Skip to content

Commit

Permalink
[internal] Update GitHub Actions workflow files
Browse files Browse the repository at this point in the history
  • Loading branch information
pulumi-bot committed Dec 14, 2024
1 parent 7bdd32f commit df98763
Show file tree
Hide file tree
Showing 4 changed files with 48 additions and 21 deletions.
2 changes: 2 additions & 0 deletions .github/actions/setup-tools/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,9 @@ runs:
cache-dependency-path: |
provider/*.sum
upstream/*.sum
sdk/go/*.sum
sdk/*.sum
*.sum
# TODO(https://github.com/actions/setup-go/issues/316): Restore but don't save the cache.
cache: ${{ inputs.cache-go }}

Expand Down
25 changes: 6 additions & 19 deletions .github/workflows/build_provider.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@ jobs:
env:
PROVIDER_VERSION: ${{ inputs.version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }}
strategy:
fail-fast: true
matrix:
Expand Down Expand Up @@ -54,24 +53,12 @@ jobs:

- name: Build provider
run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"

- name: Sign windows provider
if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true'
run: |
az login --service-principal \
-u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
-p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
-t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
-o none;
wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
java -jar jsign-6.0.jar \
--storetype AZUREKEYVAULT \
--keystore "PulumiCodeSigning" \
--url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
--storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
bin/windows-amd64/pulumi-resource-dnsimple.exe;
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}

- name: Package provider
run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/prerequisites.yml
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ jobs:
- name: Unit-test provider code
run: make test_provider
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@c2fcb216de2b0348de0100baa3ea2cad9f100a01 # v5.1.0
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
- if: inputs.is_pr
Expand Down
40 changes: 39 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -307,14 +307,21 @@ debug_tfgen:

# Provider cross-platform build & packaging

# Set these variables to enable signing of the windows binary
AZURE_SIGNING_CLIENT_ID ?=
AZURE_SIGNING_CLIENT_SECRET ?=
AZURE_SIGNING_TENANT_ID ?=
AZURE_SIGNING_KEY_VAULT_URI ?=
SKIP_SIGNING ?=

# These targets assume that the schema-embed.json exists - it's generated by tfgen.
# We disable CGO to ensure that the binary is statically linked.
bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64
bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64
bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64
bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64
bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64
bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
@# check the TARGET is set
test $(TARGET)
cd provider && \
Expand All @@ -323,6 +330,37 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe:
export CGO_ENABLED=0 && \
go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)"

@# Only sign windows binary if fully configured.
@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
set -e; \
if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \
if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
if [[ ${CI} == "true" ]]; then exit 1; fi; \
else \
mv $@ [email protected]; \
az login --service-principal \
--username "${AZURE_SIGNING_CLIENT_ID}" \
--password "${AZURE_SIGNING_CLIENT_SECRET}" \
--tenant "${AZURE_SIGNING_TENANT_ID}" \
--output none; \
ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
java -jar bin/jsign-6.0.jar \
--storetype AZUREKEYVAULT \
--keystore "PulumiCodeSigning" \
--url "${AZURE_SIGNING_KEY_VAULT_URI}" \
--storepass "$${ACCESS_TOKEN}" \
[email protected]; \
mv [email protected] $@; \
az logout; \
fi; \
fi

bin/jsign-6.0.jar:
wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar

provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
Expand Down

0 comments on commit df98763

Please sign in to comment.