diff --git a/.github/actions/setup-tools/action.yml b/.github/actions/setup-tools/action.yml index 5b80b74..9c4f882 100644 --- a/.github/actions/setup-tools/action.yml +++ b/.github/actions/setup-tools/action.yml @@ -32,7 +32,9 @@ runs: cache-dependency-path: | provider/*.sum upstream/*.sum + sdk/go/*.sum sdk/*.sum + *.sum # TODO(https://github.com/actions/setup-go/issues/316): Restore but don't save the cache. cache: ${{ inputs.cache-go }} diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml index 13812af..a2bd0c7 100644 --- a/.github/workflows/build_provider.yml +++ b/.github/workflows/build_provider.yml @@ -15,7 +15,6 @@ jobs: env: PROVIDER_VERSION: ${{ inputs.version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }} strategy: fail-fast: true matrix: @@ -54,24 +53,12 @@ jobs: - name: Build provider run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}" - - - name: Sign windows provider - if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true' - run: | - az login --service-principal \ - -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \ - -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \ - -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \ - -o none; - - wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar; - - java -jar jsign-6.0.jar \ - --storetype AZUREKEYVAULT \ - --keystore "PulumiCodeSigning" \ - --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \ - --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \ - bin/windows-amd64/pulumi-resource-mailgun.exe; + env: + AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} - name: Package provider run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }} diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml index 12a5731..a64f003 100644 --- a/.github/workflows/prerequisites.yml +++ b/.github/workflows/prerequisites.yml @@ -72,7 +72,7 @@ jobs: - name: Unit-test provider code run: make test_provider - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@c2fcb216de2b0348de0100baa3ea2cad9f100a01 # v5.1.0 + uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - if: inputs.is_pr diff --git a/Makefile b/Makefile index 55861c1..6c6d4a9 100644 --- a/Makefile +++ b/Makefile @@ -308,6 +308,13 @@ debug_tfgen: # Provider cross-platform build & packaging +# Set these variables to enable signing of the windows binary +AZURE_SIGNING_CLIENT_ID ?= +AZURE_SIGNING_CLIENT_SECRET ?= +AZURE_SIGNING_TENANT_ID ?= +AZURE_SIGNING_KEY_VAULT_URI ?= +SKIP_SIGNING ?= + # These targets assume that the schema-embed.json exists - it's generated by tfgen. # We disable CGO to ensure that the binary is statically linked. bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64 @@ -315,7 +322,7 @@ bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64 -bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: +bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar @# check the TARGET is set test $(TARGET) cd provider && \ @@ -324,6 +331,37 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: export CGO_ENABLED=0 && \ go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)" + @# Only sign windows binary if fully configured. + @# Test variables set by joining with | between and looking for || showing at least one variable is empty. + @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails. + set -e; \ + if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \ + if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \ + echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \ + echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \ + if [[ ${CI} == "true" ]]; then exit 1; fi; \ + else \ + mv $@ $@.unsigned; \ + az login --service-principal \ + --username "${AZURE_SIGNING_CLIENT_ID}" \ + --password "${AZURE_SIGNING_CLIENT_SECRET}" \ + --tenant "${AZURE_SIGNING_TENANT_ID}" \ + --output none; \ + ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ + java -jar bin/jsign-6.0.jar \ + --storetype AZUREKEYVAULT \ + --keystore "PulumiCodeSigning" \ + --url "${AZURE_SIGNING_KEY_VAULT_URI}" \ + --storepass "$${ACCESS_TOKEN}" \ + $@.unsigned; \ + mv $@.unsigned $@; \ + az logout; \ + fi; \ + fi + +bin/jsign-6.0.jar: + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar + provider-linux-amd64: bin/linux-amd64/$(PROVIDER) provider-linux-arm64: bin/linux-arm64/$(PROVIDER) provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)