From a287b5bdc5d4b5109cd812de29036b487236316c Mon Sep 17 00:00:00 2001 From: Ramon Quitales Date: Mon, 27 Jan 2025 15:22:58 -0800 Subject: [PATCH] Sign Windows release binaries (#1154) ### Proposed changes This PR adds a new Makefile target `make sign-goreleaser-exe` target to sign all built GoReleaser windows binaries. This PR contains 2 changes: - Makefile target - Copied ci-mgmt workflow files for validation purposes (generated from: https://github.com/pulumi/ci-mgmt/pull/1318) Please see the linked ci-mgmt issue for status of GitHub actions workflows to validate that the binaries are signed. --- .github/workflows/build.yml | 33 ++++++++++++++--------- .github/workflows/prerelease.yml | 39 +++++++++++++++------------ .github/workflows/release.yml | 39 +++++++++++++++------------ .goreleaser.prerelease.yml | 33 +++++++++++++++++------ .goreleaser.yml | 33 +++++++++++++++++------ Makefile | 45 ++++++++++++++++++++++++++++++++ 6 files changed, 161 insertions(+), 61 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2659b2c06a..fb6171d2e9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,13 @@ on: - "**" workflow_dispatch: {} env: + AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && + secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID + == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PROVIDER: google-native PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -58,7 +65,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -71,7 +78,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 @@ -93,7 +100,7 @@ jobs: echo 'EOF' >> $GITHUB_ENV env: GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} - - if: github.event_name == 'pull_request' + - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' name: Comment on PR with Details of Schema Check uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: @@ -168,7 +175,7 @@ jobs: github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }} pulumi-gen-${{ env.PROVIDER}} - name: Upload artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: pulumi-${{ env.PROVIDER }}-provider.tar.gz path: ${{ github.workspace }}/bin/provider.tar.gz @@ -205,7 +212,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -218,7 +225,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -314,7 +321,7 @@ jobs: - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . - name: Upload artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: ${{ matrix.language }}-sdk.tar.gz path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz @@ -350,7 +357,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -363,7 +370,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -457,7 +464,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -479,7 +486,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: @@ -515,7 +522,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Checkout Scripts Repo @@ -534,7 +541,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 59f58f56e8..c8f30583c0 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -6,6 +6,13 @@ on: tags: - v*.*.*-** env: + AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && + secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID + == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PROVIDER: google-native PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -50,7 +57,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -63,7 +70,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 @@ -85,7 +92,7 @@ jobs: echo 'EOF' >> $GITHUB_ENV env: GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} - - if: github.event_name == 'pull_request' + - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' name: Comment on PR with Details of Schema Check uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: @@ -160,7 +167,7 @@ jobs: github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }} pulumi-gen-${{ env.PROVIDER}} - name: Upload artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: pulumi-${{ env.PROVIDER }}-provider.tar.gz path: ${{ github.workspace }}/bin/provider.tar.gz @@ -197,7 +204,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -210,7 +217,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -306,7 +313,7 @@ jobs: - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . - name: Upload artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: ${{ matrix.language }}-sdk.tar.gz path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz @@ -341,7 +348,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -354,7 +361,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -448,7 +455,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -470,7 +477,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: @@ -506,7 +513,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Checkout Scripts Repo @@ -525,7 +532,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -589,7 +596,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -602,7 +609,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Java uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 with: @@ -640,7 +647,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Download go SDK diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 02c4178501..318760236e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,13 @@ on: - v*.*.* - "!v*.*.