From 4f829f9e0a983692f36fe07900f89327364737d8 Mon Sep 17 00:00:00 2001 
From: Brandon Kalinowski
Date: Sat, 6 Dec 2025 01:43:51 -0500
Subject: [PATCH] chore: make ci-mgmt
---
 .ci-mgmt.yaml | 34 +-----
 .config/mise.test.toml | 11 ++
 .config/mise.toml | 33 ++++++
 .devcontainer/Dockerfile | 2 +-
 .../actions/download-prerequisites/action.yml | 4 +-
 .github/actions/download-provider/action.yml | 2 +-
 .github/actions/download-sdk/action.yml | 2 +-
 .github/actions/esc-action/action.yaml | 12 ++
 .github/actions/esc-action/index.js | 14 +++
 .github/actions/setup-tools/action.yml | 91 ----------------
 .../actions/upload-prerequisites/action.yml | 4 +-
 .github/actions/upload-sdk/action.yml | 2 +-
 .github/workflows/build_provider.yml | 44 +++++---
 .github/workflows/build_sdk.yml | 55 ++++++----
 .github/workflows/license.yml | 39 ++++---
 .github/workflows/lint.yml | 42 +++----
 .github/workflows/main.yml | 45 +++++---
 .github/workflows/prerelease.yml | 19 ++--
 .github/workflows/prerequisites.yml | 61 +++++++----
 .github/workflows/publish.yml | 103 ++++++++++++------
 .github/workflows/pull-request.yml | 28 ++---
 .github/workflows/release.yml | 27 +++--
 .github/workflows/resync-build.yml | 22 ++--
 .github/workflows/run-acceptance-tests.yml | 33 +++---
 .github/workflows/test.yml | 55 ++++++----
 .github/workflows/upgrade-bridge.yml | 49 +++++----
 .github/workflows/upgrade-provider.yml | 38 +++++--
 .github/workflows/verify-release.yml | 48 +++++---
 .golangci.yml | 2 +-
 Makefile | 75 +++++++------
 mise.toml | 3 +
 scripts/crossbuild.mk | 9 +-
 scripts/get-versions.sh | 55 ++++++++++
 scripts/plugins.mk | 27 -----
 34 files changed, 623 insertions(+), 467 deletions(-)
 create mode 100644 .config/mise.test.toml
 create mode 100644 .config/mise.toml
 create mode 100644 .github/actions/esc-action/action.yaml
 create mode 100644 .github/actions/esc-action/index.js
 delete mode 100644 .github/actions/setup-tools/action.yml
 create mode 100644 mise.toml
 create mode 100755 scripts/get-versions.sh
 delete mode 100644 scripts/plugins.mk
diff --git a/.ci-mgmt.yaml b/.ci-mgmt.yaml
index fbd7e0a..ef16c30 100644
--- a/.ci-mgmt.yaml
+++ b/.ci-mgmt.yaml
@@ -1,53 +1,31 @@ # REQUIRED: provider is the name of the provider without the pulumi-prefix e.g. "aws". provider: incus - # The name of the GitHub organization or username the repository lives in. Defaults to 'pulumi' -organization: brandonkal - +organization: kiterun # The external template only includes workflows relevant for non-Pulumi managed providers. template: external-bridged-provider - # The name of the GitHub organisation or username where the upstream terraform provider lives. -upstreamProviderOrg: pulumi - +upstreamProviderOrg: lxc # major version of the current provider - used in make files # This should always be set by all providers as this is key to go module paths. major-version: 1 - # Enable using the terraform converter for example generation. pulumiConvert: 1 - # Set a GitHub username here for automatic upgrade PRs to be assigned to. # pr-assign: pulumi-bot -# List of pulumi plugins to install in the "install_plugins" makefile target. Will include at least the terraform plugin -# Should be set for all bridged providers -plugins: - - name: terraform - version: "1.0.16" - kind: converter - # providerDefaultBranch is used to customise the default branch for the repo providerDefaultBranch: main - # Explicit list of languages to support for SDKs. Java is currently excluded because it doesn't yet work well for non-internal providers. languages: - - go - - nodejs - + - go + - nodejs # Disable Java publishing and pushing the provider binary to the CDN as these only work internally within Pulumi. publish: - sdk: "all,!java" - cdn: false - + sdk: "all,!java" + cdn: false # Enables automatic generation of basic docs pages for the registry. 
# registryDocs: true # Disables a pulumi-internal-only step for running create_docs_build during the release publishRegistry: false - -# For additional options, please refer to the defaults set in ci-mgmt: -# https://github.com/pulumi/ci-mgmt/blob/master/provider-ci/internal/pkg/templates/defaults.config.yaml - -toolVersions: - pulumictl: "v0.0.48" \ No newline at end of file diff --git a/.config/mise.test.toml b/.config/mise.test.toml new file mode 100644 index 0000000..3ab7402 --- /dev/null +++ b/.config/mise.test.toml @@ -0,0 +1,11 @@ +# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt + +# Overrides for test workflows + +[env] +# Acceptance (specifically providertest) tests require that PULUMI_HOME be the default +PULUMI_HOME = "{{ env.HOME }}/.pulumi" + +[tools] +# always use pulumi latest for tests +pulumi = "latest" diff --git a/.config/mise.toml b/.config/mise.toml new file mode 100644 index 0000000..a0955e7 --- /dev/null +++ b/.config/mise.toml 
@@ -0,0 +1,33 @@ +# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt +# You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html + +[env] +_.source = "{{config_root}}/scripts/get-versions.sh" +PULUMI_HOME = "{{config_root}}/.pulumi" + +[tools] + +# Runtimes +# TODO: we may not need 'get_env' once https://github.com/jdx/mise/discussions/6339 is fixed +go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}" +node = '20.19.5' +python = '3.11.8' +dotnet = '8.0.414' +# Corretto version used as Java SE/OpenJDK version no longer offered +java = 'corretto-11' + +# Executable tools +pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}" +"github:pulumi/pulumictl" = '0.0.50' +"github:pulumi/schema-tools" = "0.6.0" +"aqua:gradle/gradle-distributions" = '7.6.6' +golangci-lint = "1.64.8" # See note about about overrides if you need to customize this. +"npm:yarn" = "1.22.22" +"vfox-pulumi:pulumi/pulumi-converter-terraform" = "1.0.16" + +[settings] +experimental = true # Required for Go binaries (e.g. pulumictl). +lockfile = false + +[plugins] +vfox-pulumi = "https://github.com/pulumi/vfox-pulumi" diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 7d46cd8..9366ae6 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,4 +1,4 @@ -FROM jetpackio/devbox:latest +FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7 # Installing your devbox project WORKDIR /code diff --git a/.github/actions/download-prerequisites/action.yml b/.github/actions/download-prerequisites/action.yml index 8840a8d..7545a52 100644 --- a/.github/actions/download-prerequisites/action.yml +++ b/.github/actions/download-prerequisites/action.yml 
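Review bot: In the `[settings]` table of `.config/mise.toml`, `lockfile = false` together with `default='latest'` for `go` and `pulumi` means a CI job installs whatever the upstream release feeds resolve to at run time, with nothing recorded in the repository to compare against. The `[plugins]` entry `vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"` names a repository without a ref, so it presumably follows that repository's default branch. Because this file is marked autogenerated, the place to tighten it is the root-level `mise.toml` this commit also adds: pin explicit versions there and consider `lockfile = true` so the resolved versions are committed and reviewed. `_.source` runs `scripts/get-versions.sh` whenever mise loads this config, so that script deserves the same review attention as the workflows.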
@@ -5,7 +5,7 @@ runs: using: "composite" steps: - name: Download the prerequisites bin - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: prerequisites-bin path: bin @@ -19,7 +19,7 @@ runs: run: rm bin/executables.txt - name: Download schema-embed.json - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: # Use a pattern to avoid failing if the artifact doesn't exist pattern: schema-embed.* diff --git a/.github/actions/download-provider/action.yml b/.github/actions/download-provider/action.yml index 41311de..7da258a 100644 --- a/.github/actions/download-provider/action.yml +++ b/.github/actions/download-provider/action.yml @@ -6,7 +6,7 @@ runs: steps: - name: Download pulumi-resource-incus - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: pattern: pulumi-resource-incus-*-linux-amd64.tar.gz path: ${{ github.workspace }}/bin diff --git a/.github/actions/download-sdk/action.yml b/.github/actions/download-sdk/action.yml index cbd4425..f25ad6f 100644 --- a/.github/actions/download-sdk/action.yml +++ b/.github/actions/download-sdk/action.yml @@ -10,7 +10,7 @@ runs: using: "composite" steps: - name: Download ${{ inputs.language }} SDK - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: name: ${{ inputs.language }}-sdk.tar.gz path: ${{ github.workspace}}/sdk/ diff --git a/.github/actions/esc-action/action.yaml b/.github/actions/esc-action/action.yaml new file mode 100644 index 0000000..86c88f0 --- /dev/null +++ b/.github/actions/esc-action/action.yaml 
@@ -0,0 +1,12 @@ +name: "Load secrets" +description: | + This is a temporary action which assists with our migration to ESC. Instead + of surrounding every step that references secrets with an "if ESC" block, we + instead modify those steps to consume their secrets from this step's outputs. + Then, later, we can replace this action with esc-action to actually load + secrets from ESC. +inputs: {} +outputs: {} +runs: + using: "node20" + main: "index.js" diff --git a/.github/actions/esc-action/index.js b/.github/actions/esc-action/index.js new file mode 100644 index 0000000..2299fdc --- /dev/null +++ b/.github/actions/esc-action/index.js @@ -0,0 +1,14 @@ +const fs = require("fs"); + +const file = process.env["GITHUB_OUTPUT"]; +var stream = fs.createWriteStream(file, { flags: "a" }); + +for (const [name, value] of Object.entries(process.env)) { + try { + stream.write(`${name}< bin/executables.txt - name: Upload prerequisites bin - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: prerequisites-bin path: bin/* retention-days: 30 - name: Upload schema-embed.json - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: schema-embed.json path: provider/cmd/pulumi-resource-incus/schema-embed.json diff --git a/.github/actions/upload-sdk/action.yml b/.github/actions/upload-sdk/action.yml index 75e262d..e941a31 100644 --- a/.github/actions/upload-sdk/action.yml +++ b/.github/actions/upload-sdk/action.yml 
@@ -13,7 +13,7 @@ runs: shell: bash run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} . - name: Upload artifacts - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: ${{ inputs.language }}-sdk.tar.gz path: ${{ github.workspace}}/sdk/${{ inputs.language }}.tar.gz diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml index f83b65a..dd5ee20 100644 --- a/.github/workflows/build_provider.yml +++ b/.github/workflows/build_provider.yml @@ -19,7 +19,8 @@ on: {"os": "linux", "arch": "arm64"}, {"os": "darwin", "arch": "amd64"}, {"os": "darwin", "arch": "arm64"}, - {"os": "windows", "arch": "amd64"} + {"os": "windows", "arch": "amd64"}, + {"os": "windows", "arch": "arm64"} ] } 
@@ -33,22 +34,31 @@ jobs: strategy: fail-fast: true matrix: ${{ fromJSON(inputs.matrix) }} + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action # Without ldid cross-compiling Node binaries on a Linux worker intended to work on darwin-arm64 fails to sign the # binaries properly and they do not work as expected. See https://github.com/pulumi/pulumi-awsx/issues/1490 - - uses: MOZGIII/install-ldid-action@v1 + - uses: MOZGIII/install-ldid-action@d5ab465f3a66a4d60a59882b935eb30e18e8d043 # v1 with: tag: v2.1.5-procursus2 - - name: Setup tools - uses: ./.github/actions/setup-tools + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: pulumictl, go - # use per-platform/arch caches instead since we are doing cross-builds - cache-go: false + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + # only saving the cache in the prerequisites job + cache_save: false # Based on https://github.com/actions/cache/blob/main/examples.md#go---modules - name: Get GOCACHE id: gocache @@ -61,7 +71,7 @@ jobs: run: | echo "path=$(go env GOMODCACHE)" >> "${GITHUB_OUTPUT}" - name: Go Cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | ${{ steps.gocache.outputs.path }} 
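Review bot: The new job-level `permissions` block grants `id-token: write`, but the `esc-secrets` step it is annotated for is the local `./.github/actions/esc-action` shim, whose own description says it only re-exports values and does not yet load anything from ESC. Until the real ESC action is wired in, nothing visible in this job needs to mint an OIDC token, while every step in the job, `make` targets and third-party actions included, could request one for this repository's identity. Dropping the line for now, leaving `permissions:` with only `contents: read`, keeps the job at least privilege. The same grant appears in build_sdk.yml, license.yml, lint.yml, main.yml and prerequisites.yml.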
@@ -71,6 +81,8 @@ jobs: go-provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}- - name: Prepare local workspace before restoring previously built run: make prepare_local_workspace + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Restore prerequisites uses: ./.github/actions/download-prerequisites - name: Restore makefile progress 
@@ -80,17 +92,17 @@ jobs: - name: Build provider run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}" env: - AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} - AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} - AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} - AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} - SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} + AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} - name: Package provider run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }} - name: Upload artifacts - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: pulumi-resource-incus-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz path: bin/pulumi-resource-incus-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml index 4b6cf04..44f1c65 100644 --- a/.github/workflows/build_sdk.yml +++ b/.github/workflows/build_sdk.yml 
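Review bot: The new `SKIP_SIGNING` expression tests `steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == ''` but still tests `secrets.AZURE_SIGNING_CLIENT_SECRET`, `secrets.AZURE_SIGNING_TENANT_ID` and `secrets.AZURE_SIGNING_KEY_VAULT_URI`, while the four values handed to `make` now all come from the `esc-secrets` outputs. The two sources can disagree, so the build may attempt signing with empty credentials, or skip signing although credentials are present. All four comparisons should read the same source as the values, e.g. `steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == ''` and likewise for the tenant id and key vault URI. Also confirm that the `esc-secrets` step receives these variables in its environment; the workflow-level `env` of build_provider.yml is outside the hunk. Since the workflow is generated by ci-mgmt, the fix probably belongs in the template.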
@@ -10,21 +10,11 @@ on: type: string env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi PROVIDER_VERSION: ${{ inputs.version }} 
@@ -38,27 +28,48 @@ jobs: fail-fast: ${{ ! contains(github.actor, 'renovate') }} matrix: language: - - dotnet - go - nodejs - - python + permissions: + contents: write # For Renovate SDKs. + id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - name: Cache examples generation - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | .pulumi/examples-cache key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }} - - name: Setup tools - uses: ./.github/actions/setup-tools + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: pulumictl, pulumicli, ${{ matrix.language }} + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + # only saving the cache in the prerequisites job + cache_save: false + - name: Setup Go Cache + if: matrix.language == 'go' || contains(matrix.language, 'go') + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 + with: + cache-dependency-path: | + provider/*.sum + upstream/*.sum + sdk/go/*.sum + sdk/*.sum + *.sum - name: Prepare local workspace run: make prepare_local_workspace + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Download prerequisites uses: ./.github/actions/download-prerequisites - name: Update path @@ -67,6 +78,7 @@ jobs: run: make --touch provider schema - name: Build SDK run: make build_${{ matrix.language }} + - name: Check worktree clean id: worktreeClean uses: pulumi/git-status-check-action@v1 
@@ -78,6 +90,7 @@ jobs: sdk/go/**/pulumiUtilities.go sdk/nodejs/package.json sdk/python/pyproject.toml + sdk/java/build.gradle - name: Commit ${{ matrix.language }} SDK changes for Renovate # If the worktree is dirty and this is a Renovate PR to bump # dependencies, commit the updated SDK and push it back to the PR. The @@ -111,7 +124,7 @@ jobs: # Push with pulumi-bot credentials to trigger a re-run of the # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \ + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \ "HEAD:$HEAD_REF" env: # head_ref is untrusted so it's recommended to pass via env var to diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 16d825c..65302c9 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml 
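Review bot: The rewritten `git push` line splices `${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}` straight into the script text, whereas the same step already passes `head_ref` through `env` for safety. Passing the token the same way keeps it out of the rendered script: add `PULUMI_BOT_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}` under the step's `env:` and push to `"https://pulumi-bot:${PULUMI_BOT_TOKEN}@github.com/${{ github.repository }}"`. As far as the visible hunks show, the workflow-level `env` of build_sdk.yml does not define `PULUMI_BOT_TOKEN` and the `esc-secrets` step has no `env:` of its own, so this output may be empty and the push would then fail; confirm where the shim is meant to get it. The step's `run` block starts above this hunk.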
@@ -7,39 +7,42 @@ on: inputs: {} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi jobs: license_check: name: License Check runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false - - name: Setup tools - uses: ./.github/actions/setup-tools + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: go - cache-go: false + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + # only saving the cache in the prerequisites job + cache_save: false - run: make prepare_local_workspace continue-on-error: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - uses: pulumi/license-check-action@main with: module-path: provider 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index bcbd2a0..dbdbf8f 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,39 +7,37 @@ on: inputs: {} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi jobs: lint: name: lint runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false - - name: Install go - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5 + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - # The versions of golangci-lint and setup-go here cross-depend and need to update together. - go-version: 1.23 - # Either this action or golangci-lint needs to disable the cache - cache: false + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + cache_save: false # A different job handles caching our tools. 
- name: disarm go:embed directives to enable lint continue-on-error: true # this fails if there are no go:embed directives run: | @@ -47,8 +45,10 @@ jobs: - name: prepare workspace continue-on-error: true run: make prepare_local_workspace + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: golangci-lint uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6 with: - version: v1.64.6 + install-mode: none # Handled by mise. working-directory: provider diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ea028dc..ec5dc37 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,24 +1,19 @@ # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi + jobs: prerequisites: + permissions: + contents: read + pull-requests: write + id-token: write # For ESC secrets. uses: ./.github/workflows/prerequisites.yml secrets: inherit with: 
@@ -30,6 +25,9 @@ jobs: uses: ./.github/workflows/build_provider.yml needs: prerequisites secrets: inherit + permissions: + contents: read + id-token: write # For ESC secrets. with: version: ${{ needs.prerequisites.outputs.version }} @@ -38,6 +36,9 @@ jobs: needs: prerequisites uses: ./.github/workflows/build_sdk.yml secrets: inherit + permissions: + contents: write # For Renovate SDKs. + id-token: write # For ESC secrets. with: version: ${{ needs.prerequisites.outputs.version }} @@ -46,6 +47,9 @@ jobs: needs: prerequisites uses: ./.github/workflows/main-post-build.yml secrets: inherit + permissions: + contents: write # For Renovate SDKs. + id-token: write # For ESC secrets. with: version: ${{ needs.prerequisites.outputs.version }} @@ -73,6 +77,7 @@ jobs: with: version: ${{ needs.prerequisites.outputs.version }} isPrerelease: true + setLatestRelease: false skipGoSdk: true skipJavaSdk: true @@ -80,7 +85,17 @@ jobs: name: Tag release if labeled as needs-release needs: publish runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # For ESC secrets. steps: + - name: Checkout Repo + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - name: check if this commit needs release if: ${{ env.RELEASE_BOT_ENDPOINT != '' }} uses: pulumi/action-release-by-pr-label@main @@ -88,10 +103,10 @@ jobs: command: "release-if-needed" repo: ${{ github.repository }} commit: ${{ github.sha }} - slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }} + slack_channel: C02MGR8JVST env: - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} + RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} test: 
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 0884bd7..710bc9e 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -2,24 +2,18 @@ env: IS_PRERELEASE: true - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi + jobs: prerequisites: + permissions: + contents: read + pull-requests: write uses: ./.github/workflows/prerequisites.yml secrets: inherit with: @@ -66,6 +60,7 @@ jobs: with: version: ${{ needs.prerequisites.outputs.version }} isPrerelease: true + setLatestRelease: false test: uses: ./.github/workflows/test.yml diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml index 5208f4a..8048f16 100644 --- a/.github/workflows/prerequisites.yml +++ b/.github/workflows/prerequisites.yml 
@@ -20,68 +20,83 @@ on: value: ${{ jobs.prerequisites.outputs.version }} env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi jobs: prerequisites: name: prerequisites runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + id-token: write # For ESC secrets. 
outputs: version: ${{ steps.provider-version.outputs.version }} steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false - - uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action + - uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 id: provider-version with: major-version: 1 set-env: 'PROVIDER_VERSION' - name: Cache examples generation - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | .pulumi/examples-cache key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }} - - name: Setup tools - uses: ./.github/actions/setup-tools + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: go, pulumictl, pulumicli, schema-tools + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + # only saving the cache in the prerequisites job + cache_save: true + - name: Setup Go Cache + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 + with: + cache-dependency-path: | + provider/*.sum + upstream/*.sum + sdk/go/*.sum + sdk/*.sum + *.sum - name: Prepare local workspace before restoring previously built files run: make prepare_local_workspace + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Generate schema run: make schema - name: Build provider binary run: make provider - name: Unit-test provider code run: make test_provider - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0 env: - CODECOV_TOKEN: ${{ 
secrets.CODECOV_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1 + env: + CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }} - if: inputs.is_pr name: Check Schema is Valid run: | EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/brandonkal -p incus -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-incus/schema.json; + schema-tools compare -r github://api.github.com/kiterun -p incus -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-incus/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false && github.actor != 'dependabot[bot]' diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index fa8ddf9..fecd419 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -7,6 +7,9 @@ on: version: required: true type: string + setLatestRelease: + required: true + type: boolean isPrerelease: required: true type: boolean 
@@ -21,21 +24,17 @@ on: env: IS_PRERELEASE: ${{ inputs.isPrerelease }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} + JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} + JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} TF_APPEND_USER_AGENT: pulumi jobs: 
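Review bot: The workflow-level `env:` still places the registry and signing secrets (`NPM_TOKEN`, `NUGET_PUBLISH_KEY`, `PYPI_API_TOKEN`, `OSSRH_*`, `JAVA_SIGNING_*`) in the environment of every step of every job, including third-party actions that never publish. The later hunks already hand each credential to the publishing steps through `steps.esc-secrets.outputs.*`. The raw secrets would be better scoped to an `env:` block on the `esc-secrets` step alone, assuming `./.github/actions/esc-action` reads them from its environment (its source is not in this hunk). The `env:` hunk of `verify-release.yml` has the same shape, and a verification job should not need publish credentials at all.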
@@ -50,25 +49,31 @@ jobs: if: inputs.skipGoSdk && inputs.isPrerelease == false run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false - - name: Setup tools - uses: ./.github/actions/setup-tools + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: pulumictl, pulumicli, go, schema-tools - cache-go: false + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + cache_save: false - name: Create dist directory run: mkdir -p dist - name: Download provider assets - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: pattern: pulumi-resource-incus-v${{ inputs.version }}-* path: dist # Don't create a directory for each artifact merge-multiple: true - name: Download schema - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1 + uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: # Use a pattern to avoid failing if the artifact doesn't exist pattern: schema-embed.* 
@@ -83,22 +88,24 @@ jobs: shell: bash run: | # Get latest stable release. Return only first column from result (tag). - LAST_VERSION=$(gh release view --repo brandonkal/pulumi-incus --json tagName -q .tagName || echo "No stable release" ) + LAST_VERSION=$(gh release view --repo kiterun/pulumi-incus --json tagName -q .tagName || echo "No stable release" ) { echo 'summary<> "$GITHUB_OUTPUT" - name: Create GH Release - uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 if: inputs.isPrerelease == false with: tag_name: v${{ inputs.version }} prerelease: ${{ inputs.isPrerelease }} # We keep pre-releases as drafts so they're not visible until we manually publish them. draft: ${{ inputs.isPrerelease }} + # Explicitly set make_latest to account for backported releases + make_latest: ${{ inputs.setLatestRelease }} body: ${{ steps.schema-summary.outputs.summary }} generate_release_notes: true files: dist/* 
@@ -113,27 +120,58 @@ jobs: python_version: ${{ steps.python_version.outputs.version }} steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: # Persist credentials so we can push back to the repo - persist-credentials: true - - name: Setup tools - uses: ./.github/actions/setup-tools + persist-credentials: true + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: pulumictl, pulumicli, dotnet, go, nodejs, python - cache-go: false + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + # only saving the cache in the prerequisites job + cache_save: false + - name: Setup Node + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 + with: + # we don't set node-version because we install with mise. 
+ # this step is needed to setup npm auth + registry-url: https://registry.npmjs.org - name: Publish SDKs if: inputs.skipJavaSdk == false - uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21 + uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23 with: sdk: all,!java version: ${{ inputs.version }} + env: + PYPI_USERNAME: __token__ + PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }} + NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }} + SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }} + SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }} + SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }} + PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }} + PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }} + NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }} - name: Publish SDKs (except Java) if: inputs.skipJavaSdk == true - uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21 + uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23 with: sdk: all,!java,!java version: ${{ inputs.version }} + env: + PYPI_USERNAME: __token__ + PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }} + NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }} + SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }} + SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }} + SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }} + NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }} - name: Download Go SDK uses: ./.github/actions/download-sdk with: 
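Review bot: Both publishing steps exclude Java (`sdk: all,!java` and `sdk: all,!java,!java`), yet each receives `SIGNING_KEY`, `SIGNING_KEY_ID` and `SIGNING_PASSWORD`, and the first also receives `PUBLISH_REPO_USERNAME` and `PUBLISH_REPO_PASSWORD`. Nothing visible in these steps uses them, so the Java signing key and the OSSRH login are handed to `pulumi/pulumi-package-publisher` for a run that publishes only the other SDKs. Dropping those lines from the two `env:` blocks limits what the step can leak. The job also checks out with `persist-credentials: true`, so the publisher step runs with a push-capable token on disk. The job's remaining steps are outside the hunk.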
@@ -169,9 +207,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 99f8d80..cee2cd0 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml 
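Review bot: `pulumi/action-release-by-pr-label@main` is the one action in this hunk still referenced by a mutable branch, while the checkout above it is pinned to a commit SHA. The job now runs the new `esc-secrets` step immediately before it, so whatever `main` points to at run time executes in a job that holds the mapped secrets. Pin it like the others, e.g. `uses: pulumi/action-release-by-pr-label@<commit-sha> # <tag>`, where the placeholder is taken from the action's repository. None of the visible lines consume `steps.esc-secrets.outputs.*`, so the added step may not be needed in this job at all. The step's `with:` block continues outside the hunk.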
@@ -1,32 +1,25 @@ # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi + +name: Comment on community PRs +on: + pull_request_target: {} + jobs: comment-on-pr: if: github.event.pull_request.head.repo.full_name != github.repository name: comment-on-pr runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: @@ -35,6 +28,3 @@ jobs: PR is now waiting for a maintainer to run the acceptance tests. **Note for the maintainer:** To run the acceptance tests, please comment */run-acceptance-tests* on the PR -name: pull-request -on: - pull_request_target: {} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c1df66f..846794c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
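Review bot: `PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}` is added to the workflow-level `env:` of a `pull_request_target` workflow whose only job runs for pull requests from forks and only posts a comment. Removing the checkout and adding `permissions: pull-requests: write` are the right direction, but the automation token is still exposed to the third-party comment action with no visible use. The line should be deleted from this file, since the job's own token with `pull-requests: write` should be enough for the comment. The same workflow-level line is added in the `env:` hunks of `release.yml`, `run-acceptance-tests.yml`, `test.yml`, `upgrade-bridge.yml` and `upgrade-provider.yml`, where it would be safer set only on the step that consumes it.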
@@ -7,24 +7,19 @@ on: - "!v*.*.*-**" env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi + jobs: prerequisites: + permissions: + contents: read + pull-requests: write + id-token: write # For ESC secrets. uses: ./.github/workflows/prerequisites.yml secrets: inherit with: @@ -36,6 +31,9 @@ jobs: uses: ./.github/workflows/build_provider.yml needs: prerequisites secrets: inherit + permissions: + contents: read + id-token: write # For ESC secrets. with: version: ${{ needs.prerequisites.outputs.version }} @@ -44,6 +42,9 @@ jobs: needs: prerequisites uses: ./.github/workflows/build_sdk.yml secrets: inherit + permissions: + contents: write # For Renovate SDKs. + id-token: write # For ESC secrets. with: version: ${{ needs.prerequisites.outputs.version }} @@ -72,6 +73,8 @@ jobs: with: version: ${{ needs.prerequisites.outputs.version }} isPrerelease: false + # Only tags on the default branch should set the release as `latest`; backported releases (tagged on a feature branch) should not. + setLatestRelease: ${{ github.event.base_ref == format('refs/heads/{0}', github.event.repository.default_branch) }} test: uses: ./.github/workflows/test.yml 
diff --git a/.github/workflows/resync-build.yml b/.github/workflows/resync-build.yml index b31b41e..745d13b 100644 --- a/.github/workflows/resync-build.yml +++ b/.github/workflows/resync-build.yml @@ -2,32 +2,36 @@ name: "Resync Build Workflows" on: - schedule: - # 3 AM UTC ~ 8 PM PDT / 7 PM PST every Tuesday. - - cron: 0 3 * * TUE + workflow_dispatch: permissions: contents: write pull-requests: write -env: - GITHUB_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} - jobs: upgrade_provider: name: pull-workflow-changes runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: # Persist credentials so pull-workflow-changes can push a new branch. persist-credentials: true + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s + with: + version: 2025.11.6 + github_token: ${{ secrets.GITHUB_TOKEN }} + # only saving the cache in the prerequisites job + cache_save: false - name: Regenerate the workflow files via https://github.com/pulumi/ci-mgmt run: | make ci-mgmt - name: Create PR (no linked issue) - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8 + uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9 with: author: pulumi-bot base: main @@ -39,3 +43,5 @@ jobs: labels: impact/no-changelog-required title: Regenerate Github Actions workflows for pulumi-incus token: ${{ env.GITHUB_TOKEN }} + env: + GITHUB_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 140ed06..957b0f3 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml 
@@ -12,21 +12,11 @@ on: env: PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi # This should cancel any previous runs of the same workflow on the same branch which are still running. @@ -41,10 +31,11 @@ jobs: permissions: contents: read pull-requests: write + id-token: write # For ESC secrets. uses: ./.github/workflows/prerequisites.yml secrets: inherit with: - default_branch: ${{ github.event.repository.default_branch }} + default_branch: ${{ github.event.pull_request.base.ref }} is_pr: ${{ github.event_name == 'pull_request' }} is_automated: ${{ github.actor == 'dependabot[bot]' }} @@ -52,6 +43,9 @@ jobs: uses: ./.github/workflows/build_provider.yml needs: prerequisites secrets: inherit + permissions: + contents: read + id-token: write # For ESC secrets. with: version: ${{ needs.prerequisites.outputs.version }} matrix: | @@ -69,6 +63,9 @@ jobs: needs: prerequisites uses: ./.github/workflows/build_sdk.yml secrets: inherit + permissions: + contents: write # For Renovate SDKs. + id-token: write # For ESC secrets. with: version: ${{ needs.prerequisites.outputs.version }} 
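Review bot: In the last hunk of this file `build_sdk` is granted `contents: write` and `id-token: write` next to `secrets: inherit`, in a workflow driven by `PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}`, i.e. by a contributor's commit. If `build_sdk.yml` checks out and builds that commit (its body is outside this hunk), code from the pull request runs with a token that can push to the repository and request an OIDC identity. For the acceptance-test caller `contents: read` looks sufficient. If the called workflow itself declares write access for its push-back step, that step should be conditioned so it never runs for pull-request builds. A comment on the permission stating which step needs write, and on which events, would make the intent reviewable.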
@@ -79,11 +76,15 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: + - name: Checkout Repo + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" - name: Update with Result - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 + uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0 with: body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}" issue-number: ${{ github.event.client_payload.github.payload.issue.number }} @@ -108,9 +109,9 @@ jobs: - lint runs-on: ubuntu-latest steps: - - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13 + - uses: guibranco/github-status-action-v2@631f55ea0251f0fb284525ad86c30e9f7a8dd284 # v1.1.14 with: - authToken: ${{secrets.GITHUB_TOKEN}} + authToken: ${{ secrets.GITHUB_TOKEN }} # Write an explicit status check called "Sentinel" which will only pass if this code really runs. # This should always be a required check for PRs. context: 'Sentinel' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fef197e..b3fda44 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -12,21 +12,13 @@ on: env: PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + MISE_ENV: test + PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi jobs: 
@@ -39,24 +31,45 @@ jobs: PROVIDER_VERSION: ${{ inputs.version }} steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: ref: ${{ env.PR_COMMIT_SHA }} - persist-credentials: false + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: repository: pulumi/examples path: p-examples - - name: Setup tools - uses: ./.github/actions/setup-tools + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_ENV: test + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: pulumictl, pulumicli, ${{ matrix.language }} + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + # also save this cache since we are using a different mise env. + cache_save: true - name: Prepare local workspace run: make prepare_local_workspace + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Download bin uses: ./.github/actions/download-provider + - name: Setup Go Cache + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 + if: matrix.language == 'go' || contains(matrix.language, 'go') + with: + cache-dependency-path: | + provider/*.sum + upstream/*.sum + sdk/go/*.sum + sdk/*.sum + *.sum - name: Download SDK uses: ./.github/actions/download-sdk with: 
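Review bot: `uses: ./.github/actions/esc-action` is resolved from the workspace, and the step before it checks out `ref: ${{ env.PR_COMMIT_SHA }}`, so the action code that maps secrets to step outputs comes from the pull request's tree rather than from the base branch. The removed `setup-tools` step was loaded the same way, but the new step is the one that handles credentials, and `make prepare_local_workspace` then runs the PR's Makefile with `GITHUB_TOKEN` set. Resolving the action from a separate checkout of the base ref (a second `actions/checkout` into its own `path`) would keep the secret-handling code trusted. Independently, the job should receive only what the tests need, and the workflow-level `PULUMI_PROVIDER_AUTOMATION_TOKEN` is not consumed anywhere in this hunk. The step list continues outside the hunk.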
@@ -75,15 +88,17 @@ jobs: - name: Run tests if: matrix.testTarget == 'local' run: cd examples && go test -v -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -skip TestPulumiExamples -parallel 4 . + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run pulumi/examples tests if: matrix.testTarget == 'pulumiExamples' run: cd examples && go test -v -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -run TestPulumiExamples -parallel 4 . + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} strategy: fail-fast: false matrix: language: - - dotnet - go - nodejs - - python testTarget: [local] diff --git a/.github/workflows/upgrade-bridge.yml b/.github/workflows/upgrade-bridge.yml index ba5ae84..ac67131 100644 --- a/.github/workflows/upgrade-bridge.yml +++ b/.github/workflows/upgrade-bridge.yml 
@@ -49,29 +49,24 @@ on: required: false type: boolean default: false + patch-release: + description: Whether to create a patch release + required: false + type: boolean + default: false permissions: contents: write issues: write pull-requests: write + id-token: write # For ESC secrets. env: - GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" TF_APPEND_USER_AGENT: pulumi jobs: 
@@ -80,16 +75,24 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false - - name: Setup tools - uses: ./.github/actions/setup-tools + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: pulumictl, pulumicli, dotnet, go, nodejs, python + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + # only saving the cache in the prerequisites job + cache_save: false - name: Call upgrade provider action if: github.event_name == 'workflow_dispatch' - uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15 + uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18 with: kind: ${{ inputs.kind }} email: bot@pulumi.com @@ -100,9 +103,12 @@ jobs: pr-reviewers: ${{ inputs.pr-reviewers }} pr-description: ${{ inputs.pr-description }} pr-title-prefix: ${{ inputs.pr-title-prefix }} + patch-release: ${{ github.event.client_payload.patch-release }} + env: + GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} - name: Call upgrade provider action if: github.event_name == 'repository_dispatch' - uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15 + uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18 with: kind: ${{ github.event.client_payload.kind || 'bridge' }} email: bot@pulumi.com 
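Review bot: The `workflow_dispatch` branch of the upgrade step reads `patch-release: ${{ github.event.client_payload.patch-release }}`, but `client_payload` is only populated on `repository_dispatch`, so the newly declared `patch-release` input is ignored when the workflow is started manually. Every other value in that step comes from `inputs.*`, so the line should read `patch-release: ${{ inputs.patch-release }}`. The `repository_dispatch` step in the following hunk uses `client_payload` correctly. Because the file is generated, the fix probably belongs in the ci-mgmt template rather than here.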
@@ -113,3 +119,6 @@ jobs: pr-reviewers: ${{ github.event.client_payload.pr-reviewers }} pr-description: ${{ github.event.client_payload.pr-description }} pr-title-prefix: ${{ github.event.client_payload.pr-title-prefix }} + patch-release: ${{ github.event.client_payload.patch-release }} + env: + GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/upgrade-provider.yml b/.github/workflows/upgrade-provider.yml index 3c1bc76..da3466a 100644 --- a/.github/workflows/upgrade-provider.yml +++ b/.github/workflows/upgrade-provider.yml @@ -22,14 +22,19 @@ on: # 3 AM UTC ~ 8 PM PDT / 7 PM PST daily. Time chosen to run during off hours. - cron: 0 3 * * * +env: + PULUMI_API: https://api.pulumi-staging.io + PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. + PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }} + PULUMI_PULUMI_ENABLE_JOURNALING: "true" + TF_APPEND_USER_AGENT: pulumi + permissions: contents: write issues: write pull-requests: write - -env: - GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + id-token: write # For ESC secrets. jobs: upgrade_provider: 
@@ -37,14 +42,22 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: # Persist credentials so upgrade-provider can push a new branch. - persist-credentials: true - - name: Setup tools - uses: ./.github/actions/setup-tools + persist-credentials: true + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action + - name: Setup mise + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: - tools: pulumictl, pulumicli, dotnet, go, nodejs, python + version: 2025.11.6 + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + # only saving the cache in the prerequisites job + cache_save: false - name: Install upgrade-provider run: go install github.com/pulumi/upgrade-provider@${{ inputs.upgradeProviderVersion || 'main' }} shell: bash @@ -60,6 +73,7 @@ jobs: run: upgrade-provider "$REPO" --kind=check-upstream-version env: REPO: ${{ github.repository }} + GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} shell: bash - name: Calculate target version id: target_version @@ -71,7 +85,7 @@ jobs: id: upgrade_provider if: steps.target_version.outputs.version != '' continue-on-error: true - uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15 + uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18 with: kind: provider email: bot@pulumi.com 
@@ -79,10 +93,14 @@ jobs: automerge: true target-version: ${{ steps.target_version.outputs.version }} allow-missing-docs: true + env: + GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} - name: Comment on upgrade issue if automated PR failed if: steps.upgrade_provider.outcome == 'failure' shell: bash run: | issue_number=$(gh issue list --search "pulumiupgradeproviderissue" --repo "${{ github.repository }}" --json=number --jq=".[0].number") gh issue comment "${issue_number}" --repo "${{ github.repository }}" --body "Failed to create automatic PR: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/" + env: + GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml index 5b07394..4b44fdb 100644 --- a/.github/workflows/verify-release.yml +++ b/.github/workflows/verify-release.yml 
@@ -37,21 +37,17 @@ on: required: false env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} + JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} + JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} + OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - PYPI_USERNAME: __token__ - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} TF_APPEND_USER_AGENT: pulumi jobs: 
@@ -74,10 +70,32 @@ jobs: - name: Configure Git to checkout files with long names run: git config --global core.longpaths true - name: Checkout Repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false - - name: Setup tools - uses: ./.github/actions/setup-tools + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action + - name: Setup Node + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: - tools: pulumicli, dotnet, go, nodejs, python + node-version: 20.x + registry-url: https://registry.npmjs.org + - name: Install Go + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6 + with: + go-version: "1.21.x" + cache-dependency-path: | + provider/*.sum + upstream/*.sum + sdk/go/*.sum + sdk/*.sum + *.sum + cache: true + - name: Set Go Toolchain to auto explicitly + run: | + echo "GOTOOLCHAIN=auto" >> "$GITHUB_ENV" + - name: Install Pulumi CLI + uses: pulumi/actions@8582a9e8cc630786854029b4e09281acd6794b58 # v6 + with: + pulumi-version: "dev" diff --git a/.golangci.yml b/.golangci.yml index 32bafea..7f6d206 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -33,5 +33,5 @@ linters-settings: - blank # Blank section: contains all blank imports. - default # Default section: contains all imports that could not be matched to another section type. - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix. - - prefix(git.kalinow.ski/nimbus/pulumi-incus) # Custom section: local imports + - prefix(github.com/kiterun/pulumi-incus) # Custom section: local imports custom-order: true diff --git a/Makefile b/Makefile index 86d48cd..82f9b8c 100644 --- a/Makefile +++ b/Makefile 
@@ -1,13 +1,12 @@ # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt PACK := incus -ORG := nimbus -PROJECT := git.kalinow.ski/$(ORG)/pulumi-$(PACK) +ORG := kiterun +PROJECT := github.com/$(ORG)/pulumi-$(PACK) PROVIDER_PATH := provider VERSION_PATH := $(PROVIDER_PATH)/pkg/version.Version CODEGEN := pulumi-tfgen-$(PACK) PROVIDER := pulumi-resource-$(PACK) -JAVA_GEN := pulumi-java-gen TESTPARALLELISM := 10 GOTESTARGS := "" WORKING_DIR := $(shell pwd) 
@@ -41,19 +40,36 @@ LDFLAGS=$(LDFLAGS_PROJ_VERSION) $(LDFLAGS_UPSTREAM_VERSION) $(LDFLAGS_EXTRAS) $( _ := $(shell mkdir -p .make bin .pulumi/bin) # Build the provider and all SDKs and install ready for testing -build: install_plugins provider build_sdks install_sdks +build: .make/mise_install provider build_sdks install_sdks +build: | mise_env + # Keep aliases for old targets to ensure backwards compatibility development: build only_build: build # Prepare the workspace for building the provider and SDKs # Importantly this is run by CI ahead of restoring the bin directory and resuming SDK builds -prepare_local_workspace: install_plugins upstream +prepare_local_workspace: .make/mise_install upstream +prepare_local_workspace: | mise_env # Creates all generated files which need to be committed generate: generate_sdks schema generate_sdks: generate_go generate_nodejs build_sdks: build_go build_nodejs install_sdks: install_go_sdk install_nodejs_sdk -.PHONY: development only_build build generate generate_sdks build_sdks install_sdks +.PHONY: development only_build build generate generate_sdks build_sdks install_sdks mise_install mise_env + +# Installs all necessary tools with mise and records completion in a sentinel +# file so dependent targets can participate in make's caching behaviour. The +# environment is refreshed via an order-only prerequisite so it still runs on +# every invocation without invalidating the sentinel. +mise_install: .make/mise_install | mise_env + +mise_env: + @mise env -q > /dev/null + +.make/mise_install: + @mise install -q + @touch $@ + help: @echo "Usage: make [target]" @@ -80,7 +96,7 @@ help: @echo "" @echo "Internal Targets (automatically run as dependencies of other targets)" @echo " prepare_local_workspace Prepare for building" - @echo " install_plugins Install plugin dependencies" + @echo " mise_install Install tools with mise" @echo " upstream Initialize the upstream submodule, if present" @echo "" @echo "Language-Specific Targets" 
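Review bot: `.make/mise_install` has no prerequisites, so once the sentinel exists `mise install` never runs again, even after `mise.toml` or `.config/mise.toml` change the pinned tool versions. A build can then keep using tools older than the ones the repository pins. Listing the config files as prerequisites keeps the two in step: `.make/mise_install: $(wildcard mise.toml .config/mise*.toml)`. Separately, `mise_env` runs `mise env -q > /dev/null` in its own shell, which cannot change the environment of later recipes. With the `export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)` lines removed in the following hunks, the build appears to rely on mise already being activated in the calling shell, which deserves a comment next to the target.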
@@ -88,7 +104,7 @@ help: @echo " build_[language] Build the SDK to check correctness" @echo " install_[language]_sdk Install the SDK ready for testing" @echo "" - @echo " [language] = dotnet go nodejs python" + @echo " [language] = go nodejs" @echo "" .PHONY: help @@ -98,8 +114,8 @@ GEN_ENVS := PULUMI_HOME=$(GEN_PULUMI_HOME) PULUMI_CONVERT_EXAMPLES_CACHE_DIR=$(G generate_dotnet: .make/generate_dotnet build_dotnet: .make/build_dotnet -.make/generate_dotnet: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/generate_dotnet: .make/install_plugins bin/$(CODEGEN) +.make/generate_dotnet: .make/mise_install bin/$(CODEGEN) +.make/generate_dotnet: | mise_env $(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) dotnet --out sdk/dotnet/ cd sdk/dotnet/ && \ printf "module fake_dotnet_module // Exclude this directory from Go tools\n\ngo 1.17\n" > go.mod && \ @@ -112,8 +128,8 @@ build_dotnet: .make/build_dotnet generate_go: .make/generate_go build_go: .make/build_go -.make/generate_go: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/generate_go: .make/install_plugins bin/$(CODEGEN) +.make/generate_go: .make/mise_install bin/$(CODEGEN) +.make/generate_go: | mise_env $(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) go --out sdk/go/ @touch $@ .make/build_go: .make/generate_go 
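Review bot: Removing `.make/generate_dotnet: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)` means this recipe no longer puts the repo-local, version-pinned CLI first on PATH, and the order-only `mise_env` prerequisite that replaces it cannot take over that job. The `mise_env` recipe runs `mise env -q > /dev/null` in its own shell and discards the output, so nothing it computes reaches this recipe; tools resolve from whatever PATH the caller of `make` already has. If mise is meant to supply them, either run the command through it, `$(GEN_ENVS) mise exec -- $(WORKING_DIR)/bin/$(CODEGEN) dotnet --out sdk/dotnet/`, or state in a comment on `mise_env` that mise must already be activated in the invoking shell or CI step. The same applies to the `.make/generate_go`, `.make/generate_java`, `.make/generate_nodejs`, `.make/generate_python` and `.make/schema` hunks.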
@@ -123,10 +139,10 @@ build_go: .make/build_go generate_java: .make/generate_java build_java: .make/build_java -.make/generate_java: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) .make/generate_java: PACKAGE_VERSION := $(PROVIDER_VERSION) -.make/generate_java: .make/install_plugins bin/pulumi-java-gen .make/schema - PULUMI_HOME=$(GEN_PULUMI_HOME) PULUMI_CONVERT_EXAMPLES_CACHE_DIR=$(GEN_PULUMI_CONVERT_EXAMPLES_CACHE_DIR) bin/$(JAVA_GEN) generate --schema provider/cmd/$(PROVIDER)/schema.json --out sdk/java --build gradle-nexus +.make/generate_java: .make/mise_install bin/$(CODEGEN) +.make/generate_java: | mise_env + $(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) java --out sdk/java/ printf "module fake_java_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/java/go.mod @touch $@ .make/build_java: PACKAGE_VERSION := $(PROVIDER_VERSION) 
@@ -139,23 +155,23 @@ build_java: .make/build_java generate_nodejs: .make/generate_nodejs build_nodejs: .make/build_nodejs -.make/generate_nodejs: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/generate_nodejs: .make/install_plugins bin/$(CODEGEN) +.make/generate_nodejs: .make/mise_install bin/$(CODEGEN) +.make/generate_nodejs: | mise_env $(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) nodejs --out sdk/nodejs/ printf "module fake_nodejs_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/nodejs/go.mod @touch $@ .make/build_nodejs: .make/generate_nodejs cd sdk/nodejs/ && \ - pnpm install && \ - pnpm tsc && \ - cp ../../README.md ../../LICENSE* package.json pnpm-lock.yaml ./bin/ + yarn install && \ + yarn run tsc && \ + cp ../../README.md ../../LICENSE package.json yarn.lock ./bin/ @touch $@ .PHONY: generate_nodejs build_nodejs generate_python: .make/generate_python build_python: .make/build_python -.make/generate_python: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/generate_python: .make/install_plugins bin/$(CODEGEN) +.make/generate_python: .make/mise_install bin/$(CODEGEN) +.make/generate_python: | mise_env $(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) python --out sdk/python/ printf "module fake_python_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/python/go.mod cp README.md sdk/python/ @@ -175,6 +191,7 @@ clean: rm -rf sdk/{dotnet,nodejs,go,python} rm -rf bin/* rm -rf .make/* + rm -rf "$(GEN_PULUMI_CONVERT_EXAMPLES_CACHE_DIR)" if dotnet nuget list source | grep "$(WORKING_DIR)/nuget"; then \ dotnet nuget remove source "$(WORKING_DIR)/nuget" \ ; fi @@ -192,7 +209,7 @@ install_go_sdk: install_java_sdk: install_nodejs_sdk: .make/install_nodejs_sdk .make/install_nodejs_sdk: .make/build_nodejs - pnpm link --global $(WORKING_DIR)/sdk/nodejs/bin + yarn link --cwd $(WORKING_DIR)/sdk/nodejs/bin @touch $@ install_python_sdk: .PHONY: install_dotnet_sdk install_go_sdk install_java_sdk install_nodejs_sdk install_python_sdk 
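Review bot: In `.make/build_nodejs`, `yarn install` runs without a lockfile guard, so a build can resolve dependency versions that differ from the committed `yarn.lock` and then copy the rewritten lockfile into `./bin/`. The `pnpm install` it replaces refuses to change the lockfile when it detects a CI environment; Yarn does not do that by default. Use `yarn install --frozen-lockfile` (Yarn 1; `--immutable` on Yarn 2 and later) so the packaged SDK is built from exactly the reviewed dependency set. The change from `../../LICENSE*` to `../../LICENSE` also makes `cp` fail if the licence file carries an extension, which is worth checking against the repository root.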
@@ -235,12 +252,12 @@ schema: .make/schema # This does actually have dependencies, but we're keeping it around for backwards compatibility for now tfgen_no_deps: .make/schema .make/schema: export PULUMI_HOME := $(WORKING_DIR)/.pulumi -.make/schema: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) .make/schema: export PULUMI_CONVERT := $(PULUMI_CONVERT) .make/schema: export PULUMI_CONVERT_EXAMPLES_CACHE_DIR := $(WORKING_DIR)/.pulumi/examples-cache .make/schema: export PULUMI_DISABLE_AUTOMATIC_PLUGIN_ACQUISITION := $(PULUMI_CONVERT) .make/schema: export PULUMI_MISSING_DOCS_ERROR := $(PULUMI_MISSING_DOCS_ERROR) -.make/schema: bin/$(CODEGEN) .make/install_plugins .make/upstream +.make/schema: bin/$(CODEGEN) .make/mise_install .make/upstream +.make/schema: | mise_env $(WORKING_DIR)/bin/$(CODEGEN) schema --out provider/cmd/$(PROVIDER) (cd provider && VERSION=$(PROVIDER_VERSION) go generate cmd/$(PROVIDER)/main.go) @touch $@ @@ -257,13 +274,6 @@ upstream: .make/upstream @touch $@ .PHONY: upstream -bin/pulumi-java-gen: PULUMI_JAVA_VERSION := $(shell cat .pulumi-java-gen.version) -bin/pulumi-java-gen: PLAT := $(shell go version | sed -En "s/go version go.* (.*)\/(.*)/\1-\2/p") -bin/pulumi-java-gen: PULUMI_JAVA_URL := "https://github.com/pulumi/pulumi-java/releases/download/v$(PULUMI_JAVA_VERSION)/pulumi-language-java-v$(PULUMI_JAVA_VERSION)-$(PLAT).tar.gz" -bin/pulumi-java-gen: - wget -q -O - "$(PULUMI_JAVA_URL)" | tar -xzf - -C $(WORKING_DIR)/bin pulumi-java-gen - @touch bin/pulumi-language-java - # To make an immediately observable change to .ci-mgmt.yaml: # # - Edit .ci-mgmt.yaml @@ -278,7 +288,6 @@ debug_tfgen: dlv --listen=:2345 --headless=true --api-version=2 exec $(WORKING_DIR)/bin/$(CODEGEN) -- schema --out provider/cmd/$(PROVIDER) .PHONY: debug_tfgen -include scripts/plugins.mk include scripts/crossbuild.mk # Permit providers to extend the Makefile with provider-specific Make includes. diff --git a/mise.toml b/mise.toml new file mode 100644 index 0000000..d035d09 
--- /dev/null +++ b/mise.toml @@ -0,0 +1,3 @@ +# Overwrites mise configuration at .config/mise.toml +[tools] +pulumictl = "v0.0.48" \ No newline at end of file diff --git a/scripts/crossbuild.mk b/scripts/crossbuild.mk index bdde184..4c7562e 100644 --- a/scripts/crossbuild.mk +++ b/scripts/crossbuild.mk @@ -19,6 +19,8 @@ bin/darwin-arm64/$(PROVIDER): GOOS := darwin bin/darwin-arm64/$(PROVIDER): GOARCH := arm64 bin/windows-amd64/$(PROVIDER).exe: GOOS := windows bin/windows-amd64/$(PROVIDER).exe: GOARCH := amd64 +bin/windows-arm64/$(PROVIDER).exe: GOOS := windows +bin/windows-arm64/$(PROVIDER).exe: GOARCH := arm64 bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar $(call build_provider_cmd,$(GOOS),$(GOARCH),$(WORKING_DIR)/$@) @@ -26,7 +28,7 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar @# Test variables set by joining with | between and looking for || showing at least one variable is empty. @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails. @set -e; \ - if [[ "${GOOS}-${GOARCH}" = "windows-amd64" && "${SKIP_SIGNING}" != "true" ]]; then \ + if [[ "${GOOS}" = "windows" && "${SKIP_SIGNING}" != "true" ]]; then \ if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \ echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \ echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \ 
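Review bot: In the signing recipe, `${AZURE_SIGNING_CLIENT_SECRET}` inside the `"|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|…|"` test is expanded by make, not by the shell, so the secret's value is pasted into the script text that make hands to the shell. The `@` prefix hides it from normal output, but it is still in the shell's argument list on the runner and is printed by `make -n` or `--trace`. Now that the condition is `"${GOOS}" = "windows"`, this path runs for every Windows target; writing the references as `$${AZURE_SIGNING_CLIENT_SECRET}` (and likewise for the other three) lets the shell read them from its environment, provided they reach make through the environment as CI secrets normally do. The recipe continues past the end of the hunk, so any later use of these variables needs the same treatment.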
@@ -58,13 +60,15 @@ provider-linux-arm64: bin/linux-arm64/$(PROVIDER) provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER) provider-darwin-arm64: bin/darwin-arm64/$(PROVIDER) provider-windows-amd64: bin/windows-amd64/$(PROVIDER).exe -.PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64 +provider-windows-arm64: bin/windows-arm64/$(PROVIDER).exe +.PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64 provider-windows-arm64 bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz: bin/linux-amd64/$(PROVIDER) bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz: bin/linux-arm64/$(PROVIDER) bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz: bin/darwin-amd64/$(PROVIDER) bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz: bin/darwin-arm64/$(PROVIDER) bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz: bin/windows-amd64/$(PROVIDER).exe +bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-arm64.tar.gz: bin/windows-arm64/$(PROVIDER).exe bin/$(PROVIDER)-v$(PROVIDER_VERSION)-%.tar.gz: @mkdir -p dist @# $< is the last dependency (the binary path from above) e.g. bin/linux-amd64/pulumi-resource-xyz @@ -76,5 +80,6 @@ provider_dist-linux-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar. provider_dist-darwin-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz provider_dist-darwin-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz provider_dist-windows-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz +provider_dist-windows-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-arm64.tar.gz provider_dist: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64 .PHONY: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64 provider_dist 
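Review bot: The new `provider_dist-windows-arm64` target is not added to the `provider_dist` aggregate or to the `.PHONY` list on the last two lines of this hunk, both of which still end at `provider_dist-windows-amd64`. As written, `make provider_dist` does not build the Windows arm64 archive, and a stray file named `provider_dist-windows-arm64` would shadow the target. If leaving it out of the aggregate is deliberate, add a comment saying so; otherwise append `provider_dist-windows-arm64` to both lines, as the previous hunk does for `provider-windows-arm64` in its `.PHONY` list.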
diff --git a/scripts/get-versions.sh b/scripts/get-versions.sh new file mode 100755 index 0000000..bc92573 --- /dev/null +++ b/scripts/get-versions.sh @@ -0,0 +1,55 @@ +#!/usr/bin/env bash +set -euo pipefail + +# This script can be simplified to use go when https://github.com/jdx/mise/discussions/6374 is fixed +# e.g. go list -m -f '{{.GoVersion}}' + +module_path="github.com/pulumi/pulumi/pkg/v3" +go_mod_path="provider" +gomod="go.mod" + +if [[ "$go_mod_path" != "" && "$go_mod_path" != "." ]]; then + gomod="$go_mod_path/$gomod" +fi + +if [[ ! -f "$gomod" ]]; then + echo "missing $gomod" >&2 + exit 1 +fi + +raw_version=$(awk -v module="$module_path" ' + $1 == module || $2 == module { + for (i = 1; i <= NF; i++) { + if ($i ~ /^v[0-9]/) { + sub(/^v/, "", $i) + print $i + exit + } + } + } +' "$gomod") + +if [[ -z "${raw_version:-}" ]]; then + echo "failed to determine Pulumi version from $gomod" >&2 + exit 1 +fi + +echo "PULUMI_VERSION_MISE=$raw_version" +export PULUMI_VERSION_MISE=$raw_version + +# Prefer the toolchain directive if present, otherwise fall back to the `go` version line +go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod") + +if [[ -n "${go_toolchain:-}" ]]; then + go_version=${go_toolchain#go} +else + go_version=$(awk '/^go[[:space:]]+[0-9]/{ print $2; exit }' "$gomod") +fi + +if [[ -z "${go_version:-}" ]]; then + echo "failed to determine Go version from $gomod" >&2 + exit 1 +fi + +echo "GO_VERSION_MISE=$go_version" +export GO_VERSION_MISE=$go_version diff --git a/scripts/plugins.mk b/scripts/plugins.mk deleted file mode 100644 index 64a0222..0000000 --- a/scripts/plugins.mk +++ /dev/null 
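Review bot: `raw_version` and `go_version` are read from `go.mod` and printed as `NAME=value` lines with no check on their shape; the awk filters only require a leading `v` plus digit, or a leading digit. How the output is consumed is not visible here, but if it is sourced or evaluated, a `go.mod` edited in a pull request could carry shell syntax into the value. Validate before printing, for example `[[ "$raw_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]+)?$ ]] || { echo "unexpected Pulumi version in $gomod" >&2; exit 1; }`, with a matching check for `go_version`. The two `export` lines have no effect on the caller unless the script is sourced, in which case `set -euo pipefail` and `exit 1` would also act on the sourcing shell, so a header comment stating which mode is intended would help.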
@@ -1,27 +0,0 @@ -# Install Pulumi and plugins required at build time. -install_plugins: .make/install_plugins -.make/install_plugins: export PULUMI_HOME := $(WORKING_DIR)/.pulumi -.make/install_plugins: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/install_plugins: .pulumi/bin/pulumi - .pulumi/bin/pulumi plugin install converter terraform 1.0.16 - @touch $@ -.PHONY: install_plugins - -# Because some codegen depends on the version of the CLI used, we install a local CLI -# version pinned to the same version as the provider `go.mod`. -# -# This logic compares the version of .pulumi/bin/pulumi already installed. If it matches -# the desired version, we just print. Otherwise we (re)install pulumi at the desired -# version. -.pulumi/bin/pulumi: .pulumi/version - @if [ -x .pulumi/bin/pulumi ] && [ "v$$(cat .pulumi/version)" = "$$(.pulumi/bin/pulumi version)" ]; then \ - echo "pulumi/bin/pulumi version: v$$(cat .pulumi/version)"; \ - touch $@; \ - else \ - curl -fsSL https://get.pulumi.com | \ - HOME=$(WORKING_DIR) sh -s -- --version "$$(cat .pulumi/version)"; \ - fi - -# Compute the version of Pulumi to use by inspecting the Go dependencies of the provider. -.pulumi/version: provider/go.mod - (cd provider && go list -f "{{slice .Version 1}}" -m github.com/pulumi/pulumi/pkg/v3) | tee $@