WIP: attempt to fix binary signing

.github/actions/upload-sdk/action.yml

@@ -13,7 +13,7 @@ runs:
       shell: bash
       run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
         name: ${{ inputs.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ inputs.language }}.tar.gz

.github/workflows/build_provider.yml

@@ -71,7 +71,7 @@ jobs:
         run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: pulumi-resource-xyz-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
           path: bin/pulumi-resource-xyz-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz

.github/workflows/prerequisites.yml

@@ -98,14 +98,14 @@ jobs:
           Maintainer note: consult the [runbook](https://github.com/pulumi/platform-providers-team/blob/main/playbooks/tf-provider-updating.md) for dealing with any breaking changes.
 
     - name: Upload codegen binary for xyz
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
         name: pulumi-tfgen-xyz
         path: ${{ github.workspace }}/bin/pulumi-tfgen-xyz
         retention-days: 30
 
     - name: Upload schema-embed.json
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
         name: schema-embed.json
         path: provider/cmd/pulumi-resource-xyz/schema-embed.json

.github/workflows/verify-release.yml

@@ -70,7 +70,7 @@ jobs:
         # Expression expands to ["ubuntu-latest","windows-latest"] or ["ubuntu-latest","windows-latest","macos-latest"]
         # GitHub expressions don't have 'if' statements, so we use a ternary operator to conditionally include the MacOS runner suffix.
         # See the docs for a similar example to this: https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson
-        runner: ${{ fromJSON(format('["ubuntu-latest","windows-latest"{0}]', github.event.inputs.enableMacRunner == 'true' && ',"macos-latest"' || '')) }}
+        runner: ${{ fromJSON(format('["ubuntu-latest","windows-latest"{0}]', github.event.inputs.enableMacRunner && ',"macos-latest"' || '')) }} #
     runs-on: ${{ matrix.runner }}
     steps:
       - name: Checkout Repo

Makefile

@@ -217,30 +217,29 @@ lint_provider: provider
 lint_provider.fix:
 	cd provider && golangci-lint run --path-prefix provider -c ../.golangci.yml --fix
 .PHONY: lint_provider lint_provider.fix
-build_provider_cmd = cd provider && GOOS=$(1) GOARCH=$(2) CGO_ENABLED=0 go build $(PULUMI_PROVIDER_BUILD_PARALLELISM) -o "$(3)" -ldflags "$(LDFLAGS)" $(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)
-
-provider: bin/$(PROVIDER)
 
 # `make provider_no_deps` builds the provider binary directly, without ensuring that
 # `cmd/pulumi-resource-xyz/schema.json` is valid and up to date.
 # To create a release ready binary, you should use `make provider`.
+build_provider_cmd = cd provider && CGO_ENABLED=0 go build $(PULUMI_PROVIDER_BUILD_PARALLELISM) -o "$(1)" -ldflags "$(LDFLAGS)" $(PROJECT)/$(PROVIDER_PATH)/cmd/$(PROVIDER)
+provider: bin/$(PROVIDER)
 provider_no_deps:
-	$(call build_provider_cmd,$(shell go env GOOS),$(shell go env GOARCH),$(WORKING_DIR)/bin/$(PROVIDER))
+	$(call build_provider_cmd,$(WORKING_DIR)/bin/$(PROVIDER))
 bin/$(PROVIDER): .make/schema
-	$(call build_provider_cmd,$(shell go env GOOS),$(shell go env GOARCH),$(WORKING_DIR)/bin/$(PROVIDER))
+	$(call build_provider_cmd,$(WORKING_DIR)/bin/$(PROVIDER))
 .PHONY: provider provider_no_deps
 
 test: export PATH := $(WORKING_DIR)/bin:$(PATH)
 test:
 	cd examples && go test -v -tags=all -parallel $(TESTPARALLELISM) -timeout 2h
 .PHONY: test
-test_provider_cmd = cd provider && go test -v -short \
-	-coverprofile="coverage.txt" \
-	-coverpkg="./...,github.com/hashicorp/terraform-provider-..." \
-	-parallel $(TESTPARALLELISM) \
-	./...
+
 test_provider:
-	$(call test_provider_cmd)
+	cd provider && go test -v -short \
+		-coverprofile="coverage.txt" \
+		-coverpkg="./...,github.com/hashicorp/terraform-provider-..." \
+		-parallel $(TESTPARALLELISM) \
+		./...
 .PHONY: test_provider
 
 tfgen: schema
@@ -319,18 +318,18 @@ SKIP_SIGNING ?=
 
 # These targets assume that the schema-embed.json exists - it's generated by tfgen.
 # We disable CGO to ensure that the binary is statically linked.
-bin/linux-amd64/$(PROVIDER): GOOS := linux
-bin/linux-amd64/$(PROVIDER): GOARCH := amd64
-bin/linux-arm64/$(PROVIDER): GOOS := linux
-bin/linux-arm64/$(PROVIDER): GOARCH := arm64
-bin/darwin-amd64/$(PROVIDER): GOOS := darwin
-bin/darwin-amd64/$(PROVIDER): GOARCH := amd64
-bin/darwin-arm64/$(PROVIDER): GOOS := darwin
-bin/darwin-arm64/$(PROVIDER): GOARCH := arm64
-bin/windows-amd64/$(PROVIDER).exe: GOOS := windows
-bin/windows-amd64/$(PROVIDER).exe: GOARCH := amd64
+bin/linux-amd64/$(PROVIDER): export GOOS := linux
+bin/linux-amd64/$(PROVIDER): export GOARCH := amd64
+bin/linux-arm64/$(PROVIDER): export GOOS := linux
+bin/linux-arm64/$(PROVIDER): export GOARCH := arm64
+bin/darwin-amd64/$(PROVIDER): export GOOS := darwin
+bin/darwin-amd64/$(PROVIDER): export GOARCH := amd64
+bin/darwin-arm64/$(PROVIDER): export GOOS := darwin
+bin/darwin-arm64/$(PROVIDER): export GOARCH := arm64
+bin/windows-amd64/$(PROVIDER).exe: export GOOS := windows
+bin/windows-amd64/$(PROVIDER).exe: export GOARCH := amd64
 bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
-	$(call build_provider_cmd,$(GOOS),$(GOARCH),$(WORKING_DIR)/$@)
+	$(call build_provider_cmd,$(WORKING_DIR)/$@)
 
 	@# Only sign windows binary if fully configured.
 	@# Test variables set by joining with | between and looking for || showing at least one variable is empty.