ci: sign RPM packages before pushing to GCP Artifact Registry

- Add sign_rpm() to push_pkg_to_gcp_ar.sh: fetches the Redpanda GPG
  private key from AWS Secrets Manager (sdlc/prod/github/rpm_signing_key_private),
  signs each RPM with rpmsign --resign, verifies the signature using a
  temp RPM database, then uploads to GCP AR
- Fix signature verification to use rpm --dbpath <tmpdb> so the GPG
  check actually validates the signature (plain rpm --checksig ignores
  GNUPGHOME and checks the system keyring, returning exit 0 even for NOKEY)
- Add test-push-to-gcp-ar CI job: generates a throwaway GPG key, builds
  a minimal RPM, mocks aws and gcloud, and asserts signing + routing for
  GA (redpanda-yum), RC (redpanda-unstable-yum), DEB (redpanda-apt), and
  missing-region error cases

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Przemek Zglinicki

.github/workflows/release.yml

@@ -74,6 +74,9 @@ jobs:
           tar -C "$RUNNER_TEMP/microsoft" -xf "$RUNNER_TEMP/msgo.tgz"
           echo "$RUNNER_TEMP/bin" >> "$GITHUB_PATH"
 
+      - name: Install rpm (provides rpmsign for RPM package signing)
+        run: sudo apt-get install -y rpm
+
       - name: Release Notes
         run: ./resources/scripts/release_notes.sh > ./release_notes.md
 

.github/workflows/test.yml

@@ -62,6 +62,143 @@ jobs:
           skip-cache: true
           skip-save-cache: true
 
+  # Runs integration tests for any internal/impl/* packages changed in this PR.
+  #
+  # Trigger: add the 'run-integration-tests' label to the PR.
+  # The label is checked at job start — if added after the workflow triggered,
+  # re-run the workflow (or push a new commit) to pick it up.
+  #
+  # Package detection: diffs HEAD against the PR base branch and extracts
+  # unique affected internal/impl/* package directories. Tests run sequentially.
+  integration-test:
+    if: |
+      github.event_name == 'pull_request' &&
+      contains(github.event.pull_request.labels.*.name, 'run-integration-tests')
+    environment: integration-tests
+    runs-on: ubuntu-latest-32
+    env:
+      CGO_ENABLED: 0
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Install Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: "go.mod"
+
+      - name: Install Task
+        uses: ./.github/actions/setup-task
+
+      - name: Pull Latest Redpanda Image
+        run: task docker:pull-redpanda
+
+      - name: Run Integration Tests
+        run: |
+          mapfile -t pkgs < <(
+            git diff --name-only "$(git merge-base HEAD origin/${{ github.base_ref }})"...HEAD \
+              | { grep '^internal/impl/' || true; } \
+              | sed 's|/[^/]*$||' \
+              | sort -u
+          )
+          failed=0
+          for pkg in "${pkgs[@]}"; do
+            task test:integration-package PKG="./$pkg/..." || failed=1
+          done
+          exit $failed
+        # 30m total: normally a single package is changed per PR, so 15m per-package
+        # timeout plus overhead fits comfortably. Keeps CI fast-failing instead of
+        # hanging for hours when Docker networking is degraded.
+        timeout-minutes: 30
+
+  test-push-to-gcp-ar:
+    if: ${{ github.repository == 'redpanda-data/connect' || github.event_name != 'schedule' }}
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Install rpm tools
+        run: sudo apt-get install -y rpm rpm-build gnupg2
+
+      - name: Set up test GPG key and test RPM
+        run: |
+          # Generate a throwaway GPG key — no passphrase, expires never
+          printf '%s\n' \
+            '%no-protection' \
+            'Key-Type: RSA' \
+            'Key-Length: 2048' \
+            'Name-Real: Test Signing Key' \
+            'Name-Email: test@redpanda.com' \
+            'Expire-Date: 0' \
+            | gpg --batch --gen-key
+          # Export private key so the aws mock can serve it
+          gpg --armor --export-secret-keys > /tmp/test-signing-key.asc
+
+          # Build a minimal empty RPM
+          mkdir -p /tmp/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+          printf '%s\n' \
+            'Name: test-pkg' \
+            'Version: 1.0.0' \
+            'Release: 1' \
+            'Summary: Test package for RPM signing CI' \
+            'License: MIT' \
+            'BuildArch: noarch' \
+            '%description' \
+            'Minimal test RPM.' \
+            '%install' \
+            'mkdir -p %{buildroot}' \
+            '%files' \
+            > /tmp/rpmbuild/SPECS/test-pkg.spec
+          rpmbuild --define "_topdir /tmp/rpmbuild" -bb /tmp/rpmbuild/SPECS/test-pkg.spec
+          cp /tmp/rpmbuild/RPMS/noarch/test-pkg-1.0.0-1.noarch.rpm /tmp/test.rpm
+
+      - name: Mock aws and gcloud CLIs
+        run: |
+          # aws: return the test private key for any secretsmanager get-secret-value call
+          printf '#!/bin/bash\ncat /tmp/test-signing-key.asc\n' \
+            | sudo tee /usr/local/bin/aws > /dev/null
+          sudo chmod +x /usr/local/bin/aws
+          # gcloud: echo arguments so we can assert routing
+          printf '#!/bin/bash\necho "gcloud $*"\n' \
+            | sudo tee /usr/local/bin/gcloud > /dev/null
+          sudo chmod +x /usr/local/bin/gcloud
+
+      - name: Test RPM GA — signed and routed to redpanda-yum
+        env:
+          AWS_DEFAULT_REGION: us-east-1
+        run: |
+          out=$(./resources/scripts/push_pkg_to_gcp_ar.sh /tmp/test.rpm 1.0.0)
+          echo "$out"
+          echo "$out" | grep -q "artifacts yum upload redpanda-yum"
+
+      - name: Test RPM RC — routed to redpanda-unstable-yum
+        env:
+          AWS_DEFAULT_REGION: us-east-1
+        run: |
+          out=$(./resources/scripts/push_pkg_to_gcp_ar.sh /tmp/test.rpm 1.0.0-rc1)
+          echo "$out"
+          echo "$out" | grep -q "artifacts yum upload redpanda-unstable-yum"
+
+      - name: Test DEB — skips signing, routed to redpanda-apt
+        run: |
+          touch /tmp/test.deb
+          out=$(./resources/scripts/push_pkg_to_gcp_ar.sh /tmp/test.deb 1.0.0)
+          echo "$out"
+          echo "$out" | grep -q "artifacts apt upload redpanda-apt"
+
+      - name: Test missing AWS region — exits with error
+        env:
+          AWS_DEFAULT_REGION: ""
+          AWS_REGION: ""
+        run: |
+          out=$(./resources/scripts/push_pkg_to_gcp_ar.sh /tmp/test.rpm 1.0.0 2>&1 || true)
+          echo "$out"
+          echo "$out" | grep -q "AWS_DEFAULT_REGION"
+
   test-push-to-cloudsmith:
     runs-on: ubuntu-latest
     env:

