Skip to content

Commit

Permalink
Add windows signing for native provider releases (#1318)
Browse files Browse the repository at this point in the history 
This PR enables Windows singing for native provider releases made with
GoReleaser. These changes require the `make sign-goreleaser-exe` target
to exist. This is done in the individual provider repos as the Makefiles
are not managed centrally by ci-mgmt.

For testing purposes, these changes are also copied to their respective
native provider repos with a prerelease tag cut to validate that the
binaries are signed.

Confirmed native providers with signed prerelease windows builds:

-
[kubernetes](https://github.com/pulumi/pulumi-kubernetes/actions/runs/12996104839)
-
[aws-native](https://github.com/pulumi/pulumi-aws-native/actions/runs/12996105418)
-
[command](https://github.com/pulumi/pulumi-command/actions/runs/12996105991)
-
[docker-build](https://github.com/pulumi/pulumi-docker-build/actions/runs/12996106508)
-
[kubernetes-cert-manager](https://github.com/pulumi/pulumi-kubernetes-cert-manager/actions/runs/12997632596)
-
[kubernetes-coredns](https://github.com/pulumi/pulumi-kubernetes-coredns/actions/runs/12997647427)
-
[kubernetes-ingress-nginx](https://github.com/pulumi/pulumi-kubernetes-ingress-nginx/actions/runs/12997658107)
-
[pulumistack](https://github.com/pulumi/pulumi-pulumistack/actions/runs/12996108738)
-
[google-native](https://github.com/pulumi/pulumi-google-native/actions/runs/12996109430)
  • Loading branch information
@rquitales
rquitales authored Jan 27, 2025
1 parent 13e81c8 commit f17a011
Show file tree
Hide file tree
Showing 45 changed files with 621 additions and 130 deletions.
7 changes: 7 additions & 0 deletions native-provider-ci/providers/aws-native/repo/.github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,13 @@ on:
- "**"
workflow_dispatch: {}
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: aws-native
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/aws-native/repo/.github/workflows/prerelease.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,13 @@ on:
tags:
- v*.*.*-**
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: aws-native
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/aws-native/repo/.github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@ on:
- v*.*.*
- "!v*.*.*-**"
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: aws-native
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/command/repo/.github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,13 @@ on:
- "**"
workflow_dispatch: {}
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: command
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/command/repo/.github/workflows/prerelease.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,13 @@ on:
tags:
- v*.*.*-**
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: command
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/command/repo/.github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@ on:
- v*.*.*
- "!v*.*.*-**"
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: command
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
31 changes: 24 additions & 7 deletions native-provider-ci/providers/command/repo/.goreleaser.prerelease.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,24 +5,41 @@ before:
hooks:
- make codegen
builds:
- dir: provider
- id: build-provider
dir: provider
env:
- CGO_ENABLED=0
- GO111MODULE=on
goos:
- darwin
- windows
- linux
goarch:
- amd64
- arm64
ignore: []
ignore: &a1 []
main: ./cmd/pulumi-resource-command/
ldflags: &a2
- -s
- -w
- -X github.com/pulumi/pulumi-command/provider/pkg/version.Version={{.Tag}}
binary: pulumi-resource-command
- id: build-provider-sign-windows
dir: provider
env:
- CGO_ENABLED=0
- GO111MODULE=on
goos:
- windows
goarch:
- amd64
- arm64
ignore: *a1
main: ./cmd/pulumi-resource-command/
ldflags:
- -s
- -w
- -X github.com/pulumi/pulumi-command/provider/pkg/version.Version={{.Tag}}
ldflags: *a2
binary: pulumi-resource-command
hooks:
post:
- make sign-goreleaser-exe-{{ .Arch }}
archives:
- name_template: "{{ .Binary }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
id: archive
Expand Down
31 changes: 24 additions & 7 deletions native-provider-ci/providers/command/repo/.goreleaser.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,24 +5,41 @@ before:
hooks:
- make codegen
builds:
- dir: provider
- id: build-provider
dir: provider
env:
- CGO_ENABLED=0
- GO111MODULE=on
goos:
- darwin
- windows
- linux
goarch:
- amd64
- arm64
ignore: []
ignore: &a1 []
main: ./cmd/pulumi-resource-command/
ldflags: &a2
- -s
- -w
- -X github.com/pulumi/pulumi-command/provider/pkg/version.Version={{.Tag}}
binary: pulumi-resource-command
- id: build-provider-sign-windows
dir: provider
env:
- CGO_ENABLED=0
- GO111MODULE=on
goos:
- windows
goarch:
- amd64
- arm64
ignore: *a1
main: ./cmd/pulumi-resource-command/
ldflags:
- -s
- -w
- -X github.com/pulumi/pulumi-command/provider/pkg/version.Version={{.Tag}}
ldflags: *a2
binary: pulumi-resource-command
hooks:
post:
- make sign-goreleaser-exe-{{ .Arch }}
archives:
- name_template: "{{ .Binary }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
id: archive
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/docker-build/repo/.github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,13 @@ on:
- "**"
workflow_dispatch: {}
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: docker-build
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/docker-build/repo/.github/workflows/prerelease.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,13 @@ on:
tags:
- v*.*.*-**
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: docker-build
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/docker-build/repo/.github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@ on:
- v*.*.*
- "!v*.*.*-**"
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: docker-build
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
35 changes: 26 additions & 9 deletions native-provider-ci/providers/docker-build/repo/.goreleaser.prerelease.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,26 +2,43 @@

