Single-job release with jsign for Windows signing on Linux #3
Workflow file for this run
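# Test release workflow: builds every platform with GoReleaser in one job and
# signs the Windows binaries on a Linux runner with jsign + Azure Key Vault.
name: release-test

on:
  push:
    branches:
      - "split-release-workflows"
  workflow_dispatch:

jobs:
  # Build all platforms and sign Windows binaries in a single job.
  # Uses jsign for Authenticode signing on Linux via Azure Key Vault.
  goreleaser:
    # Signing secrets are read from the "sign" environment.
    environment: sign
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco
    permissions:
      # id-token: write lets the job request a GitHub OIDC token (the JFrog
      # setup step below is configured with an OIDC provider).
      id-token: write
      contents: read
    steps:
      # Every third-party action is pinned to a full commit SHA; keep the
      # trailing version comment in sync whenever a pin is bumped.
      - name: Checkout repository and submodules
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Setup JFrog CLI with OIDC
        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
        env:
          JF_URL: https://databricks.jfrog.io
        with:
          oidc-provider-name: github-actions

      - name: Setup Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: go.mod
          cache-dependency-path: |
            go.sum
            .goreleaser-test.yaml

      - name: Configure Go module proxy via JFrog
        run: jf goc --repo-resolve=db-golang

      - name: Setup Java
        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
        with:
          distribution: temurin
          java-version: '21'

      # jsign 7.4 from https://github.com/ebourg/jsign/releases/tag/7.4
      # The jar is fetched by URL, so the pinned SHA-256 is the only integrity
      # check; update the digest together with the version.
      - name: Download and verify jsign
        run: |
          set -euo pipefail
          curl -sfL -o "$RUNNER_TEMP/jsign.jar" \
            https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
          echo "2abf2ade9ea322acc2d60c24794eadc465ff9380938fca4c932d09e0b25f1c28  $RUNNER_TEMP/jsign.jar" | sha256sum -c -
          echo "JSIGN_JAR=$RUNNER_TEMP/jsign.jar" >> "$GITHUB_ENV"

      # Client-credentials grant against Entra ID for a Key Vault scoped token.
      # - Secrets are passed through step-level env instead of being expanded
      #   into the script text by ${{ }}, so their content is never parsed as
      #   shell syntax.
      # - The form body is fed to curl on stdin (printf is a shell builtin), so
      #   the client secret does not appear in any process argument list on the
      #   runner.
      # - pipefail plus `jq -e` fail the step when the request fails or the
      #   response has no access_token, instead of exporting an empty or "null"
      #   token and masking that string in the logs.
      # NOTE(review): AZURE_VAULT_TOKEN is written to GITHUB_ENV and is
      # therefore visible to every later step in this job, not only the signing
      # hook. The job already holds id-token: write; a federated credential on
      # the app registration would remove the long-lived client secret. Confirm
      # with the Key Vault owners.
      - name: Get Azure Key Vault access token
        env:
          SIGN_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
          SIGN_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
          SIGN_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}
        run: |
          set -euo pipefail
          TOKEN=$(
            printf 'client_id=%s&client_secret=%s&scope=%s&grant_type=client_credentials' \
              "$SIGN_CLIENT_ID" "$SIGN_CLIENT_SECRET" "https://vault.azure.net/.default" |
              curl -sf -X POST --data @- \
                "https://login.microsoftonline.com/${SIGN_TENANT_ID}/oauth2/v2.0/token" |
              jq -er '.access_token'
          )
          # Register the mask before the value is written anywhere else.
          echo "::add-mask::$TOKEN"
          echo "AZURE_VAULT_TOKEN=$TOKEN" >> "$GITHUB_ENV"

      # Deletes a local tag named "snapshot" if one exists; `|| true` keeps the
      # step green when it does not.
      - name: Hide snapshot tag to outsmart GoReleaser
        run: git tag -d snapshot || true

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: "~> v2"
          args: release -f .goreleaser-test.yaml --snapshot
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: release-artifacts
          path: |
            dist/*.zip
            dist/*.tar.gz
            dist/*SHA256SUMS*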