Automatically sign CLI binary using Goreleaser (#3879)

## Changes
Automatically sign CLI binary using Goreleaser

## Why
Currently, it's a manual process; we want it to be automatic

## Tests
Successful dry-run for latest commit
https://github.com/databricks/cli/actions/runs/19298103765/job/55185055451

<!-- If your PR needs to be included in the release notes for next
release,
add a separate entry in NEXT_CHANGELOG.md as part of your PR. -->

Author: andrewnester

.github/workflows/publish-winget.yml

@@ -8,7 +8,9 @@ on:
   workflow_dispatch:
 
 jobs:
-  goreleaser:
+  # Build and publish Unix (Linux/macOS) binaries and Docker images.
+  # This job creates the GitHub release that goreleaser-windows will upload to.
+  goreleaser-unix:
     runs-on:
       group: databricks-deco-testing-runner-group
       labels: ubuntu-latest-deco
@@ -27,13 +29,9 @@ jobs:
         uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version-file: go.mod
-
-          # The default cache key for this action considers only the `go.sum` file.
-          # We include .goreleaser.yaml here to differentiate from the cache used by the push action
-          # that runs unit tests. This job produces and uses a different cache.
           cache-dependency-path: |
             go.sum
-            .goreleaser.yaml
+            .goreleaser-unix.yaml
 
       # Log into the GitHub Container Registry. The goreleaser action will create
       # the docker images and push them to the GitHub Container Registry.
@@ -48,12 +46,100 @@ jobs:
       - name: Set up QEMU dependency
         uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
-      - name: Run GoReleaser
+      - name: Run GoReleaser for Unix
         id: releaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
         with:
           version: ~> v2
-          args: release
+          args: release -f .goreleaser-unix.yaml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Build and sign Windows binaries using AzureSignTool with Azure Key Vault.
+  # Runs on GitHub-hosted windows-latest runner (has signtool and Windows SDK).
+  # Uses --skip=publish to avoid creating duplicate GitHub release.
+  # Waits for goreleaser-unix to create the release first.
+  goreleaser-windows:
+    environment: sign
+    runs-on: windows-latest
+
+    steps:
+      - name: Checkout repository and submodules
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Setup Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: |
+            go.sum
+            .goreleaser-windows.yaml
+
+      - name: Azure Login and get Key Vault token
+        shell: pwsh
+        run: |
+          az login --service-principal `
+            -u ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }} `
+            -p ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }} `
+            --tenant ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
+
+          $accessToken = az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv
+          echo "::add-mask::$accessToken"
+          echo "AZURE_VAULT_TOKEN=$accessToken" >> $env:GITHUB_ENV
+
+      - name: Install AzureSignTool
+        shell: pwsh
+        run: |
+          dotnet tool install --global AzureSignTool
+
+      - name: Run GoReleaser for Windows
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: ~> v2
+          args: release -f .goreleaser-windows.yaml --skip=publish
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          AZURE_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
+          AZURE_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}
+
+      - name: Upload Windows artifacts to GitHub Actions
+        uses: actions/upload-artifact@v4
+        with:
+          name: windows-artifacts
+          path: |
+            dist/*.zip
+            dist/*SHA256SUMS*
+          retention-days: 1
+
+  # Upload Windows artifacts to the GitHub release.
+  # Separated from goreleaser-windows because GitHub-hosted runners are not allowlisted
+  # for GitHub API access due to IP restrictions. Self-hosted runners have allowlisted IPs.
+  # Flow: goreleaser-windows (build) -> GitHub Actions artifacts -> self-hosted runner (upload)
+  upload-windows-to-release:
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+    needs: [goreleaser-windows, goreleaser-unix]
+
+    steps:
+      - name: Download Windows artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: windows-artifacts
+          path: dist
+
+      - name: Upload to GitHub release
+        run: |
+          for file in dist/*.zip dist/*SHA256SUMS*; do
+            if [ -f "$file" ]; then
+              echo "Uploading $(basename $file)"
+              gh release upload ${{ github.ref_name }} "$file"
+            fi
+          done
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -62,7 +148,7 @@ jobs:
       group: databricks-deco-testing-runner-group
       labels: ubuntu-latest-deco
 
-    needs: goreleaser
+    needs: [goreleaser-windows, goreleaser-unix]
 
     steps:
       - name: Set VERSION variable from tag
@@ -90,7 +176,7 @@ jobs:
       group: databricks-deco-testing-runner-group
       labels: ubuntu-latest-deco
 
-    needs: goreleaser
+    needs: goreleaser-unix
 
     steps:
       - name: Set VERSION variable from tag
@@ -103,7 +189,7 @@ jobs:
         with:
           github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
           script: |
-            let artifacts = ${{ needs.goreleaser.outputs.artifacts }}
+            let artifacts = ${{ needs.goreleaser-unix.outputs.artifacts }}
             artifacts = artifacts.filter(a => a.type == "Archive")
             artifacts = new Map(
               artifacts.map(a => [
@@ -131,7 +217,7 @@ jobs:
       group: databricks-deco-testing-runner-group
       labels: ubuntu-latest-deco
 
-    needs: goreleaser
+    needs: [goreleaser-windows, goreleaser-unix]
 
     steps:
       - name: Set VERSION variable from tag
@@ -159,7 +245,7 @@ jobs:
       group: databricks-deco-testing-runner-group
       labels: ubuntu-latest-deco
 
-    needs: goreleaser
+    needs: [goreleaser-windows, goreleaser-unix]
 
     # IMPORTANT:
     # - 'id-token: write' is mandatory for OIDC and trusted publishing to PyPi
@@ -190,3 +276,70 @@ jobs:
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           packages-dir: python/dist
+
+  publish-to-winget-pkgs:
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
+    needs: upload-windows-to-release
+
+    environment: release
+
+    steps:
+      - name: Checkout repository and submodules
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+        # When updating the version of komac, make sure to update the checksum in the next step.
+        # Find both at https://github.com/russellbanks/Komac/releases.
+      - name: Download komac binary
+        run: |
+          curl -s -L -o $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz
+
+      - name: Verify komac binary
+        run: |
+          echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c  $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c -
+
+      - name: Untar komac binary to temporary path
+        run: |
+          mkdir -p $RUNNER_TEMP/komac
+          tar -xzf $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz -C $RUNNER_TEMP/komac
+
+      - name: Add komac to PATH
+        run: echo "$RUNNER_TEMP/komac" >> $GITHUB_PATH
+
+      - name: Confirm komac version
+        run: komac --version
+
+        # Use the tag from the input, or the ref name if the input is not provided.
+        # The ref name is equal to the tag name when this workflow is triggered by the "sign-cli" command.
+      - name: Strip "v" prefix from version
+        id: strip_version
+        run: echo "version=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> "$GITHUB_OUTPUT"
+
+      - name: Get URLs of signed Windows binaries
+        id: get_windows_urls
+        run: |
+          urls=$(
+            gh api https://api.github.com/repos/databricks/cli/releases/tags/${{ github.ref_name }} | \
+            jq -r .assets[].browser_download_url | \
+            grep -E '_windows_.*\.zip$' | \
+            tr '\n' ' '
+          )
+          if [ -z "$urls" ]; then
+            echo "No signed Windows binaries found" >&2
+            exit 1
+          fi
+          echo "urls=$urls" >> "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish to Winget
+        run: |
+          komac update Databricks.DatabricksCLI \
+            --version ${{ steps.strip_version.outputs.version }} \
+            --submit \
+            --urls ${{ steps.get_windows_urls.outputs.urls }} \
+        env:
+          KOMAC_FORK_OWNER: eng-dev-ecosystem-bot
+          GITHUB_TOKEN: ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }}