-
Notifications
You must be signed in to change notification settings - Fork 63
feat(kernel): consolidated DAIS gap-closure + PuPr feature set + nightly workflows for e2e tests #399
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
mani-mathur-arch
wants to merge
26
commits into
main
Choose a base branch
from
mani/sea-kernel-consolidated
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
feat(kernel): consolidated DAIS gap-closure + PuPr feature set + nightly workflows for e2e tests #399
Changes from all commits
Commits
Show all changes
26 commits
Select commit
Hold shift + click to select a range
1826696
feat(kernel): close deferred DAIS rows — OAuth M2M/U2M, metric-view, …
mani-mathur-arch 596fd65
fix(kernel): address code-review findings — internal auth interfaces,…
mani-mathur-arch 62bb700
feat(arrowscan): render INTERVAL day-time & year-month
mani-mathur-arch 9e7e932
test(kernel): pin TIMESTAMP vs TIMESTAMP_NTZ parity
mani-mathur-arch 832e73d
test(kernel): pin VARIANT & GEOMETRY render parity
mani-mathur-arch ad9eebc
fix(kernel): surface kernel errors as DBExecutionError with sqlstate
mani-mathur-arch 24c4d83
docs(kernel): document verified inherited features; drop stale interv…
mani-mathur-arch 608763e
feat(kernel): bind query parameters via the C ABI
mani-mathur-arch 0a17eff
feat(kernel): surface server query id for EXECUTE_STATEMENT telemetry
mani-mathur-arch d996b9e
build(kernel): pin KERNEL_REV to the PuPr statement-surface rev
mani-mathur-arch bb11634
fix(kernel): address PR review — interval MinInt overflow, cancel evi…
mani-mathur-arch 8c62521
fix(kernel): wrap unsupported-auth rejection with ErrNotSupportedByKe…
mani-mathur-arch 5c99a7a
feat(kernel): richer TLS Go options — CA bundle + independent hostnam…
mani-mathur-arch d37ce50
Address review: sentinel error, defensive PEM copy, MITM warning, Thr…
mani-mathur-arch f741ac0
Address review nits: mirror sentinel doc, PEM-copy test, DeepCopy cov…
mani-mathur-arch 58ed62a
feat(kernel): route kernel logging through the driver log level + cor…
mani-mathur-arch c0ecc6d
fix(kernel): tighten logging docs + fatal/panic->OFF + correlation test
mani-mathur-arch 7acc85f
test(kernel): add resolveKernelLogArg seam + untagged level tests
mani-mathur-arch 334e5ff
ci: nightly E2E workflow for the Thrift and kernel backends
mani-mathur-arch 773e19c
ci(nightly-e2e): split the kernel job timeout budget so Go's timeout …
mani-mathur-arch 5ac4ad2
ci: dispatch the SEA-via-kernel integration leg behind a kernel label
mani-mathur-arch c85ff22
fix(kernel): record CLOSE_STATEMENT telemetry + sentinel-wrap the aut…
mani-mathur-arch 0b1df5b
test(kernel): exercise the real construction-failure OnClose path; fi…
mani-mathur-arch 13e1b7c
fix(kernel): fix errcheck lint + trim comments and cross-references
mani-mathur-arch 988bcb9
Address PR #399 review comments: bind-NUL guard, failure telemetry, M…
mani-mathur-arch 484ed03
Fix stale execute() doc: params are bound, not rejected
mani-mathur-arch File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,246 @@ | ||
| name: Nightly E2E | ||
|
|
||
| # Runs the credential-gated end-to-end suites against a real test SQL warehouse. | ||
| # These tests self-skip in the ordinary "Go" workflow (which injects no warehouse | ||
| # secrets), so real-warehouse behaviour — large multi-page CloudFetch, S3 downloads, | ||
| # drain-past-deadline, real auth — is otherwise not exercised in CI. | ||
| # | ||
| # Covers both backends against one test warehouse: | ||
| # - Thrift (default pure-Go) E2E — driver_e2e_test.go | ||
| # - SEA-via-kernel E2E — kernel_e2e_test.go (cgo + databricks_kernel) | ||
| # | ||
| # Both suites read the same DATABRICKS_PECOTESTING_* warehouse credentials, so a | ||
