collibra · bobby-smedley · Feb 26, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 13, 2026
@@ -0,0 +1,2 @@
+_extends: .github-private
+
@@ -11,22 +11,21 @@ jobs:
     uses: ./.github/workflows/build.yaml
   release:
     needs: build
-    runs-on: ubuntu-latest
-    env:
-      BUILD_DIR: 'build'
+    runs-on:
+      - runs-on
+      - run-id=${{ github.run_id }}
+      - runner=md
+      - env=production-eu
+      - tag=build-${{ github.event.repository.name }}
+    environment: Release
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v5
+      - name: Checkout
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 
-      - name: Set version
-        run: |
-          VERSION=${{ github.ref_name }}
-          VERSION=${VERSION#v}
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
-
       - name: Setup Go
         uses: actions/setup-go@v6
         with:
@@ -35,29 +34,94 @@ jobs:
       - name: Install dependencies
         run: go mod download
 
+      - name: Set version
+        run: |
+          VERSION=${{ github.ref_name }}
+          VERSION=${VERSION#v}
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+
       - name: Test
+        if: ${{ !contains(env.VERSION, '-') }} # Skip tests for pre-release versions (e.g., 1.0.0-beta) to avoid issues with version parsing in tests
         run: go test --tags release -run TestReleaseVersionCheck -v ./...
 
-      - name: Build
+      - name: Setup Java 17
+        run: |
+          mkdir -p /tmp/chip-signing
+          pushd /tmp/chip-signing
+          wget -q https://corretto.aws/downloads/latest/amazon-corretto-17-x64-linux-jdk.tar.gz
+          tar -xzf amazon-corretto-17-x64-linux-jdk.tar.gz
+          JAVA_DIR=$(find . -maxdepth 1 -type d -name "amazon-corretto-*" -print -quit | sed 's|^\./||')
+          echo "$PWD/$JAVA_DIR/bin" >> $GITHUB_PATH
+          echo "Java 17 installed: $JAVA_DIR"
+          popd
+
+      - name: Download JSign
         run: |
-          GOFIPS140=v1.0.0 GOOS=linux GOARCH=amd64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-linux-amd64 ./cmd/chip
-          GOFIPS140=v1.0.0 GOOS=linux GOARCH=arm64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-linux-arm64 ./cmd/chip
-          GOFIPS140=v1.0.0 GOOS=darwin GOARCH=amd64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-mac-amd64 ./cmd/chip
-          GOFIPS140=v1.0.0 GOOS=darwin GOARCH=arm64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-mac-arm64 ./cmd/chip
-          GOFIPS140=v1.0.0 GOOS=windows GOARCH=amd64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-windows-amd64.exe ./cmd/chip
-          GOFIPS140=v1.0.0 GOOS=windows GOARCH=arm64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-windows-arm64.exe ./cmd/chip
-
-      - name: Release
-        uses: softprops/action-gh-release@v2
+          mkdir -p /tmp/chip-signing
+          wget -q https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar -O /tmp/chip-signing/jsign.jar
+          echo "JSIGN_JAR_PATH=/tmp/chip-signing/jsign.jar" >> $GITHUB_ENV
+          echo "JSign downloaded successfully"
+
+      - name: Create certificate chain file
+        run: |
+          mkdir -p /tmp/chip-signing
+          echo "${{ secrets.CODE_SIGNING_CERTIFICATE_CHAIN }}" > /tmp/chip-signing/signing_chain.pem
+          if [ ! -s /tmp/chip-signing/signing_chain.pem ]; then
+            echo "ERROR: CODE_SIGNING_CERTIFICATE_CHAIN secret is empty or not set"
+            exit 1
+          fi
+          echo "CODE_SIGNING_CERT_CHAIN_FILE=/tmp/chip-signing/signing_chain.pem" >> $GITHUB_ENV
+          echo "Certificate chain file created"
+
+      # RunsOn workers have the CodeSigningPolicy attached, which grants
+      # access to the KMS signing key via EC2 instance metadata (IMDSv2).
+      - name: Configure AWS credentials
+        run: |
+          TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
+          ROLE_NAME=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/iam/security-credentials/)
+          CREDENTIALS=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME)
+
+          ACCESS_KEY=$(echo $CREDENTIALS | jq -r .AccessKeyId)
+          SECRET_KEY=$(echo $CREDENTIALS | jq -r .SecretAccessKey)
+          SESSION_TOKEN=$(echo $CREDENTIALS | jq -r .Token)
+
+          mkdir -p ~/.aws
+          echo "[default]" > ~/.aws/credentials
+          echo "aws_access_key_id = ${ACCESS_KEY}" >> ~/.aws/credentials
+          echo "aws_secret_access_key = ${SECRET_KEY}" >> ~/.aws/credentials
+          echo "aws_session_token = ${SESSION_TOKEN}" >> ~/.aws/credentials
+
+          echo "[default]" > ~/.aws/config
+          echo "region = ${{ vars.CODE_SIGNING_AWS_REGION || 'eu-west-1' }}" >> ~/.aws/config
+
+          echo "AWS credentials configured successfully"
+
+      - name: Set signing environment variables
+        run: |
+          echo "CODE_SIGNING_AWS_REGION=${{ vars.CODE_SIGNING_AWS_REGION || 'eu-west-1' }}" >> $GITHUB_ENV
+          if [ -z "${{ secrets.KMS_SIGNING_KEY_ARN }}" ]; then
+            echo "ERROR: KMS_SIGNING_KEY_ARN secret is not set"
+            exit 1
+          fi
+          echo "KMS_SIGNING_KEY_ARN=${{ secrets.KMS_SIGNING_KEY_ARN }}" >> $GITHUB_ENV
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
         with:
-          files: |
-            ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-linux-amd64
-            ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-linux-arm64
-            ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-mac-amd64
-            ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-mac-arm64
-            ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-windows-amd64.exe
-            ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-windows-arm64.exe
-          generate_release_notes: true
-          make_latest: true
-          draft: false
-          prerelease: false
+          distribution: goreleaser
+          version: latest
+          args: release --clean --verbose
+        env:
+          GORELEASER_CURRENT_TAG: ${{ github.ref_name }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          JSIGN_JAR_PATH: ${{ env.JSIGN_JAR_PATH }}
+          CODE_SIGNING_CERT_CHAIN_FILE: ${{ env.CODE_SIGNING_CERT_CHAIN_FILE }}
+          CODE_SIGNING_AWS_REGION: ${{ env.CODE_SIGNING_AWS_REGION }}
+          KMS_SIGNING_KEY_ARN: ${{ env.KMS_SIGNING_KEY_ARN }}
+
+      - name: Cleanup
+        if: always()
+        run: |
+          rm -rf /tmp/chip-signing ~/.aws
+          echo "Cleanup completed"
+
@@ -0,0 +1,67 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+version: 2
+
+project_name: chip
+dist: ./build/dist
+
+builds:
+  - id: default
+    main: ./cmd/chip
+    env:
+      - CGO_ENABLED=0
+      - GOFIPS140=v1.0.0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    binary: chip
+    ldflags:
+      - -X github.com/collibra/chip/pkg/chip.Version={{.Version}}
+    # Sign Windows binaries using AWS KMS and JSign (the signature is embedded in the binary)
+    hooks:
+      post:
+        - >
+          bash -c '
+          if [ -n "${SKIP_SIGNING}" ]; then
+            echo "Skipping signing Windows binaries (SKIP_SIGNING is set)";
+            exit 0;
+          fi;
+          if [ "{{ .Os }}" = "windows" ]; then
+            echo "Signing Windows binary {{ .Path }}";
+            if [ ! -f "{{ .Path }}" ]; then
+              echo "ERROR Binary file does not exist: {{ .Path }}";
+              exit 1;
+            fi;
+            java -jar "${JSIGN_JAR_PATH}" --storetype AWS --keystore "${CODE_SIGNING_AWS_REGION}" --alias "${KMS_SIGNING_KEY_ARN}" --certfile "${CODE_SIGNING_CERT_CHAIN_FILE}" --tsaurl http://timestamp.digicert.com "{{ .Path }}" || {
+                echo "ERROR Failed to sign {{ .Path }}";
+                exit 1;
+              };
+            if [ ! -f "{{ .Path }}" ]; then
+              echo "ERROR Binary file disappeared after signing {{ .Path }}";
+              exit 1;
+            fi;
+            echo "✓ Signed {{ .Path }}";
+          else
+            echo "Skipping non-Windows binary ({{ .Os }}) {{ .Path }}";
+          fi
+          '
+
+archives:
+  - id: default
+    formats: ["binary"]
+    name_template: '{{ .ProjectName }}-{{ .Version }}-{{ if eq .Os "darwin" }}mac{{ else }}{{ .Os }}{{ end }}-{{ .Arch }}'
+
+checksum:
+  name_template: 'checksums.txt'
+
+release:
+  draft: false
+  prerelease: auto
+  make_latest: legacy
+
+changelog:
+  use: github-native
+
@@ -6,18 +6,28 @@ A Model Context Protocol (MCP) server that provides AI agents with access to Col
 
 This Go-based MCP server acts as a bridge between AI applications and Collibra, enabling intelligent data discovery and governance operations through the following tools:
 
