Automatically sign CLI binary using Goreleaser by andrewnester · Pull Request #3879 · databricks/cli

andrewnester · 2025-11-05T11:00:24Z

Changes

Automatically sign CLI binary using Goreleaser

Why

Currently, it's a manual process; we want it to be automatic

Tests

Successful dry-run for latest commit https://github.com/databricks/cli/actions/runs/19298103765/job/55185055451

eng-dev-ecosystem-bot · 2025-11-05T11:16:26Z

Run: 19299728389

	Env	🔄flaky	💚RECOVERED	🙈SKIP	✅pass	🙈skip	Time
🔄	aws linux	3		1	357	602	18:23
💚	aws windows		1	1	360	601	16:16
💚	aws-ucws linux		1	1	494	493	23:36
💚	azure linux		1	1	359	601	21:24
💚	azure windows		1	1	360	600	22:09
🔄	azure-ucws linux	2		1	489	492	34:42
💚	azure-ucws windows		1	1	491	491	20:34
🔄	gcp linux	3	1	1	352	604	18:24
🔄	gcp windows	3		1	354	603	18:04

10 failing tests:

Test Name	aws linux	aws windows	aws-ucws linux	azure linux	azure windows	azure-ucws linux	azure-ucws windows	gcp linux	gcp windows
TestAccept	🔄f	💚R	💚R	💚R	💚R	🔄f	💚R	💚R	🔄f
TestAccept/bundle/deployment/bind/job/generate-and-bind	✅p	✅p	✅p	✅p	✅p	✅p	✅p	🔄f	✅p
TestAccept/bundle/deployment/unbind/permissions	✅p	✅p	✅p	✅p	✅p	🔄f	✅p	✅p	✅p
TestAccept/bundle/resources/clusters/deploy/data_security_mode	🔄f	✅p	✅p	✅p	✅p	✅p	✅p	✅p	✅p
TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct	🔄f	✅p	✅p	✅p	✅p	✅p	✅p	✅p	✅p
TestAccept/bundle/resources/dashboards/simple_outside_bundle_root	✅p	✅p	✅p	✅p	✅p	✅p	✅p	✅p	🔄f
TestAccept/bundle/resources/dashboards/simple_outside_bundle_root/DATABRICKS_BUNDLE_ENGINE=direct	✅p	✅p	✅p	✅p	✅p	✅p	✅p	✅p	🔄f
TestAccept/bundle/resources/models/basic	✅p	✅p	✅p	✅p	✅p	✅p	✅p	🔄f	✅p
TestAccept/bundle/resources/models/basic/DATABRICKS_BUNDLE_ENGINE=direct	✅p	✅p	✅p	✅p	✅p	✅p	✅p	🔄f	✅p
TestAccept/bundle/run/app-with-job	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S	🙈S

Top 32 slowest tests (at least 2 minutes):

duration	env	testname
11:21	azure-ucws linux	TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct
10:13	azure-ucws linux	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=terraform
9:46	azure-ucws linux	TestAccept/bundle/resources/permissions/factcheck/DATABRICKS_BUNDLE_ENGINE=terraform
8:27	azure-ucws linux	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=direct
7:55	azure windows	TestAccept/bundle/resources/permissions/factcheck/DATABRICKS_BUNDLE_ENGINE=terraform
7:32	aws linux	TestAccept/bundle/resources/permissions/factcheck/DATABRICKS_BUNDLE_ENGINE=terraform
7:25	azure-ucws windows	TestAccept/bundle/resources/permissions/factcheck/DATABRICKS_BUNDLE_ENGINE=terraform
7:07	azure linux	TestAccept/bundle/resources/permissions/factcheck/DATABRICKS_BUNDLE_ENGINE=terraform
7:04	azure windows	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=direct
6:31	aws-ucws linux	TestAccept/bundle/resources/permissions/factcheck/DATABRICKS_BUNDLE_ENGINE=terraform
6:31	gcp windows	TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct
5:59	gcp linux	TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct
5:46	gcp linux	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=direct
5:44	aws windows	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=direct
5:28	aws-ucws linux	TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct
5:27	gcp windows	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=direct
5:20	gcp linux	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=terraform
5:11	azure-ucws windows	TestAccept/bundle/resources/synced_database_tables/basic
5:10	azure windows	TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct
4:55	azure windows	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=terraform
4:49	aws windows	TestAccept/bundle/resources/permissions/factcheck/DATABRICKS_BUNDLE_ENGINE=terraform
4:43	aws windows	TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct
4:35	azure linux	TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct
4:16	azure linux	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=terraform
4:10	azure-ucws windows	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=direct
4:05	gcp windows	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=terraform
3:27	azure linux	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=direct
3:20	aws linux	TestAccept/bundle/resources/clusters/deploy/data_security_mode/DATABRICKS_BUNDLE_ENGINE=direct
3:08	azure-ucws linux	TestAccept/bundle/resources/synced_database_tables/basic
2:37	aws-ucws linux	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=direct
2:19	aws windows	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=terraform
2:00	aws linux	TestAccept/bundle/resources/clusters/deploy/update-after-create/DATABRICKS_BUNDLE_ENGINE=terraform

andrewnester · 2025-11-12T13:04:15Z

@pietern fixed both in the latest revision, now only ubuntu one creates a release, windows one uploads artifacts to that release

pietern · 2025-11-12T13:42:02Z

.github/workflows/release.yml

+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  # Build and sign Windows binaries using AzureSignTool with Azure Key Vault.
+  # Runs on GitHub-hosted windows-latest runner (has signtool and Windows SDK).


Does our own runner not have these?

We don't seem to have hosted windows runner or at least I haven't found one

.github/workflows/release.yml

pietern · 2025-11-12T13:43:33Z

.github/workflows/release.yml

+              echo "Uploading $(basename $file)"
+              gh release upload ${{ github.ref_name }} "$file"
+            fi
+          done


The only diff is we have a separate SHA256SUMS file for Windows?

yes, indeed, we use for homebrew though but we need only linux and os x one there so we should be good

Automatically sign CLI binary using Goreleaser

84942db

andrewnester requested review from anton-107, denik, pietern and shreyas-goenka as code owners November 5, 2025 11:00

andrewnester temporarily deployed to test-trigger-is November 5, 2025 11:00 — with GitHub Actions Inactive

skip publish

397e861

andrewnester temporarily deployed to test-trigger-is November 5, 2025 11:39 — with GitHub Actions Inactive

fix skip

29125ac

andrewnester temporarily deployed to test-trigger-is November 5, 2025 11:42 — with GitHub Actions Inactive

snap

d2d6b5a

andrewnester temporarily deployed to test-trigger-is November 5, 2025 11:44 — with GitHub Actions Inactive

change tmpl

fcba44d

andrewnester temporarily deployed to test-trigger-is November 5, 2025 11:56 — with GitHub Actions Inactive

fixed tool name

e28b76e

andrewnester temporarily deployed to test-trigger-is November 5, 2025 12:23 — with GitHub Actions Inactive

should run on windows

f596713

andrewnester temporarily deployed to test-trigger-is November 5, 2025 12:39 — with GitHub Actions Inactive

sign with jsign

543aff1

andrewnester temporarily deployed to test-trigger-is November 5, 2025 13:01 — with GitHub Actions Inactive

remove sign section

7a70b4f

andrewnester temporarily deployed to test-trigger-is November 5, 2025 13:07 — with GitHub Actions Inactive

use variables from deco-sign

d40bea1

andrewnester temporarily deployed to test-trigger-is November 10, 2025 11:48 — with GitHub Actions Inactive

az login and access token

0746707

andrewnester temporarily deployed to test-trigger-is November 10, 2025 13:20 — with GitHub Actions Inactive

foixed

e754fc2

andrewnester temporarily deployed to test-trigger-is November 10, 2025 13:24 — with GitHub Actions Inactive

fixed syntax for az

39d6f0a

post hook

356ade6

andrewnester temporarily deployed to test-trigger-is November 12, 2025 11:48 — with GitHub Actions Inactive

andrewnester had a problem deploying to sign November 12, 2025 11:48 — with GitHub Actions Failure

fix for signtool

a410c09

andrewnester temporarily deployed to test-trigger-is November 12, 2025 11:54 — with GitHub Actions Inactive

andrewnester had a problem deploying to sign November 12, 2025 11:55 — with GitHub Actions Failure

added missing creds

303b7cf

andrewnester had a problem deploying to sign November 12, 2025 12:00 — with GitHub Actions Failure

andrewnester temporarily deployed to test-trigger-is November 12, 2025 12:01 — with GitHub Actions Inactive

fixes

5e646f2

andrewnester temporarily deployed to test-trigger-is November 12, 2025 12:11 — with GitHub Actions Inactive

andrewnester had a problem deploying to sign November 12, 2025 12:11 — with GitHub Actions Failure

use ps1 file

4086e4b

andrewnester temporarily deployed to test-trigger-is November 12, 2025 12:21 — with GitHub Actions Inactive

andrewnester had a problem deploying to sign November 12, 2025 12:21 — with GitHub Actions Failure

use azuresigntool

ab1a633

andrewnester temporarily deployed to test-trigger-is November 12, 2025 12:30 — with GitHub Actions Inactive

andrewnester had a problem deploying to sign November 12, 2025 12:30 — with GitHub Actions Failure

fix typo

db3f6d0

andrewnester temporarily deployed to test-trigger-is November 12, 2025 12:52 — with GitHub Actions Inactive

andrewnester temporarily deployed to sign November 12, 2025 12:53 — with GitHub Actions Inactive

final cleanup

239c657

andrewnester temporarily deployed to test-trigger-is November 12, 2025 13:03 — with GitHub Actions Inactive

andrewnester requested a review from pietern November 12, 2025 13:04

pietern approved these changes Nov 12, 2025

View reviewed changes

run in parallel

8553fe1

andrewnester temporarily deployed to test-trigger-is November 12, 2025 13:51 — with GitHub Actions Inactive

andrewnester merged commit 7c3408e into main Nov 12, 2025
12 of 13 checks passed

andrewnester deleted the sign-cli branch November 12, 2025 13:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Automatically sign CLI binary using Goreleaser#3879

Automatically sign CLI binary using Goreleaser#3879
andrewnester merged 43 commits intomainfrom
sign-cli

andrewnester commented Nov 5, 2025 •

edited

Loading

Uh oh!

eng-dev-ecosystem-bot commented Nov 5, 2025 •

edited

Loading

Uh oh!

andrewnester commented Nov 12, 2025

Uh oh!

pietern Nov 12, 2025

Uh oh!

andrewnester Nov 12, 2025

Uh oh!

Uh oh!

pietern Nov 12, 2025

Uh oh!

andrewnester Nov 12, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

andrewnester commented Nov 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Why

Tests

Uh oh!

eng-dev-ecosystem-bot commented Nov 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

andrewnester commented Nov 12, 2025

Uh oh!

pietern Nov 12, 2025

Choose a reason for hiding this comment

Uh oh!

andrewnester Nov 12, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

pietern Nov 12, 2025

Choose a reason for hiding this comment

Uh oh!

andrewnester Nov 12, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

andrewnester commented Nov 5, 2025 •

edited

Loading

eng-dev-ecosystem-bot commented Nov 5, 2025 •

edited

Loading