databricks · andrewnester · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025
@@ -9,6 +9,7 @@ on:
 
 jobs:
   goreleaser:
+    environment: sign
     runs-on:
       group: databricks-deco-testing-runner-group
       labels: ubuntu-latest-deco
@@ -48,6 +49,22 @@ jobs:
       - name: Set up QEMU dependency
         uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
+      - name: Setup Java for jsign
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+
+      - name: Get Key Vault access token
+        id: get-token
+        run: |
+          az login --service-principal \
+            -u ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }} \
+            -p ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }} \
+            --tenant ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
+          ACCESS_TOKEN=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv)
+          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> $GITHUB_ENV
+
       - name: Run GoReleaser
         id: releaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
@@ -56,6 +73,9 @@ jobs:
           args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ACCESS_TOKEN: ${{ env.ACCESS_TOKEN }}
+          AZURE_KEY_VAULT_NAME: deco-sign
+          AZURE_CERTIFICATE_NAME: deco-sign
 
   create-setup-cli-release-pr:
     runs-on:
@@ -190,3 +210,70 @@ jobs:
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
         with:
           packages-dir: experimental/python/dist
+
+  publish-to-winget-pkgs:
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
+    needs: goreleaser
+
+    environment: release
+
+    steps:
+      - name: Checkout repository and submodules
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+        # When updating the version of komac, make sure to update the checksum in the next step.
+        # Find both at https://github.com/russellbanks/Komac/releases.
+      - name: Download komac binary
+        run: |
+          curl -s -L -o $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz
+
+      - name: Verify komac binary
+        run: |
+          echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c  $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c -
+
+      - name: Untar komac binary to temporary path
+        run: |
+          mkdir -p $RUNNER_TEMP/komac
+          tar -xzf $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz -C $RUNNER_TEMP/komac
+
+      - name: Add komac to PATH
+        run: echo "$RUNNER_TEMP/komac" >> $GITHUB_PATH
+
+      - name: Confirm komac version
+        run: komac --version
+
+        # Use the tag from the input, or the ref name if the input is not provided.
+        # The ref name is equal to the tag name when this workflow is triggered by the "sign-cli" command.
+      - name: Strip "v" prefix from version
+        id: strip_version
+        run: echo "version=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> "$GITHUB_OUTPUT"
+
+      - name: Get URLs of signed Windows binaries
+        id: get_windows_urls
+        run: |
+          urls=$(
+            gh api https://api.github.com/repos/databricks/cli/releases/tags/${{ github.ref_name }} | \
+            jq -r .assets[].browser_download_url | \
+            grep -E '_windows_.*\.zip$' | \
+            tr '\n' ' '
+          )
+          if [ -z "$urls" ]; then
+            echo "No signed Windows binaries found" >&2
+            exit 1
+          fi
+          echo "urls=$urls" >> "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Publish to Winget
+        run: |
+          komac update Databricks.DatabricksCLI \
+            --version ${{ steps.strip_version.outputs.version }} \
+            --submit \
+            --urls ${{ steps.get_windows_urls.outputs.urls }} \
+        env:
+          KOMAC_FORK_OWNER: eng-dev-ecosystem-bot
+          GITHUB_TOKEN: ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }}
@@ -3,6 +3,7 @@ version: 2
 before:
   hooks:
     - go mod download
+    - sh -c 'wget -q https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar -O /tmp/jsign.jar'
 
 builds:
   - env:
@@ -40,6 +41,10 @@ builds:
       - arm64
     binary: databricks
 
+    hooks:
+      post:
+        - sh -c 'if [ "{{ .Os }}" = "windows" ]; then java -jar /tmp/jsign.jar --storetype AZUREKEYVAULT --keystore "${AZURE_KEY_VAULT_NAME}" --storepass "${ACCESS_TOKEN}" --alias "${AZURE_CERTIFICATE_NAME}" --tsaurl http://timestamp.digicert.com "{{ .Path }}"; fi'
+
 archives:
   - formats: ["zip", "tar.gz"]