| # single secret set drives the whole workflow. A failed scheduled run surfaces via | ||
| # GitHub's built-in notification. | ||
|
|
||
| on: | ||
| schedule: | ||
| # 07:00 UTC daily (~midnight PT / mid-morning IST) — off-peak for the shared | ||
| # test warehouse. Scheduled workflows only run on the default branch. | ||
| - cron: '0 7 * * *' | ||
| # Manual trigger for on-demand runs (e.g. validating a fix or new secret wiring) | ||
| # without waiting for the nightly cron. | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| thrift-e2e: | ||
| name: E2E (Thrift backend) | ||
| # Runs by default; disable by setting the NIGHTLY_E2E_ENABLED repo variable to | ||
| # 'false'. This is NOT a skip-on-missing-secret gate: if the variable is unset | ||
| # and the warehouse secrets aren't provisioned, the credential step below | ||
| # hard-fails by design (a silent skip reporting green is the gap being closed). | ||
| if: ${{ vars.NIGHTLY_E2E_ENABLED != 'false' }} | ||
| timeout-minutes: 20 | ||
| runs-on: | ||
| group: databricks-protected-runner-group | ||
| labels: linux-ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out code into the Go module directory | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
|
|
||
| - name: Setup JFrog | ||
| uses: ./.github/actions/setup-jfrog | ||
|
|
||
| - name: Set up Go Toolchain | ||
| uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 | ||
| with: | ||
| go-version: '1.25.x' | ||
| cache: false | ||
|
|
||
| - name: Get dependencies | ||
| run: | | ||
| if ! command -v make &> /dev/null ; then | ||
| apt-get update && apt-get install -y make | ||
| fi | ||
| go get -v -t -d ./... | ||
|
|
||
| # Guard: fail loudly if a credential is missing rather than letting the tests | ||
| # silently t.Skip() into a misleading green. The token may be provided as either | ||
| # _TOKEN or _TOKEN_PERSONAL (the tests accept either), so require at least one. | ||
| - name: Verify warehouse credentials are present | ||
| env: | ||
| HOST: ${{ secrets.DATABRICKS_PECOTESTING_SERVER_HOSTNAME }} | ||
| HTTP_PATH: ${{ secrets.DATABRICKS_PECOTESTING_HTTP_PATH2 }} | ||
| TOKEN: ${{ secrets.DATABRICKS_PECOTESTING_TOKEN }} | ||
| TOKEN_PERSONAL: ${{ secrets.DATABRICKS_PECOTESTING_TOKEN_PERSONAL }} | ||
| run: | | ||
| if [ -z "$HOST" ] || [ -z "$HTTP_PATH" ] || { [ -z "$TOKEN" ] && [ -z "$TOKEN_PERSONAL" ]; }; then | ||
| echo "::error::Nightly E2E warehouse secrets are not set (need DATABRICKS_PECOTESTING_SERVER_HOSTNAME, _HTTP_PATH2, and _TOKEN or _TOKEN_PERSONAL). Provision them in the repository settings." >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| # The Thrift E2E tests read the DATABRICKS_PECOTESTING_* vars directly and run | ||
| # in the default pure-Go build (CGO_ENABLED=0). -run targets the high-value | ||
| # real-warehouse scenarios: large multi-page CloudFetch drain-past-caller- | ||
| # deadline and exact row count. -count=1 defeats the test cache so a scheduled | ||
| # run always re-exercises the warehouse. NOT -short, so | ||
| # TestE2ECloudFetchExactRowCount (guarded by -short) actually runs. | ||
| - name: Run Thrift E2E | ||
| env: | ||
| CGO_ENABLED: 0 | ||
| DATABRICKS_PECOTESTING_SERVER_HOSTNAME: ${{ secrets.DATABRICKS_PECOTESTING_SERVER_HOSTNAME }} | ||
| DATABRICKS_PECOTESTING_HTTP_PATH2: ${{ secrets.DATABRICKS_PECOTESTING_HTTP_PATH2 }} | ||
| DATABRICKS_PECOTESTING_TOKEN: ${{ secrets.DATABRICKS_PECOTESTING_TOKEN }} | ||
| DATABRICKS_PECOTESTING_TOKEN_PERSONAL: ${{ secrets.DATABRICKS_PECOTESTING_TOKEN_PERSONAL }} | ||
| run: | | ||
| go test -count=1 -v -timeout 15m \ | ||
| -run 'TestE2EArrowBatchesSurviveQueryContextCancellation|TestE2ECloudFetchExactRowCount' . | ||
|
|
||
| kernel-e2e: | ||
| name: E2E (kernel backend) | ||
| if: ${{ vars.NIGHTLY_E2E_ENABLED != 'false' }} | ||
| # Bounds the same source-build blast radius as the go.yml kernel job: an external | ||
| # clone + ~200-crate cold compile shouldn't hold a protected-runner slot to the | ||
| # 360-min default. Budget is split explicitly (see the per-step timeout on "Build | ||
| # kernel lib" below) so the job cap sits strictly above setup + build + the go | ||
| # test -timeout, letting Go's own timeout fire first and emit its which-test-hung | ||
| # goroutine dump instead of GitHub SIGKILLing the job mid-build on a cache miss. | ||
| timeout-minutes: 65 | ||
| runs-on: | ||
| group: databricks-protected-runner-group | ||
| labels: linux-ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out code into the Go module directory | ||
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
|
|
||
| # Go module proxy (GOPROXY + ~/.netrc) via JFrog OIDC. Also exports | ||
| # JFROG_ACCESS_TOKEN, which the cargo step below reuses. | ||
| - name: Setup JFrog | ||
| uses: ./.github/actions/setup-jfrog | ||
|
|
||
| # The protected runner blocks direct crates.io access (go/hardened-gha), so | ||
| # point cargo at the JFrog crates proxy, reusing setup-jfrog's JFROG_ACCESS_TOKEN. | ||
| - name: Configure cargo to use JFrog | ||
| shell: bash | ||
| run: | | ||
| set -euo pipefail | ||
| mkdir -p ~/.cargo | ||
| cat > ~/.cargo/config.toml << 'EOF' | ||
| [source.crates-io] | ||
| replace-with = "jfrog" | ||
|
|
||
| [source.jfrog] | ||
| registry = "sparse+https://databricks.jfrog.io/artifactory/api/cargo/db-cargo-remote/index/" | ||
|
|
||
| [registries.jfrog] | ||
| index = "sparse+https://databricks.jfrog.io/artifactory/api/cargo/db-cargo-remote/index/" | ||
| credential-provider = ["cargo:token"] | ||
| EOF | ||
| cat > ~/.cargo/credentials.toml << EOF | ||
| [registries.jfrog] | ||
| token = "Bearer ${JFROG_ACCESS_TOKEN}" | ||
| EOF | ||
| chmod 600 ~/.cargo/credentials.toml | ||
|
|
||
| - name: Set up Go Toolchain | ||
| uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 | ||
| with: | ||
| go-version: '1.25.x' | ||
| cache: false | ||
|
|
||
| # Keep in lockstep with rust-toolchain.toml's channel (it governs the archive | ||
| # under a fixed KERNEL_REV; a floating `stable` here would drift it). | ||
| - name: Set up Rust Toolchain | ||
| uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1 | ||
| with: | ||
| toolchain: 1.96.1 | ||
|
|
||
| # The kernel repo is private and the hardened runner has no ambient git creds. | ||
| # Mint a repo-scoped token from the INTEGRATION_TEST_APP GitHub App and rewrite | ||
| # the kernel HTTPS URL to carry it (same mechanism as the go.yml kernel job). | ||
| - name: Generate GitHub App token for databricks-sql-kernel | ||
| id: kernel-token | ||
| uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0 | ||
| with: | ||
| app-id: ${{ secrets.INTEGRATION_TEST_APP_ID }} | ||
| private-key: ${{ secrets.INTEGRATION_TEST_PRIVATE_KEY }} | ||
| owner: databricks | ||
| repositories: databricks-sql-kernel | ||
|
|
||
| - name: Rewrite kernel repo URL to authenticated HTTPS | ||
| env: | ||
| TOKEN: ${{ steps.kernel-token.outputs.token }} | ||
| run: | | ||
| git config --global \ | ||
| url."https://x-access-token:${TOKEN}@github.com/databricks/".insteadOf \ | ||
| "https://github.com/databricks/" | ||
|
|
||
| - name: Cache kernel static lib | ||
| uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 | ||
| with: | ||
| path: | | ||
| internal/backend/kernel/lib | ||
| internal/backend/kernel/include | ||
| key: ${{ runner.os }}-kernellib-${{ hashFiles('KERNEL_REV', 'rust-toolchain.toml') }} | ||
|
|
||