resources/scripts/push_pkg_to_gcp_ar.sh

@@ -42,8 +42,43 @@ else
   repo="redpanda-unstable"
 fi
 
+sign_rpm() {
+  local pkg=$1
+
+  local region=${AWS_DEFAULT_REGION:-$AWS_REGION}
+  if [[ -z "$region" ]]; then
+    echo "ERROR: AWS_DEFAULT_REGION or AWS_REGION must be set for RPM signing"
+    exit 1
+  fi
+
+  local gnupghome
+  gnupghome=$(mktemp -d)
+  trap 'rm -rf "$gnupghome"' RETURN
+
+  aws secretsmanager get-secret-value \
+    --secret-id sdlc/prod/github/rpm_signing_key_private \
+    --query SecretString \
+    --output text | GNUPGHOME="$gnupghome" gpg --batch --import
+
+  local key_id
+  key_id=$(GNUPGHOME="$gnupghome" gpg --list-secret-keys --with-colons | awk -F: '/^sec/{print $5}' | head -1)
+
+  GNUPGHOME="$gnupghome" rpmsign --define "_gpg_name $key_id" --resign "$pkg"
+
+  # Verify against our key using a temp RPM database — rpm --checksig checks
+  # the RPM keyring (not GNUPGHOME), so we must import the key into a temp db.
+  local tmpdb pubkey
+  tmpdb=$(mktemp -d)
+  pubkey=$(mktemp)
+  trap 'rm -rf "$gnupghome" "$tmpdb" "$pubkey"' RETURN
+  GNUPGHOME="$gnupghome" gpg --armor --export "$key_id" >"$pubkey"
+  rpm --dbpath "$tmpdb" --import "$pubkey"
+  rpm --dbpath "$tmpdb" --checksig "$pkg"
+}
+
 if [[ "$PKG_TYPE" == "deb" ]]; then
   gcloud artifacts apt upload "${repo}-apt" --location=us-central1 --source="$PKG_FILE" --project=production-devprod
 else
+  sign_rpm "$PKG_FILE"
   gcloud artifacts yum upload "${repo}-yum" --location=us-central1 --source="$PKG_FILE" --project=production-devprod
 fi