MartijnVisser opened a new pull request, #28327: URL: https://github.com/apache/flink/pull/28327
## What is the purpose of the change The nightly **Upload artifacts to S3** step (`flink-ci.flink-master-mirror`, definitionId=1) has failed on every run since 2026-06-02: ``` /home/vsts_azpcontainer/bin/artifacts: line 1: syntax error near unexpected token `newline' /home/vsts_azpcontainer/bin/artifacts: line 1: `<?xml version="1.0" encoding="UTF-8"?>' ##[error]Bash exited with code '2'. ``` `tools/ci/deploy_nightly_to_s3.sh` installs the `travis-ci/artifacts` uploader via `curl ... | bash`. That installer downloads its binary from a hardcoded travis-ci S3 bucket (`s3.amazonaws.com/travis-ci-gmbh/artifacts/...`) which now returns HTTP 403 AccessDenied. Because the install writes the response without checking it, the XML error page is saved as the `artifacts` binary and executed, producing the syntax error above. The `travis-ci/artifacts` project is abandoned. Failure history (nightly cron runs): | Build | Date | Result | |---|---|---| | 75662 | 2026-06-05 | failed | | 75618 | 2026-06-04 | failed | | 75582 | 2026-06-03 | failed | | 75557 | 2026-06-02 | failed | | 75530 | 2026-06-01 | succeeded | ## Brief change log - Replace the `travis-ci/artifacts` uploader in `tools/ci/deploy_nightly_to_s3.sh` with `aws s3 cp "$FILES_DIR" "s3://$ARTIFACTS_S3_BUCKET/" --recursive`. The recursive copy to the bucket root preserves the previous `--target-paths /` layout, and the bucket's default (private) ACL matches the travis uploader's default. - Install AWS CLI v2 via the official installer when `aws` is not already present in the build container (`chesnay/flink-ci` does not ship it, but provides `curl` and `unzip`). - In `tools/azure-pipelines/build-nightly-dist.yml`, map the existing Azure secret variables to `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`, which the AWS CLI reads from the environment. Credentials are no longer passed as command-line arguments, so they no longer appear in the `set -x` trace. ## Verifying this change This change is a CI/build-tooling fix and is verified by the nightly pipeline itself. Additionally validated locally: - `bash -n tools/ci/deploy_nightly_to_s3.sh` passes. - A dry run (`aws s3 cp <dir> s3://<bucket>/ --recursive --dryrun`) confirms the recursive upload preserves the relative path layout (files land at the bucket root, sub-directories preserved). - Confirmed via a `set -x` trace that the credential values do not appear on the `aws s3 cp` command line. ## Does this pull request potentially affect one of the following parts: - Dependencies (does it add or upgrade a dependency): **no** (removes an abandoned external download; uses AWS CLI already expected in the deploy environment) - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: **no** - The serializers: **no** - The runtime per-record code paths (performance sensitive): **no** - Anything that affects deployment or recovery: **no** - The S3 file system connector: **no** ## Documentation - Does this pull request introduce a new feature? **no** - If yes, how is the feature documented? **not applicable** -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
