chore: make ci-mgmt

2025-12-06 01:43:51 -05:00
parent ef3fde0b79
commit 4f829f9e0a
34 changed files with 623 additions and 467 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,6 +7,9 @@ on:
      version:
        required: true
        type: string
+      setLatestRelease:
+        required: true
+        type: boolean
      isPrerelease:
        required: true
        type: boolean
@@ -21,21 +24,17 @@ on:

 env:
  IS_PRERELEASE: ${{ inputs.isPrerelease }}
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
-  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-  PYPI_USERNAME: __token__
-  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
-  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
-  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
  TF_APPEND_USER_AGENT: pulumi

 jobs:
@@ -50,25 +49,31 @@ jobs:
      if: inputs.skipGoSdk && inputs.isPrerelease == false
      run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
-        persist-credentials: false
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
+        persist-credentials: false    
+    - id: esc-secrets
+      name: Map environment to ESC outputs
+      uses: ./.github/actions/esc-action
+    - name: Setup mise
+      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
+      env:
+        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        tools: pulumictl, pulumicli, go, schema-tools
-        cache-go: false
+        version: 2025.11.6
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        cache_save: false
    - name: Create dist directory
      run: mkdir -p dist
    - name: Download provider assets
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        pattern: pulumi-resource-incus-v${{ inputs.version }}-*
        path: dist
        # Don't create a directory for each artifact
        merge-multiple: true
    - name: Download schema
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        # Use a pattern to avoid failing if the artifact doesn't exist
        pattern: schema-embed.*
@@ -83,22 +88,24 @@ jobs:
      shell: bash
      run: |
        # Get latest stable release. Return only first column from result (tag).
-        LAST_VERSION=$(gh release view --repo brandonkal/pulumi-incus --json tagName -q .tagName || echo "No stable release" )
+        LAST_VERSION=$(gh release view --repo kiterun/pulumi-incus --json tagName -q .tagName || echo "No stable release" )
        {
          echo 'summary<<EOF'
          if [[ "$LAST_VERSION" != "No stable release" ]]; then
-            schema-tools compare --provider="incus" --old-commit="$LAST_VERSION" --repository="github://api.github.com/brandonkal" --new-commit="--local-path=provider/cmd/pulumi-resource-incus/schema.json"
+            schema-tools compare --provider="incus" --old-commit="$LAST_VERSION" --repository="github://api.github.com/kiterun" --new-commit="--local-path=provider/cmd/pulumi-resource-incus/schema.json"
          fi
          echo 'EOF'
        } >> "$GITHUB_OUTPUT"
    - name: Create GH Release
-      uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
      if: inputs.isPrerelease == false
      with:
        tag_name: v${{ inputs.version }}
        prerelease: ${{ inputs.isPrerelease }}
        # We keep pre-releases as drafts so they're not visible until we manually publish them.
        draft: ${{ inputs.isPrerelease }}
+        # Explicitly set make_latest to account for backported releases
+        make_latest: ${{ inputs.setLatestRelease }}
        body: ${{ steps.schema-summary.outputs.summary }}
        generate_release_notes: true
        files: dist/*
@@ -113,27 +120,58 @@ jobs:
      python_version: ${{ steps.python_version.outputs.version }}
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
        # Persist credentials so we can push back to the repo
-        persist-credentials: true
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
+        persist-credentials: true    
+    - id: esc-secrets
+      name: Map environment to ESC outputs
+      uses: ./.github/actions/esc-action
+    - name: Setup mise
+      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
+      env:
+        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        tools: pulumictl, pulumicli, dotnet, go, nodejs, python
-        cache-go: false
+        version: 2025.11.6
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        # only saving the cache in the prerequisites job
+        cache_save: false
+    - name: Setup Node
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
+      with:
+        # we don't set node-version because we install with mise.
+        # this step is needed to setup npm auth
+        registry-url: https://registry.npmjs.org
    - name: Publish SDKs
      if: inputs.skipJavaSdk == false
-      uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
+      uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23
      with:
        sdk: all,!java
        version: ${{ inputs.version }}
+      env:
+        PYPI_USERNAME: __token__
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
    - name: Publish SDKs (except Java)
      if: inputs.skipJavaSdk == true
-      uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
+      uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23
      with:
        sdk: all,!java,!java
        version: ${{ inputs.version }}
+      env:
+        PYPI_USERNAME: __token__
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
    - name: Download Go SDK
      uses: ./.github/actions/download-sdk
      with:
@@ -169,9 +207,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
-        persist-credentials: false
+        persist-credentials: false    
+    - id: esc-secrets
+      name: Map environment to ESC outputs
+      uses: ./.github/actions/esc-action
    - name: Clean up release labels
      uses: pulumi/action-release-by-pr-label@main
      with: