88 workflow_dispatch :
99
1010jobs :
11- goreleaser :
11+ # Build and publish Unix (Linux/macOS) binaries and Docker images.
12+ # This job creates the GitHub release that goreleaser-windows will upload to.
13+ goreleaser-unix :
1214 runs-on :
1315 group : databricks-deco-testing-runner-group
1416 labels : ubuntu-latest-deco
2729 uses : actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
2830 with :
2931 go-version-file : go.mod
30-
31- # The default cache key for this action considers only the `go.sum` file.
32- # We include .goreleaser.yaml here to differentiate from the cache used by the push action
33- # that runs unit tests. This job produces and uses a different cache.
3432 cache-dependency-path : |
3533 go.sum
36- .goreleaser.yaml
34+ .goreleaser-unix .yaml
3735
3836 # Log into the GitHub Container Registry. The goreleaser action will create
3937 # the docker images and push them to the GitHub Container Registry.
@@ -48,12 +46,134 @@ jobs:
4846 - name : Set up QEMU dependency
4947 uses : docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
5048
51- - name : Run GoReleaser
49+ - name : Run GoReleaser for Unix
5250 id : releaser
5351 uses : goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
5452 with :
5553 version : ~> v2
56- args : release
54+ args : release -f .goreleaser-unix.yaml
55+ env :
56+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
57+
58+ # Build and sign Windows binaries using AzureSignTool with Azure Key Vault.
59+ # Runs on GitHub-hosted windows-latest runner (has signtool and Windows SDK).
60+ # Uses --skip=publish to avoid creating duplicate GitHub release.
61+ # Waits for goreleaser-unix to create the release first.
62+ goreleaser-windows :
63+ environment : sign
64+ runs-on : windows-latest
65+
66+ steps :
67+ - name : Checkout repository and submodules
68+ uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
69+ with :
70+ fetch-depth : 0
71+ fetch-tags : true
72+
73+ - name : Setup Go
74+ uses : actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
75+ with :
76+ go-version-file : go.mod
77+ cache-dependency-path : |
78+ go.sum
79+ .goreleaser-windows.yaml
80+
81+ - name : Azure Login and get Key Vault token
82+ shell : pwsh
83+ run : |
84+ az login --service-principal `
85+ -u ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }} `
86+ -p ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }} `
87+ --tenant ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
88+
89+ $accessToken = az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv
90+ echo "::add-mask::$accessToken"
91+ echo "AZURE_VAULT_TOKEN=$accessToken" >> $env:GITHUB_ENV
92+
93+ - name : Install AzureSignTool
94+ shell : pwsh
95+ run : |
96+ dotnet tool install --global AzureSignTool
97+
98+ - name : Run GoReleaser for Windows
99+ uses : goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
100+ with :
101+ version : ~> v2
102+ args : release -f .goreleaser-windows.yaml --skip=publish
103+ env :
104+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
105+ AZURE_TENANT_ID : ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
106+ AZURE_CLIENT_ID : ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
107+ AZURE_CLIENT_SECRET : ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}
108+
109+ - name : Upload Windows artifacts to GitHub Actions
110+ uses : actions/upload-artifact@v4
111+ with :
112+ name : windows-artifacts
113+ path : |
114+ dist/*.zip
115+ dist/*SHA256SUMS*
116+ retention-days : 1
117+
118+ # Upload Windows artifacts to the GitHub release.
119+ # Separated from goreleaser-windows because GitHub-hosted runners are not allowlisted
120+ # for GitHub API access due to IP restrictions. Self-hosted runners have allowlisted IPs.
121+ # Flow: goreleaser-windows (build) -> GitHub Actions artifacts -> self-hosted runner (upload)
122+ upload-windows-to-release :
123+ runs-on :
124+ group : databricks-deco-testing-runner-group
125+ labels : ubuntu-latest-deco
126+ needs : [goreleaser-windows, goreleaser-unix]
127+
128+ steps :
129+ - name : Download Windows artifacts
130+ uses : actions/download-artifact@v4
131+ with :
132+ name : windows-artifacts
133+ path : dist
134+
135+ - name : Download Unix checksum file from release
136+ run : |
137+ VERSION=${{ github.ref_name }}
138+ VERSION_NO_V=${VERSION:1}
139+
140+ echo "Downloading Unix checksum file..."
141+ gh release download ${{ github.ref_name }} \
142+ --pattern "databricks_cli_${VERSION_NO_V}_SHA256SUMS_unix" \
143+ --dir dist \
144+ --repo ${{ github.repository }}
145+ env :
146+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
147+
148+ - name : Merge checksum files
149+ run : |
150+ VERSION=${{ github.ref_name }}
151+ VERSION_NO_V=${VERSION:1}
152+
153+ echo "Merging Unix and Windows checksum files..."
154+ cat dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS_unix > dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS
155+ cat dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS_windows >> dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS
156+
157+ echo "Merged SHA256SUMS file contents:"
158+ cat dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS
159+
160+ - name : Verify checksums after download
161+ run : |
162+ echo "Verifying Windows artifact checksums after download..."
163+ for file in dist/*.zip; do
164+ if [ -f "$file" ]; then
165+ sha256sum "$file"
166+ fi
167+ done
168+
169+ - name : Upload to GitHub release
170+ run : |
171+ for file in dist/*.zip dist/*SHA256SUMS; do
172+ if [ -f "$file" ]; then
173+ echo "Uploading $(basename $file)"
174+ gh release upload ${{ github.ref_name }} "$file" --repo ${{ github.repository }}
175+ fi
176+ done
57177 env :
58178 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
59179
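Review bot: The `Azure Login and get Key Vault token` step expands `${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}` and the two IDs directly into the pwsh script text, so a value containing `$`, a backtick or a quote is parsed as PowerShell instead of being passed literally. Mapping the three secrets through a step-level `env:` block and reading them as `$env:...` avoids that, as in the excerpt below. The Key Vault token is then exported through `GITHUB_ENV`, so every later step in `goreleaser-windows` can read it, including `dotnet tool install --global AzureSignTool`, which has no version pin; running the install before the login step and adding `--version <PINNED_VERSION>` would keep the signing credential away from unpinned code. In the visible lines, `actions/upload-artifact@v4` and `actions/download-artifact@v4` are the only actions referenced by a mutable tag rather than a commit SHA. The `Verify checksums after download` step only prints `sha256sum` output and compares nothing, so running `sha256sum -c` on the `_SHA256SUMS_windows` file from inside `dist` (assuming its entries are bare file names) would make it an actual check.

```yaml
      - name: Azure Login and get Key Vault token
        shell: pwsh
        env:
          AZURE_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
        run: |
          az login --service-principal `
            -u $env:AZURE_CLIENT_ID `
            -p $env:AZURE_CLIENT_SECRET `
            --tenant $env:AZURE_TENANT_ID
          # … unchanged: get-access-token, add-mask, AZURE_VAULT_TOKEN export …
```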
62182 group : databricks-deco-testing-runner-group
63183 labels : ubuntu-latest-deco
64184
65- needs : goreleaser
185+ needs : upload-windows-to-release
66186
67187 steps :
68188 - name : Set VERSION variable from tag
90210 group : databricks-deco-testing-runner-group
91211 labels : ubuntu-latest-deco
92212
93- needs : goreleaser
213+ needs : [ goreleaser-unix, upload-windows-to-release]
94214
95215 steps :
96216 - name : Set VERSION variable from tag
@@ -103,7 +223,7 @@ jobs:
103223 with :
104224 github-token : ${{ secrets.DECO_GITHUB_TOKEN }}
105225 script : |
106- let artifacts = ${{ needs.goreleaser.outputs.artifacts }}
226+ let artifacts = ${{ needs.goreleaser-unix .outputs.artifacts }}
107227 artifacts = artifacts.filter(a => a.type == "Archive")
108228 artifacts = new Map(
109229 artifacts.map(a => [
@@ -131,7 +251,7 @@ jobs:
131251 group : databricks-deco-testing-runner-group
132252 labels : ubuntu-latest-deco
133253
134- needs : goreleaser
254+ needs : upload-windows-to-release
135255
136256 steps :
137257 - name : Set VERSION variable from tag
@@ -159,7 +279,7 @@ jobs:
159279 group : databricks-deco-testing-runner-group
160280 labels : ubuntu-latest-deco
161281
162- needs : goreleaser
282+ needs : upload-windows-to-release
163283
164284 # IMPORTANT:
165285 # - 'id-token: write' is mandatory for OIDC and trusted publishing to PyPi
@@ -190,3 +310,70 @@ jobs:
190310 uses : pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
191311 with :
192312 packages-dir : python/dist
313+
314+ publish-to-winget-pkgs :
315+ runs-on :
316+ group : databricks-deco-testing-runner-group
317+ labels : ubuntu-latest-deco
318+
319+ needs : upload-windows-to-release
320+
321+ environment : release
322+
323+ steps :
324+ - name : Checkout repository and submodules
325+ uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
326+
327+ # When updating the version of komac, make sure to update the checksum in the next step.
328+ # Find both at https://github.com/russellbanks/Komac/releases.
329+ - name : Download komac binary
330+ run : |
331+ curl -s -L -o $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz
332+
333+ - name : Verify komac binary
334+ run : |
335+ echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c -
336+
337+ - name : Untar komac binary to temporary path
338+ run : |
339+ mkdir -p $RUNNER_TEMP/komac
340+ tar -xzf $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz -C $RUNNER_TEMP/komac
341+
342+ - name : Add komac to PATH
343+ run : echo "$RUNNER_TEMP/komac" >> $GITHUB_PATH
344+
345+ - name : Confirm komac version
346+ run : komac --version
347+
348+ # Use the tag from the input, or the ref name if the input is not provided.
349+ # The ref name is equal to the tag name when this workflow is triggered by the "sign-cli" command.
350+ - name : Strip "v" prefix from version
351+ id : strip_version
352+ run : echo "version=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> "$GITHUB_OUTPUT"
353+
354+ - name : Get URLs of signed Windows binaries
355+ id : get_windows_urls
356+ run : |
357+ urls=$(
358+ gh api https://api.github.com/repos/databricks/cli/releases/tags/${{ github.ref_name }} | \
359+ jq -r .assets[].browser_download_url | \
360+ grep -E '_windows_.*\.zip$' | \
361+ tr '\n' ' '
362+ )
363+ if [ -z "$urls" ]; then
364+ echo "No signed Windows binaries found" >&2
365+ exit 1
366+ fi
367+ echo "urls=$urls" >> "$GITHUB_OUTPUT"
368+ env :
369+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
370+
371+ - name : Publish to Winget
372+ run : |
373+ komac update Databricks.DatabricksCLI \
374+ --version ${{ steps.strip_version.outputs.version }} \
375+ --submit \
376+ --urls ${{ steps.get_windows_urls.outputs.urls }} \
377+ env :
378+ KOMAC_FORK_OWNER : eng-dev-ecosystem-bot
379+ GITHUB_TOKEN : ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }}
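Review bot: `${{ github.ref_name }}` and `${{ steps.get_windows_urls.outputs.urls }}` are substituted into the bash script text of `Strip "v" prefix from version`, `Get URLs of signed Windows binaries` and `Publish to Winget` before the shell runs, so a tag name or asset URL containing shell metacharacters would be interpreted rather than treated as data. Passing the values through `env:` keeps them as data, for example `REF_NAME: ${{ github.ref_name }}` with `echo "version=${REF_NAME#v}" >> "$GITHUB_OUTPUT"`, with the release tag quoted as `"$REF_NAME"` in the `gh api` path. The same pattern appears in the `upload-windows-to-release` steps of the earlier hunk (`VERSION=${{ github.ref_name }}`, `gh release download`, `gh release upload`). The `komac update` command also ends on a dangling `\` after the `--urls` line, which should be dropped so that a later edit cannot be silently joined onto the command.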