project_name: pulumi-docker-build
builds:
- dir: provider
- id: build-provider
dir: provider
env:
- CGO_ENABLED=0
- GO111MODULE=on
goos:
- darwin
- windows
- linux
goarch:
- amd64
- arm64
ignore: []
ignore: &a1 []
main: ./cmd/pulumi-resource-docker-build/
ldflags: &a2
- -s
- -w
- -X
github.com/pulumi/pulumi-docker-build/provider/pkg/version.Version={{.Tag}}
- -X github.com/pulumi/pulumi-docker-build/provider.Version={{.Tag}}
binary: pulumi-resource-docker-build
- id: build-provider-sign-windows
dir: provider
env:
- CGO_ENABLED=0
- GO111MODULE=on
goos:
- windows
goarch:
- amd64
- arm64
ignore: *a1
main: ./cmd/pulumi-resource-docker-build/
ldflags:
- -s
- -w
- -X
github.com/pulumi/pulumi-docker-build/provider/pkg/version.Version={{.Tag}}
- -X github.com/pulumi/pulumi-docker-build/provider.Version={{.Tag}}
ldflags: *a2
binary: pulumi-resource-docker-build
hooks:
post:
- make sign-goreleaser-exe-{{ .Arch }}
archives:
- name_template: "{{ .Binary }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
id: archive
Expand Down
35 changes: 26 additions & 9 deletions native-provider-ci/providers/docker-build/repo/.goreleaser.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,26 +2,43 @@

project_name: pulumi-docker-build
builds:
- dir: provider
- id: build-provider
dir: provider
env:
- CGO_ENABLED=0
- GO111MODULE=on
goos:
- darwin
- windows
- linux
goarch:
- amd64
- arm64
ignore: []
ignore: &a1 []
main: ./cmd/pulumi-resource-docker-build/
ldflags: &a2
- -s
- -w
- -X
github.com/pulumi/pulumi-docker-build/provider/pkg/version.Version={{.Tag}}
- -X github.com/pulumi/pulumi-docker-build/provider.Version={{.Tag}}
binary: pulumi-resource-docker-build
- id: build-provider-sign-windows
dir: provider
env:
- CGO_ENABLED=0
- GO111MODULE=on
goos:
- windows
goarch:
- amd64
- arm64
ignore: *a1
main: ./cmd/pulumi-resource-docker-build/
ldflags:
- -s
- -w
- -X
github.com/pulumi/pulumi-docker-build/provider/pkg/version.Version={{.Tag}}
- -X github.com/pulumi/pulumi-docker-build/provider.Version={{.Tag}}
ldflags: *a2
binary: pulumi-resource-docker-build
hooks:
post:
- make sign-goreleaser-exe-{{ .Arch }}
archives:
- name_template: "{{ .Binary }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
id: archive
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/google-native/repo/.github/workflows/build.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,13 @@ on:
- "**"
workflow_dispatch: {}
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: google-native
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/google-native/repo/.github/workflows/prerelease.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,13 @@ on:
tags:
- v*.*.*-**
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: google-native
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
7 changes: 7 additions & 0 deletions native-provider-ci/providers/google-native/repo/.github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@ on:
- v*.*.*
- "!v*.*.*-**"
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
== '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PROVIDER: google-native
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
Loading

0 comments on commit f17a011

Please sign in to comment.