeline execution and parameter correctness.

• Kustomization Inclusion (env-gcp/kustomization.yaml, line 35)
  The new resource is added:

  - tikv/migration/git-push.yaml

  Confirm that this file path is correct relative to the kustomization root to avoid deployment errors.

Minor Suggestions

• Labeling Consistency
  The label type: github-branch-push in the Trigger metadata is generic. Consider aligning labels with other triggers for easier filtering and management.

---

Addressing the above points will improve maintainability, clarity, and robustness of this Jenkins-to-Tekton migration for the tikv/migration component.

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wuhuizuo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• tekton/OWNERS [wuhuizuo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-03-05 07:05:13.953299048 +0000 UTC m=+428158.531378242: ☑️ agreed by wuhuizuo.