*-**" env: + AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && + secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID + == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PROVIDER: google-native PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} @@ -50,7 +57,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -63,7 +70,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 @@ -85,7 +92,7 @@ jobs: echo 'EOF' >> $GITHUB_ENV env: GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} - - if: github.event_name == 'pull_request' + - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' name: Comment on PR with Details of Schema Check uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: @@ -160,7 +167,7 @@ jobs: github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }} pulumi-gen-${{ env.PROVIDER}} - name: Upload artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: pulumi-${{ env.PROVIDER }}-provider.tar.gz path: ${{ github.workspace }}/bin/provider.tar.gz @@ -197,7 +204,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -210,7 +217,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -306,7 +313,7 @@ jobs: - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . - name: Upload artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: ${{ matrix.language }}-sdk.tar.gz path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz @@ -341,7 +348,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -354,7 +361,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -448,7 +455,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -470,7 +477,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: @@ -506,7 +513,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Checkout Scripts Repo @@ -525,7 +532,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Node uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: @@ -589,7 +596,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Install Go @@ -602,7 +609,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6.0.0 + uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6.0.1 - name: Setup Java uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4.6.0 with: @@ -640,7 +647,7 @@ jobs: lfs: true - id: version name: Set Provider Version - uses: pulumi/provider-version-action@0391d47b9b0d865d33dd0a295b1fcf9f7021dd4c # v1.5.3 + uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 with: set-env: PROVIDER_VERSION - name: Download go SDK diff --git a/.goreleaser.prerelease.yml b/.goreleaser.prerelease.yml index 2b22bceef3..a068cffc51 100644 --- a/.goreleaser.prerelease.yml +++ b/.goreleaser.prerelease.yml @@ -7,25 +7,42 @@ before: - make codegen - make generate_schema builds: -- dir: provider +- id: build-provider + dir: provider env: - CGO_ENABLED=0 - GO111MODULE=on goos: - darwin - - windows - linux goarch: - amd64 - arm64 - ignore: [] + ignore: &a1 [] + main: ./cmd/pulumi-resource-google-native/ + ldflags: &a2 + - -s + - -w + - -X + github.com/pulumi/pulumi-google-native/provider/pkg/version.Version={{.Tag}} + binary: pulumi-resource-google-native +- id: build-provider-sign-windows + dir: provider + env: + - CGO_ENABLED=0 + - GO111MODULE=on + goos: + - windows + goarch: + - amd64 + - arm64 + ignore: *a1 main: ./cmd/pulumi-resource-google-native/ - ldflags: - - -s - - -w - - -X - github.com/pulumi/pulumi-google-native/provider/pkg/version.Version={{.Tag}} + ldflags: *a2 binary: pulumi-resource-google-native + hooks: + post: + - make sign-goreleaser-exe-{{ .Arch }} archives: - name_template: "{{ .Binary }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}" id: archive diff --git a/.goreleaser.yml b/.goreleaser.yml index 516b20f074..be825e193e 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -7,25 +7,42 @@ before: - make codegen - make generate_schema builds: -- dir: provider +- id: build-provider + dir: provider env: - CGO_ENABLED=0 - GO111MODULE=on goos: - darwin - - windows - linux goarch: - amd64 - arm64 - ignore: [] + ignore: &a1 [] + main: ./cmd/pulumi-resource-google-native/ + ldflags: &a2 + - -s + - -w + - -X + github.com/pulumi/pulumi-google-native/provider/pkg/version.Version={{.Tag}} + binary: pulumi-resource-google-native +- id: build-provider-sign-windows + dir: provider + env: + - CGO_ENABLED=0 + - GO111MODULE=on + goos: + - windows + goarch: + - amd64 + - arm64 + ignore: *a1 main: ./cmd/pulumi-resource-google-native/ - ldflags: - - -s - - -w - - -X - github.com/pulumi/pulumi-google-native/provider/pkg/version.Version={{.Tag}} + ldflags: *a2 binary: pulumi-resource-google-native + hooks: + post: + - make sign-goreleaser-exe-{{ .Arch }} archives: - name_template: "{{ .Binary }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}" id: archive diff --git a/Makefile b/Makefile index faca64d534..1b34f1cc79 100644 --- a/Makefile +++ b/Makefile @@ -138,3 +138,48 @@ install_sdks:: install_dotnet_sdk install_python_sdk install_nodejs_sdk install_ only_build:: build .PHONY: init_submodules update_submodules ensure generate_schema generate build_provider build + +# Set these variables to enable signing of the windows binary +AZURE_SIGNING_CLIENT_ID ?= +AZURE_SIGNING_CLIENT_SECRET ?= +AZURE_SIGNING_TENANT_ID ?= +AZURE_SIGNING_KEY_VAULT_URI ?= +SKIP_SIGNING ?= + +bin/jsign-6.0.jar: + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar + +sign-goreleaser-exe-amd64: GORELEASER_ARCH := amd64_v1 +sign-goreleaser-exe-arm64: GORELEASER_ARCH := arm64 + +# Set the shell to bash to allow for the use of bash syntax. +sign-goreleaser-exe-%: SHELL:=/bin/bash +sign-goreleaser-exe-%: bin/jsign-6.0.jar + @# Only sign windows binary if fully configured. + @# Test variables set by joining with | between and looking for || showing at least one variable is empty. + @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails. + @set -e; \ + if [[ "${SKIP_SIGNING}" != "true" ]]; then \ + if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \ + echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \ + echo "To rebuild with signing delete the unsigned windows exe file and rebuild with the fixed configuration"; \ + if [[ "${CI}" == "true" ]]; then exit 1; fi; \ + else \ + file=dist/build-provider-sign-windows_windows_${GORELEASER_ARCH}/pulumi-resource-google-native.exe; \ + mv $${file} $${file}.unsigned; \ + az login --service-principal \ + --username "${AZURE_SIGNING_CLIENT_ID}" \ + --password "${AZURE_SIGNING_CLIENT_SECRET}" \ + --tenant "${AZURE_SIGNING_TENANT_ID}" \ + --output none; \ + ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ + java -jar bin/jsign-6.0.jar \ + --storetype AZUREKEYVAULT \ + --keystore "PulumiCodeSigning" \ + --url "${AZURE_SIGNING_KEY_VAULT_URI}" \ + --storepass "$${ACCESS_TOKEN}" \ + $${file}.unsigned; \ + mv $${file}.unsigned $${file}; \ + az logout; \ + fi; \ + fi