-- [`asset_details_get`](pkg/tools/get_asset_details.go) - Retrieve detailed information about specific assets by UUID
-- [`asset_keyword_search`](pkg/tools/keyword_search.go) - Wildcard keyword search for assets
-- [`asset_types_list`](pkg/tools/list_asset_types.go) - List available asset types
-- [`business_glossary_discover`](pkg/tools/ask_glossary.go) - Ask questions about terms and definitions
-- [`data_classification_match_add`](pkg/tools/add_data_classification_match.go) - Associate a data class with an asset
-- [`data_classification_match_remove`](pkg/tools/remove_data_classification_match.go) - Remove a classification match
-- [`data_classification_match_search`](pkg/tools/find_data_classification_matches.go) - Find associations between data classes and assets
-- [`data_assets_discover`](pkg/tools/ask_dad.go) - Query available data assets using natural language
-- [`data_class_search`](pkg/tools/search_data_classes.go) - Search for data classes with filters
-- [`data_contract_list`](pkg/tools/list_data_contracts.go) - List data contracts with pagination
-- [`data_contract_manifest_pull`](pkg/tools/pull_data_contract_manifest.go) - Download manifest for a data contract
-- [`data_contract_manifest_push`](pkg/tools/push_data_contract_manifest.go) - Upload manifest for a data contract
+- [`add_data_classification_match`](pkg/tools/add_data_classification_match.go) - Associate a data class with an asset
+- [`discover_business_glossary`](pkg/tools/discover_business_glossary.go) - Ask questions about terms and definitions
+- [`discover_data_assets`](pkg/tools/discover_data_assets.go) - Query available data assets using natural language
+- [`get_asset_details`](pkg/tools/get_asset_details.go) - Retrieve detailed information about specific assets by UUID
+- [`get_business_term_data`](pkg/tools/get_business_term_data.go) - Trace a business term back to its connected physical data assets
+- [`get_column_semantics`](pkg/tools/get_column_semantics.go) - Retrieve data attributes, measures, and business assets connected to a column
+- [`get_measure_data`](pkg/tools/get_measure_data.go) - Trace a measure back to its underlying physical columns and tables
+- [`get_table_semantics`](pkg/tools/get_table_semantics.go) - Retrieve the semantic layer for a table: columns, data attributes, and connected measures
+- [`list_asset_types`](pkg/tools/list_asset_types.go) - List available asset types
+- [`list_data_contract`](pkg/tools/list_data_contracts.go) - List data contracts with pagination
+- [`pull_data_contract_manifest`](pkg/tools/pull_data_contract_manifest.go) - Download manifest for a data contract
+- [`push_data_contract_manifest`](pkg/tools/push_data_contract_manifest.go) - Upload manifest for a data contract
+- [`removedata_classification_match`](pkg/tools/remove_data_classification_match.go) - Remove a classification match
+- [`search_asset_keyword`](pkg/tools/search_asset_keyword.go) - Wildcard keyword search for assets
+- [`search_data_class`](pkg/tools/search_data_classes.go) - Search for data classes with filters
+- [`search_data_classification_match`](pkg/tools/search_data_classification_matches.go) - Search for associations between data classes and assets
+- [`get_lineage_entity`](pkg/tools/get_lineage_entity.go) - Get metadata about a specific entity in the technical lineage graph
+- [`get_lineage_upstream`](pkg/tools/get_lineage_upstream.go) - Get upstream technical lineage (sources) for a data entity
+- [`get_lineage_downstream`](pkg/tools/get_lineage_downstream.go) - Get downstream technical lineage (consumers) for a data entity
+- [`search_lineage_entities`](pkg/tools/search_lineage_entities.go) - Search for entities in the technical lineage graph
+- [`get_lineage_transformation`](pkg/tools/get_lineage_transformation.go) - Get details and logic of a specific data transformation
+- [`search_lineage_transformations`](pkg/tools/search_lineage_transformations.go) - Search for transformations in the technical lineage graph
 
 ## Quick Start
 
@@ -162,7 +172,7 @@ Here's how to integrate with some popular clients assuming you have a configurat
 ## Enabling or disabling specific tools
 
 You can enable or disable specific tools by passing command line parameters, setting environment variables, or customizing the `mcp.yaml` configuration file.
-You can specify tools to enable or disable by using the tool names listed above (e.g. `asset_details_get`).  For more information, see the [CONFIG.md](docs/CONFIG.md) documentation.
+You can specify tools to enable or disable by using the tool names listed above (e.g. `get_asset_details`).  For more information, see the [CONFIG.md](docs/CONFIG.md) documentation.
 
 By default, all tools are enabled. Specifying tools to be enabled will enable *only* those tools.  Disabling tools will disable *only* those tools and leave all others enabled.
 At present, enabling and disabling at the same time is not supported.