-
Notifications
You must be signed in to change notification settings - Fork 160
134 lines (112 loc) · 3.97 KB
/
release-build.yml
File metadata and controls
134 lines (112 loc) · 3.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: release-build
on:
push:
tags:
- "v*"
branches:
- "main"
- "demo-*"
- "bugbash-*"
workflow_dispatch:
jobs:
cli:
environment:
name: sign
deployment: false
runs-on:
group: databricks-protected-runner-group-large
labels: linux-ubuntu-latest-large
permissions:
id-token: write
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-tags: true
- name: Setup JFrog
uses: ./.github/actions/setup-jfrog
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: go.mod
cache-dependency-path: |
go.sum
.goreleaser.yaml
- name: Download Go modules
run: go mod download
- name: Setup Java
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: temurin
java-version: '21'
# jsign 7.4 from https://github.com/ebourg/jsign/releases/tag/7.4
- name: Download and verify jsign
run: |
curl -sfL -o "$RUNNER_TEMP/jsign.jar" \
https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
echo "2abf2ade9ea322acc2d60c24794eadc465ff9380938fca4c932d09e0b25f1c28 $RUNNER_TEMP/jsign.jar" | sha256sum -c -
echo "JSIGN_JAR=$RUNNER_TEMP/jsign.jar" >> $GITHUB_ENV
- name: Get Azure Key Vault access token
run: |
TOKEN=$(curl -sf -X POST \
"https://login.microsoftonline.com/${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}/oauth2/v2.0/token" \
-d "client_id=${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}" \
-d "client_secret=${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}" \
-d "scope=https://vault.azure.net/.default" \
-d "grant_type=client_credentials" | jq -r '.access_token')
echo "::add-mask::$TOKEN"
echo "AZURE_VAULT_TOKEN=$TOKEN" >> $GITHUB_ENV
- name: Hide snapshot tag to outsmart GoReleaser
run: git tag -d snapshot || true
# Use --snapshot for branch builds (non-tag refs).
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
with:
version: v2.14.3
args: release --skip=publish ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }}
- name: Verify Windows binary signatures
run: |
for exe in dist/*_windows_*/databricks.exe; do
echo "=== $exe ==="
java -jar "$JSIGN_JAR" extract --format PEM "$exe"
openssl pkcs7 -in "${exe}.sig.pem" -inform PEM -print_certs -text -noout
rm "${exe}.sig.pem"
echo
done
- name: Upload artifacts
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: cli
path: |
dist/*.zip
dist/*.tar.gz
dist/*SHA256SUMS*
wheel:
runs-on:
group: databricks-protected-runner-group-large
labels: linux-ubuntu-latest-large
permissions:
id-token: write
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-tags: true
- name: Setup JFrog
uses: ./.github/actions/setup-jfrog
- name: Install uv
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
version: "0.6.5"
- name: Build wheel
working-directory: python
run: make build
- name: Upload Python wheel
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: wheel
path: python/dist/*