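# Release workflow: builds, signs and publishes the CLI when a "v*" tag is
# pushed, then triggers follow-up workflows in downstream repositories and
# publishes to PyPI and winget.
#
# Shell and script steps read the ref name, repository, step outputs and
# secrets from environment variables instead of `${{ }}` expressions pasted
# into the script text, so a value can never be parsed as shell or JavaScript.
#
# NOTE(review): no workflow-level `permissions:` key is set, so every job
# except pypi-publish runs with the repository's default GITHUB_TOKEN scope.
# Declaring the minimum each job needs would limit what a compromised step
# can do with the token.
name: release

on:
  push:
    tags:
      - "v*"
  # NOTE(review): a manual run can start from a branch, in which case
  # github.ref_name is a branch name rather than a version tag.
  workflow_dispatch:

jobs:
  # Build and publish Unix (Linux/macOS) binaries and Docker images.
  # This job creates the GitHub release that goreleaser-windows will upload to.
  goreleaser-unix:
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco

    outputs:
      artifacts: ${{ steps.releaser.outputs.artifacts }}

    steps:
      - name: Checkout repository and submodules
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Setup Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: go.mod
          cache-dependency-path: |
            go.sum
            .goreleaser-unix.yaml

      # Log into the GitHub Container Registry. The goreleaser action will create
      # the docker images and push them to the GitHub Container Registry.
      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: "ghcr.io"
          username: "${{ github.actor }}"
          password: "${{ secrets.GITHUB_TOKEN }}"

      # QEMU is required to build cross platform docker images using buildx.
      # It allows virtualization of the CPU architecture at the application level.
      - name: Set up QEMU dependency
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      # Pin Docker to 28.0.4 because Docker 29.x changed how buildx pushes
      # images (they become manifest lists), which breaks goreleaser's
      # docker manifest create step with "is a manifest list" error.
      - name: Set up Docker
        uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4.7.0
        with:
          version: v28.0.4

      # NOTE(review): the action is pinned by commit, but "~> v2" lets the
      # goreleaser binary itself float within the v2 series at release time.
      - name: Run GoReleaser for Unix
        id: releaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          version: "~> v2"
          args: release -f .goreleaser-unix.yaml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Build and sign Windows binaries using AzureSignTool with Azure Key Vault.
  # Runs on GitHub-hosted windows-latest runner (has signtool and Windows SDK).
  # Uses --skip=publish to avoid creating duplicate GitHub release.
  # Waits for goreleaser-unix to create the release first.
  goreleaser-windows:
    environment: sign
    runs-on: windows-latest

    steps:
      - name: Checkout repository and submodules
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Setup Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version-file: go.mod
          cache-dependency-path: |
            go.sum
            .goreleaser-windows.yaml

      # Installed before the Azure login so that the Key Vault token is not yet
      # in the job environment while this package is downloaded and installed.
      # NOTE(review): no --version is given, so whatever AzureSignTool release
      # is current at build time ends up handling the signing credentials.
      - name: Install AzureSignTool
        shell: pwsh
        run: |
          dotnet tool install --global AzureSignTool

      # The service-principal credentials reach the script through the step
      # environment, not through expressions expanded into the script text.
      # The token is masked in logs, but writing it to GITHUB_ENV makes it
      # visible to every later step of this job.
      - name: Azure Login and get Key Vault token
        shell: pwsh
        run: |
          az login --service-principal `
            -u $env:AZURE_CLIENT_ID `
            -p $env:AZURE_CLIENT_SECRET `
            --tenant $env:AZURE_TENANT_ID

          $accessToken = az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv
          echo "::add-mask::$accessToken"
          echo "AZURE_VAULT_TOKEN=$accessToken" >> $env:GITHUB_ENV
        env:
          AZURE_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}

      - name: Run GoReleaser for Windows
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          version: "~> v2"
          args: release -f .goreleaser-windows.yaml --skip=publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AZURE_TENANT_ID: ${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}
          AZURE_CLIENT_ID: ${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}

      # NOTE(review): this action and download-artifact below are referenced by
      # tag, while every other action in this workflow is pinned to a commit
      # SHA. These two carry the signed binaries between jobs.
      - name: Upload Windows artifacts to GitHub Actions
        uses: actions/upload-artifact@v6
        with:
          name: windows-artifacts
          path: |
            dist/*.zip
            dist/*SHA256SUMS*
          retention-days: 1

  # Upload Windows artifacts to the GitHub release.
  # Separated from goreleaser-windows because GitHub-hosted runners are not allowlisted
  # for GitHub API access due to IP restrictions. Self-hosted runners have allowlisted IPs.
  # Flow: goreleaser-windows (build) -> GitHub Actions artifacts -> self-hosted runner (upload)
  upload-windows-to-release:
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco

    needs: [goreleaser-windows, goreleaser-unix]

    steps:
      - name: Download Windows artifacts
        uses: actions/download-artifact@v7
        with:
          name: windows-artifacts
          path: dist

      # GITHUB_REF_NAME and GITHUB_REPOSITORY are the runner's own environment
      # variables for github.ref_name and github.repository.
      - name: Download Unix checksum file from release
        run: |
          VERSION_NO_V="${GITHUB_REF_NAME:1}"

          echo "Downloading Unix checksum file..."
          gh release download "$GITHUB_REF_NAME" \
            --pattern "databricks_cli_${VERSION_NO_V}_SHA256SUMS_unix" \
            --dir dist \
            --repo "$GITHUB_REPOSITORY"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Merge checksum files
        run: |
          VERSION_NO_V="${GITHUB_REF_NAME:1}"
          SUMS="dist/databricks_cli_${VERSION_NO_V}_SHA256SUMS"

          echo "Merging Unix and Windows checksum files..."
          cat "${SUMS}_unix" > "$SUMS"
          cat "${SUMS}_windows" >> "$SUMS"

          echo "Merged SHA256SUMS file contents:"
          cat "$SUMS"

      # NOTE(review): this step only prints the digests; nothing compares them
      # with the entries in the Windows SHA256SUMS file, so a mismatch would
      # not fail the job.
      - name: Verify checksums after download
        run: |
          echo "Verifying Windows artifact checksums after download..."
          for file in dist/*.zip; do
            if [ -f "$file" ]; then
              sha256sum "$file"
            fi
          done

      - name: Upload to GitHub release
        run: |
          for file in dist/*.zip dist/*SHA256SUMS; do
            if [ -f "$file" ]; then
              echo "Uploading $(basename "$file")"
              gh release upload "$GITHUB_REF_NAME" "$file" --repo "$GITHUB_REPOSITORY"
            fi
          done
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Triggers the release-pr.yml workflow in databricks/setup-cli.
  create-setup-cli-release-pr:
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco

    needs: upload-windows-to-release

    steps:
      # Drops the first character of the ref name ("v" for a version tag).
      - name: Set VERSION variable from tag
        run: |
          echo "VERSION=${GITHUB_REF_NAME:1}" >> "$GITHUB_ENV"

      # VERSION is read from the process environment rather than expanded into
      # the script source.
      - name: Update setup-cli
        uses: actions/github-script@450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a # v8.0.0
        with:
          github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'databricks',
              repo: 'setup-cli',
              workflow_id: 'release-pr.yml',
              ref: 'main',
              inputs: {
                version: process.env.VERSION,
              }
            });

  # Triggers the release-pr.yml workflow in databricks/homebrew-tap with the
  # archive checksums reported by goreleaser-unix.
  create-homebrew-tap-release-pr:
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco

    needs: [goreleaser-unix, upload-windows-to-release]

    steps:
      # Drops the first character of the ref name ("v" for a version tag).
      - name: Set VERSION variable from tag
        run: |
          echo "VERSION=${GITHUB_REF_NAME:1}" >> "$GITHUB_ENV"

      - name: Update homebrew-tap
        uses: actions/github-script@450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a # v8.0.0
        env:
          ARTIFACTS: ${{ needs.goreleaser-unix.outputs.artifacts }}
        with:
          github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
          script: |
            // The artifact list is parsed as JSON data instead of being
            // pasted into the script as a JavaScript literal.
            let artifacts = JSON.parse(process.env.ARTIFACTS)
            artifacts = artifacts.filter(a => a.type == "Archive")
            // Map "<goos>_<goarch>_<format>" to the bare SHA-256 digest.
            artifacts = new Map(
              artifacts.map(a => [
                a.goos + "_" + a.goarch + "_" + a.extra.Format,
                a.extra.Checksum.replace("sha256:", "")
              ])
            )

            await github.rest.actions.createWorkflowDispatch({
              owner: 'databricks',
              repo: 'homebrew-tap',
              workflow_id: 'release-pr.yml',
              ref: 'main',
              inputs: {
                version: process.env.VERSION,
                darwin_amd64_sha: artifacts.get('darwin_amd64_zip'),
                darwin_arm64_sha: artifacts.get('darwin_arm64_zip'),
                linux_amd64_sha: artifacts.get('linux_amd64_zip'),
                linux_arm64_sha: artifacts.get('linux_arm64_zip')
              }
            });

  # Triggers the update-cli-version.yml workflow in databricks/databricks-vscode.
  create-vscode-extension-update-pr:
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco

    needs: upload-windows-to-release

    steps:
      # Drops the first character of the ref name ("v" for a version tag).
      - name: Set VERSION variable from tag
        run: |
          echo "VERSION=${GITHUB_REF_NAME:1}" >> "$GITHUB_ENV"

      - name: Update CLI version in the VSCode extension
        uses: actions/github-script@450193c5abd4cdb17ba9f3ffcfe8f635c4bb6c2a # v8.0.0
        with:
          github-token: ${{ secrets.DECO_GITHUB_TOKEN }}
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'databricks',
              repo: 'databricks-vscode',
              workflow_id: 'update-cli-version.yml',
              ref: 'main',
              inputs: {
                version: process.env.VERSION,
              }
            });

  pypi-publish:
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco

    needs: upload-windows-to-release

    # IMPORTANT:
    # - 'id-token: write' is mandatory for OIDC and trusted publishing to PyPi
    # - 'environment: release' is a part of OIDC assertion done by PyPi
    #
    # See: https://docs.pypi.org/trusted-publishers/creating-a-project-through-oidc/
    environment: release

    permissions:
      id-token: write

    steps:
      - name: Checkout repository and submodules
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0
          fetch-tags: true

      - name: Install uv
        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
        with:
          version: "0.6.5"

      - name: Build wheel
        working-directory: python
        run: make build

      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        with:
          packages-dir: python/dist

  publish-to-winget-pkgs:
    runs-on:
      group: databricks-deco-testing-runner-group
      labels: ubuntu-latest-deco

    needs: upload-windows-to-release

    environment: release

    steps:
      - name: Checkout repository and submodules
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # When updating the version of komac, make sure to update the checksum in the next step.
      # Find both at https://github.com/russellbanks/Komac/releases.
      - name: Download komac binary
        run: |
          curl -s -L \
            -o "$RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" \
            https://github.com/russellbanks/Komac/releases/download/v2.9.0/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz

      # The archive is checked against a digest stored in this file before it
      # is unpacked or executed; a mismatch fails the job.
      - name: Verify komac binary
        run: |
          echo "d07a12831ad5418fee715488542a98ce3c0e591d05c850dd149fe78432be8c4c  $RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" | sha256sum -c -

      - name: Untar komac binary to temporary path
        run: |
          mkdir -p "$RUNNER_TEMP/komac"
          tar -xzf "$RUNNER_TEMP/komac-2.9.0-x86_64-unknown-linux-gnu.tar.gz" -C "$RUNNER_TEMP/komac"

      - name: Add komac to PATH
        run: echo "$RUNNER_TEMP/komac" >> "$GITHUB_PATH"

      - name: Confirm komac version
        run: komac --version

      # The version is taken from the ref name; this workflow defines no tag input.
      # The ref name is equal to the tag name when this workflow is triggered by the "sign-cli" command.
      - name: Strip "v" prefix from version
        id: strip_version
        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"

      - name: Get URLs of signed Windows binaries
        id: get_windows_urls
        run: |
          urls=$(
            gh api "https://api.github.com/repos/databricks/cli/releases/tags/${GITHUB_REF_NAME}" | \
              jq -r .assets[].browser_download_url | \
              grep -E '_windows_.*\.zip$' | \
              tr '\n' ' '
          )
          if [ -z "$urls" ]; then
            echo "No signed Windows binaries found" >&2
            exit 1
          fi
          echo "urls=$urls" >> "$GITHUB_OUTPUT"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish to Winget
        run: |
          # WINDOWS_URLS is a space-separated list and is left unquoted on
          # purpose, so the shell passes one argument per URL.
          komac update Databricks.DatabricksCLI \
            --version "$CLI_VERSION" \
            --submit \
            --urls $WINDOWS_URLS
        env:
          CLI_VERSION: ${{ steps.strip_version.outputs.version }}
          WINDOWS_URLS: ${{ steps.get_windows_urls.outputs.urls }}
          KOMAC_FORK_OWNER: eng-dev-ecosystem-bot
          GITHUB_TOKEN: ${{ secrets.ENG_DEV_ECOSYSTEM_BOT_TOKEN }}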