-
Notifications
You must be signed in to change notification settings - Fork 14
231 lines (224 loc) · 8.78 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: Publish
on:
workflow_call:
inputs:
version:
required: true
type: string
isPrerelease:
required: true
type: boolean
skipGoSdk:
default: false
type: boolean
description: Skip publishing & verifying the Go SDK
skipJavaSdk:
default: false
type: boolean
description: Skip publishing the Java SDK
env:
IS_PRERELEASE: ${{ inputs.isPrerelease }}
ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
AWS_REGION: us-west-2
AZURE_LOCATION: westus
DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: [email protected]
GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
GOOGLE_PROJECT: pulumi-ci-gcp-provider
GOOGLE_PROJECT_NUMBER: "895284651812"
GOOGLE_REGION: us-central1
GOOGLE_ZONE: us-central1-a
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PRIVATE_SSH_KEY_FOR_DIGITALOCEAN: ${{ secrets.PRIVATE_SSH_KEY_FOR_DIGITALOCEAN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
publish:
name: publish
runs-on: ubuntu-latest
steps:
- name: Validate prerelease
if: inputs.isPrerelease == false && (contains(inputs.version, '-') || contains(inputs.version, '+'))
run: echo "Can't publish a prerelease version as a stable release. This is likely a bug in the calling workflow." && exit 1
- name: Validate skipGoSdk
if: inputs.skipGoSdk && inputs.isPrerelease == false
run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, pulumicli, go, schema-tools
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-region: us-east-2
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-duration-seconds: 7200
role-external-id: upload-pulumi-release
role-session-name: docker@githubActions
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
- name: Create dist directory
run: mkdir -p dist
- name: Download provider assets
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: pulumi-resource-docker-v${{ inputs.version }}-*
path: dist
# Don't create a directory for each artifact
merge-multiple: true
- name: Calculate checksums
working-directory: dist
run: shasum ./*.tar.gz > "pulumi-docker_${{ inputs.version }}_checksums.txt"
- name: Get Schema Change Summary
id: schema-summary
shell: bash
run: |
# Get latest stable release. Return only first column from result (tag).
LAST_VERSION=$(gh release view --repo pulumi/pulumi-docker --json tagName -q .tagName || echo "No stable release" )
{
echo 'summary<<EOF'
if [[ "$LAST_VERSION" != "No stable release" ]]; then
schema-tools compare --provider="docker" --old-commit="$LAST_VERSION" --repository="github://api.github.com/pulumi" --new-commit="--local-path=provider/cmd/pulumi-resource-docker/schema.json"
fi
echo 'EOF'
} >> "$GITHUB_OUTPUT"
- name: Upload Provider Binaries
run: aws s3 cp dist s3://get.pulumi.com/releases/plugins/ --recursive
- name: Create GH Release
uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2
if: inputs.isPrerelease == false
with:
tag_name: v${{ inputs.version }}
prerelease: ${{ inputs.isPrerelease }}
# We keep pre-releases as drafts so they're not visible until we manually publish them.
draft: ${{ inputs.isPrerelease }}
body: ${{ steps.schema-summary.outputs.summary }}
generate_release_notes: true
files: dist/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish_sdk:
name: publish_sdk
needs: publish
runs-on: ubuntu-latest
outputs:
python_version: ${{ steps.python_version.outputs.version }}
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# Persist credentials so we can push back to the repo
persist-credentials: true
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, pulumicli, nodejs, python, dotnet, go, java
- name: Publish SDKs
if: inputs.skipJavaSdk == false
uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
with:
sdk: all
version: ${{ inputs.version }}
- name: Publish SDKs (except Java)
if: inputs.skipJavaSdk == true
uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
with:
sdk: all,!java
version: ${{ inputs.version }}
- name: Download Go SDK
uses: ./.github/actions/download-sdk
with:
language: go
- uses: pulumi/publish-go-sdk-action@v1
if: inputs.skipGoSdk == false
with:
repository: ${{ github.repository }}
base-ref: ${{ github.sha }}
source: sdk
path: sdk
version: ${{ inputs.version }}
additive: false
# Avoid including other language SDKs & artifacts in the commit
files: |
go.*
go/**
!*.tar.gz
- name: Extract python version
id: python_version
working-directory: sdk/python
run: |
pip install toml-cli==0.7.0
version=$(toml get --toml-path pyproject.toml project.version)
echo "version=${version}" >> "$GITHUB_OUTPUT"
create_docs_build:
name: create_docs_build
needs: publish_sdk
# Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
if: inputs.isPrerelease == false
runs-on: ubuntu-latest
steps:
- name: Dispatch Metadata build
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
with:
token: ${{ secrets.PULUMI_BOT_TOKEN }}
repository: pulumi/registry
event-type: resource-provider
client-payload: |-
{
"project": "${{ github.repository }}",
"project-shortname": "docker",
"ref": "${{ github.ref_name }}"
}
clean_up_release_labels:
name: Clean up release labels
# Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
if: inputs.isPrerelease == false
needs: create_docs_build
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Clean up release labels
uses: pulumi/action-release-by-pr-label@main
with:
command: "clean-up-release-labels"
repo: ${{ github.repository }}
commit: ${{ github.sha }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
verify_release:
name: verify_release
needs: publish_sdk
uses: ./.github/workflows/verify-release.yml
secrets: inherit
with:
providerVersion: ${{ inputs.version }}
# Prelease is run often but we only have 5 concurrent macos runners, so we only test after the stable release.
enableMacosRunner: ${{ inputs.isPrerelease == false }}
skipGoSdk: ${{ inputs.skipGoSdk }}
pythonVersion: ${{ needs.publish_sdk.outputs.python_version }}