Disable auto-deployment for sign environment #11
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release-publish | |
| on: | |
| # Push trigger for testing on this branch. Remove before merging. | |
| push: | |
| branches: | |
| - "split-release-workflows" | |
| workflow_dispatch: | |
| inputs: | |
| build_run_id: | |
| description: 'Run ID of the release-build workflow' | |
| required: true | |
| type: string | |
| tag: | |
| description: 'Version tag to release (e.g. v0.296.0)' | |
| required: true | |
| type: string | |
| dry_run: | |
| description: 'Dry run: download and verify artifacts without publishing' | |
| required: false | |
| type: boolean | |
| default: true | |
| env: | |
| DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }} | |
| jobs: | |
| # Always runs. Downloads artifacts from the build run and verifies them. | |
| # In non-dry-run mode, also creates the GitHub release. | |
| # Skipped on push trigger (used only to register the workflow with GitHub). | |
| prepare-release: | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| runs-on: | |
| group: databricks-deco-testing-runner-group | |
| labels: ubuntu-latest-deco | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Download release artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: release-artifacts | |
| path: dist | |
| run-id: ${{ inputs.build_run_id }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: List downloaded artifacts | |
| run: ls -lR dist/ | |
| - name: Verify checksums | |
| run: | | |
| echo "Verifying SHA256 checksums..." | |
| cd dist | |
| checksums_file=$(ls *SHA256SUMS* | head -1) | |
| sha256sum -c "$checksums_file" | |
| - name: Create GitHub release | |
| if: env.DRY_RUN == 'false' | |
| run: | | |
| gh release create "${{ inputs.tag }}" \ | |
| --repo "${{ github.repository }}" \ | |
| --title "${{ inputs.tag }}" \ | |
| --generate-notes \ | |
| dist/*.zip \ | |
| dist/*.tar.gz \ | |
| dist/*SHA256SUMS* | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Dry run summary | |
| if: env.DRY_RUN == 'true' | |
| run: | | |
| echo "::notice::Dry run complete. Artifacts downloaded and verified successfully." | |
| echo "::notice::To publish, re-run this workflow with dry_run=false." | |
| echo "" | |
| echo "Archives that would be published:" | |
| ls dist/*.zip dist/*.tar.gz dist/*SHA256SUMS* | |
| docker: | |
| if: ${{ !inputs.dry_run }} | |
| needs: prepare-release | |
| runs-on: | |
| group: databricks-deco-testing-runner-group | |
| labels: ubuntu-latest-deco | |
| permissions: | |
| packages: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| ref: ${{ inputs.tag }} | |
| - name: Download release artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: release-artifacts | |
| path: dist | |
| run-id: ${{ inputs.build_run_id }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to GHCR | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 | |
| # Pin Docker to 28.0.4 because Docker 29.x changed how buildx pushes | |
| # images (they become manifest lists), which breaks docker manifest create. | |
| - name: Set up Docker | |
| uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0 | |
| with: | |
| version: v28.0.4 | |
| - name: Strip v prefix from tag | |
| id: version | |
| run: echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" | |
| env: | |
| TAG: ${{ inputs.tag }} | |
| - name: Build and push Docker images | |
| run: | | |
| VERSION="${{ steps.version.outputs.version }}" | |
| for arch in amd64 arm64; do | |
| # Set up a temporary build context with the binary and docker files. | |
| tmp=$(mktemp -d) | |
| cp Dockerfile "$tmp/" | |
| mkdir -p "$tmp/docker" | |
| cp docker/config.tfrc docker/setup.sh "$tmp/docker/" | |
| # Extract the linux binary from the tar.gz archive. | |
| tar -xzf "dist/databricks_cli_${VERSION}_linux_${arch}.tar.gz" -C "$tmp" databricks | |
| chmod +x "$tmp/databricks" | |
| docker buildx build \ | |
| --platform "linux/${arch}" \ | |
| --build-arg "ARCH=${arch}" \ | |
| --tag "ghcr.io/databricks/cli:${VERSION}-${arch}" \ | |
| --tag "ghcr.io/databricks/cli:latest-${arch}" \ | |
| --push \ | |
| "$tmp" | |
| rm -rf "$tmp" | |
| done | |
| - name: Create and push multi-arch manifests | |
| run: | | |
| VERSION="${{ steps.version.outputs.version }}" | |
| docker manifest create "ghcr.io/databricks/cli:${VERSION}" \ | |
| "ghcr.io/databricks/cli:${VERSION}-amd64" \ | |
| "ghcr.io/databricks/cli:${VERSION}-arm64" | |
| docker manifest push "ghcr.io/databricks/cli:${VERSION}" | |
| docker manifest create "ghcr.io/databricks/cli:latest" \ | |
| "ghcr.io/databricks/cli:latest-amd64" \ | |
| "ghcr.io/databricks/cli:latest-arm64" | |
| docker manifest push "ghcr.io/databricks/cli:latest" | |
| create-setup-cli-release-pr: | |
| if: ${{ !inputs.dry_run }} | |
| needs: prepare-release | |
| runs-on: | |
| group: databricks-deco-testing-runner-group | |
| labels: ubuntu-latest-deco | |
| steps: | |
| - name: Strip v prefix from tag | |
| id: version | |
| run: echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" | |
| env: | |
| TAG: ${{ inputs.tag }} | |
| - name: Update setup-cli | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| github-token: ${{ secrets.DECO_GITHUB_TOKEN }} | |
| script: | | |
| await github.rest.actions.createWorkflowDispatch({ | |
