diff --git a/.github/workflows/publish-winget.yml b/.github/workflows/publish-winget.yml
deleted file mode 100644
index cbd24856bf..0000000000
--- a/.github/workflows/publish-winget.yml
+++ /dev/null
@@ -1,74 +0,0 @@ -name: publish-winget - -on: - workflow_dispatch: - inputs: - tag: - description: 'Tag to publish' - default: '' - -jobs: - publish-to-winget-pkgs: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - - environment: release - - steps: - - name: Checkout repository and submodules - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # When updating the version of komac, make sure to update the checksum in the next step. - # Find both at https://github.com/russellbanks/Komac/releases. - - name: Download komac binary - run: | - curl -s -L -o $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz - - - name: Verify komac binary - run: | - echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c - - - - name: Untar komac binary to temporary path - run: | - mkdir -p $RUNNER_TEMP/komac - tar -xzf $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz -C $RUNNER_TEMP/komac - - - name: Add komac to PATH - run: echo "$RUNNER_TEMP/komac" >> $GITHUB_PATH - - - name: Confirm komac version - run: komac --version - - # Use the tag from the input, or the ref name if the input is not provided. - # The ref name is equal to the tag name when this workflow is triggered by the "sign-cli" command. 
- - name: Strip "v" prefix from version - id: strip_version - run: echo "version=$(echo ${{ inputs.tag || github.ref_name }} | sed 's/^v//')" >> "$GITHUB_OUTPUT" - - - name: Get URLs of signed Windows binaries - id: get_windows_urls - run: | - urls=$( - gh api https://api.github.com/repos/databricks/cli/releases/tags/${{ inputs.tag || github.ref_name }} | \ - jq -r .assets[].browser_download_url | \ - grep -E '_windows_.*-signed\.zip$' | \ - tr '\n' ' ' - ) - if [ -z "$urls" ]; then - echo "No signed Windows binaries found" >&2 - exit 1 - fi - echo "urls=$urls" >> "$GITHUB_OUTPUT" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Publish to Winget - run: | - komac update Databricks.DatabricksCLI \ - --version ${{ steps.strip_version.outputs.version }} \ - --submit \ - --urls ${{ steps.get_windows_urls.outputs.urls }} \ - env: - KOMAC_FORK_OWNER: eng-dev-ecosystem-bot - GITHUB_TOKEN: ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index aca2d33880..4decff59c3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,6 +9,7 @@ on: jobs: goreleaser: + environment: sign runs-on: group: databricks-deco-testing-runner-group labels: ubuntu-latest-deco 
@@ -48,6 +49,22 @@ jobs: - name: Set up QEMU dependency uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + - name: Setup Java for jsign + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '17' + + - name: Get Key Vault access token + id: get-token + run: | + az login --service-principal \ + -u ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }} \ + -p ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }} \ + --tenant ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }} + ACCESS_TOKEN=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv) + echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV + - name: Run GoReleaser id: releaser uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 @@ -56,6 +73,9 @@ jobs: args: release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + ACCESS_TOKEN: ${{ env.ACCESS_TOKEN }} + AZURE_KEY_VAULT_NAME: deco-sign + AZURE_CERTIFICATE_NAME: deco-sign create-setup-cli-release-pr: runs-on: 
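Review bot: The token written to `$GITHUB_ENV` in `Get Key Vault access token` is never registered with the log masker. It comes from `az`, not from `secrets.*`, so it can appear in logs unmasked, and every later step of the job can read it rather than only `Run GoReleaser`. Emit `::add-mask::` for it before exporting, and consider a step output consumed only by the GoReleaser step. The three `secrets.DECO_SIGN_AZURE_*` values are also expanded unquoted into the script text; passing them through `env:` and quoting the variables avoids word-splitting and keeps them out of the rendered script. Separately, `actions/setup-java@v4` is the only action in the visible lines referenced by a mutable tag; pin it as `actions/setup-java@<commit-sha> # v4.x.y` like the others.

```yaml
      - name: Get Key Vault access token
        id: get-token
        env:
          AZURE_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}
          AZURE_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
        run: |
          az login --service-principal \
            -u "$AZURE_CLIENT_ID" \
            -p "$AZURE_CLIENT_SECRET" \
            --tenant "$AZURE_TENANT_ID" \
            --output none
          ACCESS_TOKEN=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv)
          # Register the token with the log masker before it is exported.
          echo "::add-mask::$ACCESS_TOKEN"
          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"
      # … unchanged: Run GoReleaser step …
```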
@@ -190,3 +210,70 @@ jobs: uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 with: packages-dir: experimental/python/dist + + publish-to-winget-pkgs: + runs-on: + group: databricks-deco-testing-runner-group + labels: ubuntu-latest-deco + + needs: goreleaser + + environment: release + + steps: + - name: Checkout repository and submodules + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # When updating the version of komac, make sure to update the checksum in the next step. + # Find both at https://github.com/russellbanks/Komac/releases. + - name: Download komac binary + run: | + curl -s -L -o $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz + + - name: Verify komac binary + run: | + echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c - + + - name: Untar komac binary to temporary path + run: | + mkdir -p $RUNNER_TEMP/komac + tar -xzf $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz -C $RUNNER_TEMP/komac + + - name: Add komac to PATH + run: echo "$RUNNER_TEMP/komac" >> $GITHUB_PATH + + - name: Confirm komac version + run: komac --version + + # Use the tag from the input, or the ref name if the input is not provided. + # The ref name is equal to the tag name when this workflow is triggered by the "sign-cli" command. 
+ - name: Strip "v" prefix from version + id: strip_version + run: echo "version=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> "$GITHUB_OUTPUT" + + - name: Get URLs of signed Windows binaries + id: get_windows_urls + run: | + urls=$( + gh api https://api.github.com/repos/databricks/cli/releases/tags/${{ github.ref_name }} | \ + jq -r .assets[].browser_download_url | \ + grep -E '_windows_.*\.zip$' | \ + tr '\n' ' ' + ) + if [ -z "$urls" ]; then + echo "No signed Windows binaries found" >&2 + exit 1 + fi + echo "urls=$urls" >> "$GITHUB_OUTPUT" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Publish to Winget + run: | + komac update Databricks.DatabricksCLI \ + --version ${{ steps.strip_version.outputs.version }} \ + --submit \ + --urls ${{ steps.get_windows_urls.outputs.urls }} \ + env: + KOMAC_FORK_OWNER: eng-dev-ecosystem-bot + GITHUB_TOKEN: ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 8471d8410f..421ab6213e 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -3,6 +3,7 @@ version: 2 before: hooks: - go mod download + - sh -c 'wget -q https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign.jar' builds: - env: @@ -40,6 +41,10 @@ builds: - arm64 binary: databricks + hooks: + post: + - sh -c 'if [ "{{ .Os }}" = "windows" ]; then java -jar /tmp/jsign.jar --storetype AZUREKEYVAULT --keystore "${AZURE_KEY_VAULT_NAME}" --storepass "${ACCESS_TOKEN}" --alias "${AZURE_CERTIFICATE_NAME}" --tsaurl http://timestamp.digicert.com "{{ .Path }}"; fi' + archives: - formats: ["zip", "tar.gz"]
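Review bot: `${{ github.ref_name }}` is expanded into the script text of `Strip "v" prefix from version` and of `Get URLs of signed Windows binaries` before the shell runs, so a ref name containing shell metacharacters would be interpreted by the shell inside a job that runs in the `release` environment. Pass it through the environment instead, e.g. `env: TAG: ${{ github.ref_name }}` with `run: echo "version=${TAG#v}" >> "$GITHUB_OUTPUT"`, and use `"$TAG"` in the `gh api` URL. The filter is now `'_windows_.*\.zip$'`, but the step name, the "No signed Windows binaries found" message and the carried-over comment about the input tag and the "sign-cli" command still describe the old flow. Update them to say the job now relies on the goreleaser job having signed the archives.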
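Review bot: The new `before` hook downloads `jsign-6.0.jar` to `/tmp/jsign.jar` with no integrity check, and the build then runs that jar with the Key Vault access token passed as `--storepass`. The komac download in release.yml is verified with `sha256sum -c`; give this download the same treatment by appending a check to the hook, e.g. `echo "<sha256-of-jsign-6.0.jar>  /tmp/jsign.jar" | sha256sum -c -`, with the hash taken from a trusted copy of the release. A comment like the komac one ("when updating the version, update the checksum") would keep the two in step.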
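Review bot: The `post` hook has no comment saying which environment it needs, and it invokes jsign for every Windows target whether or not `ACCESS_TOKEN`, `AZURE_KEY_VAULT_NAME` and `AZURE_CERTIFICATE_NAME` are set. A goreleaser run outside the release workflow would presumably call jsign with empty values and fail with an unclear error; this is inferred, since the hunk does not show how such runs are configured. Add a comment above `hooks:` such as `# Signs Windows binaries via Azure Key Vault; requires ACCESS_TOKEN, AZURE_KEY_VAULT_NAME and AZURE_CERTIFICATE_NAME (set in release.yml).` Since the winget job no longer filters on `-signed` archive names, this hook is the only visible point where signing is enforced, which the comment should also state.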