b0c5918c7c
## Summary Migrates Windows binary signing from Azure Key Vault (`jsign --storetype AZUREKEYVAULT`) to [Azure Trusted Signing](https://learn.microsoft.com/en-us/azure/trusted-signing/). The previous AKV code-signing cert expired, breaking the release pipeline. Trusted Signing issues short-lived Microsoft-managed certs so there's nothing to rotate. - `Makefile` / `scripts/crossbuild.mk`: bump `jsign` 6.0 → 7.4, switch `--storetype` to `TRUSTEDSIGNING`, use the `https://codesigning.azure.net` token audience, derive the keystore host from `AZURE_SIGNING_ACCOUNT_ENDPOINT`, pass account/profile via `--alias`, update the `SKIP_SIGNING` guard and error message. - `.github/workflows/{build,release,prerelease,build_provider}.yml`: replace the `AZURE_SIGNING_KEY_VAULT_URI` env passthrough with the three new `AZURE_SIGNING_ACCOUNT_*` outputs and update the `SKIP_SIGNING` expression. Companion to pulumi/ci-mgmt#2126, pulumi/pulumi-command#1200, and pulumi/pulumi-provider-boilerplate#1236. The ESC environment already exposes the new variables and the signing SP has the `Artifact Signing Certificate Profile Signer` role on the `pulumi-code-signing/pulumi-code-signing` profile. Verified end-to-end against pulumi-command, pulumi-random, and pulumi-provider-boilerplate. ## Test plan - [ ] CI release build produces a Windows binary with a valid Trusted Signing certificate chain
Docker-Build Resource Provider
A Pulumi provider for building modern Docker images with buildx and BuildKit.
Not to be confused with the earlier Docker provider, which is still appropriate for managing resources unrelated to building images.
| Provider | Use cases |
|---|---|
@pulumi/docker-build |
Anything related to building images with docker build. |
@pulumi/docker |
Everything else -- including running containers and creating networks. |
Reference
For more information, including examples and migration guidance, please see the Docker-Build provider's detailed API documentation.