ci: update Buildkite pipeline for GitHub CLI migration (#2602)
Purpose
This PR updates the .buildkite/pipeline.yml configuration to support the
migration of our release scripts to the official GitHub CLI (gh).
Key Changes
Tool Provisioning: The legacy ubuntu1804-java11 release image does not
have gh pre-installed. Added a step to securely install gh via the
official apt repository before the release script executes.
Script Patching: The previous pipeline used sed -i -e '403,410d' to
remove the GPG signing loop from build.sh. Because the release script
has been refactored, those line numbers are no longer accurate. This PR
updates the sed command to use content-based pattern matching (/rm
-f.*sha256/,/done/d), making it immune to future line-number shifts.
Variable Escaping: Ensured all Bash variables (\${ARTIFACTS},
\${keyfile}) are properly escaped so they are evaluated at runtime
inside the Docker container, not interpolated by Buildkite on the host.
Verification
[x] Verified gh installation commands for Ubuntu 18.04.
[x] Confirmed sed regex accurately targets the correct code block in
build.sh.
[29452](https://github.com/bazelbuild/bazel/pull/29452) - Github CLI
migration for release
diff --git a/buildkite/terraform/bazel-trusted/bazel-release-arm64.yml b/buildkite/terraform/bazel-trusted/bazel-release-arm64.yml
index ab8267b..3f67691 100644
--- a/buildkite/terraform/bazel-trusted/bazel-release-arm64.yml
+++ b/buildkite/terraform/bazel-trusted/bazel-release-arm64.yml
@@ -151,23 +151,32 @@
- "/var/lib/gitmirrors:/var/lib/gitmirrors:ro"
- "/var/run/docker.sock:/var/run/docker.sock"
command: |
+ # Install gh
+ apt-get update -y && apt-get install wget -y
+ mkdir -p -m 755 /etc/apt/keyrings
+ wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+ echo "deb [arch=\$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+ apt-get update -y && apt-get install gh -y
+
echo "+++ Fetching Git notes"
git fetch origin master
git fetch --force origin refs/notes/*:refs/notes/*
git checkout ${BUILDKITE_BRANCH}
echo "+++ Downloading release artifacts"
- ARTIFACTS="$(mktemp -d)"
+ ARTIFACTS="\$(mktemp -d)"
buildkite-agent artifact download "*" "\${ARTIFACTS}/"
echo "+++ Importing GPG release key"
- keyfile="$(mktemp --tmpdir)"
+ keyfile="\$(mktemp --tmpdir)"
chmod 0600 "\${keyfile}"
gsutil cat "gs://bazel-trusted-encrypted-secrets/release-key.gpg.enc" | gcloud kms decrypt --project "bazel-public" --location "global" --keyring "buildkite" --key "bazel-release-key" --ciphertext-file "-" --plaintext-file "\${keyfile}"
- gpg --allow-secret-key-import --import "\${keyfile}"
+ gpg --allow-secret-key-import --import "\${keyfile}"
rm -f "\${keyfile}"
echo "+++ Deploying release"
- sed -i -e '403,410d' scripts/ci/build.sh
+ # Remove GPG signing loop by pattern
+ sed -i '/rm -f.*sha256/,/done/d' scripts/ci/build.sh
+
source scripts/ci/build.sh
deploy_release "\${ARTIFACTS}"
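Review bot: The pattern-based `sed -i '/rm -f.*sha256/,/done/d' scripts/ci/build.sh` silently does nothing when the start pattern no longer matches, and deletes everything through the next `done` however far away that is, so a later refactor of build.sh would leave the signing loop in place (or remove too much) without any failure in this step; the identical line in the pipelines/bazel-release.yml hunk has the same weakness. Guard it so a mismatch fails the step, e.g. `grep -q 'rm -f.*sha256' scripts/ci/build.sh || { echo 'GPG signing loop not found in build.sh' >&2; exit 1; }` before the sed, and if the loop's closing `done` sits at a known indentation in build.sh, anchor the end pattern to it rather than to any `done`. Separately, the keyring written by `tee` under `/etc/apt/keyrings` is not made world-readable here, unlike the `chmod go+r` in the other pipeline; if the container's umask is restrictive, apt may be unable to read it during signature verification, so adding `chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg` keeps the two install blocks consistent. The `command:` block continues outside the hunk.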
diff --git a/pipelines/bazel-release.yml b/pipelines/bazel-release.yml
index a364015..9375f58 100644
--- a/pipelines/bazel-release.yml
+++ b/pipelines/bazel-release.yml
@@ -468,10 +468,13 @@
echo "+++ Installing required packages"
sudo apt -y update && sudo apt -y install devscripts pandoc reprepro
- echo "+++ Downloading github-release"
- curl -L https://mirror.bazel.build/github.com/c4milo/github-release/releases/download/v1.1.0/github-release_v1.1.0_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin
- sudo chown root:root /usr/local/bin/github-release
- sudo chmod 0755 /usr/local/bin/github-release
+ echo "+++ Installing GitHub CLI"
+ mkdir -p -m 755 /etc/apt/keyrings
+ wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null
+ sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
+ echo "deb [arch=\$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
+ sudo apt -y update
+ sudo apt -y install gh
echo "+++ Checking out Git branch"
git fetch origin ${BUILDKITE_BRANCH}
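Review bot: `mkdir -p -m 755 /etc/apt/keyrings` runs without `sudo` while every other privileged command in this block uses it, so on an agent where the build user is not root and `/etc/apt/keyrings` does not already exist (it is typically absent on older Ubuntu releases) the step fails with a permission error before `gh` is installed; it should read `sudo mkdir -p -m 755 /etc/apt/keyrings`. The replaced `github-release` download was pinned to a specific version served from mirror.bazel.build, whereas `sudo apt -y install gh` pulls whatever is current in the upstream `stable` channel, so the release tooling can change between runs without any change to this pipeline; pinning the package (`sudo apt -y install gh=<pinned version>`) or at least logging `gh --version` after install keeps releases reproducible. Also `wget -qO- … | sudo tee …` does not fail the step when the download fails and leaves an empty keyring that only surfaces as a later apt signature error, so unless the agent already runs the script with pipefail, checking that the keyring file is non-empty after the download would make the failure explicit. The `command:` block starts and ends outside the hunk.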
@@ -489,6 +492,7 @@
rm -f "\${keyfile}"
echo "+++ Deploying release"
+ sed -i '/rm -f.*sha256/,/done/d' scripts/ci/build.sh
source scripts/ci/build.sh
deploy_release "\${ARTIFACTS}"