Add windows signing for native provider releases #1318
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rquitales
force-pushed
the
rquitales/add-windows-signing-make-target
branch
2 times, most recently
from
0ed5155 to
eb7a8bf
Compare
rquitales
force-pushed
the
rquitales/add-windows-signing-make-target
branch
from
4b980b6 to
b74fa49
Compare
This was referenced Jan 27, 2025
rquitales
commented
Jan 27, 2025
| goarch: ["amd64", "arm64"], | ||
| ignore: ignores, | ||
| main: `./cmd/pulumi-resource-${opts.provider}/`, | ||
| ldflags: ldflags, | ||
| binary: `pulumi-resource-${opts.provider}`, | ||
| }, | ||
| { |
There was a problem hiding this comment.
Building for Windows needs to be separated out to allow calling for a post build hook.
There was a problem hiding this comment.
It's quite confusing that this is named goreleaser - we don't use goreleaser anywhere any more. Edit: oh do we still goreleaser but only for native CI?
It's also a bit unfortunate that we're exposing another custom make target that gets called in a specific way. Can we not make this more transparent and just a configuration option when calling the normal build targets?
|
In fact, can we just copy the approach taken already in all bridged providers and also avoid drift in the approaches? |
t0yv0
approved these changes
Jan 27, 2025
rquitales
added a commit
to pulumi/pulumi-kubernetes
that referenced
this pull request
Jan 27, 2025
### Proposed changes This PR adds a new Makefile target `make sign-goreleaser-exe` target to sign all built GoReleaser windows binaries. This PR contains 2 changes: - Makefile target - Copied ci-mgmt workflow files for validation purposes (generated from: pulumi/ci-mgmt#1318) Please see the linked ci-mgmt issue for status of GitHub actions workflows to validate that the binaries are signed.
rquitales
added a commit
to pulumi/pulumi-docker-build
that referenced
this pull request
Jan 27, 2025
### Proposed changes This PR adds a new Makefile target `make sign-goreleaser-exe` target to sign all built GoReleaser windows binaries. This PR contains 2 changes: - Makefile target - Copied ci-mgmt workflow files for validation purposes (generated from: pulumi/ci-mgmt#1318) Please see the linked ci-mgmt issue for status of GitHub actions workflows to validate that the binaries are signed.
rquitales
added a commit
to pulumi/pulumi-command
that referenced
this pull request
Jan 27, 2025
### Proposed changes This PR adds a new Makefile target `make sign-goreleaser-exe` target to sign all built GoReleaser windows binaries. This PR contains 2 changes: - Makefile target - Copied ci-mgmt workflow files for validation purposes (generated from: pulumi/ci-mgmt#1318) Please see the linked ci-mgmt issue for status of GitHub actions workflows to validate that the binaries are signed.
rquitales
added a commit
to pulumi/pulumi-kubernetes-cert-manager
that referenced
this pull request
Jan 27, 2025
### Proposed changes This PR adds a new Makefile target `make sign-goreleaser-exe` target to sign all built GoReleaser windows binaries. This PR contains 2 changes: - Makefile target - Copied ci-mgmt workflow files for validation purposes (generated from: pulumi/ci-mgmt#1318) Please see the linked ci-mgmt issue for status of GitHub actions workflows to validate that the binaries are signed.
rquitales
added a commit
to pulumi/pulumi-google-native
that referenced
this pull request
Jan 27, 2025
### Proposed changes This PR adds a new Makefile target `make sign-goreleaser-exe` target to sign all built GoReleaser windows binaries. This PR contains 2 changes: - Makefile target - Copied ci-mgmt workflow files for validation purposes (generated from: pulumi/ci-mgmt#1318) Please see the linked ci-mgmt issue for status of GitHub actions workflows to validate that the binaries are signed.
rquitales
added a commit
to pulumi/pulumi-aws-native
that referenced
this pull request
Jan 27, 2025
### Proposed changes This PR adds a new Makefile target `make sign-goreleaser-exe` target to sign all built GoReleaser windows binaries. This PR contains 2 changes: - Makefile target - Copied ci-mgmt workflow files for validation purposes (generated from: pulumi/ci-mgmt#1318) Please see the linked ci-mgmt issue for status of GitHub actions workflows to validate that the binaries are signed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR enables Windows singing for native provider releases made with GoReleaser. These changes require the
make sign-goreleaser-exetarget to exist. This is done in the individual provider repos as the Makefiles are not managed centrally by ci-mgmt.For testing purposes, these changes are also copied to their respective native provider repos with a prerelease tag cut to validate that the binaries are signed.
Confirmed native providers with signed prerelease windows builds: