diff --git a/.github/workflows/release-prs.yml b/.github/workflows/release-prs.yml
new file mode 100644
index 0000000000..0048cf04b5
--- /dev/null
+++ b/.github/workflows/release-prs.yml
@@ -0,0 +1,242 @@
+name: release-prs
+
+on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: "Release tag (e.g. v0.295.0)"
+ required: true
+ type: string
+ dry_run:
+ description: "Dry run (log what would happen, skip actual dispatches)"
+ required: false
+ type: boolean
+ default: true
+ setup_cli:
+ description: "Create setup-cli release PR"
+ required: false
+ type: boolean
+ default: false
+ homebrew_tap:
+ description: "Create homebrew-tap release PR"
+ required: false
+ type: boolean
+ default: false
+ vscode_extension:
+ description: "Create VS Code extension update PR"
+ required: false
+ type: boolean
+ default: false
+ winget:
+ description: "Publish to winget-pkgs"
+ required: false
+ type: boolean
+ default: false
+
+jobs:
+ create-setup-cli-release-pr:
+ if: ${{ inputs.setup_cli }}
+ runs-on:
+ group: databricks-deco-testing-runner-group
+ labels: ubuntu-latest-deco
+
+ steps:
+ - name: Derive version from tag
+ run: |
+ VERSION="${{ inputs.tag }}"
+ echo "VERSION=${VERSION#v}" >> $GITHUB_ENV
+
+ - name: Log dispatch
+ run: |
+ echo "Repository: databricks/setup-cli"
+ echo "Workflow: release-pr.yml"
+ echo "Version: $VERSION"
+ echo "Dry run: ${{ inputs.dry_run }}"
+
+ - name: Dispatch setup-cli release PR
+ if: ${{ !inputs.dry_run }}
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ with:
+ github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
+ script: |
+ await github.rest.actions.createWorkflowDispatch({
+ owner: 'databricks',
+ repo: 'setup-cli',
+ workflow_id: 'release-pr.yml',
+ ref: 'main',
+ inputs: {
+ version: "${{ env.VERSION }}",
+ }
+ });
+
+ create-homebrew-tap-release-pr:
+ if: ${{ inputs.homebrew_tap }}
+ runs-on:
+ group: databricks-deco-testing-runner-group
+ labels: ubuntu-latest-deco
+
+ steps:
+ - name: Derive version from tag
+ run: |
+ VERSION="${{ inputs.tag }}"
+ echo "VERSION=${VERSION#v}" >> $GITHUB_ENV
+
+ - name: Download checksums from release
+ run: |
+ gh release download "${{ inputs.tag }}" \
+ --pattern "databricks_cli_${VERSION}_SHA256SUMS" \
+ --dir . \
+ --repo "${{ github.repository }}"
+ echo "SHA256SUMS contents:"
+ cat "databricks_cli_${VERSION}_SHA256SUMS"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract per-platform checksums
+ run: |
+ extract_sha() {
+ grep "databricks_cli_${VERSION}_${1}.zip" "databricks_cli_${VERSION}_SHA256SUMS" | awk '{print $1}'
+ }
+ {
+ echo "DARWIN_AMD64_SHA=$(extract_sha darwin_amd64)"
+ echo "DARWIN_ARM64_SHA=$(extract_sha darwin_arm64)"
+ echo "LINUX_AMD64_SHA=$(extract_sha linux_amd64)"
+ echo "LINUX_ARM64_SHA=$(extract_sha linux_arm64)"
+ } >> $GITHUB_ENV
+
+ - name: Log dispatch
+ run: |
+ echo "Repository: databricks/homebrew-tap"
+ echo "Workflow: release-pr.yml"
+ echo "Version: $VERSION"
+ echo "darwin_amd64_sha: $DARWIN_AMD64_SHA"
+ echo "darwin_arm64_sha: $DARWIN_ARM64_SHA"
+ echo "linux_amd64_sha: $LINUX_AMD64_SHA"
+ echo "linux_arm64_sha: $LINUX_ARM64_SHA"
+ echo "Dry run: ${{ inputs.dry_run }}"
+
+ - name: Dispatch homebrew-tap release PR
+ if: ${{ !inputs.dry_run }}
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ with:
+ github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
+ script: |
+ await github.rest.actions.createWorkflowDispatch({
+ owner: 'databricks',
+ repo: 'homebrew-tap',
+ workflow_id: 'release-pr.yml',
+ ref: 'main',
+ inputs: {
+ version: "${{ env.VERSION }}",
+ darwin_amd64_sha: "${{ env.DARWIN_AMD64_SHA }}",
+ darwin_arm64_sha: "${{ env.DARWIN_ARM64_SHA }}",
+ linux_amd64_sha: "${{ env.LINUX_AMD64_SHA }}",
+ linux_arm64_sha: "${{ env.LINUX_ARM64_SHA }}",
+ }
+ });
+
+ create-vscode-extension-update-pr:
+ if: ${{ inputs.vscode_extension }}
+ runs-on:
+ group: databricks-deco-testing-runner-group
+ labels: ubuntu-latest-deco
+
+ steps:
+ - name: Derive version from tag
+ run: |
+ VERSION="${{ inputs.tag }}"
+ echo "VERSION=${VERSION#v}" >> $GITHUB_ENV
+
+ - name: Log dispatch
+ run: |
+ echo "Repository: databricks/databricks-vscode"
+ echo "Workflow: update-cli-version.yml"
+ echo "Version: $VERSION"
+ echo "Dry run: ${{ inputs.dry_run }}"
+
+ - name: Dispatch VS Code extension update PR
+ if: ${{ !inputs.dry_run }}
+ uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ with:
+ github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
+ script: |
+ await github.rest.actions.createWorkflowDispatch({
+ owner: 'databricks',
+ repo: 'databricks-vscode',
+ workflow_id: 'update-cli-version.yml',
+ ref: 'main',
+ inputs: {
+ version: "${{ env.VERSION }}",
+ }
+ });
+
+ publish-to-winget-pkgs:
+ if: ${{ inputs.winget }}
+ runs-on:
+ group: databricks-deco-testing-runner-group
+ labels: ubuntu-latest-deco
+
+ environment: release
+
+ steps:
+ - name: Derive version from tag
+ run: |
+ VERSION="${{ inputs.tag }}"
+ echo "VERSION=${VERSION#v}" >> $GITHUB_ENV
+
+ - name: Get URLs of signed Windows binaries
+ id: get_windows_urls
+ run: |
+ urls=$(
+ gh api "repos/${{ github.repository }}/releases/tags/${{ inputs.tag }}" | \
+ jq -r .assets[].browser_download_url | \
+ grep -E '_windows_.*\.zip$' | \
+ tr '\n' ' '
+ )
+ if [ -z "$urls" ]; then
+ echo "No signed Windows binaries found" >&2
+ exit 1
+ fi
+ echo "urls=$urls" >> "$GITHUB_OUTPUT"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Log publish
+ run: |
+ echo "Package: Databricks.DatabricksCLI"
+ echo "Version: $VERSION"
+ echo "URLs: ${{ steps.get_windows_urls.outputs.urls }}"
+ echo "Dry run: ${{ inputs.dry_run }}"
+
+ # When updating the version of komac, make sure to update the checksum in the next step.
+ # Find both at https://github.com/russellbanks/Komac/releases.
+ - name: Download komac binary
+ if: ${{ !inputs.dry_run }}
+ run: |
+ curl -s -L -o $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz
+
+ - name: Verify komac binary
+ if: ${{ !inputs.dry_run }}
+ run: |
+ echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c -
+
+ - name: Untar komac binary to temporary path
+ if: ${{ !inputs.dry_run }}
+ run: |
+ mkdir -p $RUNNER_TEMP/komac
+ tar -xzf $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz -C $RUNNER_TEMP/komac
+
+ - name: Add komac to PATH
+ if: ${{ !inputs.dry_run }}
+ run: echo "$RUNNER_TEMP/komac" >> $GITHUB_PATH
+
+ - name: Publish to Winget
+ if: ${{ !inputs.dry_run }}
+ run: |
+ komac update Databricks.DatabricksCLI \
+ --version $VERSION \
+ --submit \
+ --urls ${{ steps.get_windows_urls.outputs.urls }}
+ env:
+ KOMAC_FORK_OWNER: eng-dev-ecosystem-bot
+ GITHUB_TOKEN: ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 8d88e4222b..0000000000
--- a/.github/workflows/release.yml
+++ /dev/null
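Review bot: In `.github/workflows/release-prs.yml`, the free-form `tag` input is pasted by the expression engine straight into script text, so it is parsed as shell rather than handled as data: `VERSION="${{ inputs.tag }}"` in the first step of all four jobs, plus the `gh release download` and `gh api` commands. These jobs go on to use `DECO_GITHUB_TOKEN` or `ENG_DEV_ECOSYSTEM_BOT_TOKEN`. The same pattern appears in `version: "${{ env.VERSION }}"` and the four `*_sha` inputs inside the github-script bodies, and in the unquoted `--urls ${{ steps.get_windows_urls.outputs.urls }}` of the winget publish step. I would pass each value through `env:` and read it as `"$TAG"` or `process.env.VERSION`, and reject a tag that does not match the release shape before anything is written to `$GITHUB_ENV`; the pattern below assumes plain `vX.Y.Z` tags and needs widening if pre-release tags are dispatched. Separately, `extract_sha` yields an empty string when grep finds nothing and the step still succeeds, so the homebrew-tap job should fail if any of the four checksums is empty, for example with a `[ -n "$DARWIN_AMD64_SHA" ]` guard per value.

```yaml
      - name: Derive version from tag
        env:
          TAG: ${{ inputs.tag }}
        run: |
          # Validate before the value reaches $GITHUB_ENV and later steps.
          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Unexpected tag format" >&2
            exit 1
          fi
          echo "VERSION=${TAG#v}" >> "$GITHUB_ENV"

      # … unchanged: Log dispatch, github-script step header, owner/repo/workflow_id/ref …
              inputs: {
                version: process.env.VERSION,
              }

      # … winget job, Publish to Winget: unchanged komac update / --version / --submit lines …
            --urls $URLS   # left unquoted on purpose: space-separated list
        env:
          URLS: ${{ steps.get_windows_urls.outputs.urls }}
```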
@@ -1,390 +0,0 @@ -name: release - -on: - push: - tags: - - "v*" - - workflow_dispatch: - -jobs: - # Build and publish Unix (Linux/macOS) binaries and Docker images. - # This job creates the GitHub release that goreleaser-windows will upload to. - goreleaser-unix: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - - outputs: - artifacts: ${{ steps.releaser.outputs.artifacts }} - - steps: - - name: Checkout repository and submodules - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - fetch-tags: true - - - name: Setup Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 - with: - go-version-file: go.mod - cache-dependency-path: | - go.sum - .goreleaser-unix.yaml - - # Log into the GitHub Container Registry. The goreleaser action will create - # the docker images and push them to the GitHub Container Registry. - - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 - with: - registry: "ghcr.io" - username: "${{ github.actor }}" - password: "${{ secrets.GITHUB_TOKEN }}" - - # QEMU is required to build cross platform docker images using buildx. - # It allows virtualization of the CPU architecture at the application level. - - name: Set up QEMU dependency - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - - # Pin Docker to 28.0.4 because Docker 29.x changed how buildx pushes - # images (they become manifest lists), which breaks goreleaser's - # docker manifest create step with "is a manifest list" error. 
- - name: Set up Docker - uses: docker/setup-docker-action@1a6edb0ba9ac496f6850236981f15d8f9a82254d # v5.0.0 - with: - version: v28.0.4 - - - name: Run GoReleaser for Unix - id: releaser - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 - with: - version: ~> v2 - args: release -f .goreleaser-unix.yaml - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - # Build and sign Windows binaries using AzureSignTool with Azure Key Vault. - # Runs on GitHub-hosted windows-latest runner (has signtool and Windows SDK). - # Uses --skip=publish to avoid creating duplicate GitHub release. - # Waits for goreleaser-unix to create the release first. - goreleaser-windows: - environment: sign - runs-on: windows-latest - - steps: - - name: Checkout repository and submodules - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - fetch-tags: true - - - name: Setup Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0 - with: - go-version-file: go.mod - cache-dependency-path: | - go.sum - .goreleaser-windows.yaml - - - name: Azure Login and get Key Vault token - shell: pwsh - run: | - az login --service-principal ` - -u ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }} ` - -p ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }} ` - --tenant ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }} - - $accessToken = az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv - echo "::add-mask::$accessToken" - echo "AZURE_VAULT_TOKEN=$accessToken" >> $env:GITHUB_ENV - - # AzureSignTool is installed from nuget.org (https://www.nuget.org/packages/AzureSignTool/7.0.1) - # Security: On Windows, NuGet verifies repository signatures by default. The package is - # version-pinned and pulled over HTTPS from nuget.org's CDN. 
Source: https://github.com/vcsjones/AzureSignTool - - name: Install AzureSignTool - shell: pwsh - run: | - dotnet tool install --global AzureSignTool --version 7.0.1 - - - name: Run GoReleaser for Windows - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 - with: - version: ~> v2 - args: release -f .goreleaser-windows.yaml --skip=publish - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - AZURE_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }} - AZURE_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }} - AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }} - - - name: Upload Windows artifacts to GitHub Actions - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 - with: - name: windows-artifacts - path: | - dist/*.zip - dist/*SHA256SUMS* - retention-days: 1 - - # Upload Windows artifacts to the GitHub release. - # Separated from goreleaser-windows because GitHub-hosted runners are not allowlisted - # for GitHub API access due to IP restrictions. Self-hosted runners have allowlisted IPs. - # Flow: goreleaser-windows (build) -> GitHub Actions artifacts -> self-hosted runner (upload) - upload-windows-to-release: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - needs: [goreleaser-windows, goreleaser-unix] - - steps: - - name: Download Windows artifacts - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - with: - name: windows-artifacts - path: dist - - - name: Download Unix checksum file from release - run: | - VERSION=${{ github.ref_name }} - VERSION_NO_V=${VERSION:1} - - echo "Downloading Unix checksum file..." 
- gh release download ${{ github.ref_name }} \ - --pattern "databricks_cli_${VERSION_NO_V}_SHA256SUMS_unix" \ - --dir dist \ - --repo ${{ github.repository }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Merge checksum files - run: | - VERSION=${{ github.ref_name }} - VERSION_NO_V=${VERSION:1} - - echo "Merging Unix and Windows checksum files..." - cat dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS_unix > dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS - cat dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS_windows >> dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS - - echo "Merged SHA256SUMS file contents:" - cat dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS - - - name: Verify checksums after download - run: | - echo "Verifying Windows artifact checksums after download..." - for file in dist/*.zip; do - if [ -f "$file" ]; then - sha256sum "$file" - fi - done - - - name: Upload to GitHub release - run: | - for file in dist/*.zip dist/*SHA256SUMS; do - if [ -f "$file" ]; then - echo "Uploading $(basename $file)" - gh release upload ${{ github.ref_name }} "$file" --repo ${{ github.repository }} - fi - done - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - create-setup-cli-release-pr: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - - needs: upload-windows-to-release - - steps: - - name: Set VERSION variable from tag - run: | - VERSION=${{ github.ref_name }} - echo "VERSION=${VERSION:1}" >> $GITHUB_ENV - - - name: Update setup-cli - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - with: - github-token: ${{ secrets.DECO_GITHUB_TOKEN }} - script: | - await github.rest.actions.createWorkflowDispatch({ - owner: 'databricks', - repo: 'setup-cli', - workflow_id: 'release-pr.yml', - ref: 'main', - inputs: { - version: "${{ env.VERSION }}", - } - }); - - create-homebrew-tap-release-pr: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - - needs: 
[goreleaser-unix, upload-windows-to-release] - - steps: - - name: Set VERSION variable from tag - run: | - VERSION=${{ github.ref_name }} - echo "VERSION=${VERSION:1}" >> $GITHUB_ENV - - - name: Update homebrew-tap - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - with: - github-token: ${{ secrets.DECO_GITHUB_TOKEN }} - script: | - let artifacts = ${{ needs.goreleaser-unix.outputs.artifacts }} - artifacts = artifacts.filter(a => a.type == "Archive") - artifacts = new Map( - artifacts.map(a => [ - a.goos + "_" + a.goarch + "_" + a.extra.Format, - a.extra.Checksum.replace("sha256:", "") - ]) - ) - - await github.rest.actions.createWorkflowDispatch({ - owner: 'databricks', - repo: 'homebrew-tap', - workflow_id: 'release-pr.yml', - ref: 'main', - inputs: { - version: "${{ env.VERSION }}", - darwin_amd64_sha: artifacts.get('darwin_amd64_zip'), - darwin_arm64_sha: artifacts.get('darwin_arm64_zip'), - linux_amd64_sha: artifacts.get('linux_amd64_zip'), - linux_arm64_sha: artifacts.get('linux_arm64_zip') - } - }); - - create-vscode-extension-update-pr: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - - needs: upload-windows-to-release - - steps: - - name: Set VERSION variable from tag - run: | - VERSION=${{ github.ref_name }} - echo "VERSION=${VERSION:1}" >> $GITHUB_ENV - - - name: Update CLI version in the VSCode extension - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 - with: - github-token: ${{ secrets.DECO_GITHUB_TOKEN }} - script: | - await github.rest.actions.createWorkflowDispatch({ - owner: 'databricks', - repo: 'databricks-vscode', - workflow_id: 'update-cli-version.yml', - ref: 'main', - inputs: { - version: "${{ env.VERSION }}", - } - }); - - pypi-publish: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - - needs: upload-windows-to-release - - # IMPORTANT: - # - 'id-token: write' is mandatory for OIDC and trusted publishing 
to PyPi - # - 'environment: release' is a part of OIDC assertion done by PyPi - # - # See: https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/ - environment: release - permissions: - id-token: write - - steps: - - name: Checkout repository and submodules - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - fetch-tags: true - - - name: Install uv - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0 - with: - version: "0.6.5" - - - name: Build wheel - working-directory: python - run: make build - - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0 - with: - packages-dir: python/dist - - publish-to-winget-pkgs: - runs-on: - group: databricks-deco-testing-runner-group - labels: ubuntu-latest-deco - - needs: upload-windows-to-release - - environment: release - - steps: - - name: Checkout repository and submodules - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - # When updating the version of komac, make sure to update the checksum in the next step. - # Find both at https://github.com/russellbanks/Komac/releases. 
- - name: Download komac binary - run: | - curl -s -L -o $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz - - - name: Verify komac binary - run: | - echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c - - - - name: Untar komac binary to temporary path - run: | - mkdir -p $RUNNER_TEMP/komac - tar -xzf $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz -C $RUNNER_TEMP/komac - - - name: Add komac to PATH - run: echo "$RUNNER_TEMP/komac" >> $GITHUB_PATH - - - name: Confirm komac version - run: komac --version - - # Use the tag from the input, or the ref name if the input is not provided. - # The ref name is equal to the tag name when this workflow is triggered by the "sign-cli" command. - - name: Strip "v" prefix from version - id: strip_version - run: echo "version=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> "$GITHUB_OUTPUT" - - - name: Get URLs of signed Windows binaries - id: get_windows_urls - run: | - urls=$( - gh api https://api.github.com/repos/databricks/cli/releases/tags/${{ github.ref_name }} | \ - jq -r .assets[].browser_download_url | \ - grep -E '_windows_.*\.zip$' | \ - tr '\n' ' ' - ) - if [ -z "$urls" ]; then - echo "No signed Windows binaries found" >&2 - exit 1 - fi - echo "urls=$urls" >> "$GITHUB_OUTPUT" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Publish to Winget - run: | - komac update Databricks.DatabricksCLI \ - --version ${{ steps.strip_version.outputs.version }} \ - --submit \ - --urls ${{ steps.get_windows_urls.outputs.urls }} \ - env: - KOMAC_FORK_OWNER: eng-dev-ecosystem-bot - GITHUB_TOKEN: ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }}