release-build.yml
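# Release build: cross-compiles and signs the CLI with GoReleaser, prints the
# Windows Authenticode signatures, and builds the Python wheel. Runs on every
# push to main/demo-*/bugbash-* and on v* tags; can also be dispatched by hand
# for a specific tag.
name: release-build
on:
  push:
    tags:
      - "v*"
    branches:
      - "main"
      - "demo-*"
      - "bugbash-*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to build (e.g. v1.2.3). Leave empty for a snapshot build of the current ref."
        type: string
        required: false
      publish:
        description: "Publish release artifacts to the GitHub release."
        type: boolean
        default: false

jobs:
  cli:
    # The "sign" environment scopes the signing secrets to this job only.
    environment:
      name: sign
      deployment: false
    runs-on:
      group: databricks-protected-runner-group-large
      labels: linux-ubuntu-latest-large
    # id-token: write is for OIDC in setup-jfrog; contents: write lets
    # goreleaser attach assets to the GitHub release when publish is set.
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          fetch-tags: true
          ref: ${{ inputs.tag || github.ref }}
      # Check out the workflow's own ref into a side directory so local
      # composite actions (e.g. setup-jfrog) and the goreleaser config are
      # available even when the built ref is an older tag that predates them.
      - name: Checkout workflow ref for local actions
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.sha }}
          path: .workflow-actions
          sparse-checkout: |
            .github
            .goreleaser.yaml
      - name: Setup JFrog
        uses: ./.workflow-actions/.github/actions/setup-jfrog
      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          cache-dependency-path: |
            go.sum
            .goreleaser.yaml
      - name: Download Go modules
        run: go mod download
      - name: Setup Java
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: temurin
          java-version: "21"
      # jsign 7.4 from https://github.com/ebourg/jsign/releases/tag/7.4
      # The download is pinned by SHA-256; sha256sum is the last command in
      # its pipeline, so its non-zero exit fails the step under bash -e.
      - name: Download and verify jsign
        run: |
          curl -sfL -o "$RUNNER_TEMP/jsign.jar" \
            https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
          echo "2abf2ade9ea322acc2d60c24794eadc465ff9380938fca4c932d09e0b25f1c28 $RUNNER_TEMP/jsign.jar" | sha256sum -c -
          echo "JSIGN_JAR=$RUNNER_TEMP/jsign.jar" >> "$GITHUB_ENV"
      # Client-credentials flow against Entra ID for the Key Vault signing key.
      # Secrets are passed through `env` and read as shell variables rather
      # than expanded into the script body with ${{ }}, and sent with
      # --data-urlencode so a value containing '&', '+' or '%' cannot corrupt
      # the form body. `shell: bash` enables pipefail so a failed curl is not
      # masked by jq's exit status, and the explicit empty check catches a
      # 200 response with no access_token (jq would otherwise emit "null",
      # which the original step exported as a valid-looking token).
      - name: Get Azure Key Vault access token
        shell: bash
        env:
          AZURE_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}
        run: |
          TOKEN=$(curl -sf -X POST \
            "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
            --data-urlencode "client_id=${AZURE_CLIENT_ID}" \
            --data-urlencode "client_secret=${AZURE_CLIENT_SECRET}" \
            --data-urlencode "scope=https://vault.azure.net/.default" \
            --data-urlencode "grant_type=client_credentials" \
            | jq -r '.access_token // empty')
          if [ -z "$TOKEN" ]; then
            echo "::error::Token endpoint returned no access_token"
            exit 1
          fi
          echo "::add-mask::$TOKEN"
          echo "AZURE_VAULT_TOKEN=$TOKEN" >> "$GITHUB_ENV"
      - name: Hide snapshot tag to outsmart GoReleaser
        run: git tag -d snapshot || true
      # Overlay scripts from the workflow ref so goreleaser hooks resolve
      # correctly even when building an older tag that predates them.
      # Register both injected paths in .git/info/exclude so goreleaser's
      # dirty-state check does not flag them as untracked files.
      - name: Sync workflow scripts to working directory
        run: |
          mkdir -p .github/scripts
          cp -r .workflow-actions/.github/scripts/. .github/scripts/
          printf '.workflow-actions/\n.github/scripts/\n' >> .git/info/exclude
      # Use --snapshot for branch builds (non-tag refs).
      # On push events inputs.publish is unset, so `!inputs.publish` is true
      # and publishing is always skipped; only a workflow_dispatch with
      # publish=true uploads assets to the GitHub release.
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: v2.14.3
          args: release ${{ !inputs.publish && '--skip=publish' || '' }} --config .workflow-actions/.goreleaser.yaml --skip=docker ${{ (!startsWith(github.ref, 'refs/tags/') && !inputs.tag) && '--snapshot' || '' }}
        env:
          GITHUB_TOKEN: ${{ github.token }}
      # Extracts the Authenticode signature from each Windows binary and
      # prints the embedded certificate chain. `jsign extract` fails (and so
      # does the step) when a binary carries no signature.
      # NOTE(review): this prints the chain but does not assert which
      # certificate signed the binary — consider checking the leaf subject
      # against the expected signing identity.
      - name: Verify Windows binary signatures
        run: |
          for exe in dist/*_windows_*/databricks.exe; do
            echo "=== $exe ==="
            java -jar "$JSIGN_JAR" extract --format PEM "$exe"
            openssl pkcs7 -in "${exe}.sig.pem" -inform PEM -print_certs -text -noout
            rm "${exe}.sig.pem"
            echo
          done
      - name: Upload artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: cli
          path: |
            dist/*.zip
            dist/*.tar.gz
            dist/*SHA256SUMS*

  wheel:
    runs-on:
      group: databricks-protected-runner-group-large
      labels: linux-ubuntu-latest-large
    # NOTE(review): nothing visible in this job writes to the repository or
    # a release (it only builds and uploads a workflow artifact) — confirm
    # whether setup-jfrog or `make build` needs contents: write and drop it
    # to contents: read otherwise.
    permissions:
      id-token: write
      contents: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          fetch-tags: true
          ref: ${{ inputs.tag || github.ref }}
      # Check out the workflow's own ref into a side directory so local
      # composite actions (e.g. setup-jfrog) and the goreleaser config are
      # available even when the built ref is an older tag that predates them.
      - name: Checkout workflow ref for local actions
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.sha }}
          path: .workflow-actions
          sparse-checkout: |
            .github
            .goreleaser.yaml
      - name: Setup JFrog
        uses: ./.workflow-actions/.github/actions/setup-jfrog
      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
        with:
          version: "0.6.5"
      - name: Build wheel
        working-directory: python
        run: make build
      - name: Upload Python wheel
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: wheel
          path: python/dist/*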