Update GitHub Actions workflows.

.github/actions/setup-tools/action.yml

@@ -32,7 +32,9 @@ runs:
         cache-dependency-path: |
           provider/*.sum
           upstream/*.sum
+          sdk/go/*.sum
           sdk/*.sum
+          *.sum
         # TODO(https://github.com/actions/setup-go/issues/316): Restore but don't save the cache.
         cache: ${{ inputs.cache-go }}
 

.github/workflows/build_provider.yml

@@ -15,7 +15,6 @@ jobs:
     env:
       PROVIDER_VERSION: ${{ inputs.version }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }}
     strategy:
       fail-fast: true
       matrix:
@@ -54,24 +53,12 @@ jobs:
 
       - name: Build provider
         run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
-
-      - name: Sign windows provider
-        if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true'
-        run: |
-          az login --service-principal \
-            -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
-            -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
-            -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
-            -o none;
-
-          wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
-
-          java -jar jsign-6.0.jar \
-             --storetype AZUREKEYVAULT \
-             --keystore "PulumiCodeSigning" \
-             --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
-             --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
-             bin/windows-amd64/pulumi-resource-digitalocean.exe;
+        env:
+          AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+          AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+          AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+          AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+          SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
 
       - name: Package provider
         run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}

.github/workflows/prerequisites.yml

@@ -72,7 +72,7 @@ jobs:
     - name: Unit-test provider code
       run: make test_provider
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@c2fcb216de2b0348de0100baa3ea2cad9f100a01 # v5.1.0
+      uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
       env:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: inputs.is_pr

Makefile

@@ -309,14 +309,21 @@ debug_tfgen:
 
 # Provider cross-platform build & packaging
 
+# Set these variables to enable signing of the windows binary
+AZURE_SIGNING_CLIENT_ID ?=
+AZURE_SIGNING_CLIENT_SECRET ?=
+AZURE_SIGNING_TENANT_ID ?=
+AZURE_SIGNING_KEY_VAULT_URI ?=
+SKIP_SIGNING ?=
+
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
 bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64
 bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64
 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64
 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64
 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64
-bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
+bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
 	@# check the TARGET is set
 	test $(TARGET)
 	cd provider && \
@@ -325,6 +332,37 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
 		export CGO_ENABLED=0 && \
 		go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)"
 
+	@# Only sign windows binary if fully configured. 
+	@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
+	@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
+	set -e; \
+	if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \
+		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
+			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
+			echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
+			if [[ ${CI} == "true" ]]; then exit 1; fi; \
+		else \
+			mv $@ [email protected]; \
+			az login --service-principal \
+				--username "${AZURE_SIGNING_CLIENT_ID}" \
+				--password "${AZURE_SIGNING_CLIENT_SECRET}" \
+				--tenant "${AZURE_SIGNING_TENANT_ID}" \
+				--output none; \
+			ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
+			java -jar bin/jsign-6.0.jar \
+				--storetype AZUREKEYVAULT \
+				--keystore "PulumiCodeSigning" \
+				--url "${AZURE_SIGNING_KEY_VAULT_URI}" \
+				--storepass "$${ACCESS_TOKEN}" \
+				[email protected]; \
+			mv [email protected] $@; \
+			az logout; \
+		fi; \
+	fi
+
+bin/jsign-6.0.jar:
+	wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar
+
 provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
 provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
 provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)