SNOW-2272485: CICD reconfiguration (#2485)

sfc-gh-pcyrek · web-flow · commit 5e7fe20aa937 · 2025-08-20T11:04:40.000+02:00
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
@@ -196,9 +196,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
@@ -274,9 +274,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Upgrade setuptools, pip and wheel
         run: python -m pip install -U setuptools pip wheel
@@ -342,9 +342,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
@@ -402,9 +402,9 @@ jobs:
       - name: Setup private key file
         shell: bash
         env:
-          PYTHON_PRIVATE_KEY_SECRET: ${{ secrets.PYTHON_PRIVATE_KEY_SECRET }}
+          PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
         run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$PYTHON_PRIVATE_KEY_SECRET" \
+          gpg --quiet --batch --yes --decrypt --passphrase="$PARAMETERS_SECRET" \
           .github/workflows/parameters/public/rsa_keys/rsa_key_python_${{ matrix.cloud-provider }}.p8.gpg > test/rsa_key_python_${{ matrix.cloud-provider }}.p8
       - name: Download wheel(s)
         uses: actions/download-artifact@v4
diff --git a/.github/workflows/parameters/public/jenkins_test_parameters.py.gpg b/.github/workflows/parameters/public/jenkins_test_parameters.py.gpg
diff --git a/.github/workflows/parameters/public/rsa_keys/rsa_key_python_aws.p8.gpg b/.github/workflows/parameters/public/rsa_keys/rsa_key_python_aws.p8.gpg
diff --git a/.github/workflows/parameters/public/rsa_keys/rsa_key_python_azure.p8.gpg b/.github/workflows/parameters/public/rsa_keys/rsa_key_python_azure.p8.gpg
diff --git a/.github/workflows/parameters/public/rsa_keys/rsa_key_python_gcp.p8.gpg b/.github/workflows/parameters/public/rsa_keys/rsa_key_python_gcp.p8.gpg
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -33,7 +33,8 @@ timestamps {
         string(name: 'client_git_commit', value: scmInfo.GIT_COMMIT),
         string(name: 'client_git_branch', value: scmInfo.GIT_BRANCH),
         string(name: 'parent_job', value: env.JOB_NAME),
-        string(name: 'parent_build_number', value: env.BUILD_NUMBER)
+        string(name: 'parent_build_number', value: env.BUILD_NUMBER),
+        string(name: 'USE_PASSWORD', value: 'true')
       ]
       parallel(
       'Test': {
diff --git a/ci/test_darwin.sh b/ci/test_darwin.sh
@@ -14,11 +14,14 @@ export JUNIT_REPORT_DIR=${SF_REGRESS_LOGS:-$CONNECTOR_DIR}
 export COV_REPORT_DIR=${CONNECTOR_DIR}
 
 # Decrypt parameters file
-PARAMS_FILE="${PARAMETERS_DIR}/jenkins_test_parameters.py.gpg"
+PARAMS_FILE="${PARAMETERS_DIR}/parameters_aws.py.gpg"
 [ ${cloud_provider} == azure ] && PARAMS_FILE="${PARAMETERS_DIR}/parameters_azure.py.gpg"
 [ ${cloud_provider} == gcp ] && PARAMS_FILE="${PARAMETERS_DIR}/parameters_gcp.py.gpg"
 gpg --quiet --batch --yes --decrypt --passphrase="${PARAMETERS_SECRET}" ${PARAMS_FILE} > test/parameters.py
 
+# Decrypt private key file
+gpg --quiet --batch --yes --decrypt --passphrase="${PARAMETERS_SECRET}" "${CONNECTOR_DIR}/.github/workflows/parameters/public/rsa_keys/rsa_key_python_${cloud_provider}.p8.gpg" > "test/rsa_key_python_${cloud_provider}.p8"
+
 rm -rf venv
 python3.12 -m venv venv
 . venv/bin/activate
diff --git a/ci/test_docker.sh b/ci/test_docker.sh
@@ -45,6 +45,7 @@ docker run --network=host \
     -e JENKINS_HOME \
     -e is_old_driver \
     -e GITHUB_ACTIONS \
+    -e USE_PASSWORD=true \
     --mount type=bind,source="${CONNECTOR_DIR}",target=/home/user/snowflake-connector-python \
     ${CONTAINER_NAME}:1.0 \
     /home/user/snowflake-connector-python/ci/test_linux.sh ${PYTHON_ENV}
diff --git a/ci/test_fips.sh b/ci/test_fips.sh
@@ -1,8 +1,19 @@
 #!/bin/bash -e
 #
-# Test Snowflake Connector
-# Note this is the script that test_docker.sh runs inside of the docker container
+# Test Snowflake Connector (FIPS)
+# Note this is the script that test_fips_docker.sh runs inside of the docker container
 #
+
+# Export USE_PASSWORD only on Jenkins (not on GitHub Actions)
+# Jenkins FIPS tests run against mocked Snowflake with password auth
+# GitHub Actions FIPS tests run against real Snowflake with key-pair auth
+if [[ "${JENKINS_HOME}" != "false" && -n "${JENKINS_HOME}" ]]; then
+    export USE_PASSWORD=true
+    echo "[Info] Jenkins detected: Using password authentication for FIPS tests"
+else
+    echo "[Info] GitHub Actions detected: Using key-pair authentication for FIPS tests"
+fi
+
 THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # shellcheck disable=SC1090
 CONNECTOR_DIR="$( dirname "${THIS_DIR}")"
diff --git a/ci/test_linux.sh b/ci/test_linux.sh
@@ -6,6 +6,7 @@
 #   - This script assumes that ../dist/repaired_wheels has the wheel(s) built for all versions to be tested
 #   - This is the script that test_docker.sh runs inside of the docker container
 
+
 PYTHON_VERSIONS="${1:-3.9 3.10 3.11 3.12 3.13}"
 THIS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 CONNECTOR_DIR="$( dirname "${THIS_DIR}")"
diff --git a/ci/test_windows.bat b/ci/test_windows.bat
@@ -20,13 +20,15 @@ if "%connector_whl%"=="" (
 )
 echo %connector_whl%
 
-:: Decrypt parameters file
+:: Decrypt parameters file and private key file
 :: Default to aws as cloud provider
+if "%cloud_provider%"=="" set cloud_provider=aws
 set PARAMETERS_DIR=%CONNECTOR_DIR%\.github\workflows\parameters\public
-set PARAMS_FILE=%PARAMETERS_DIR%\jenkins_test_parameters.py.gpg
+set PARAMS_FILE=%PARAMETERS_DIR%\parameters_aws.py.gpg
 if "%cloud_provider%"=="azure" set PARAMS_FILE=%PARAMETERS_DIR%\parameters_azure.py.gpg
 if "%cloud_provider%"=="gcp" set PARAMS_FILE=%PARAMETERS_DIR%\parameters_gcp.py.gpg
 gpg --quiet --batch --yes --decrypt --passphrase="%PARAMETERS_SECRET%" %PARAMS_FILE% > test\parameters.py
+gpg --quiet --batch --yes --decrypt --passphrase="%PARAMETERS_SECRET%" %CONNECTOR_DIR%\.github\workflows\parameters\public\rsa_keys\rsa_key_python_%cloud_provider%.p8.gpg > test\rsa_key_python_%cloud_provider%.p8
 
 :: create tox execution virtual env
 set venv_dir=%WORKSPACE%\tox_venv
diff --git a/test/integ/conftest.py b/test/integ/conftest.py
@@ -38,6 +38,7 @@
 
 RUNNING_ON_GH = os.getenv("GITHUB_ACTIONS") == "true"
 RUNNING_ON_JENKINS = os.getenv("JENKINS_HOME") not in (None, "false")
+USE_PASSWORD_AUTH = os.getenv("USE_PASSWORD") == "true"
 RUNNING_OLD_DRIVER = os.getenv("TOX_ENV_NAME") == "olddriver"
 TEST_USING_VENDORED_ARROW = os.getenv("TEST_USING_VENDORED_ARROW") == "true"
 
@@ -120,7 +121,7 @@ def _get_worker_specific_schema():
     )
 
 
-if RUNNING_ON_JENKINS:
+if USE_PASSWORD_AUTH:
     DEFAULT_PARAMETERS: dict[str, Any] = {
         "account": "<account_name>",
         "user": "<user_name>",
@@ -271,7 +272,7 @@ def init_test_schema(db_parameters) -> Generator[None]:
 
     This is automatically called per test session.
     """
-    if RUNNING_ON_JENKINS:
+    if USE_PASSWORD_AUTH:
         connection_params = {
             "user": db_parameters["user"],
             "password": db_parameters["password"],
@@ -335,8 +336,8 @@ def create_connection(connection_name: str, **kwargs) -> SnowflakeConnection:
     ret = get_db_parameters(connection_name)
     ret.update(kwargs)
 
-    # Handle private key authentication differently for old vs new driver (only if not on Jenkins)
-    if not RUNNING_ON_JENKINS and "private_key_file" in ret:
+    # Handle private key authentication differently for old vs new driver (only if not using password auth)
+    if not USE_PASSWORD_AUTH and "private_key_file" in ret:
         if RUNNING_OLD_DRIVER:
             # Old driver (3.1.0) expects private_key as bytes and SNOWFLAKE_JWT authenticator
             private_key_file = ret.get("private_key_file")
diff --git a/tox.ini b/tox.ini
@@ -55,6 +55,7 @@ passenv =
     # Github Actions provided environmental variables
     GITHUB_ACTIONS
     JENKINS_HOME
+    USE_PASSWORD
     SINGLE_TEST_NAME
     # This is required on windows. Otherwise pwd module won't be imported successfully,
     # see https://github.com/tox-dev/tox/issues/1455
