pulumi · blampe · Dec 11, 2024 · Dec 9, 2024 · Dec 10, 2024 · Dec 10, 2024
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -366,6 +366,28 @@ jobs:
           make --touch codegen schema
           make provider_prebuild
 
+      - name: Build and sign windows provider
+        shell: bash # Runs with -eo pipefail
+        run: |
+          make bin/windows-amd64/pulumi-resource-azure-native.exe;
+
+          az login --service-principal \
+            --username ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
+            --password ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
+            --tenant ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
+            --output none;
+
+          wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
+
+          java -jar jsign-6.0.jar \
+             --storetype AZUREKEYVAULT \
+             --keystore "PulumiCodeSigning" \
+             --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
+             --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
+             bin/windows-amd64/pulumi-resource-azure-native.exe;
+
+          az logout;
+
       - name: Build dist packages
         run: make dist --jobs=2