Add release-build and release-publish workflows

pietern · pietern · commit b31494d3f534 · 2026-04-02T09:30:09.000+02:00
Split the release pipeline into two independent workflows:
- release-build: produces all artifacts (binaries, archives, checksums,
  signed Windows binaries) without publishing
- release-publish: takes a build run ID and tag, downloads artifacts,
  creates GitHub release, builds Docker images, notifies downstream

The build workflow also handles snapshot builds on branch pushes,
consolidating the snapshot and release build paths.

Co-authored-by: Isaac
diff --git a/.github/workflows/RELEASE-DESIGN.md b/.github/workflows/RELEASE-DESIGN.md
@@ -0,0 +1,141 @@
+# Release Pipeline Design
+
+## Goal
+
+Split the release pipeline into two independent workflows:
+
+1. **Build** — produce all release artifacts (binaries, archives, checksums, signed Windows binaries)
+2. **Publish** — take artifacts from a previous build and publish them (GitHub release, Docker images, downstream notifications)
+
+A manual inspection/scanning step happens between build and publish.
+
+## Workflows
+
+### `release-build.yml`
+
+Produces release artifacts without publishing anything.
+
+**Triggers:**
+- `push` on tags matching `v*`
+- `push` on branches `main`, `split-release-workflows` (replaces `release-snapshot.yml`)
+- `workflow_dispatch` (for testing)
+
+When triggered by a branch push (not a tag), goreleaser runs in `--snapshot` mode.
+This consolidates snapshot and release builds into a single workflow.
+The `release-snapshot.yml` workflow can be removed once this is in place.
+
+**Single job: `build`**
+
+Runs on: `ubuntu-latest-deco` (self-hosted Linux)
+
+Steps:
+1. Checkout (with full history and tags for goreleaser versioning)
+2. Setup JFrog CLI with OIDC
+3. Setup Go
+4. Download Go modules via JFrog (`jf goc` + `jf go mod download`)
+5. Setup Java (for jsign)
+6. Download and verify jsign jar
+7. Acquire Azure Key Vault access token
+8. Run GoReleaser with `--skip=publish,docker`
+   - Builds linux/darwin/windows for amd64/arm64
+   - Signs Windows binaries via jsign post-hook
+9. Verify Windows binary signatures
+10. Upload `dist/` contents as GitHub Actions artifacts:
+    - `release-archives`: `*.zip`, `*.tar.gz`, `*SHA256SUMS*`
+    - `release-binaries-linux`: `dist/unix_linux_*/databricks`
+    - `release-binaries-darwin`: `dist/unix_darwin_*/databricks`
+    - `release-binaries-windows`: `dist/windows_windows_*/databricks.exe`
+
+The linux binaries are uploaded separately because they're needed to build Docker images in the publish step. GoReleaser does not include raw binaries in archives, so we need them as a separate artifact.
+
+### `release-publish.yml`
+
+Publishes artifacts from a previous build run.
+
+**Triggers:**
+- `workflow_dispatch` with inputs:
+  - `build-run-id` (required): the run ID of a `release-build.yml` run
+  - `tag` (required): the version tag to release (e.g. `v0.296.0`)
+
+**Jobs:**
+
+#### `create-github-release`
+
+Download archives and checksums from the build run and create a GitHub release.
+
+Steps:
+1. Download `release-archives` artifact from the specified build run
+2. Create GitHub release for the tag
+3. Upload archives and checksums to the release
+
+#### `docker` (needs: `create-github-release`)
+
+Build and push multi-arch Docker images to GHCR.
+
+Steps:
+1. Checkout (for Dockerfile and docker/ files)
+2. Download `release-binaries-linux` artifact from the build run
+3. Login to GHCR
+4. Setup QEMU (for cross-platform builds)
+5. Setup Docker (pinned version for buildx compatibility)
+6. For each arch (amd64, arm64):
+   - Copy the binary into a temp build context alongside Dockerfile and docker/ files
+   - Build with `docker buildx build --push`
+7. Create and push multi-arch manifest
+
+#### `notify-downstream` (needs: `create-github-release`)
+
+Trigger downstream repository updates. Parallel jobs for:
+- `setup-cli` — workflow dispatch to `databricks/setup-cli`
+- `homebrew-tap` — workflow dispatch to `databricks/homebrew-tap` (with checksums)
+- `vscode-extension` — workflow dispatch to `databricks/databricks-vscode`
+
+#### `pypi-publish` (needs: `create-github-release`)
+
+Build and publish Python wheel to PyPI.
+
+#### `publish-to-winget-pkgs` (needs: `create-github-release`)
+
+Publish to Windows Package Manager.
+
+## GoReleaser Configuration
+
+A single `.goreleaser-release.yaml` replaces both `.goreleaser-unix.yaml` and `.goreleaser-windows.yaml`.
+
+- Two build IDs: `unix` (linux + darwin) and `windows` (with jsign signing hook)
+- No `dockers:` or `docker_manifests:` sections (Docker is handled by the publish workflow)
+- No `release:` section (GitHub release is handled by the publish workflow)
+- No `before.hooks` (module download handled by the workflow)
+
+## Testing approach
+
+While iterating on this branch:
+- Both workflows use a dummy binary (`.github/release-test/main.go`) for fast builds
+- The build workflow has a `push` trigger for the branch
+- Windows signing is exercised on every build
+- Docker builds use the real Dockerfile
+- The publish workflow can be tested with `workflow_dispatch` pointing at a build run
+
+To go to production:
+- Remove `main:` overrides from `.goreleaser-release.yaml` (builds the real CLI)
+- Remove the `split-release-workflows` branch from the push trigger
+- Delete `.goreleaser-unix.yaml` and `.goreleaser-windows.yaml`
+- Replace `release.yml` with `release-build.yml` + `release-publish.yml`
+- Replace `release-snapshot.yml` with `release-build.yml` (already handles snapshot mode)
+- Delete `release-test.yml`
+
+## Artifact flow
+
+```
+release-build.yml (run ID: 12345)
+  └─ uploads artifacts ─┐
+                         │
+  [manual inspection]    │
+                         │
+release-publish.yml      │
+  (input: build-run-id=12345, tag=v0.296.0)
+  ├─ downloads artifacts ┘
+  ├─ creates GitHub release with archives
+  ├─ builds + pushes Docker images from linux binaries
+  └─ notifies downstream repos
+```
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -0,0 +1,131 @@
+name: release-build
+
+on:
+  push:
+    tags:
+      - "v*"
+    branches:
+      - "main"
+      - "split-release-workflows"
+
+  workflow_dispatch:
+
+jobs:
+  build:
+    environment: sign
+    runs-on:
+      group: databricks-deco-testing-runner-group
+      labels: ubuntu-latest-deco
+
+    permissions:
+      id-token: write
+      contents: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Setup JFrog CLI with OIDC
+        uses: jfrog/setup-jfrog-cli@279b1f629f43dd5bc658d8361ac4802a7ef8d2d5 # v4.9.1
+        env:
+          JF_URL: https://databricks.jfrog.io
+        with:
+          oidc-provider-name: github-actions
+
+      - name: Setup Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: |
+            go.sum
+            .goreleaser-release.yaml
+
+      - name: Download Go modules via JFrog
+        run: |
+          jf goc --repo-resolve=db-golang
+          jf go mod download
+
+      - name: Setup Java
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
+        with:
+          distribution: temurin
+          java-version: '21'
+
+      # jsign 7.4 from https://github.com/ebourg/jsign/releases/tag/7.4
+      - name: Download and verify jsign
+        run: |
+          curl -sfL -o "$RUNNER_TEMP/jsign.jar" \
+            https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
+          echo "2abf2ade9ea322acc2d60c24794eadc465ff9380938fca4c932d09e0b25f1c28  $RUNNER_TEMP/jsign.jar" | sha256sum -c -
+          echo "JSIGN_JAR=$RUNNER_TEMP/jsign.jar" >> $GITHUB_ENV
+
+      - name: Get Azure Key Vault access token
+        run: |
+          TOKEN=$(curl -sf -X POST \
+            "https://login.microsoftonline.com/${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}/oauth2/v2.0/token" \
+            -d "client_id=${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}" \
+            -d "client_secret=${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}" \
+            -d "scope=https://vault.azure.net/.default" \
+            -d "grant_type=client_credentials" | jq -r '.access_token')
+          echo "::add-mask::$TOKEN"
+          echo "AZURE_VAULT_TOKEN=$TOKEN" >> $GITHUB_ENV
+
+      - name: Hide snapshot tag to outsmart GoReleaser
+        run: git tag -d snapshot || true
+
+      # Use --snapshot for branch builds (non-tag refs).
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+        with:
+          version: ~> v2
+          args: release -f .goreleaser-release.yaml --skip=publish,docker ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify Windows binary signatures
+        run: |
+          for exe in dist/windows_*/databricks.exe; do
+            echo "=== $exe ==="
+            java -jar "$JSIGN_JAR" extract --format PEM "$exe"
+            openssl pkcs7 -in "${exe}.sig.pem" -inform PEM -print_certs -text -noout
+            rm "${exe}.sig.pem"
+            echo
+          done
+
+      - name: Upload archives
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: release-archives
+          path: |
+            dist/*.zip
+            dist/*.tar.gz
+            dist/*SHA256SUMS*
+
+      # Upload raw linux binaries separately; needed to build Docker images in the publish workflow.
+      - name: Upload linux binaries
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: release-binaries-linux
+          path: dist/unix_linux_*/databricks
+
+      # For snapshot builds on main: update the snapshot tag and release.
+      - name: Update snapshot tag
+        if: github.ref == 'refs/heads/main'
+        run: |
+          git tag snapshot
+          git push origin snapshot --force
+
+      - name: Update snapshot release
+        if: github.ref == 'refs/heads/main'
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        with:
+          name: Snapshot
+          prerelease: true
+          tag_name: snapshot
+          token: ${{ secrets.GITHUB_TOKEN }}
+          files: |-
+            dist/databricks_cli_*.zip
+            dist/databricks_cli_*.tar.gz
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
