Simplify release build pipeline (#4900)

## Summary
- Consolidate `.goreleaser-unix.yaml` and `.goreleaser-windows.yaml`
into a single `.goreleaser.yaml`
- Remove Docker build/push from goreleaser (to be handled separately)
- Sign Windows binaries using jsign on Linux, replacing azuresigntool
which required a Windows runner
- Add `release-build.yml` workflow that builds all platforms and the
Python wheel in parallel

## Test plan
- [x] Verify `release-build` workflow succeeds on push to branch
- [x] Verify Windows binary signatures in CI logs

This pull request was AI-assisted by Isaac.

Author: pietern

.github/scripts/sign-windows.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+#
+# Sign a Windows binary using jsign with Azure Key Vault.
+# Called as a goreleaser post-hook for every built binary.
+#
+# Skips signing when:
+#   - The binary is not a .exe (unix builds)
+#   - Not running in CI (local builds)
+#
+# Expected environment variables (set by the "cli" job in release-build.yml):
+#   JSIGN_JAR          - Path to the jsign jar file
+#   AZURE_VAULT_TOKEN  - Azure Key Vault access token
+#
+# https://github.com/ebourg/jsign
+
+set -euo pipefail
+
+binary="$1"
+
+# Skip non-Windows binaries.
+[[ "$binary" == *.exe ]] || exit 0
+
+# Skip when not running in CI.
+[[ "${CI:-}" == "true" ]] || exit 0
+
+# Verify required environment variables.
+if [[ -z "${JSIGN_JAR:-}" ]]; then
+  echo "ERROR: JSIGN_JAR is not set" >&2
+  exit 1
+fi
+if [[ -z "${AZURE_VAULT_TOKEN:-}" ]]; then
+  echo "ERROR: AZURE_VAULT_TOKEN is not set" >&2
+  exit 1
+fi
+
+java -jar "${JSIGN_JAR}" \
+  --storetype AZUREKEYVAULT \
+  --keystore deco-sign \
+  --storepass "${AZURE_VAULT_TOKEN}" \
+  --alias deco-sign \
+  --tsaurl http://timestamp.digicert.com \
+  --tsmode RFC3161 \
+  "$binary"

.github/workflows/release-build.yml

@@ -0,0 +1,133 @@
+name: release-build
+
+on:
+  push:
+    tags:
+      - "v*"
+    branches:
+      - "main"
+      - "split-release-workflows"
+
+  workflow_dispatch:
+
+jobs:
+  cli:
+    environment:
+      name: sign
+      deployment: false
+    runs-on:
+      group: databricks-protected-runner-group-large
+      labels: linux-ubuntu-latest-large
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Setup JFrog
+        uses: ./.github/actions/setup-jfrog
+
+      - name: Setup Go
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        with:
+          go-version-file: go.mod
+          cache-dependency-path: |
+            go.sum
+            .goreleaser.yaml
+
+      - name: Download Go modules
+        run: go mod download
+
+      - name: Setup Java
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        with:
+          distribution: temurin
+          java-version: '21'
+
+      # jsign 7.4 from https://github.com/ebourg/jsign/releases/tag/7.4
+      - name: Download and verify jsign
+        run: |
+          curl -sfL -o "$RUNNER_TEMP/jsign.jar" \
+            https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
+          echo "2abf2ade9ea322acc2d60c24794eadc465ff9380938fca4c932d09e0b25f1c28  $RUNNER_TEMP/jsign.jar" | sha256sum -c -
+          echo "JSIGN_JAR=$RUNNER_TEMP/jsign.jar" >> $GITHUB_ENV
+
+      - name: Get Azure Key Vault access token
+        run: |
+          TOKEN=$(curl -sf -X POST \
+            "https://login.microsoftonline.com/${{ secrets.DECO_SIGN_AZURE_TENANT_ID }}/oauth2/v2.0/token" \
+            -d "client_id=${{ secrets.DECO_SIGN_AZURE_CLIENT_ID }}" \
+            -d "client_secret=${{ secrets.DECO_SIGN_AZURE_CLIENT_SECRET }}" \
+            -d "scope=https://vault.azure.net/.default" \
+            -d "grant_type=client_credentials" | jq -r '.access_token')
+          echo "::add-mask::$TOKEN"
+          echo "AZURE_VAULT_TOKEN=$TOKEN" >> $GITHUB_ENV
+
+      - name: Hide snapshot tag to outsmart GoReleaser
+        run: git tag -d snapshot || true
+
+      # Use --snapshot for branch builds (non-tag refs).
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
+        with:
+          version: v2.14.3
+          args: release --skip=publish ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }}
+
+      - name: Verify Windows binary signatures
+        run: |
+          for exe in dist/*_windows_*/databricks.exe; do
+            echo "=== $exe ==="
+            java -jar "$JSIGN_JAR" extract --format PEM "$exe"
+            openssl pkcs7 -in "${exe}.sig.pem" -inform PEM -print_certs -text -noout
+            rm "${exe}.sig.pem"
+            echo
+          done
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: cli
+          path: |
+            dist/*.zip
+            dist/*.tar.gz
+            dist/*SHA256SUMS*
+
+  wheel:
+    runs-on:
+      group: databricks-protected-runner-group-large
+      labels: linux-ubuntu-latest-large
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Setup JFrog
+        uses: ./.github/actions/setup-jfrog
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+        with:
+          version: "0.6.5"
+
+      - name: Build wheel
+        working-directory: python
+        run: make build
+
+      - name: Upload Python wheel
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: wheel
+          path: python/dist/*