| owner: 'databricks', | |
| repo: 'setup-cli', | |
| workflow_id: 'release-pr.yml', | |
| ref: 'main', | |
| inputs: { | |
| version: "${{ steps.version.outputs.version }}", | |
| } | |
| }); | |
| create-homebrew-tap-release-pr: | |
| if: ${{ !inputs.dry_run }} | |
| needs: prepare-release | |
| runs-on: | |
| group: databricks-deco-testing-runner-group | |
| labels: ubuntu-latest-deco | |
| steps: | |
| - name: Download release artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: release-artifacts | |
| path: dist | |
| run-id: ${{ inputs.build_run_id }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Strip v prefix from tag | |
| id: version | |
| run: echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" | |
| env: | |
| TAG: ${{ inputs.tag }} | |
| - name: Compute checksums for homebrew | |
| id: checksums | |
| run: | | |
| VERSION="${{ steps.version.outputs.version }}" | |
| for combo in darwin_amd64 darwin_arm64 linux_amd64 linux_arm64; do | |
| sha=$(sha256sum "dist/databricks_cli_${VERSION}_${combo}.zip" | cut -d' ' -f1) | |
| echo "${combo}_sha=${sha}" >> "$GITHUB_OUTPUT" | |
| done | |
| - name: Update homebrew-tap | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| github-token: ${{ secrets.DECO_GITHUB_TOKEN }} | |
| script: | | |
| await github.rest.actions.createWorkflowDispatch({ | |
| owner: 'databricks', | |
| repo: 'homebrew-tap', | |
| workflow_id: 'release-pr.yml', | |
| ref: 'main', | |
| inputs: { | |
| version: "${{ steps.version.outputs.version }}", | |
| darwin_amd64_sha: "${{ steps.checksums.outputs.darwin_amd64_sha }}", | |
| darwin_arm64_sha: "${{ steps.checksums.outputs.darwin_arm64_sha }}", | |
| linux_amd64_sha: "${{ steps.checksums.outputs.linux_amd64_sha }}", | |
| linux_arm64_sha: "${{ steps.checksums.outputs.linux_arm64_sha }}" | |
| } | |
| }); | |
| create-vscode-extension-update-pr: | |
| if: ${{ !inputs.dry_run }} | |
| needs: prepare-release | |
| runs-on: | |
| group: databricks-deco-testing-runner-group | |
| labels: ubuntu-latest-deco | |
| steps: | |
| - name: Strip v prefix from tag | |
| id: version | |
| run: echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" | |
| env: | |
| TAG: ${{ inputs.tag }} | |
| - name: Update CLI version in the VSCode extension | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| github-token: ${{ secrets.DECO_GITHUB_TOKEN }} | |
| script: | | |
| await github.rest.actions.createWorkflowDispatch({ | |
| owner: 'databricks', | |
| repo: 'databricks-vscode', | |
| workflow_id: 'update-cli-version.yml', | |
| ref: 'main', | |
| inputs: { | |
| version: "${{ steps.version.outputs.version }}", | |
| } | |
| }); | |
| pypi-publish: | |
| if: ${{ !inputs.dry_run }} | |
| needs: prepare-release | |
| runs-on: | |
| group: databricks-deco-testing-runner-group | |
| labels: ubuntu-latest-deco | |
| environment: release | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Download Python wheel | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: python-wheel | |
| path: dist | |
| run-id: ${{ inputs.build_run_id }} | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Publish package distributions to PyPI | |
| uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 | |
| with: | |
| packages-dir: dist | |
| publish-to-winget-pkgs: | |
| if: ${{ !inputs.dry_run }} | |
| needs: prepare-release | |
| runs-on: | |
| group: databricks-deco-testing-runner-group | |
| labels: ubuntu-latest-deco | |
| environment: release | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| # When updating the version of komac, make sure to update the checksum in the next step. | |
| # Find both at https://github.com/russellbanks/Komac/releases. | |
| - name: Download komac binary | |
| run: | | |
| curl -s -L -o $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz | |
| - name: Verify komac binary | |
| run: | | |
| echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c - | |
| - name: Untar komac binary to temporary path | |
| run: | | |
| mkdir -p $RUNNER_TEMP/komac | |
| tar -xzf $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz -C $RUNNER_TEMP/komac | |
| - name: Add komac to PATH | |
| run: echo "$RUNNER_TEMP/komac" >> $GITHUB_PATH | |
| - name: Confirm komac version | |
| run: komac --version | |
| - name: Strip v prefix from tag | |
| id: version | |
| run: echo "version=${TAG#v}" >> "$GITHUB_OUTPUT" | |
| env: | |
| TAG: ${{ inputs.tag }} | |
| - name: Get URLs of signed Windows binaries | |
| id: get_windows_urls | |
| run: | | |
| urls=$( | |
| gh api "https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ inputs.tag }}" | \ | |
| jq -r .assets[].browser_download_url | \ | |
| grep -E '_windows_.*\.zip$' | \ | |
| tr '\n' ' ' | |
| ) | |
| if [ -z "$urls" ]; then | |
| echo "No signed Windows binaries found" >&2 | |
| exit 1 | |
| fi | |
| echo "urls=$urls" >> "$GITHUB_OUTPUT" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Publish to Winget | |
| run: | | |
| komac update Databricks.DatabricksCLI \ | |
| --version ${{ steps.version.outputs.version }} \ | |
| --submit \ | |
| --urls ${{ steps.get_windows_urls.outputs.urls }} \ | |
| env: | |
| KOMAC_FORK_OWNER: eng-dev-ecosystem-bot | |
| GITHUB_TOKEN: ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }} |