From ecdf3817834619ec2d8811d7cbaf7d2a2dffec8a Mon Sep 17 00:00:00 2001 From: Pulumi Bot Date: Fri, 13 Dec 2024 17:17:44 +0000 Subject: [PATCH] [internal] Update GitHub Actions workflow files --- .github/workflows/build_provider.yml | 25 +++++------------ Makefile | 40 +++++++++++++++++++++++++++- 2 files changed, 45 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml index e5aa301..34ee526 100644 --- a/.github/workflows/build_provider.yml +++ b/.github/workflows/build_provider.yml @@ -15,7 +15,6 @@ jobs: env: PROVIDER_VERSION: ${{ inputs.version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }} strategy: fail-fast: true matrix: @@ -54,24 +53,12 @@ jobs: - name: Build provider run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}" - - - name: Sign windows provider - if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true' - run: | - az login --service-principal \ - -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \ - -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \ - -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \ - -o none; - - wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar; - - java -jar jsign-6.0.jar \ - --storetype AZUREKEYVAULT \ - --keystore "PulumiCodeSigning" \ - --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \ - --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \ - bin/windows-amd64/pulumi-resource-xyz.exe; + env: + AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} - name: Package provider run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }} diff --git a/Makefile b/Makefile index fcd3639..8c46807 100644 --- a/Makefile +++ b/Makefile @@ -303,6 +303,13 @@ debug_tfgen: # Provider cross-platform build & packaging +# Set these variables to enable signing of the windows binary +AZURE_SIGNING_CLIENT_ID ?= +AZURE_SIGNING_CLIENT_SECRET ?= +AZURE_SIGNING_TENANT_ID ?= +AZURE_SIGNING_KEY_VAULT_URI ?= +SKIP_SIGNING ?= + # These targets assume that the schema-embed.json exists - it's generated by tfgen. # We disable CGO to ensure that the binary is statically linked. bin/linux-amd64/$(PROVIDER): TARGET := linux-amd64 @@ -310,7 +317,7 @@ bin/linux-arm64/$(PROVIDER): TARGET := linux-arm64 bin/darwin-amd64/$(PROVIDER): TARGET := darwin-amd64 bin/darwin-arm64/$(PROVIDER): TARGET := darwin-arm64 bin/windows-amd64/$(PROVIDER).exe: TARGET := windows-amd64 -bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: +bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar @# check the TARGET is set test $(TARGET) cd provider && \ @@ -319,6 +326,37 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: export CGO_ENABLED=0 && \ go build -o "${WORKING_DIR}/$@" $(PULUMI_PROVIDER_BUILD_PARALLELISM) -ldflags "$(LDFLAGS)" "$(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)" + @# Only sign windows binary if fully configured. + @# Test variables set by joining with | between and looking for || showing at least one variable is empty. + @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails. + set -e; \ + if [[ "${TARGET}" = "windows-amd64" && ${SKIP_SIGNING} != "true" ]]; then \ + if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \ + echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \ + echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \ + if [[ ${CI} == "true" ]]; then exit 1; fi; \ + else \ + mv $@ $@.unsigned; \ + az login --service-principal \ + --username "${AZURE_SIGNING_CLIENT_ID}" \ + --password "${AZURE_SIGNING_CLIENT_SECRET}" \ + --tenant "${AZURE_SIGNING_TENANT_ID}" \ + --output none; \ + ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ + java -jar bin/jsign-6.0.jar \ + --storetype AZUREKEYVAULT \ + --keystore "PulumiCodeSigning" \ + --url "${AZURE_SIGNING_KEY_VAULT_URI}" \ + --storepass "$${ACCESS_TOKEN}" \ + $@.unsigned; \ + mv $@.unsigned $@; \ + az logout; \ + fi; \ + fi + +bin/jsign-6.0.jar: + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar + provider-linux-amd64: bin/linux-amd64/$(PROVIDER) provider-linux-arm64: bin/linux-arm64/$(PROVIDER) provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)