chore: make ci-mgmt

2025-12-06 01:43:51 -05:00
parent ef3fde0b79
commit 4f829f9e0a
34 changed files with 623 additions and 467 deletions


@@ -1,53 +1,31 @@
# REQUIRED: provider is the name of the provider without the pulumi-prefix e.g. "aws".
provider: incus
# The name of the GitHub organization or username the repository lives in. Defaults to 'pulumi'
organization: brandonkal
organization: kiterun
# The external template only includes workflows relevant for non-Pulumi managed providers.
template: external-bridged-provider
# The name of the GitHub organisation or username where the upstream terraform provider lives.
upstreamProviderOrg: pulumi
upstreamProviderOrg: lxc
# major version of the current provider - used in make files
# This should always be set by all providers as this is key to go module paths.
major-version: 1
# Enable using the terraform converter for example generation.
pulumiConvert: 1
# Set a GitHub username here for automatic upgrade PRs to be assigned to.
# pr-assign: pulumi-bot
# List of pulumi plugins to install in the "install_plugins" makefile target. Will include at least the terraform plugin
# Should be set for all bridged providers
plugins:
- name: terraform
version: "1.0.16"
kind: converter
# providerDefaultBranch is used to customise the default branch for the repo
providerDefaultBranch: main
# Explicit list of languages to support for SDKs. Java is currently excluded because it doesn't yet work well for non-internal providers.
languages:
- go
- nodejs
# Disable Java publishing and pushing the provider binary to the CDN as these only work internally within Pulumi.
publish:
sdk: "all,!java"
cdn: false
# Enables automatic generation of basic docs pages for the registry.
# registryDocs: true
# Disables a pulumi-internal-only step for running create_docs_build during the release
publishRegistry: false
# For additional options, please refer to the defaults set in ci-mgmt:
# https://github.com/pulumi/ci-mgmt/blob/master/provider-ci/internal/pkg/templates/defaults.config.yaml
toolVersions:
pulumictl: "v0.0.48"

11
.config/mise.test.toml Normal file

@@ -0,0 +1,11 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
# Overrides for test workflows
[env]
# Acceptance (specifically providertest) tests require that PULUMI_HOME be the default
PULUMI_HOME = "{{ env.HOME }}/.pulumi"
[tools]
# always use pulumi latest for tests
pulumi = "latest"

33
.config/mise.toml Normal file

@@ -0,0 +1,33 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
# You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
[env]
_.source = "{{config_root}}/scripts/get-versions.sh"
PULUMI_HOME = "{{config_root}}/.pulumi"
[tools]
# Runtimes
# TODO: we may not need 'get_env' once https://github.com/jdx/mise/discussions/6339 is fixed
go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}"
node = '20.19.5'
python = '3.11.8'
dotnet = '8.0.414'
# Corretto version used as Java SE/OpenJDK version no longer offered
java = 'corretto-11'
# Executable tools
pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
"github:pulumi/pulumictl" = '0.0.50'
"github:pulumi/schema-tools" = "0.6.0"
"aqua:gradle/gradle-distributions" = '7.6.6'
golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
"npm:yarn" = "1.22.22"
"vfox-pulumi:pulumi/pulumi-converter-terraform" = "1.0.16"
[settings]
experimental = true # Required for Go binaries (e.g. pulumictl).
lockfile = false
[plugins]
vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"
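Review bot: The toolchain this file installs is not reproducible: `lockfile = false` under `[settings]` turns off mise's lock file, `go` and `pulumi` fall back to `default='latest'` whenever `GO_VERSION_MISE` / `PULUMI_VERSION_MISE` are unset, and the `vfox-pulumi` plugin is fetched from a bare repository URL with no ref. The workflows in this commit run these tools in jobs that are handed tokens and signing credentials, so a changed upstream release would be picked up without review. Because the file is autogenerated, the place to tighten this is the root-level `mise.toml` override its header mentions, or the ci-mgmt template: set `lockfile = true` and commit the resulting lock file, and give the two `get_env` defaults explicit versions.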


@@ -1,4 +1,4 @@
FROM jetpackio/devbox:latest
FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7
# Installing your devbox project
WORKDIR /code


@@ -5,7 +5,7 @@ runs:
using: "composite"
steps:
- name: Download the prerequisites bin
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: prerequisites-bin
path: bin
@@ -19,7 +19,7 @@ runs:
run: rm bin/executables.txt
- name: Download schema-embed.json
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
# Use a pattern to avoid failing if the artifact doesn't exist
pattern: schema-embed.*


@@ -6,7 +6,7 @@ runs:
steps:
- name: Download pulumi-resource-incus
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
pattern: pulumi-resource-incus-*-linux-amd64.tar.gz
path: ${{ github.workspace }}/bin


@@ -10,7 +10,7 @@ runs:
using: "composite"
steps:
- name: Download ${{ inputs.language }} SDK
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
name: ${{ inputs.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/

12
.github/actions/esc-action/action.yaml vendored Normal file

@@ -0,0 +1,12 @@
name: "Load secrets"
description: |
This is a temporary action which assists with our migration to ESC. Instead
of surrounding every step that references secrets with an "if ESC" block, we
instead modify those steps to consume their secrets from this step's outputs.
Then, later, we can replace this action with esc-action to actually load
secrets from ESC.
inputs: {}
outputs: {}
runs:
using: "node20"
main: "index.js"

14
.github/actions/esc-action/index.js vendored Normal file

@@ -0,0 +1,14 @@
const fs = require("fs");
const file = process.env["GITHUB_OUTPUT"];
var stream = fs.createWriteStream(file, { flags: "a" });
for (const [name, value] of Object.entries(process.env)) {
try {
stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
} catch (err) {
console.log(`error: failed to set output for ${name}: ${err.message}`);
}
}
stream.end();
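Review bot: The multiline-output delimiter on the `stream.write` line is the fixed string `EEEOOOFFF`, so any environment value that contains that line closes its own block early and the rest of the value is parsed as further `name<<…` outputs. The "Check Schema is Valid" step elsewhere in this commit already generates a random delimiter, and the same is needed here, e.g. `const delim = "ghadelimiter_" + require("crypto").randomUUID();` followed by `stream.write(name + "<<" + delim + "\n" + value + "\n" + delim + "\n")`. The loop also republishes every variable in `process.env` as a step output rather than only the names the workflows read from `steps.esc-secrets.outputs`, so an explicit allowlist of those names would keep unrelated runner variables out of the outputs. The `try`/`catch` will not see write failures, since a stream reports them through its `error` event.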


@@ -1,91 +0,0 @@
name: Setup tools
description: Installs Go, Pulumi, pulumictl, schema-tools, Node.JS, Python, dotnet and Java.
inputs:
tools:
description: |
Comma separated list of tools to install. The default of "all" installs all tools. Available tools are:
go
pulumicli
pulumictl
schema-tools
nodejs
python
dotnet
java
default: all
cache-go:
description: |
Whether to enable the GitHub cache for Go. Appropriate for disabling in
smaller jobs that typically completely before the "real" job has an
opportunity to populate the cache.
default: "true"
runs:
using: "composite"
steps:
- name: Install Go
if: inputs.tools == 'all' || contains(inputs.tools, 'go')
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
with:
go-version: "1.21.x"
cache-dependency-path: |
provider/*.sum
upstream/*.sum
sdk/go/*.sum
sdk/*.sum
*.sum
# TODO(https://github.com/actions/setup-go/issues/316): Restore but don't save the cache.
cache: ${{ inputs.cache-go }}
- name: Install pulumictl
if: inputs.tools == 'all' || contains(inputs.tools, 'pulumictl')
uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
with:
tag: v0.0.48
repo: pulumi/pulumictl
- name: Install Pulumi CLI
if: inputs.tools == 'all' || contains(inputs.tools, 'pulumicli')
uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6
with:
pulumi-version: "dev"
- name: Install Schema Tools
if: inputs.tools == 'all' || contains(inputs.tools, 'schema-tools')
uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
with:
repo: pulumi/schema-tools
- name: Setup Node
if: inputs.tools == 'all' || contains(inputs.tools, 'nodejs')
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20.x
registry-url: https://registry.npmjs.org
- name: Setup DotNet
if: inputs.tools == 'all' || contains(inputs.tools, 'dotnet')
uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
dotnet-version: 8.0.x
- name: Setup Python
if: inputs.tools == 'all' || contains(inputs.tools, 'python')
uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
with:
python-version: 3.11.8
- name: Setup Java
if: inputs.tools == 'all' || contains(inputs.tools, 'java')
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
with:
cache: gradle
distribution: temurin
java-version: 11
- name: Setup Gradle
if: inputs.tools == 'all' || contains(inputs.tools, 'java')
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3
with:
gradle-version: 7.6


@@ -9,14 +9,14 @@ runs:
run: find bin -type f -executable > bin/executables.txt
- name: Upload prerequisites bin
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: prerequisites-bin
path: bin/*
retention-days: 30
- name: Upload schema-embed.json
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: schema-embed.json
path: provider/cmd/pulumi-resource-incus/schema-embed.json


@@ -13,7 +13,7 @@ runs:
shell: bash
run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} .
- name: Upload artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: ${{ inputs.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/${{ inputs.language }}.tar.gz


@@ -19,7 +19,8 @@ on:
{"os": "linux", "arch": "arm64"},
{"os": "darwin", "arch": "amd64"},
{"os": "darwin", "arch": "arm64"},
{"os": "windows", "arch": "amd64"}
{"os": "windows", "arch": "amd64"},
{"os": "windows", "arch": "arm64"}
]
}
@@ -33,22 +34,31 @@ jobs:
strategy:
fail-fast: true
matrix: ${{ fromJSON(inputs.matrix) }}
permissions:
contents: read
id-token: write # For ESC secrets.
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
# Without ldid cross-compiling Node binaries on a Linux worker intended to work on darwin-arm64 fails to sign the
# binaries properly and they do not work as expected. See https://github.com/pulumi/pulumi-awsx/issues/1490
- uses: MOZGIII/install-ldid-action@v1
- uses: MOZGIII/install-ldid-action@d5ab465f3a66a4d60a59882b935eb30e18e8d043 # v1
with:
tag: v2.1.5-procursus2
- name: Setup tools
uses: ./.github/actions/setup-tools
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: pulumictl, go
# use per-platform/arch caches instead since we are doing cross-builds
cache-go: false
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: false
# Based on https://github.com/actions/cache/blob/main/examples.md#go---modules
- name: Get GOCACHE
id: gocache
@@ -61,7 +71,7 @@ jobs:
run: |
echo "path=$(go env GOMODCACHE)" >> "${GITHUB_OUTPUT}"
- name: Go Cache
uses: actions/cache@v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
${{ steps.gocache.outputs.path }}
@@ -71,6 +81,8 @@ jobs:
go-provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}-
- name: Prepare local workspace before restoring previously built
run: make prepare_local_workspace
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Restore prerequisites
uses: ./.github/actions/download-prerequisites
- name: Restore makefile progress
@@ -80,17 +92,17 @@ jobs:
- name: Build provider
run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
- name: Package provider
run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
- name: Upload artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: pulumi-resource-incus-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
path: bin/pulumi-resource-incus-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
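Review bot: The new `SKIP_SIGNING` expression is only half migrated: its first operand tests `steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID` while the other three still test `secrets.AZURE_SIGNING_*`, although all four signing variables above it now come from the `esc-secrets` step. If the two sources disagree (for example the step outputs are empty because those names are not in the job's environment, while the repository secrets are set), `SKIP_SIGNING` evaluates to false and signing is attempted with blank credentials. Use one source for all four operands, e.g. `steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == ''` and likewise for `AZURE_SIGNING_TENANT_ID` and `AZURE_SIGNING_KEY_VAULT_URI`. The workflow-level `env:` lies outside these hunks, so what the `esc-secrets` step actually receives cannot be confirmed from here.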


@@ -10,21 +10,11 @@ on:
type: string
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
PROVIDER_VERSION: ${{ inputs.version }}
@@ -38,27 +28,48 @@ jobs:
fail-fast: ${{ ! contains(github.actor, 'renovate') }}
matrix:
language:
- dotnet
- go
- nodejs
- python
permissions:
contents: write # For Renovate SDKs.
id-token: write # For ESC secrets.
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Cache examples generation
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
.pulumi/examples-cache
key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }}
- name: Setup tools
uses: ./.github/actions/setup-tools
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: pulumictl, pulumicli, ${{ matrix.language }}
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: false
- name: Setup Go Cache
if: matrix.language == 'go' || contains(matrix.language, 'go')
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
with:
cache-dependency-path: |
provider/*.sum
upstream/*.sum
sdk/go/*.sum
sdk/*.sum
*.sum
- name: Prepare local workspace
run: make prepare_local_workspace
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Download prerequisites
uses: ./.github/actions/download-prerequisites
- name: Update path
@@ -67,6 +78,7 @@ jobs:
run: make --touch provider schema
- name: Build SDK
run: make build_${{ matrix.language }}
- name: Check worktree clean
id: worktreeClean
uses: pulumi/git-status-check-action@v1
@@ -78,6 +90,7 @@ jobs:
sdk/go/**/pulumiUtilities.go
sdk/nodejs/package.json
sdk/python/pyproject.toml
sdk/java/build.gradle
- name: Commit ${{ matrix.language }} SDK changes for Renovate
# If the worktree is dirty and this is a Renovate PR to bump
# dependencies, commit the updated SDK and push it back to the PR. The
@@ -111,7 +124,7 @@ jobs:
# Push with pulumi-bot credentials to trigger a re-run of the
# workflow. https://github.com/orgs/community/discussions/25702
git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
"HEAD:$HEAD_REF"
env:
# head_ref is untrusted so it's recommended to pass via env var to
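Review bot: The `git push` line expands `${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}` directly into the script text and the remote URL, while the comment just below it recommends passing the untrusted `head_ref` through an env var; the token deserves the same treatment so it is never part of the rendered script. Add `PULUMI_BOT_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}` under this step's `env:` and use `"https://pulumi-bot:${PULUMI_BOT_TOKEN}@github.com/..."` in the command. No `PULUMI_BOT_TOKEN` entry is visible in the workflow-level `env:` block of this section, and the local `esc-action` only copies environment variables to outputs, so this output may well be empty; that would also leave `github_token` on the "Setup mise" step blank. The step's `run:` and `env:` blocks start and end outside the hunk.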


@@ -7,39 +7,42 @@ on:
inputs: {}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
jobs:
license_check:
name: License Check
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
id-token: write # For ESC secrets.
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: go
cache-go: false
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: false
- run: make prepare_local_workspace
continue-on-error: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: pulumi/license-check-action@main
with:
module-path: provider
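Review bot: `pulumi/license-check-action@main` tracks a moving branch in a job that now carries `id-token: write` and `pull-requests: write`, so whatever lands on that branch runs with the ability to request an OIDC token for this repository. Pin it to a full commit SHA with a version comment, as the other `uses:` lines touched by this commit do. The same applies to `pulumi/action-release-by-pr-label@main` in the "Tag release if labeled as needs-release" job and to `pulumi/git-status-check-action@v1` in the SDK build job, both of which also declare `id-token: write`. While `esc-action` is still the local stub that only copies environment variables, `id-token: write` is not exercised and could be withheld from these jobs until the real action is wired in.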


@@ -7,39 +7,37 @@ on:
inputs: {}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
jobs:
lint:
name: lint
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
id-token: write # For ESC secrets.
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- name: Install go
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
# The versions of golangci-lint and setup-go here cross-depend and need to update together.
go-version: 1.23
# Either this action or golangci-lint needs to disable the cache
cache: false
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
cache_save: false # A different job handles caching our tools.
- name: disarm go:embed directives to enable lint
continue-on-error: true # this fails if there are no go:embed directives
run: |
@@ -47,8 +45,10 @@ jobs:
- name: prepare workspace
continue-on-error: true
run: make prepare_local_workspace
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: golangci-lint
uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: v1.64.6
install-mode: none # Handled by mise.
working-directory: provider


@@ -1,24 +1,19 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
jobs:
prerequisites:
permissions:
contents: read
pull-requests: write
id-token: write # For ESC secrets.
uses: ./.github/workflows/prerequisites.yml
secrets: inherit
with:
@@ -30,6 +25,9 @@ jobs:
uses: ./.github/workflows/build_provider.yml
needs: prerequisites
secrets: inherit
permissions:
contents: read
id-token: write # For ESC secrets.
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -38,6 +36,9 @@ jobs:
needs: prerequisites
uses: ./.github/workflows/build_sdk.yml
secrets: inherit
permissions:
contents: write # For Renovate SDKs.
id-token: write # For ESC secrets.
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -46,6 +47,9 @@ jobs:
needs: prerequisites
uses: ./.github/workflows/main-post-build.yml
secrets: inherit
permissions:
contents: write # For Renovate SDKs.
id-token: write # For ESC secrets.
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -73,6 +77,7 @@ jobs:
with:
version: ${{ needs.prerequisites.outputs.version }}
isPrerelease: true
setLatestRelease: false
skipGoSdk: true
skipJavaSdk: true
@@ -80,7 +85,17 @@ jobs:
name: Tag release if labeled as needs-release
needs: publish
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # For ESC secrets.
steps:
- name: Checkout Repo
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: check if this commit needs release
if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
uses: pulumi/action-release-by-pr-label@main
@@ -88,10 +103,10 @@ jobs:
command: "release-if-needed"
repo: ${{ github.repository }}
commit: ${{ github.sha }}
slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }}
slack_channel: C02MGR8JVST
env:
RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
test:


@@ -2,24 +2,18 @@
env:
IS_PRERELEASE: true
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
jobs:
prerequisites:
permissions:
contents: read
pull-requests: write
uses: ./.github/workflows/prerequisites.yml
secrets: inherit
with:
@@ -66,6 +60,7 @@ jobs:
with:
version: ${{ needs.prerequisites.outputs.version }}
isPrerelease: true
setLatestRelease: false
test:
uses: ./.github/workflows/test.yml
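Review bot: The `prerequisites` caller job in this section lists only `contents: read` and `pull-requests: write`, whereas the `prerequisites` job in the called workflow now declares `id-token: write` and the equivalent caller in the main workflow was given that permission. A reusable workflow cannot request more than its caller grants, so this run is likely to be rejected at start-up, assuming the called file is the one shown later in this commit. Add `id-token: write # For ESC secrets.` to this `permissions:` block, or drop the permission from the called job if OIDC is not used yet. The other caller jobs of this workflow lie outside the visible hunks and may need the same change.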


@@ -20,68 +20,83 @@ on:
value: ${{ jobs.prerequisites.outputs.version }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
jobs:
prerequisites:
name: prerequisites
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
id-token: write # For ESC secrets.
outputs:
version: ${{ steps.provider-version.outputs.version }}
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
id: provider-version
with:
major-version: 1
set-env: 'PROVIDER_VERSION'
- name: Cache examples generation
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
.pulumi/examples-cache
key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }}
- name: Setup tools
uses: ./.github/actions/setup-tools
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: go, pulumictl, pulumicli, schema-tools
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: true
- name: Setup Go Cache
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
with:
cache-dependency-path: |
provider/*.sum
upstream/*.sum
sdk/go/*.sum
sdk/*.sum
*.sum
- name: Prepare local workspace before restoring previously built files
run: make prepare_local_workspace
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate schema
run: make schema
- name: Build provider binary
run: make provider
- name: Unit-test provider code
run: make test_provider
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
env:
CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
- if: inputs.is_pr
name: Check Schema is Valid
run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
{
echo "SCHEMA_CHANGES<<$EOF";
schema-tools compare -r github://api.github.com/brandonkal -p incus -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-incus/schema.json;
schema-tools compare -r github://api.github.com/kiterun -p incus -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-incus/schema.json;
echo "$EOF";
} >> "$GITHUB_ENV"
- if: inputs.is_pr && inputs.is_automated == false && github.actor != 'dependabot[bot]'


@@ -7,6 +7,9 @@ on:
version:
required: true
type: string
setLatestRelease:
required: true
type: boolean
isPrerelease:
required: true
type: boolean
@@ -21,21 +24,17 @@ on:
env:
IS_PRERELEASE: ${{ inputs.isPrerelease }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
TF_APPEND_USER_AGENT: pulumi
jobs:
@@ -50,25 +49,31 @@ jobs:
if: inputs.skipGoSdk && inputs.isPrerelease == false
run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: pulumictl, pulumicli, go, schema-tools
cache-go: false
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
cache_save: false
- name: Create dist directory
run: mkdir -p dist
- name: Download provider assets
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
pattern: pulumi-resource-incus-v${{ inputs.version }}-*
path: dist
# Don't create a directory for each artifact
merge-multiple: true
- name: Download schema
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
# Use a pattern to avoid failing if the artifact doesn't exist
pattern: schema-embed.*
@@ -83,22 +88,24 @@ jobs:
shell: bash
run: |
# Get latest stable release. Return only first column from result (tag).
LAST_VERSION=$(gh release view --repo brandonkal/pulumi-incus --json tagName -q .tagName || echo "No stable release" )
LAST_VERSION=$(gh release view --repo kiterun/pulumi-incus --json tagName -q .tagName || echo "No stable release" )
{
echo 'summary<<EOF'
if [[ "$LAST_VERSION" != "No stable release" ]]; then
schema-tools compare --provider="incus" --old-commit="$LAST_VERSION" --repository="github://api.github.com/brandonkal" --new-commit="--local-path=provider/cmd/pulumi-resource-incus/schema.json"
schema-tools compare --provider="incus" --old-commit="$LAST_VERSION" --repository="github://api.github.com/kiterun" --new-commit="--local-path=provider/cmd/pulumi-resource-incus/schema.json"
fi
echo 'EOF'
} >> "$GITHUB_OUTPUT"
- name: Create GH Release
uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
if: inputs.isPrerelease == false
with:
tag_name: v${{ inputs.version }}
prerelease: ${{ inputs.isPrerelease }}
# We keep pre-releases as drafts so they're not visible until we manually publish them.
draft: ${{ inputs.isPrerelease }}
# Explicitly set make_latest to account for backported releases
make_latest: ${{ inputs.setLatestRelease }}
body: ${{ steps.schema-summary.outputs.summary }}
generate_release_notes: true
files: dist/*
@@ -113,27 +120,58 @@ jobs:
python_version: ${{ steps.python_version.outputs.version }}
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
# Persist credentials so we can push back to the repo
persist-credentials: true
- name: Setup tools
uses: ./.github/actions/setup-tools
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: pulumictl, pulumicli, dotnet, go, nodejs, python
cache-go: false
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: false
- name: Setup Node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
with:
# we don't set node-version because we install with mise.
# this step is needed to setup npm auth
registry-url: https://registry.npmjs.org
- name: Publish SDKs
if: inputs.skipJavaSdk == false
uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23
with:
sdk: all,!java
version: ${{ inputs.version }}
env:
PYPI_USERNAME: __token__
PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
- name: Publish SDKs (except Java)
if: inputs.skipJavaSdk == true
uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23
with:
sdk: all,!java,!java
version: ${{ inputs.version }}
env:
PYPI_USERNAME: __token__
PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
- name: Download Go SDK
uses: ./.github/actions/download-sdk
with:
@@ -169,9 +207,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Clean up release labels
uses: pulumi/action-release-by-pr-label@main
with:


@@ -1,32 +1,25 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
name: Comment on community PRs
on:
pull_request_target: {}
jobs:
comment-on-pr:
if: github.event.pull_request.head.repo.full_name != github.repository
name: comment-on-pr
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Comment PR
uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
with:
@@ -35,6 +28,3 @@ jobs:
PR is now waiting for a maintainer to run the acceptance tests.
**Note for the maintainer:** To run the acceptance tests, please comment */run-acceptance-tests* on the PR
name: pull-request
on:
pull_request_target: {}
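Review bot: `PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}` sits in the workflow-level `env:` of a `pull_request_target` workflow that runs only for fork PRs, so every step, including the third-party comment action, receives a token it has no visible use for. The job only needs the `pull-requests: write` grant on `GITHUB_TOKEN`; I would drop the automation token from this file's `env:` and, where a step does need it, set it in that step's `env:`, as the upgrade workflows in this commit do for `GH_TOKEN`. The same workflow-level line appears in the env hunks of the release, acceptance-test, test and upgrade workflows further down. The file header says it is generated by ci-mgmt, so the change belongs in the template or `.ci-mgmt.yaml`. Which lines are on the new side is inferred, since the page lost its +/- markers.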


@@ -7,24 +7,19 @@ on:
- "!v*.*.*-**"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
jobs:
prerequisites:
permissions:
contents: read
pull-requests: write
id-token: write # For ESC secrets.
uses: ./.github/workflows/prerequisites.yml
secrets: inherit
with:
@@ -36,6 +31,9 @@ jobs:
uses: ./.github/workflows/build_provider.yml
needs: prerequisites
secrets: inherit
permissions:
contents: read
id-token: write # For ESC secrets.
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -44,6 +42,9 @@ jobs:
needs: prerequisites
uses: ./.github/workflows/build_sdk.yml
secrets: inherit
permissions:
contents: write # For Renovate SDKs.
id-token: write # For ESC secrets.
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -72,6 +73,8 @@ jobs:
with:
version: ${{ needs.prerequisites.outputs.version }}
isPrerelease: false
# Only tags on the default branch should set the release as `latest`; backported releases (tagged on a feature branch) should not.
setLatestRelease: ${{ github.event.base_ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
test:
uses: ./.github/workflows/test.yml


@@ -2,32 +2,36 @@
name: "Resync Build Workflows"
on:
schedule:
# 3 AM UTC ~ 8 PM PDT / 7 PM PST every Tuesday.
- cron: 0 3 * * TUE
workflow_dispatch:
permissions:
contents: write
pull-requests: write
env:
GITHUB_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
jobs:
upgrade_provider:
name: pull-workflow-changes
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v4
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
with:
# Persist credentials so pull-workflow-changes can push a new branch.
persist-credentials: true
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
version: 2025.11.6
github_token: ${{ secrets.GITHUB_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: false
- name: Regenerate the workflow files via https://github.com/pulumi/ci-mgmt
run: |
make ci-mgmt
- name: Create PR (no linked issue)
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
with:
author: pulumi-bot <bot@pulumi.com>
base: main
@@ -39,3 +43,5 @@ jobs:
labels: impact/no-changelog-required
title: Regenerate Github Actions workflows for pulumi-incus
token: ${{ env.GITHUB_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
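Review bot: `persist-credentials: true` on the checkout leaves a token carrying this workflow's `contents: write` and `pull-requests: write` grants in the workspace git config while `make ci-mgmt` runs. That undoes part of the benefit of what looks like a move of `GITHUB_TOKEN` from the workflow `env:` to the PR step. The `Create PR` step already passes `token: ${{ env.GITHUB_TOKEN }}`, so it is worth verifying whether the branch push still works with `persist-credentials: false`; if it does, the regeneration step runs with no write credential in reach. If the persisted credential is genuinely needed, the comment should name the step that pushes with it, since `pull-workflow-changes` is the job's display name rather than a visible step.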


@@ -12,21 +12,11 @@ on:
env:
PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
# This should cancel any previous runs of the same workflow on the same branch which are still running.
@@ -41,10 +31,11 @@ jobs:
permissions:
contents: read
pull-requests: write
id-token: write # For ESC secrets.
uses: ./.github/workflows/prerequisites.yml
secrets: inherit
with:
default_branch: ${{ github.event.repository.default_branch }}
default_branch: ${{ github.event.pull_request.base.ref }}
is_pr: ${{ github.event_name == 'pull_request' }}
is_automated: ${{ github.actor == 'dependabot[bot]' }}
@@ -52,6 +43,9 @@ jobs:
uses: ./.github/workflows/build_provider.yml
needs: prerequisites
secrets: inherit
permissions:
contents: read
id-token: write # For ESC secrets.
with:
version: ${{ needs.prerequisites.outputs.version }}
matrix: |
@@ -69,6 +63,9 @@ jobs:
needs: prerequisites
uses: ./.github/workflows/build_sdk.yml
secrets: inherit
permissions:
contents: write # For Renovate SDKs.
id-token: write # For ESC secrets.
with:
version: ${{ needs.prerequisites.outputs.version }}
@@ -79,11 +76,15 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- id: run-url
name: Create URL to the run output
run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
- name: Update with Result
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
with:
body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
@@ -108,7 +109,7 @@ jobs:
- lint
runs-on: ubuntu-latest
steps:
- uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
- uses: guibranco/github-status-action-v2@631f55ea0251f0fb284525ad86c30e9f7a8dd284 # v1.1.14
with:
authToken: ${{ secrets.GITHUB_TOKEN }}
# Write an explicit status check called "Sentinel" which will only pass if this code really runs.
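Review bot: `default_branch: ${{ github.event.pull_request.base.ref }}` is empty when the run is started by `repository_dispatch`, which this workflow appears to support, given that `PR_COMMIT_SHA` reads `github.event.client_payload.pull_request.head.sha`. Assuming that is the new value (the page prints both lines without markers), a fallback keeps dispatch-triggered runs working: `default_branch: ${{ github.event.pull_request.base.ref || github.event.client_payload.pull_request.base.ref || github.event.repository.default_branch }}`. What `prerequisites.yml` does with an empty `default_branch` is not visible here, so confirm against that workflow.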


@@ -12,21 +12,13 @@ on:
env:
PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
MISE_ENV: test
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
jobs:
@@ -39,24 +31,45 @@ jobs:
PROVIDER_VERSION: ${{ inputs.version }}
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
ref: ${{ env.PR_COMMIT_SHA }}
persist-credentials: false
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Checkout p/examples
if: matrix.testTarget == 'pulumiExamples'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
repository: pulumi/examples
path: p-examples
- name: Setup tools
uses: ./.github/actions/setup-tools
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_ENV: test
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: pulumictl, pulumicli, ${{ matrix.language }}
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# also save this cache since we are using a different mise env.
cache_save: true
- name: Prepare local workspace
run: make prepare_local_workspace
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Download bin
uses: ./.github/actions/download-provider
- name: Setup Go Cache
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
if: matrix.language == 'go' || contains(matrix.language, 'go')
with:
cache-dependency-path: |
provider/*.sum
upstream/*.sum
sdk/go/*.sum
sdk/*.sum
*.sum
- name: Download SDK
uses: ./.github/actions/download-sdk
with:
@@ -75,15 +88,17 @@ jobs:
- name: Run tests
if: matrix.testTarget == 'local'
run: cd examples && go test -v -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -skip TestPulumiExamples -parallel 4 .
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run pulumi/examples tests
if: matrix.testTarget == 'pulumiExamples'
run: cd examples && go test -v -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -run TestPulumiExamples -parallel 4 .
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
strategy:
fail-fast: false
matrix:
language:
- dotnet
- go
- nodejs
- python
testTarget: [local]
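Review bot: The `esc-secrets` step runs `uses: ./.github/actions/esc-action` after the checkout at `ref: ${{ env.PR_COMMIT_SHA }}`, so the action definition that fetches secrets is taken from the pull request's tree rather than from the base branch. A PR that edits that action directory would have its own version executed with whatever OIDC and secret access this job holds. I would resolve the secret-fetching action from a trusted ref: check out the base revision first, run `esc-action`, and only then check out `PR_COMMIT_SHA`, or reference the action by repository and pinned SHA. The job's `permissions:` block is outside the hunk, so the actual scope needs confirming there.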


@@ -49,29 +49,24 @@ on:
required: false
type: boolean
default: false
patch-release:
description: Whether to create a patch release
required: false
type: boolean
default: false
permissions:
contents: write
issues: write
pull-requests: write
id-token: write # For ESC secrets.
env:
GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
jobs:
@@ -80,16 +75,24 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: pulumictl, pulumicli, dotnet, go, nodejs, python
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: false
- name: Call upgrade provider action
if: github.event_name == 'workflow_dispatch'
uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18
with:
kind: ${{ inputs.kind }}
email: bot@pulumi.com
@@ -100,9 +103,12 @@ jobs:
pr-reviewers: ${{ inputs.pr-reviewers }}
pr-description: ${{ inputs.pr-description }}
pr-title-prefix: ${{ inputs.pr-title-prefix }}
patch-release: ${{ github.event.client_payload.patch-release }}
env:
GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
- name: Call upgrade provider action
if: github.event_name == 'repository_dispatch'
uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18
with:
kind: ${{ github.event.client_payload.kind || 'bridge' }}
email: bot@pulumi.com
@@ -113,3 +119,6 @@ jobs:
pr-reviewers: ${{ github.event.client_payload.pr-reviewers }}
pr-description: ${{ github.event.client_payload.pr-description }}
pr-title-prefix: ${{ github.event.client_payload.pr-title-prefix }}
patch-release: ${{ github.event.client_payload.patch-release }}
env:
GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
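Review bot: In the step guarded by `if: github.event_name == 'workflow_dispatch'`, the added key is `patch-release: ${{ github.event.client_payload.patch-release }}`, but `client_payload` is only populated for `repository_dispatch`. The `patch-release` input that appears to be newly declared under `on:` is therefore never passed to the action on manual runs. Every other `with:` key in that step reads `inputs.*`; this one should be `patch-release: ${{ inputs.patch-release }}`. The `repository_dispatch` step further down is right to keep `client_payload`.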


@@ -22,14 +22,19 @@ on:
# 3 AM UTC ~ 8 PM PDT / 7 PM PST daily. Time chosen to run during off hours.
- cron: 0 3 * * *
env:
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
PULUMI_PULUMI_ENABLE_JOURNALING: "true"
TF_APPEND_USER_AGENT: pulumi
permissions:
contents: write
issues: write
pull-requests: write
env:
GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
id-token: write # For ESC secrets.
jobs:
upgrade_provider:
@@ -37,14 +42,22 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
# Persist credentials so upgrade-provider can push a new branch.
persist-credentials: true
- name: Setup tools
uses: ./.github/actions/setup-tools
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
tools: pulumictl, pulumicli, dotnet, go, nodejs, python
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: false
- name: Install upgrade-provider
run: go install github.com/pulumi/upgrade-provider@${{ inputs.upgradeProviderVersion || 'main' }}
shell: bash
@@ -60,6 +73,7 @@ jobs:
run: upgrade-provider "$REPO" --kind=check-upstream-version
env:
REPO: ${{ github.repository }}
GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
shell: bash
- name: Calculate target version
id: target_version
@@ -71,7 +85,7 @@ jobs:
id: upgrade_provider
if: steps.target_version.outputs.version != ''
continue-on-error: true
uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18
with:
kind: provider
email: bot@pulumi.com
@@ -79,10 +93,14 @@ jobs:
automerge: true
target-version: ${{ steps.target_version.outputs.version }}
allow-missing-docs: true
env:
GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
- name: Comment on upgrade issue if automated PR failed
if: steps.upgrade_provider.outcome == 'failure'
shell: bash
run: |
issue_number=$(gh issue list --search "pulumiupgradeproviderissue" --repo "${{ github.repository }}" --json=number --jq=".[0].number")
gh issue comment "${issue_number}" --repo "${{ github.repository }}" --body "Failed to create automatic PR: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/"
env:
GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
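Review bot: With `id-token: write` added to the workflow-level `permissions:`, the step `go install github.com/pulumi/upgrade-provider@${{ inputs.upgradeProviderVersion || 'main' }}` and the binary it builds now run in a job that can request OIDC tokens for ESC, alongside `contents: write` and persisted checkout credentials. The actions in this job are pinned to commit SHAs, but this default follows a moving branch. I would make the fallback a reviewed release, `@${{ inputs.upgradeProviderVersion || '<PINNED_TAG_OR_SHA>' }}`, so that an unreviewed upstream commit cannot execute with these credentials on the daily schedule.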


@@ -37,21 +37,17 @@ on:
required: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
TF_APPEND_USER_AGENT: pulumi
jobs:
@@ -74,10 +70,32 @@ jobs:
- name: Configure Git to checkout files with long names
run: git config --global core.longpaths true
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup Node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
with:
tools: pulumicli, dotnet, go, nodejs, python
node-version: 20.x
registry-url: https://registry.npmjs.org
- name: Install Go
uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
with:
go-version: "1.21.x"
cache-dependency-path: |
provider/*.sum
upstream/*.sum
sdk/go/*.sum
sdk/*.sum
*.sum
cache: true
- name: Set Go Toolchain to auto explicitly
run: |
echo "GOTOOLCHAIN=auto" >> "$GITHUB_ENV"
- name: Install Pulumi CLI
uses: pulumi/actions@8582a9e8cc630786854029b4e09281acd6794b58 # v6
with:
pulumi-version: "dev"
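Review bot: The workflow-level `env:` still exports publishing credentials (`JAVA_SIGNING_KEY`, `NPM_TOKEN`, `NUGET_PUBLISH_KEY`, `OSSRH_PASSWORD`, `PYPI_API_TOKEN`) to every step of a job whose visible steps only check out the repo, install toolchains and install the Pulumi CLI. With the `esc-secrets` step added in this file, a step that needs a secret can read it from `steps.esc-secrets.outputs.*` in its own `env:`, as the `Publish SDKs` steps in this commit do, and the workflow-level `secrets.*` entries can be dropped. Which of the two env variants is the new side is inferred from print order, and the rest of the job lies outside the hunk.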


@@ -33,5 +33,5 @@ linters-settings:
- blank # Blank section: contains all blank imports.
- default # Default section: contains all imports that could not be matched to another section type.
- prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
- prefix(git.kalinow.ski/nimbus/pulumi-incus) # Custom section: local imports
- prefix(github.com/kiterun/pulumi-incus) # Custom section: local imports
custom-order: true


@@ -1,13 +1,12 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
PACK := incus
ORG := nimbus
PROJECT := git.kalinow.ski/$(ORG)/pulumi-$(PACK)
ORG := kiterun
PROJECT := github.com/$(ORG)/pulumi-$(PACK)
PROVIDER_PATH := provider
VERSION_PATH := $(PROVIDER_PATH)/pkg/version.Version
CODEGEN := pulumi-tfgen-$(PACK)
PROVIDER := pulumi-resource-$(PACK)
JAVA_GEN := pulumi-java-gen
TESTPARALLELISM := 10
GOTESTARGS := ""
WORKING_DIR := $(shell pwd)
@@ -41,19 +40,36 @@ LDFLAGS=$(LDFLAGS_PROJ_VERSION) $(LDFLAGS_UPSTREAM_VERSION) $(LDFLAGS_EXTRAS) $(
_ := $(shell mkdir -p .make bin .pulumi/bin)
# Build the provider and all SDKs and install ready for testing
build: install_plugins provider build_sdks install_sdks
build: .make/mise_install provider build_sdks install_sdks
build: | mise_env
# Keep aliases for old targets to ensure backwards compatibility
development: build
only_build: build
# Prepare the workspace for building the provider and SDKs
# Importantly this is run by CI ahead of restoring the bin directory and resuming SDK builds
prepare_local_workspace: install_plugins upstream
prepare_local_workspace: .make/mise_install upstream
prepare_local_workspace: | mise_env
# Creates all generated files which need to be committed
generate: generate_sdks schema
generate_sdks: generate_go generate_nodejs
build_sdks: build_go build_nodejs
install_sdks: install_go_sdk install_nodejs_sdk
.PHONY: development only_build build generate generate_sdks build_sdks install_sdks
.PHONY: development only_build build generate generate_sdks build_sdks install_sdks mise_install mise_env
# Installs all necessary tools with mise and records completion in a sentinel
# file so dependent targets can participate in make's caching behaviour. The
# environment is refreshed via an order-only prerequisite so it still runs on
# every invocation without invalidating the sentinel.
mise_install: .make/mise_install | mise_env
mise_env:
@mise env -q > /dev/null
.make/mise_install:
@mise install -q
@touch $@
help:
@echo "Usage: make [target]"
@@ -80,7 +96,7 @@ help:
@echo ""
@echo "Internal Targets (automatically run as dependencies of other targets)"
@echo " prepare_local_workspace Prepare for building"
@echo " install_plugins Install plugin dependencies"
@echo " mise_install Install tools with mise"
@echo " upstream Initialize the upstream submodule, if present"
@echo ""
@echo "Language-Specific Targets"
@@ -88,7 +104,7 @@ help:
@echo " build_[language] Build the SDK to check correctness"
@echo " install_[language]_sdk Install the SDK ready for testing"
@echo ""
@echo " [language] = dotnet go nodejs python"
@echo " [language] = go nodejs"
@echo ""
.PHONY: help
@@ -98,8 +114,8 @@ GEN_ENVS := PULUMI_HOME=$(GEN_PULUMI_HOME) PULUMI_CONVERT_EXAMPLES_CACHE_DIR=$(G
generate_dotnet: .make/generate_dotnet
build_dotnet: .make/build_dotnet
.make/generate_dotnet: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
.make/generate_dotnet: .make/install_plugins bin/$(CODEGEN)
.make/generate_dotnet: .make/mise_install bin/$(CODEGEN)
.make/generate_dotnet: | mise_env
$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) dotnet --out sdk/dotnet/
cd sdk/dotnet/ && \
printf "module fake_dotnet_module // Exclude this directory from Go tools\n\ngo 1.17\n" > go.mod && \
@@ -112,8 +128,8 @@ build_dotnet: .make/build_dotnet
generate_go: .make/generate_go
build_go: .make/build_go
.make/generate_go: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
.make/generate_go: .make/install_plugins bin/$(CODEGEN)
.make/generate_go: .make/mise_install bin/$(CODEGEN)
.make/generate_go: | mise_env
$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) go --out sdk/go/
@touch $@
.make/build_go: .make/generate_go
@@ -123,10 +139,10 @@ build_go: .make/build_go
generate_java: .make/generate_java
build_java: .make/build_java
.make/generate_java: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
.make/generate_java: PACKAGE_VERSION := $(PROVIDER_VERSION)
.make/generate_java: .make/install_plugins bin/pulumi-java-gen .make/schema
PULUMI_HOME=$(GEN_PULUMI_HOME) PULUMI_CONVERT_EXAMPLES_CACHE_DIR=$(GEN_PULUMI_CONVERT_EXAMPLES_CACHE_DIR) bin/$(JAVA_GEN) generate --schema provider/cmd/$(PROVIDER)/schema.json --out sdk/java --build gradle-nexus
.make/generate_java: .make/mise_install bin/$(CODEGEN)
.make/generate_java: | mise_env
$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) java --out sdk/java/
printf "module fake_java_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/java/go.mod
@touch $@
.make/build_java: PACKAGE_VERSION := $(PROVIDER_VERSION)
@@ -139,23 +155,23 @@ build_java: .make/build_java
generate_nodejs: .make/generate_nodejs
build_nodejs: .make/build_nodejs
.make/generate_nodejs: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
.make/generate_nodejs: .make/install_plugins bin/$(CODEGEN)
.make/generate_nodejs: .make/mise_install bin/$(CODEGEN)
.make/generate_nodejs: | mise_env
$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) nodejs --out sdk/nodejs/
printf "module fake_nodejs_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/nodejs/go.mod
@touch $@
.make/build_nodejs: .make/generate_nodejs
cd sdk/nodejs/ && \
pnpm install && \
pnpm tsc && \
cp ../../README.md ../../LICENSE* package.json pnpm-lock.yaml ./bin/
yarn install && \
yarn run tsc && \
cp ../../README.md ../../LICENSE package.json yarn.lock ./bin/
@touch $@
.PHONY: generate_nodejs build_nodejs
generate_python: .make/generate_python
build_python: .make/build_python
.make/generate_python: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
.make/generate_python: .make/install_plugins bin/$(CODEGEN)
.make/generate_python: .make/mise_install bin/$(CODEGEN)
.make/generate_python: | mise_env
$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) python --out sdk/python/
printf "module fake_python_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/python/go.mod
cp README.md sdk/python/
@@ -175,6 +191,7 @@ clean:
rm -rf sdk/{dotnet,nodejs,go,python}
rm -rf bin/*
rm -rf .make/*
rm -rf "$(GEN_PULUMI_CONVERT_EXAMPLES_CACHE_DIR)"
if dotnet nuget list source | grep "$(WORKING_DIR)/nuget"; then \
dotnet nuget remove source "$(WORKING_DIR)/nuget" \
; fi
@@ -192,7 +209,7 @@ install_go_sdk:
install_java_sdk:
install_nodejs_sdk: .make/install_nodejs_sdk
.make/install_nodejs_sdk: .make/build_nodejs
pnpm link --global $(WORKING_DIR)/sdk/nodejs/bin
yarn link --cwd $(WORKING_DIR)/sdk/nodejs/bin
@touch $@
install_python_sdk:
.PHONY: install_dotnet_sdk install_go_sdk install_java_sdk install_nodejs_sdk install_python_sdk
@@ -235,12 +252,12 @@ schema: .make/schema
# This does actually have dependencies, but we're keeping it around for backwards compatibility for now
tfgen_no_deps: .make/schema
.make/schema: export PULUMI_HOME := $(WORKING_DIR)/.pulumi
.make/schema: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
.make/schema: export PULUMI_CONVERT := $(PULUMI_CONVERT)
.make/schema: export PULUMI_CONVERT_EXAMPLES_CACHE_DIR := $(WORKING_DIR)/.pulumi/examples-cache
.make/schema: export PULUMI_DISABLE_AUTOMATIC_PLUGIN_ACQUISITION := $(PULUMI_CONVERT)
.make/schema: export PULUMI_MISSING_DOCS_ERROR := $(PULUMI_MISSING_DOCS_ERROR)
.make/schema: bin/$(CODEGEN) .make/install_plugins .make/upstream
.make/schema: bin/$(CODEGEN) .make/mise_install .make/upstream
.make/schema: | mise_env
$(WORKING_DIR)/bin/$(CODEGEN) schema --out provider/cmd/$(PROVIDER)
(cd provider && VERSION=$(PROVIDER_VERSION) go generate cmd/$(PROVIDER)/main.go)
@touch $@
@@ -257,13 +274,6 @@ upstream: .make/upstream
@touch $@
.PHONY: upstream
bin/pulumi-java-gen: PULUMI_JAVA_VERSION := $(shell cat .pulumi-java-gen.version)
bin/pulumi-java-gen: PLAT := $(shell go version | sed -En "s/go version go.* (.*)\/(.*)/\1-\2/p")
bin/pulumi-java-gen: PULUMI_JAVA_URL := "https://github.com/pulumi/pulumi-java/releases/download/v$(PULUMI_JAVA_VERSION)/pulumi-language-java-v$(PULUMI_JAVA_VERSION)-$(PLAT).tar.gz"
bin/pulumi-java-gen:
wget -q -O - "$(PULUMI_JAVA_URL)" | tar -xzf - -C $(WORKING_DIR)/bin pulumi-java-gen
@touch bin/pulumi-language-java
# To make an immediately observable change to .ci-mgmt.yaml:
#
# - Edit .ci-mgmt.yaml
@@ -278,7 +288,6 @@ debug_tfgen:
dlv --listen=:2345 --headless=true --api-version=2 exec $(WORKING_DIR)/bin/$(CODEGEN) -- schema --out provider/cmd/$(PROVIDER)
.PHONY: debug_tfgen
include scripts/plugins.mk
include scripts/crossbuild.mk
# Permit providers to extend the Makefile with provider-specific Make includes.

3
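--- a/mise.toml
+++ b/mise.toml
@@ -0,0 +1,3 @@
+# Overwrites mise configuration at .config/mise.toml
+[tools]
+pulumictl = "v0.0.48"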


@@ -19,6 +19,8 @@ bin/darwin-arm64/$(PROVIDER): GOOS := darwin
bin/darwin-arm64/$(PROVIDER): GOARCH := arm64
bin/windows-amd64/$(PROVIDER).exe: GOOS := windows
bin/windows-amd64/$(PROVIDER).exe: GOARCH := amd64
bin/windows-arm64/$(PROVIDER).exe: GOOS := windows
bin/windows-arm64/$(PROVIDER).exe: GOARCH := arm64
bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
$(call build_provider_cmd,$(GOOS),$(GOARCH),$(WORKING_DIR)/$@)
@@ -26,7 +28,7 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
@set -e; \
if [[ "${GOOS}-${GOARCH}" = "windows-amd64" && "${SKIP_SIGNING}" != "true" ]]; then \
if [[ "${GOOS}" = "windows" && "${SKIP_SIGNING}" != "true" ]]; then \
if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
@@ -58,13 +60,15 @@ provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
provider-darwin-arm64: bin/darwin-arm64/$(PROVIDER)
provider-windows-amd64: bin/windows-amd64/$(PROVIDER).exe
.PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64
provider-windows-arm64: bin/windows-arm64/$(PROVIDER).exe
.PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64 provider-windows-arm64
bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz: bin/linux-amd64/$(PROVIDER)
bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz: bin/linux-arm64/$(PROVIDER)
bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz: bin/darwin-amd64/$(PROVIDER)
bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz: bin/darwin-arm64/$(PROVIDER)
bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz: bin/windows-amd64/$(PROVIDER).exe
bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-arm64.tar.gz: bin/windows-arm64/$(PROVIDER).exe
bin/$(PROVIDER)-v$(PROVIDER_VERSION)-%.tar.gz:
@mkdir -p dist
@# $< is the last dependency (the binary path from above) e.g. bin/linux-amd64/pulumi-resource-xyz
@@ -76,5 +80,6 @@ provider_dist-linux-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.
provider_dist-darwin-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz
provider_dist-darwin-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz
provider_dist-windows-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz
provider_dist-windows-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-arm64.tar.gz
provider_dist: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64
.PHONY: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64 provider_dist
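Review bot: The emptiness test in the signing hunk (`"|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|…|" == *"||"*`) uses single-`$` references, so make substitutes the secret's value into the recipe text before the shell runs, and with the guard now `"${GOOS}" = "windows"` this also happens for the arm64 build. The value then sits in the shell's argument list and is printed by `make -n` or `--trace`, and a quote character in it would break the command. Assuming the four values arrive through the environment, writing them as `$${AZURE_SIGNING_CLIENT_SECRET}` (and likewise for the other three) lets the shell read them itself. The recipe continues outside the hunk, so the signing call should be checked for the same pattern. Separately, `provider_dist` and its `.PHONY` line still stop at windows-amd64, so the new `provider_dist-windows-arm64` target is neither built by the aggregate nor declared phony; if that is intended, a comment saying so would help.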

55
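--- a/scripts/get-versions.sh
+++ b/scripts/get-versions.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# This script can be simplified to use go when https://github.com/jdx/mise/discussions/6374 is fixed
+# e.g. go list -m -f '{{.GoVersion}}'
+module_path="github.com/pulumi/pulumi/pkg/v3"
+go_mod_path="provider"
+gomod="go.mod"
+if [[ "$go_mod_path" != "" && "$go_mod_path" != "." ]]; then
+gomod="$go_mod_path/$gomod"
+fi
+if [[ ! -f "$gomod" ]]; then
+echo "missing $gomod" >&2
+exit 1
+fi
+raw_version=$(awk -v module="$module_path" '
+$1 == module || $2 == module {
+for (i = 1; i <= NF; i++) {
+if ($i ~ /^v[0-9]/) {
+sub(/^v/, "", $i)
+print $i
+exit
+}
+}
+}
+' "$gomod")
+if [[ -z "${raw_version:-}" ]]; then
+echo "failed to determine Pulumi version from $gomod" >&2
+exit 1
+fi
+echo "PULUMI_VERSION_MISE=$raw_version"
+export PULUMI_VERSION_MISE=$raw_version
+# Prefer the toolchain directive if present, otherwise fall back to the `go` version line
+go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
+if [[ -n "${go_toolchain:-}" ]]; then
+go_version=${go_toolchain#go}
+else
+go_version=$(awk '/^go[[:space:]]+[0-9]/{ print $2; exit }' "$gomod")
+fi
+if [[ -z "${go_version:-}" ]]; then
+echo "failed to determine Go version from $gomod" >&2
+exit 1
+fi
+echo "GO_VERSION_MISE=$go_version"
+export GO_VERSION_MISE=$go_version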
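Review bot: The script both prints `NAME=value` lines and `export`s the same variables, but nothing in the file says whether it is meant to be executed or sourced, and the two modes conflict. When it is executed the `export` lines have no effect on the caller; when it is sourced, the top-level `set -euo pipefail` and the `exit 1` paths alter or end the calling shell. A header comment naming the intended invocation and the consumer of the output would settle this. The extracted values are also only loosely checked (`$i ~ /^v[0-9]/` for the Pulumi version, a bare `print $2` for Go), so whatever else is in that go.mod field is passed on, presumably to pick the tool versions mise installs. A guard such as `[[ "$raw_version" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]+)?$ ]] || exit 1` before the first `echo`, and a similar one for `go_version`, would reject a malformed entry early.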


@@ -1,27 +0,0 @@
# Install Pulumi and plugins required at build time.
install_plugins: .make/install_plugins
.make/install_plugins: export PULUMI_HOME := $(WORKING_DIR)/.pulumi
.make/install_plugins: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
.make/install_plugins: .pulumi/bin/pulumi
.pulumi/bin/pulumi plugin install converter terraform 1.0.16
@touch $@
.PHONY: install_plugins
# Because some codegen depends on the version of the CLI used, we install a local CLI
# version pinned to the same version as the provider `go.mod`.
#
# This logic compares the version of .pulumi/bin/pulumi already installed. If it matches
# the desired version, we just print. Otherwise we (re)install pulumi at the desired
# version.
.pulumi/bin/pulumi: .pulumi/version
@if [ -x .pulumi/bin/pulumi ] && [ "v$$(cat .pulumi/version)" = "$$(.pulumi/bin/pulumi version)" ]; then \
echo "pulumi/bin/pulumi version: v$$(cat .pulumi/version)"; \
touch $@; \
else \
curl -fsSL https://get.pulumi.com | \
HOME=$(WORKING_DIR) sh -s -- --version "$$(cat .pulumi/version)"; \
fi
# Compute the version of Pulumi to use by inspecting the Go dependencies of the provider.
.pulumi/version: provider/go.mod
(cd provider && go list -f "{{slice .Version 1}}" -m github.com/pulumi/pulumi/pkg/v3) | tee $@