| - name: Cache cargo + kernel build tree | ||
| uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0 | ||
| with: | ||
| path: | | ||
| ~/.cargo/registry | ||
| ~/.cargo/git | ||
| build/kernel-src/target | ||
| key: ${{ runner.os }}-kernel-cargo-${{ hashFiles('KERNEL_REV', 'rust-toolchain.toml') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-kernel-cargo- | ||
|
|
||
| - name: Install build prerequisites (make, C compiler) | ||
| run: | | ||
| if ! command -v make &> /dev/null ; then | ||
| apt-get update && apt-get install -y make | ||
| fi | ||
| if ! command -v cc &> /dev/null ; then | ||
| apt-get update && apt-get install -y build-essential | ||
| fi | ||
|
|
||
| # Same guard as the Thrift job: require host, http path, and at least one of | ||
| # _TOKEN / _TOKEN_PERSONAL so a missing credential fails loud instead of skipping. | ||
| - name: Verify warehouse credentials are present | ||
| env: | ||
| HOST: ${{ secrets.DATABRICKS_PECOTESTING_SERVER_HOSTNAME }} | ||
| HTTP_PATH: ${{ secrets.DATABRICKS_PECOTESTING_HTTP_PATH2 }} | ||
| TOKEN: ${{ secrets.DATABRICKS_PECOTESTING_TOKEN }} | ||
| TOKEN_PERSONAL: ${{ secrets.DATABRICKS_PECOTESTING_TOKEN_PERSONAL }} | ||
| run: | | ||
| if [ -z "$HOST" ] || [ -z "$HTTP_PATH" ] || { [ -z "$TOKEN" ] && [ -z "$TOKEN_PERSONAL" ]; }; then | ||
| echo "::error::Nightly E2E warehouse secrets are not set (need DATABRICKS_PECOTESTING_SERVER_HOSTNAME, _HTTP_PATH2, and _TOKEN or _TOKEN_PERSONAL). Provision them in the repository settings." >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| # Build the pinned kernel .a (make kernel-lib, cache permitting). Cap the Rust | ||
| # build explicitly so a cold ~200-crate compile that wedges is killed here as a | ||
| # build failure, rather than eating into the go test budget and letting GitHub | ||
| # SIGKILL the whole job before Go's -timeout can report which test hung. 25m | ||
| # (build) + 30m (go test) + setup stays under the 65m job cap. | ||
| - name: Build kernel lib | ||
| timeout-minutes: 25 | ||
| run: make kernel-lib | ||
|
|
||
| # Run the kernel E2E tests tagged cgo+databricks_kernel. The kernel suite reads | ||
| # the same DATABRICKS_PECOTESTING_* credentials as the Thrift suite. -run selects | ||
| # the kernel E2E funcs plus the Thrift-vs-kernel parity funcs (TestKernelThriftParity | ||
| # / TestKernelParamsVsThrift) — the latter need both the kernel lib AND live | ||
| # credentials, so this is the only job that can run them. The tagged UNIT tests | ||
| # already run credential-free in the go.yml kernel job. | ||
| # | ||
| # TestKernelE2EM2M is excluded: -run matches it (unanchored prefix), but it needs | ||
| # a service principal (DATABRICKS_CLIENT_ID / _CLIENT_SECRET) that this warehouse | ||
| # secret set doesn't carry, so it would t.Skip() every run. -skip keeps it clearly | ||
| # out of scope here rather than a misleading silent skip; add M2M service-principal | ||
| # secrets + drop the -skip to cover it. | ||
| - name: Run kernel E2E | ||
| env: | ||
| DATABRICKS_PECOTESTING_SERVER_HOSTNAME: ${{ secrets.DATABRICKS_PECOTESTING_SERVER_HOSTNAME }} | ||
| DATABRICKS_PECOTESTING_HTTP_PATH2: ${{ secrets.DATABRICKS_PECOTESTING_HTTP_PATH2 }} | ||
| DATABRICKS_PECOTESTING_TOKEN: ${{ secrets.DATABRICKS_PECOTESTING_TOKEN }} | ||
| DATABRICKS_PECOTESTING_TOKEN_PERSONAL: ${{ secrets.DATABRICKS_PECOTESTING_TOKEN_PERSONAL }} | ||
| run: | | ||
| CGO_ENABLED=1 go test -tags databricks_kernel -count=1 -v -timeout 30m \ | ||
| -run 'TestKernelE2E|TestKernelThriftParity|TestKernelParamsVsThrift' \ | ||
| -skip 'TestKernelE2EM2M' . | ||
|
mani-mathur-arch marked this conversation as resolved.
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.