Skip to content
release-build

build(deps): bump github.com/hashicorp/hc-install from 0.9.3 to 0.9.4… #387

Sign in to view logs

build(deps): bump github.com/hashicorp/hc-install from 0.9.3 to 0.9.4…

build(deps): bump github.com/hashicorp/hc-install from 0.9.3 to 0.9.4… #387

Workflow file for this run

.github/workflows/release-build.yml at 975bf0c
name: release-build
on:
push:
tags:
- "v*"
branches:
- "main"
- "demo-*"
- "bugbash-*"
workflow_dispatch:
inputs:
tag:
description: "Tag to build (e.g. v1.2.3). Leave empty for a snapshot build of the current ref."
type: string
required: false
publish:
description: "Publish release artifacts to the GitHub release."
type: boolean
default: false
jobs:
cli:
environment:
name: sign
deployment: false
runs-on:
group: databricks-protected-runner-group-large
labels: linux-ubuntu-latest-large
permissions:
id-token: write
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-tags: true
ref: ${{ inputs.tag || github.ref }}
# Check out the workflow's own ref into a side directory so local
# composite actions (e.g. setup-jfrog) and the goreleaser config are
# available even when the built ref is an older tag that predates them.
- name: Checkout workflow ref for local actions
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.sha }}
path: .workflow-actions
sparse-checkout: |
.github
.goreleaser.yaml
- name: Setup JFrog
uses: ./.workflow-actions/.github/actions/setup-jfrog
- name: Setup Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: go.mod
cache-dependency-path: |
go.sum
.goreleaser.yaml
- name: Download Go modules
run: go mod download
- name: Setup Java
uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
distribution: temurin
java-version: '21'
# jsign 7.4 from https://github.com/ebourg/jsign/releases/tag/7.4
- name: Download and verify jsign
run: |
curl -sfL -o "$RUNNER_TEMP/jsign.jar" \
https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
echo "2abf2ade9ea322acc2d60c24794eadc465ff9380938fca4c932d09e0b25f1c28 $RUNNER_TEMP/jsign.jar" | sha256sum -c -
echo "JSIGN_JAR=$RUNNER_TEMP/jsign.jar" >> $GITHUB_ENV
- name: Get Azure Key Vault access token
run: |
TOKEN=$(curl -sf -X POST \
"https://login.microsoftonline.com/${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}/oauth2/v2.0/token" \
-d "client_id=${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}" \
-d "client_secret=${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}" \
-d "scope=https://vault.azure.net/.default" \
-d "grant_type=client_credentials" | jq -r '.access_token')
echo "::add-mask::$TOKEN"
echo "AZURE_VAULT_TOKEN=$TOKEN" >> $GITHUB_ENV
- name: Hide snapshot tag to outsmart GoReleaser
run: git tag -d snapshot || true
# Overlay scripts from the workflow ref so goreleaser hooks resolve
# correctly even when building an older tag that predates them.
# Register both injected paths in .git/info/exclude so goreleaser's
# dirty-state check does not flag them as untracked files.
- name: Sync workflow scripts to working directory
run: |
mkdir -p .github/scripts
cp -r .workflow-actions/.github/scripts/. .github/scripts/
printf '.workflow-actions/\n.github/scripts/\n' >> .git/info/exclude
# Use --snapshot for branch builds (non-tag refs).
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
with:
version: v2.14.3
args: release ${{ !inputs.publish && '--skip=publish' || '' }} --config .workflow-actions/.goreleaser.yaml --skip=docker ${{ (!startsWith(github.ref, 'refs/tags/') && !inputs.tag) && '--snapshot' || '' }}
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Verify Windows binary signatures
run: |
for exe in dist/*_windows_*/databricks.exe; do
echo "=== $exe ==="
java -jar "$JSIGN_JAR" extract --format PEM "$exe"
openssl pkcs7 -in "${exe}.sig.pem" -inform PEM -print_certs -text -noout
rm "${exe}.sig.pem"
echo
done
- name: Stage bundle JSON schema for upload
run: cp bundle/schema/jsonschema.json dist/
- name: Upload artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: cli
path: |
dist/*.zip
dist/*.tar.gz
dist/*SHA256SUMS*
dist/jsonschema.json
wheel:
runs-on:
group: databricks-protected-runner-group-large
labels: linux-ubuntu-latest-large
permissions:
id-token: write
contents: write
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
fetch-tags: true
ref: ${{ inputs.tag || github.ref }}
# Check out the workflow's own ref into a side directory so local
# composite actions (e.g. setup-jfrog) and the goreleaser config are
# available even when the built ref is an older tag that predates them.
- name: Checkout workflow ref for local actions
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.sha }}
path: .workflow-actions
sparse-checkout: |
.github
.goreleaser.yaml
- name: Setup JFrog
uses: ./.workflow-actions/.github/actions/setup-jfrog
- name: Install uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
version: "0.6.5"
- name: Build wheel
working-directory: python
run: |
rm -rf build dist
uv build .
- name: Upload Python wheel
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: wheel
path: python/dist/*