
Conversation

@andrewnester (Contributor) commented Nov 5, 2025

Changes

Automatically sign CLI binary using Goreleaser

Why

Currently, it's a manual process; we want it to be automatic

Tests

Successful dry-run is here: https://github.com/databricks/cli/actions/runs/19235669891/job/54984805490

@eng-dev-ecosystem-bot (Collaborator) commented Nov 5, 2025

Run: 19236141613

Env                  flaky  RECOVERED  SKIP  pass  skip
💚 aws linux                 1          1     356   602
💚 aws windows               1          1     357   601
💚 aws-ucws windows          1          1     492   492
💚 azure linux               1          1     356   601
💚 azure windows             1          1     357   600
🔄 gcp linux         4       1          1     351   603
6 failing tests:
Test Name aws linux aws windows aws-ucws windows azure linux azure windows gcp linux
TestAccept 💚​R 💚​R 💚​R 💚​R 💚​R 💚​R
TestAccept/bundle/run/app-with-job 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S 🙈​S
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=direct/DLT=no/NBOOK=no/PY=no ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=direct/DLT=no/NBOOK=no/PY=yes ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=direct/DLT=no/NBOOK=yes/PY=no ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f
TestAccept/bundle/templates/default-python/combinations/classic/DATABRICKS_BUNDLE_ENGINE=terraform/DLT=yes/NBOOK=yes/PY=yes ✅​p ✅​p ✅​p ✅​p ✅​p 🔄​f

with:
packages-dir: experimental/python/dist

publish-to-winget-pkgs:
@andrewnester (Contributor, Author) commented:

This action moved from publish-winget.yml, which was previously manually triggered; now it is triggered automatically after goreleaser succeeds.

urls=$(
gh api https://api.github.com/repos/databricks/cli/releases/tags/${{ github.ref_name }} | \
jq -r .assets[].browser_download_url | \
grep -E '_windows_.*\.zip$' | \
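Review bot: `${{ github.ref_name }}` is expanded into the script text before the shell runs it, so the tag name is parsed by sh rather than passed as data; move it to an `env:` entry (for example `TAG: ${{ github.ref_name }}`) and reference `"$TAG"` inside the `gh api` URL instead. Also note that `grep -E '_windows_.*\.zip$'` selects every windows zip asset on the release, so `urls` may hold more than one line if more than one windows archive is published, and whatever consumes it further down must handle that.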
@andrewnester (Contributor, Author) commented:

The only change: it used to search for -signed suffixed archives, but now the default-named archive for windows is already signed.

-p ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }} \
--tenant ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
ACCESS_TOKEN=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv)
echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV
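Review bot: `ACCESS_TOKEN` is a Key Vault bearer token minted at runtime, so the runner has no record of it and will not mask it; any later step that echoes it, or dumps `$GITHUB_ENV` under debug logging, shows it in clear. Register it before exporting it, i.e. add `echo "::add-mask::$ACCESS_TOKEN"` immediately above `echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV`, and quote `"$GITHUB_ENV"`. The `-p ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}` argument has the related issue: the value is masked in the log but still lands on the `az` command line; passing it through `env:` and `"$AZURE_CLIENT_SECRET"` avoids interpolating a secret into script text.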
Contributor commented:

We need to mark this as secret/sensitive as well.

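As an added example (not code from the databricks/cli PR or from the project), here is how a token minted during the job, such as the Key Vault access token above, can be handed to later steps without appearing in clear in the job log. The function names `export_masked_env` and `read_github_env` are my own, the token in the test is constructed, and the example relies only on the documented `::add-mask::` workflow command and the `NAME<<DELIM` heredoc form of `$GITHUB_ENV`.

```shell
#!/bin/sh
# Added example, not part of the databricks/cli PR.
#
# GitHub Actions masks repository secrets automatically, but a value produced
# at runtime (e.g. the output of `az account get-access-token`) is unknown to
# the runner until it is registered with the ::add-mask:: workflow command.
# Register first, then export; the order matters because an unmasked echo is
# already in the log.

# export_masked_env NAME VALUE
#   1. emits one ::add-mask:: line per line of VALUE (the runner masks exact
#      strings, so a multi-line value such as a PEM must be masked per line);
#   2. appends NAME to $GITHUB_ENV using the heredoc form, which is the only
#      form that survives multi-line values.
# Plain POSIX sh: no `local`, so helper variables are deliberately prefixed.
export_masked_env() {
  eme_name="$1"
  eme_value="$2"
  [ -n "$eme_name" ] || { echo "export_masked_env: empty name" >&2; return 2; }
  [ -n "${GITHUB_ENV:-}" ] || { echo "export_masked_env: GITHUB_ENV is not set" >&2; return 2; }

  printf '%s\n' "$eme_value" | while IFS= read -r eme_line; do
    if [ -n "$eme_line" ]; then
      printf '::add-mask::%s\n' "$eme_line"
    fi
  done

  # Random delimiter so that no line of the value can terminate the block early.
  eme_delim="ghadelim_$$_$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$eme_name" "$eme_delim"
    printf '%s\n' "$eme_value"
    printf '%s\n' "$eme_delim"
  } >> "$GITHUB_ENV"
}

# read_github_env FILE NAME
#   Prints the last value recorded for NAME in FILE, understanding both the
#   NAME=value form and the NAME<<DELIM heredoc form. This is a reader for
#   the file format, written here to check the round trip; the runner itself
#   parses $GITHUB_ENV between steps.
read_github_env() {
  awk -v name="$2" '
    inblock {
      if ($0 == delim) { inblock = 0; found = 1 }
      else { val = (n++ ? val "\n" : "") $0 }
      next
    }
    index($0, name "<<") == 1 { delim = substr($0, length(name) + 3); inblock = 1; n = 0; val = ""; next }
    index($0, name "=") == 1  { val = substr($0, length(name) + 2); found = 1 }
    END { if (found) print val }
  ' "$1"
}
```

The same ordering rule applies to any other runtime-derived secret (a signing session token, a short-lived cloud credential): mask it the moment it exists, then write it to `$GITHUB_ENV` or `$GITHUB_OUTPUT`, never the other way round.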
hooks:
post:
- sh -c 'if [ "{{ .Os }}" = "windows" ]; then java -jar /tmp/jsign.jar --storetype AZUREKEYVAULT --keystore "${AZURE_KEY_VAULT_NAME}" --storepass "${ACCESS_TOKEN}" --alias "${AZURE_CERTIFICATE_NAME}" --tsaurl http://timestamp.digicert.com "{{ .Path }}"; fi'
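Review bot: the hook assumes `/tmp/jsign.jar`, `AZURE_KEY_VAULT_NAME`, `AZURE_CERTIFICATE_NAME` and `ACCESS_TOKEN` are all present, and under plain `sh -c` an unset variable expands to an empty string, so a missing input surfaces late as an opaque keystore or authentication error from jsign rather than by name; begin the quoted script with `set -eu` so the hook fails immediately and says which variable is missing. The control flow itself is sound: the `if` makes non-Windows builds a no-op with exit 0, and for Windows the `java` exit status is the last command in the `if`, so a failed signature does fail the build.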

Contributor commented:

This looks a bit finicky. Is this the recommended approach with goreleaser?

4 participants