initial commit

2025-04-18 13:26:52 -07:00
commit b78296ab5b
134 changed files with 11623 additions and 0 deletions


@@ -0,0 +1,28 @@
name: Download the code generator binary
description: Downloads the code generator binary to `bin/`.
runs:
using: "composite"
steps:
- name: Download the prerequisites bin
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: prerequisites-bin
path: bin
- name: Restore executable permissions
shell: bash
run: chmod +x $(< bin/executables.txt)
- name: Remove executables list
shell: bash
run: rm bin/executables.txt
- name: Download schema-embed.json
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
# Use a pattern to avoid failing if the artifact doesn't exist
pattern: schema-embed.*
# Avoid creating directories for each artifact
merge-multiple: true
path: provider/cmd/pulumi-resource-xyz
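Review bot: In the "Restore executable permissions" step, `chmod +x $(< bin/executables.txt)` expands the list unquoted, so a path containing whitespace or a glob character is split or expanded before chmod sees it, and an empty list leaves chmod without an operand. Reading the file line by line avoids both: `xargs -r -d '\n' chmod +x -- < bin/executables.txt`. The list comes from an artifact uploaded earlier in the same run, so this is a robustness point rather than an input-validation fix. The action's `name` ("Download the code generator binary") also does not describe the steps, which restore the prerequisites bin and schema-embed.json.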


@@ -0,0 +1,23 @@
name: Download the provider binary
description: Downloads the provider binary to `bin/`.
runs:
using: "composite"
steps:
- name: Download pulumi-resource-xyz
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
pattern: pulumi-resource-xyz-*-linux-amd64.tar.gz
path: ${{ github.workspace }}/bin
merge-multiple: true
- name: Untar pulumi-resource-xyz
shell: bash
run: |
tar -zxf ${{ github.workspace }}/bin/*amd64.tar.gz -C ${{ github.workspace}}/bin
- name: Mark pulumi-resource-xyz as executable
shell: bash
run: |
find ${{ github.workspace }} -name "pulumi-*-xyz" -print -exec chmod +x {} \;
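Review bot: The "Untar pulumi-resource-xyz" step hands the glob `bin/*amd64.tar.gz` straight to `tar -zxf`, so if more than one archive matches, tar opens the first and treats the remaining names as members to extract, and the other archives are never unpacked. The download step already uses the narrower `pulumi-resource-xyz-*-linux-amd64.tar.gz`; reusing that pattern here, or looping over the matches, would make the step's behaviour explicit. `${{ github.workspace }}` is pasted unquoted into both scripts, where `"$GITHUB_WORKSPACE"` would survive a workspace path containing spaces. The final `find` walks the whole workspace rather than `bin/`, so it marks any file named `pulumi-*-xyz` executable; the tfgen download action in this commit has the same line.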

19
.github/actions/download-sdk/action.yml vendored Normal file

@@ -0,0 +1,19 @@
name: Download SDK asset
description: Restores the SDK asset for a language.
inputs:
language:
required: true
description: One of nodejs, python, dotnet, go, java
runs:
using: "composite"
steps:
- name: Download ${{ inputs.language }} SDK
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
name: ${{ inputs.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/
- name: Uncompress SDK folder
shell: bash
run: tar -zxf ${{ github.workspace }}/sdk/${{ inputs.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ inputs.language }}
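Review bot: The "Uncompress SDK folder" step expands `${{ inputs.language }}` directly into the shell script, so the value becomes script text before bash parses it; the callers visible in this commit pass a fixed string, but a composite action cannot assume that of every caller. build_sdk.yml in this same commit already routes `HEAD_REF` through `env:` for this reason, and the same shape works here: set `env: SDK_LANGUAGE: ${{ inputs.language }}` on the step and use `"$GITHUB_WORKSPACE/sdk/$SDK_LANGUAGE.tar.gz"` in the command. The "Compress SDK folder" step of the upload-sdk action has the same expansion. Since the description lists the allowed values (nodejs, python, dotnet, go, java), a `case` check against that list before calling tar would also be cheap.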


@@ -0,0 +1,17 @@
name: Download the tfgen binary
description: Downloads the tfgen binary to `bin/`.
runs:
using: "composite"
steps:
- name: Download pulumi-tfgen-xyz
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: pulumi-tfgen-xyz
path: ${{ github.workspace }}/bin
- name: Ensure pulumi-tfgen-xyz is executable
shell: bash
run: |
find ${{ github.workspace }} -name "pulumi-*-xyz" -print -exec chmod +x {} \;
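Review bot: This action pins `actions/download-artifact` to `fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8`, while the other download steps in this commit pin `95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1`; the upload-bin action likewise uses upload-artifact v4.4.3 where the rest use v4.6.2. Nothing on the page explains the older pins, so they look like drift rather than a deliberate hold. Aligning on one SHA per action keeps dependency updates and advisories easier to track.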

91
.github/actions/setup-tools/action.yml vendored Normal file

@@ -0,0 +1,91 @@
name: Setup tools
description: Installs Go, Pulumi, pulumictl, schema-tools, Node.JS, Python, dotnet and Java.
inputs:
tools:
description: |
Comma separated list of tools to install. The default of "all" installs all tools. Available tools are:
go
pulumicli
pulumictl
schema-tools
nodejs
python
dotnet
java
default: all
cache-go:
description: |
Whether to enable the GitHub cache for Go. Appropriate for disabling in
smaller jobs that typically completely before the "real" job has an
opportunity to populate the cache.
default: "true"
runs:
using: "composite"
steps:
- name: Install Go
if: inputs.tools == 'all' || contains(inputs.tools, 'go')
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
with:
go-version: "1.21.x"
cache-dependency-path: |
provider/*.sum
upstream/*.sum
sdk/go/*.sum
sdk/*.sum
*.sum
# TODO(https://github.com/actions/setup-go/issues/316): Restore but don't save the cache.
cache: ${{ inputs.cache-go }}
- name: Install pulumictl
if: inputs.tools == 'all' || contains(inputs.tools, 'pulumictl')
uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
with:
tag: v0.0.48
repo: pulumi/pulumictl
- name: Install Pulumi CLI
if: inputs.tools == 'all' || contains(inputs.tools, 'pulumicli')
uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6
with:
pulumi-version: "dev"
- name: Install Schema Tools
if: inputs.tools == 'all' || contains(inputs.tools, 'schema-tools')
uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
with:
repo: pulumi/schema-tools
- name: Setup Node
if: inputs.tools == 'all' || contains(inputs.tools, 'nodejs')
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20.x
registry-url: https://registry.npmjs.org
- name: Setup DotNet
if: inputs.tools == 'all' || contains(inputs.tools, 'dotnet')
uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
dotnet-version: 8.0.x
- name: Setup Python
if: inputs.tools == 'all' || contains(inputs.tools, 'python')
uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
with:
python-version: 3.11.8
- name: Setup Java
if: inputs.tools == 'all' || contains(inputs.tools, 'java')
uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
with:
cache: gradle
distribution: temurin
java-version: 11
- name: Setup Gradle
if: inputs.tools == 'all' || contains(inputs.tools, 'java')
uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3
with:
gradle-version: 7.6
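Review bot: "Install Schema Tools" calls `jaxxstorm/action-install-gh-release` without a `tag:`, and "Install Pulumi CLI" asks for `pulumi-version: "dev"`, so both tools presumably resolve to whatever is newest at run time, even though every `uses:` line is pinned to a commit SHA and pulumictl is fixed at `v0.0.48`. publish.yml in this commit requests `schema-tools` and `pulumicli` from this action in a workflow whose environment carries the publishing credentials, so a floating binary runs next to those secrets. An explicit `tag:` for schema-tools and a released `pulumi-version` would make the toolchain reproducible. The `if:` conditions use `contains(inputs.tools, 'go')`, a substring test on the whole comma-separated string; it works for the current names but would also fire for any future tool whose name contains "go" or "java".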

15
.github/actions/upload-bin/action.yml vendored Normal file

@@ -0,0 +1,15 @@
name: Upload bin assets
description: Uploads the provider and tfgen binaries to `bin/`.
runs:
using: "composite"
steps:
- name: Tar provider binaries
shell: bash
run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace }}/bin/ pulumi-resource-xyz pulumi-tfgen-xyz
- name: Upload artifacts
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: xyz-provider.tar.gz
path: ${{ github.workspace }}/bin/provider.tar.gz
retention-days: 30


@@ -0,0 +1,23 @@
name: Upload SDK asset
description: Upload the SDK for a specific language as an asset for the workflow.
runs:
using: "composite"
steps:
- name: Capture executable permissions
shell: bash
run: find bin -type f -executable > bin/executables.txt
- name: Upload prerequisites bin
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: prerequisites-bin
path: bin/*
retention-days: 30
- name: Upload schema-embed.json
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: schema-embed.json
path: provider/cmd/pulumi-resource-xyz/schema-embed.json
retention-days: 30
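Review bot: The `name` and `description` here ("Upload SDK asset", "Upload the SDK for a specific language as an asset for the workflow.") are identical to the upload-sdk action's, but the steps upload the `prerequisites-bin` artifact and `schema-embed.json`. Something like `name: Upload prerequisites` with `description: Uploads bin/ (with an executables list) and schema-embed.json for later jobs.` would match what the file does. `bin/executables.txt` is written inside `bin/` before the upload, so it travels in the artifact; a one-line comment on the capture step, for example `# recorded so the download action can restore the executable bit`, would explain the capture/restore pair.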

20
.github/actions/upload-sdk/action.yml vendored Normal file
View File

@@ -0,0 +1,20 @@
name: Upload SDK asset
description: Upload the SDK for a specific language as an asset for the workflow.
inputs:
language:
required: true
description: One of nodejs, python, dotnet, go, java
runs:
using: "composite"
steps:
- name: Compress SDK folder
shell: bash
run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} .
- name: Upload artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: ${{ inputs.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/${{ inputs.language }}.tar.gz
retention-days: 30

97
.github/workflows/build_provider.yml vendored Normal file

@@ -0,0 +1,97 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: "Build Provider"
on:
workflow_call:
inputs:
version:
required: true
type: string
description: Version of the provider to build
matrix:
required: false
type: string
default: |
{
"platform": [
{"os": "linux", "arch": "amd64"},
{"os": "linux", "arch": "arm64"},
{"os": "darwin", "arch": "amd64"},
{"os": "darwin", "arch": "arm64"},
{"os": "windows", "arch": "amd64"}
]
}
jobs:
build_provider:
name: Build ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
runs-on: ubuntu-latest
env:
PROVIDER_VERSION: ${{ inputs.version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
strategy:
fail-fast: true
matrix: ${{ fromJSON(inputs.matrix) }}
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
# Without ldid cross-compiling Node binaries on a Linux worker intended to work on darwin-arm64 fails to sign the
# binaries properly and they do not work as expected. See https://github.com/pulumi/pulumi-awsx/issues/1490
- uses: MOZGIII/install-ldid-action@v1
with:
tag: v2.1.5-procursus2
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, go
# use per-platform/arch caches instead since we are doing cross-builds
cache-go: false
# Based on https://github.com/actions/cache/blob/main/examples.md#go---modules
- name: Get GOCACHE
id: gocache
shell: bash
run: |
echo "path=$(go env GOCACHE)" >> "${GITHUB_OUTPUT}"
- name: Get GOMODCACHE
id: gomodcache
shell: bash
run: |
echo "path=$(go env GOMODCACHE)" >> "${GITHUB_OUTPUT}"
- name: Go Cache
uses: actions/cache@v4
with:
path: |
${{ steps.gocache.outputs.path }}
${{ steps.gomodcache.outputs.path }}
key: go-provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}-${{ hashFiles('provider/go.sum') }}
restore-keys: |
go-provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}-
- name: Prepare local workspace before restoring previously built
run: make prepare_local_workspace
- name: Restore prerequisites
uses: ./.github/actions/download-prerequisites
- name: Restore makefile progress
# This mirrors the targets completed in the prerequisites job
run: make --touch provider schema
- name: Build provider
run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
env:
AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
- name: Package provider
run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
- name: Upload artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: pulumi-resource-xyz-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
path: bin/pulumi-resource-xyz-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
retention-days: 30
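Review bot: `MOZGIII/install-ldid-action@v1` and `actions/cache@v4` are referenced by mutable tags, while every other `uses:` in this file is pinned to a commit SHA; a retagged release would run in a job whose environment carries `GITHUB_TOKEN` and whose later step handles the Azure signing secrets. build_sdk.yml in this commit already pins the cache action as `actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4`, which can be reused here. The same applies to `pulumi/git-status-check-action@v1` (build_sdk.yml), `pulumi/license-check-action@main` (license.yml), `pulumi/action-release-by-pr-label@main` (main.yml, publish.yml) and `pulumi/publish-go-sdk-action@v1` (publish.yml). The header says the file is generated by pulumi/ci-mgmt, so the pins belong in the generator.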

124
.github/workflows/build_sdk.yml vendored Normal file

@@ -0,0 +1,124 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: "Build SDK"
on:
workflow_call:
inputs:
version:
required: true
type: string
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
PROVIDER_VERSION: ${{ inputs.version }}
jobs:
build_sdk:
name: build_sdk
runs-on: ubuntu-latest
strategy:
# We normally fail fast unless this is a PR from Renovate in which case
# we'll always build all SDKs in case there are any changes to commit.
fail-fast: ${{ ! contains(github.actor, 'renovate') }}
matrix:
language:
- dotnet
- go
- nodejs
- python
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Cache examples generation
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
with:
path: |
.pulumi/examples-cache
key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }}
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, pulumicli, ${{ matrix.language }}
- name: Prepare local workspace
run: make prepare_local_workspace
- name: Download prerequisites
uses: ./.github/actions/download-prerequisites
- name: Update path
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Restore makefile progress
run: make --touch provider schema
- name: Build SDK
run: make build_${{ matrix.language }}
- name: Check worktree clean
id: worktreeClean
uses: pulumi/git-status-check-action@v1
with:
# Keep these in sync with the Renovate step below to avoid them getting checked in.
allowed-changes: |
sdk/**/pulumi-plugin.json
sdk/dotnet/*.csproj
sdk/go/**/pulumiUtilities.go
sdk/nodejs/package.json
sdk/python/pyproject.toml
- name: Commit ${{ matrix.language }} SDK changes for Renovate
# If the worktree is dirty and this is a Renovate PR to bump
# dependencies, commit the updated SDK and push it back to the PR. The
# job will still be marked as a failure.
if: failure() && steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request'
shell: bash
run: |
git diff --quiet -- sdk && echo "no changes to sdk" && exit
git config --global user.email "bot@pulumi.com"
git config --global user.name "pulumi-bot"
# Stash local changes and check out the PR's branch directly.
git stash
git fetch
git checkout "origin/$HEAD_REF"
# Apply and add our changes, but don't commit any files we expect to
# always change due to versioning.
git stash pop
git add sdk
git reset \
sdk/python/*/pulumi-plugin.json \
sdk/python/pyproject.toml \
sdk/dotnet/pulumi-plugin.json \
sdk/dotnet/Pulumi.*.csproj \
sdk/go/*/pulumi-plugin.json \
sdk/go/*/internal/pulumiUtilities.go \
sdk/nodejs/package.json
git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
# Push with pulumi-bot credentials to trigger a re-run of the
# workflow. https://github.com/orgs/community/discussions/25702
git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
"HEAD:$HEAD_REF"
env:
# head_ref is untrusted so it's recommended to pass via env var to
# avoid injections.
HEAD_REF: ${{ github.head_ref }}
- name: Upload SDK
uses: ./.github/actions/upload-sdk
with:
language: ${{ matrix.language }}
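Review bot: The Renovate commit step is gated on `contains(github.actor, 'renovate')`, a substring match that any login containing "renovate" satisfies, and it then pushes with `secrets.PULUMI_BOT_TOKEN`; an exact comparison against the bot login(s) the project actually uses would be tighter. The token is expanded into the script text and the push URL, whereas the step already passes `HEAD_REF` through `env:`; giving the token the same treatment (`BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}` under `env:` and `"$BOT_TOKEN"` in the URL) keeps it out of the rendered script. Separately, the workflow-level `env:` hands every publishing credential (NPM, NuGet, PyPI, OSSRH, Java signing) to every step, including `make build_*` and the third-party actions, and the same block is repeated in license.yml, lint.yml, main.yml, prerelease.yml, prerequisites.yml, publish.yml, pull-request.yml and release.yml. Since the header says the file is generated by pulumi/ci-mgmt, scoping those variables to the steps that publish belongs in the generator.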

63
.github/workflows/license.yml vendored Normal file

@@ -0,0 +1,63 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: license_check
on:
workflow_call:
inputs: {}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
license_check:
name: License Check
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: go
cache-go: false
- run: make prepare_local_workspace
continue-on-error: true
- uses: pulumi/license-check-action@main
with:
module-path: provider
ignore-modules: >-
github.com/aead/chacha20,
github.com/apache/arrow/go/v12,
github.com/apache/thrift/lib/go/thrift,
github.com/cloudflare/circl,
github.com/golang,
github.com/gorhill/cronexpr,
github.com/in-toto/in-toto-golang,
github.com/jmespath/go-jmespath,
github.com/keybase/go-crypto,
github.com/klauspost/compress,
github.com/mattn/go-localereader,
github.com/modern-go/reflect2,
github.com/pierrec/lz4,
github.com/pjbgf/sha1cd,
github.com/pulumi,
github.com/segmentio/asm,
golang.org

54
.github/workflows/lint.yml vendored Normal file

@@ -0,0 +1,54 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: lint
on:
workflow_call:
inputs: {}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
lint:
name: lint
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Install go
uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
with:
# The versions of golangci-lint and setup-go here cross-depend and need to update together.
go-version: 1.23
# Either this action or golangci-lint needs to disable the cache
cache: false
- name: disarm go:embed directives to enable lint
continue-on-error: true # this fails if there are no go:embed directives
run: |
git grep -l 'go:embed' -- provider | xargs sed -i 's/go:embed/ goembed/g'
- name: prepare workspace
continue-on-error: true
run: make prepare_local_workspace
- name: golangci-lint
uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
with:
version: v1.64.6
working-directory: provider
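Review bot: `go-version: 1.23` is an unquoted YAML float, which happens to round-trip today but would turn a value such as 1.20 into 1.2; quoting it as `go-version: "1.23"` matches how setup-tools writes `"1.21.x"`. The two files also disagree on the Go toolchain (1.23 here, 1.21.x in setup-tools), so lint may accept code the build toolchain rejects, or the reverse. The "disarm go:embed" step relies on `continue-on-error: true` to cover the no-match case, which also hides a genuine sed failure; with `xargs -r` sed is skipped when nothing matches and, under the default shell, the flag could presumably be dropped.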

20
.github/workflows/main-post-build.yml vendored Normal file

@@ -0,0 +1,20 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: "Main post-build"
on:
workflow_call:
inputs:
version:
type: string
required: true
jobs:
post_build:
name: post_build
runs-on: ubuntu-latest
if: false
steps:
- name: Placeholder
shell: bash
run: echo "This is a placeholder job to ensure that the post_build job is always present"

121
.github/workflows/main.yml vendored Normal file

@@ -0,0 +1,121 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
prerequisites:
uses: ./.github/workflows/prerequisites.yml
secrets: inherit
with:
default_branch: ${{ github.event.repository.default_branch }}
is_pr: ${{ github.event_name == 'pull_request' }}
is_automated: ${{ github.actor == 'dependabot[bot]' }}
build_provider:
uses: ./.github/workflows/build_provider.yml
needs: prerequisites
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
build_sdk:
name: build_sdk
needs: prerequisites
uses: ./.github/workflows/build_sdk.yml
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
post_build:
name: post_build
needs: prerequisites
uses: ./.github/workflows/main-post-build.yml
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
lint:
name: lint
uses: ./.github/workflows/lint.yml
secrets: inherit
license_check:
name: License Check
uses: ./.github/workflows/license.yml
secrets: inherit
publish:
name: publish
permissions:
contents: write
id-token: write
needs:
- prerequisites
- build_provider
- test
- license_check
uses: ./.github/workflows/publish.yml
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
isPrerelease: true
skipGoSdk: true
skipJavaSdk: true
tag_release_if_labeled_needs_release:
name: Tag release if labeled as needs-release
needs: publish
runs-on: ubuntu-latest
steps:
- name: check if this commit needs release
if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
uses: pulumi/action-release-by-pr-label@main
with:
command: "release-if-needed"
repo: ${{ github.repository }}
commit: ${{ github.sha }}
slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }}
env:
RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
test:
uses: ./.github/workflows/test.yml
needs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
name: main
on:
workflow_dispatch: {}
push:
branches:
- main
paths-ignore:
- "**.md"
tags-ignore:
- v*
- sdk/*
- "**"
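Review bot: Every reusable-workflow call here uses `secrets: inherit`, including `lint` and `license_check`, whose files in this commit reference secrets only through the copied workflow-level `env:` block. Passing each callee only the secrets it needs narrows what a compromised linter or license action can read; prerelease.yml makes the same calls. Only `publish` and `test` declare `permissions:`, so the remaining jobs run with the repository's default token scope; a top-level `permissions: contents: read` would make that explicit, after confirming what the tag-release job needs.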

87
.github/workflows/prerelease.yml vendored Normal file

@@ -0,0 +1,87 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
env:
IS_PRERELEASE: true
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
prerequisites:
uses: ./.github/workflows/prerequisites.yml
secrets: inherit
with:
default_branch: ${{ github.event.repository.default_branch }}
is_pr: ${{ github.event_name == 'pull_request' }}
is_automated: ${{ github.actor == 'dependabot[bot]' }}
build_provider:
uses: ./.github/workflows/build_provider.yml
needs: prerequisites
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
build_sdk:
name: build_sdk
needs: prerequisites
uses: ./.github/workflows/build_sdk.yml
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
lint:
name: lint
uses: ./.github/workflows/lint.yml
secrets: inherit
license_check:
name: License Check
uses: ./.github/workflows/license.yml
secrets: inherit
publish:
name: publish
permissions:
contents: write
id-token: write
needs:
- prerequisites
- build_provider
- test
- license_check
uses: ./.github/workflows/publish.yml
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
isPrerelease: true
test:
uses: ./.github/workflows/test.yml
needs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
name: prerelease
on:
push:
tags:
- v*.*.*-**

100
.github/workflows/prerequisites.yml vendored Normal file

@@ -0,0 +1,100 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: "Prerequisites"
on:
workflow_call:
inputs:
is_pr:
type: boolean
required: true
is_automated:
type: boolean
required: true
default_branch:
type: string
required: true
outputs:
version:
description: "Provider version being built"
value: ${{ jobs.prerequisites.outputs.version }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
prerequisites:
name: prerequisites
runs-on: ubuntu-latest
outputs:
version: ${{ steps.provider-version.outputs.version }}
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
id: provider-version
with:
major-version: 1
set-env: 'PROVIDER_VERSION'
- name: Cache examples generation
uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
with:
path: |
.pulumi/examples-cache
key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }}
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: go, pulumictl, pulumicli, schema-tools
- name: Prepare local workspace before restoring previously built files
run: make prepare_local_workspace
- name: Generate schema
run: make schema
- name: Build provider binary
run: make provider
- name: Unit-test provider code
run: make test_provider
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
- if: inputs.is_pr
name: Check Schema is Valid
run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
{
echo "SCHEMA_CHANGES<<$EOF";
schema-tools compare -r github://api.github.com/pulumi -p xyz -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-xyz/schema.json;
echo "$EOF";
} >> "$GITHUB_ENV"
- if: inputs.is_pr && inputs.is_automated == false && github.actor != 'dependabot[bot]'
name: Comment on PR with Details of Schema Check
uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
comment-tag: schemaCheck
message: >+
${{ env.SCHEMA_CHANGES }}
Maintainer note: consult the [runbook](https://github.com/pulumi/platform-providers-team/blob/main/playbooks/tf-provider-updating.md) for dealing with any breaking changes.
- name: Upload artifacts
uses: ./.github/actions/upload-prerequisites
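Review bot: The comment step's condition `inputs.is_pr && inputs.is_automated == false && github.actor != 'dependabot[bot]'` tests the same thing twice, because the callers in this commit compute `is_automated` as `github.actor == 'dependabot[bot]'`. Dropping the second comparison leaves one place that decides what counts as automated. build_sdk.yml special-cases Renovate by actor, so if Renovate PRs should also skip the schema comment, that belongs in the callers' `is_automated` expression. The "Check Schema is Valid" step writes tool output to `$GITHUB_ENV` behind a random delimiter, which deserves a one-line comment such as `# random delimiter so schema-tools output cannot end the heredoc early`.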

195
.github/workflows/publish.yml vendored Normal file

@@ -0,0 +1,195 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: Publish
on:
workflow_call:
inputs:
version:
required: true
type: string
isPrerelease:
required: true
type: boolean
skipGoSdk:
default: false
type: boolean
description: Skip publishing & verifying the Go SDK
skipJavaSdk:
default: false
type: boolean
description: Skip publishing the Java SDK
env:
IS_PRERELEASE: ${{ inputs.isPrerelease }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
publish:
name: publish
runs-on: ubuntu-latest
steps:
- name: Validate prerelease
if: inputs.isPrerelease == false && (contains(inputs.version, '-') || contains(inputs.version, '+'))
run: echo "Can't publish a prerelease version as a stable release. This is likely a bug in the calling workflow." && exit 1
- name: Validate skipGoSdk
if: inputs.skipGoSdk && inputs.isPrerelease == false
run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, pulumicli, go, schema-tools
cache-go: false
- name: Create dist directory
run: mkdir -p dist
- name: Download provider assets
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
pattern: pulumi-resource-xyz-v${{ inputs.version }}-*
path: dist
# Don't create a directory for each artifact
merge-multiple: true
- name: Download schema
uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
with:
# Use a pattern to avoid failing if the artifact doesn't exist
pattern: schema-embed.*
# Avoid creating directories for each artifact
merge-multiple: true
path: dist
- name: Calculate checksums
working-directory: dist
run: shasum ./*.tar.gz > "pulumi-xyz_${{ inputs.version }}_checksums.txt"
- name: Get Schema Change Summary
id: schema-summary
shell: bash
run: |
# Get latest stable release. Return only first column from result (tag).
LAST_VERSION=$(gh release view --repo pulumi/pulumi-xyz --json tagName -q .tagName || echo "No stable release" )
{
echo 'summary<<EOF'
if [[ "$LAST_VERSION" != "No stable release" ]]; then
schema-tools compare --provider="xyz" --old-commit="$LAST_VERSION" --repository="github://api.github.com/pulumi" --new-commit="--local-path=provider/cmd/pulumi-resource-xyz/schema.json"
fi
echo 'EOF'
} >> "$GITHUB_OUTPUT"
- name: Create GH Release
uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2
if: inputs.isPrerelease == false
with:
tag_name: v${{ inputs.version }}
prerelease: ${{ inputs.isPrerelease }}
# We keep pre-releases as drafts so they're not visible until we manually publish them.
draft: ${{ inputs.isPrerelease }}
body: ${{ steps.schema-summary.outputs.summary }}
generate_release_notes: true
files: dist/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish_sdk:
name: publish_sdk
needs: publish
runs-on: ubuntu-latest
outputs:
python_version: ${{ steps.python_version.outputs.version }}
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# Persist credentials so we can push back to the repo
persist-credentials: true
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, pulumicli, dotnet, go, nodejs, python
cache-go: false
- name: Publish SDKs
if: inputs.skipJavaSdk == false
uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
with:
sdk: all,!java
version: ${{ inputs.version }}
- name: Publish SDKs (except Java)
if: inputs.skipJavaSdk == true
uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
with:
sdk: all,!java,!java
version: ${{ inputs.version }}
- name: Download Go SDK
uses: ./.github/actions/download-sdk
with:
language: go
- uses: pulumi/publish-go-sdk-action@v1
if: inputs.skipGoSdk == false
with:
repository: ${{ github.repository }}
base-ref: ${{ github.sha }}
source: sdk
path: sdk
version: ${{ inputs.version }}
additive: false
# Avoid including other language SDKs & artifacts in the commit
files: |
go.*
go/**
!*.tar.gz
- name: Extract python version
id: python_version
working-directory: sdk/python
run: |
pip install toml-cli==0.7.0
version=$(toml get --toml-path pyproject.toml project.version)
echo "version=${version}" >> "$GITHUB_OUTPUT"
clean_up_release_labels:
name: Clean up release labels
# Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
if: inputs.isPrerelease == false
needs: publish_sdk
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Clean up release labels
uses: pulumi/action-release-by-pr-label@main
with:
command: "clean-up-release-labels"
repo: ${{ github.repository }}
commit: ${{ github.sha }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
verify_release:
name: verify_release
needs: publish_sdk
permissions:
contents: write
id-token: write
uses: ./.github/workflows/verify-release.yml
secrets: inherit
with:
providerVersion: ${{ inputs.version }}
skipGoSdk: ${{ inputs.skipGoSdk }}
pythonVersion: ${{ needs.publish_sdk.outputs.python_version }}
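Review bot: "Calculate checksums" runs `shasum ./*.tar.gz` with no `-a`, which produces SHA-1 digests for the release archives; `shasum -a 256 ./*.tar.gz` gives a collision-resistant digest, provided whatever consumes the checksums file accepts it. "Get Schema Change Summary" writes schema-tools output to `$GITHUB_OUTPUT` behind the fixed delimiter `EOF`, while prerequisites.yml in this commit generates a random one for the same kind of output; a line reading `EOF` in the comparison would end the value early. Both "Publish SDKs" steps exclude Java (`all,!java` and `all,!java,!java`), so `skipJavaSdk` changes nothing visible here. "Create GH Release" only runs when `isPrerelease == false`, which makes its `prerelease:` and `draft:` inputs always false and the comment about keeping pre-releases as drafts dead.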

40
.github/workflows/pull-request.yml vendored Normal file

@@ -0,0 +1,40 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
comment-on-pr:
if: github.event.pull_request.head.repo.full_name != github.repository
name: comment-on-pr
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Comment PR
uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
message: >
PR is now waiting for a maintainer to run the acceptance tests.
**Note for the maintainer:** To run the acceptance tests, please comment */run-acceptance-tests* on the PR
name: pull-request
on:
pull_request_target: {}
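Review bot: The `comment-on-pr` job runs on `pull_request_target` for fork PRs with no `permissions:` block, and the workflow-level `env:` hands every publishing credential (`NPM_TOKEN`, `NUGET_PUBLISH_KEY`, `PYPI_API_TOKEN`, the Java signing key) to a job whose only work is posting a comment. The checkout takes the base ref for this event, so no fork code runs, but the third-party comment action still executes with those values in its environment. I would drop the `env:` block from this workflow and give the job `permissions:` with only `pull-requests: write`; the checkout step also looks unnecessary. The same `env:` block reaches the inline `comment-notification` and `sentinel` jobs in run-acceptance-tests and the job in upgrade-bridge.yml. Because the file is generated, the change belongs in the ci-mgmt template or `.ci-mgmt.yaml`.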

87
.github/workflows/release.yml vendored Normal file

@@ -0,0 +1,87 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: release
on:
push:
tags:
- v*.*.*
- "!v*.*.*-**"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
prerequisites:
uses: ./.github/workflows/prerequisites.yml
secrets: inherit
with:
default_branch: ${{ github.event.repository.default_branch }}
is_pr: ${{ github.event_name == 'pull_request' }}
is_automated: ${{ github.actor == 'dependabot[bot]' }}
build_provider:
uses: ./.github/workflows/build_provider.yml
needs: prerequisites
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
build_sdk:
name: build_sdk
needs: prerequisites
uses: ./.github/workflows/build_sdk.yml
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
lint:
name: lint
uses: ./.github/workflows/lint.yml
secrets: inherit
license_check:
name: License Check
uses: ./.github/workflows/license.yml
secrets: inherit
publish:
name: publish
permissions:
contents: write
pull-requests: write
id-token: write
needs:
- prerequisites
- build_provider
- test
- license_check
uses: ./.github/workflows/publish.yml
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
isPrerelease: false
test:
uses: ./.github/workflows/test.yml
needs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
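Review bot: `secrets: inherit` is set on every reusable-workflow call, including `lint` and `license_check`, which gives those jobs the full secret set of a tag-triggered release run. Their definitions are outside this section, so this is inferred, but a linter and a licence check would not normally need publishing or signing credentials; dropping `secrets: inherit` from those two calls, or passing named secrets, keeps the release credentials confined to `publish`. The workflow-level `env:` block has no effect in this file, because every job is a `uses:` call and a caller's `env` is not propagated to called workflows. `publish` does not list `lint` in `needs:`, so a lint failure does not block a release; confirm that is intended.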

41
.github/workflows/resync-build.yml vendored Normal file

@@ -0,0 +1,41 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: "Resync Build Workflows"
on:
schedule:
# 3 AM UTC ~ 8 PM PDT / 7 PM PST every Tuesday.
- cron: 0 3 * * TUE
permissions:
contents: write
pull-requests: write
env:
GITHUB_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
jobs:
upgrade_provider:
name: pull-workflow-changes
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v4
with:
# Persist credentials so pull-workflow-changes can push a new branch.
persist-credentials: true
- name: Regenerate the workflow files via https://github.com/pulumi/ci-mgmt
run: |
make ci-mgmt
- name: Create PR (no linked issue)
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
author: pulumi-bot <bot@pulumi.com>
base: main
body: This pull request was generated automatically by the resync-build workflow
in this repository.
branch: chore/resync-${{ github.run_id }}
commit-message: Regenerate workflows for pulumi-xyz
committer: pulumi-bot <bot@pulumi.com>
labels: impact/no-changelog-required
title: Regenerate Github Actions workflows for pulumi-xyz
token: ${{ env.GITHUB_TOKEN }}
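Review bot: `actions/checkout@v4` here is the only checkout in the visible workflows that is referenced by a mutable tag, and it is also one that sets `persist-credentials: true`, in a job with `contents: write` and an automation token in `GITHUB_TOKEN`. Pin it the way the other workflows do: `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. `make ci-mgmt` then runs with that token in its environment, so whatever the target downloads and executes deserves the same pinning; its definition is not in this section.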


@@ -0,0 +1,142 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: run-acceptance-tests
on:
pull_request:
paths-ignore:
- CHANGELOG.md
repository_dispatch:
types:
- run-acceptance-tests-command
env:
PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
# This should cancel any previous runs of the same workflow on the same branch which are still running.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
prerequisites:
if: github.event_name == 'repository_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
permissions:
contents: read
pull-requests: write
uses: ./.github/workflows/prerequisites.yml
secrets: inherit
with:
default_branch: ${{ github.event.repository.default_branch }}
is_pr: ${{ github.event_name == 'pull_request' }}
is_automated: ${{ github.actor == 'dependabot[bot]' }}
build_provider:
uses: ./.github/workflows/build_provider.yml
needs: prerequisites
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
matrix: |
{
"platform": [
{"os": "linux", "arch": "amd64"},
{"os": "windows", "arch": "amd64"}
]
}
build_sdk:
if: github.event_name == 'repository_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
name: build_sdk
needs: prerequisites
uses: ./.github/workflows/build_sdk.yml
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
comment-notification:
if: github.event_name == 'repository_dispatch'
name: comment-notification
permissions:
pull-requests: write
runs-on: ubuntu-latest
steps:
- id: run-url
name: Create URL to the run output
run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
- name: Update with Result
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
with:
body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
token: ${{ secrets.GITHUB_TOKEN }}
lint:
if: github.event_name == 'repository_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
name: lint
uses: ./.github/workflows/lint.yml
secrets: inherit
sentinel:
name: sentinel
if: github.event_name == 'repository_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
permissions:
statuses: write
needs:
- test
- build_provider
- license_check
- lint
runs-on: ubuntu-latest
steps:
- uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
with:
authToken: ${{secrets.GITHUB_TOKEN}}
# Write an explicit status check called "Sentinel" which will only pass if this code really runs.
# This should always be a required check for PRs.
context: 'Sentinel'
description: 'All required checks passed'
state: 'success'
# Write to the PR commit SHA if it's available as we don't want the merge commit sha,
# otherwise use the current SHA for any other type of build.
sha: ${{ github.event.pull_request.head.sha || github.sha }}
test:
# Don't run tests on PRs from forks.
if: github.event_name == 'repository_dispatch' ||
github.event.pull_request.head.repo.full_name == github.repository
uses: ./.github/workflows/test.yml
needs:
- prerequisites
- build_provider
- build_sdk
permissions:
contents: read
id-token: write
secrets: inherit
with:
version: ${{ needs.prerequisites.outputs.version }}
license_check:
name: License Check
uses: ./.github/workflows/license.yml
secrets: inherit
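Review bot: In `sentinel`, `sha: ${{ github.event.pull_request.head.sha || github.sha }}` has no pull-request object to read on a `repository_dispatch` run, so it falls back to `github.sha`, which for that event is a default-branch commit rather than the PR commit that was tested. If that reading is right, a maintainer-triggered run for a fork PR records the "Sentinel" success on the wrong commit, and the PR's required check is never satisfied by it. The payload SHA is already read for `PR_COMMIT_SHA`, so the expression could be `sha: ${{ github.event.client_payload.pull_request.head.sha || github.event.pull_request.head.sha || github.sha }}`. The `concurrency` group has the same blind spot: `github.ref` is the default branch for every dispatch, so two dispatch runs for different PRs cancel each other.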

89
.github/workflows/test.yml vendored Normal file

@@ -0,0 +1,89 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: "Test Provider"
on:
workflow_call:
inputs:
version:
required: true
type: string
description: Version of the provider to test
env:
PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
test:
permissions:
contents: read
id-token: write
runs-on: ubuntu-latest
env:
PROVIDER_VERSION: ${{ inputs.version }}
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ env.PR_COMMIT_SHA }}
persist-credentials: false
- name: Checkout p/examples
if: matrix.testTarget == 'pulumiExamples'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: pulumi/examples
path: p-examples
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, pulumicli, ${{ matrix.language }}
- name: Prepare local workspace
run: make prepare_local_workspace
- name: Download bin
uses: ./.github/actions/download-provider
- name: Download SDK
uses: ./.github/actions/download-sdk
with:
language: ${{ matrix.language }}
- name: Restore makefile progress
run: make --touch provider schema build_${{ matrix.language }}
- name: Update path
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Install Python deps
if: matrix.language == 'python'
run: |-
pip3 install virtualenv==20.0.23
pip3 install pipenv
- name: Install dependencies
run: make install_${{ matrix.language}}_sdk
- name: Run tests
if: matrix.testTarget == 'local'
run: cd examples && go test -v -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -skip TestPulumiExamples -parallel 4 .
- name: Run pulumi/examples tests
if: matrix.testTarget == 'pulumiExamples'
run: cd examples && go test -v -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -run TestPulumiExamples -parallel 4 .
strategy:
fail-fast: false
matrix:
language:
- dotnet
- go
- nodejs
- python
testTarget: [local]
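Review bot: The checkout uses `ref: ${{ env.PR_COMMIT_SHA }}`, which comes from the `repository_dispatch` payload, and the `make` and `go test` steps that follow execute that code with the whole workflow-level `env:` in scope, including `NPM_TOKEN`, `NUGET_PUBLISH_KEY`, `PYPI_PASSWORD` and the Java signing key. A maintainer's `/run-acceptance-tests` comment is then the only control between a fork's code and the release credentials. The tests presumably need only the credential used to reach the Pulumi backend (`PULUMI_ACCESS_TOKEN`), so I would cut this workflow's `env:` block down to that and leave the publishing and signing secrets to the publish workflow. Separately, `pip3 install pipenv` is unpinned next to `virtualenv==20.0.23`; pinning it keeps the job reproducible.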

115
.github/workflows/upgrade-bridge.yml vendored Normal file

@@ -0,0 +1,115 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: Upgrade bridge
on:
repository_dispatch:
types:
- upgrade-bridge
- upgrade-bridge-test
workflow_dispatch:
inputs:
kind:
description: Overrides the kind of upgrade. Must be one of `all`, `bridge`, `provider`, `code`, `pf`, or `pulumi`.
required: false
type: string
default: "bridge"
target-bridge-version:
description: pulumi-terraform-bridge version or hash reference
required: false
type: string
default: "latest"
target-pulumi-version:
description: |
Set the version of `pulumi/pkg` and `pulumi/sdk` to depend on for bridged providers. Currently,
these versions inform the linked runtime and SDK generation in all languages except Java. Valid
options are:
- "": Use the same version as pulumi-terraform-bridge
- A go version such as "v3.90.1"
- A commit SHA in pulumi/pulumi such as "ac71ebc1d34e5ccfd1a7fed61e6ff43a3160f3cb"
required: false
type: string
default: ""
pr-reviewers:
description: Reviewers to assign to the auto-opened pull request
required: false
type: string
default: ""
pr-description:
description: Extra description to add to the auto-opened pull request
required: false
type: string
default: ""
pr-title-prefix:
description: Prefix to add to the auto-opened pull request title
required: false
type: string
default: ""
automerge:
description: Mark created PR for auto-merging?
required: false
type: boolean
default: false
permissions:
contents: write
issues: write
pull-requests: write
env:
GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
upgrade_provider:
name: upgrade-provider
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, pulumicli, dotnet, go, nodejs, python
- name: Call upgrade provider action
if: github.event_name == 'workflow_dispatch'
uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
with:
kind: ${{ inputs.kind }}
email: bot@pulumi.com
username: pulumi-bot
automerge: ${{ inputs.automerge }}
target-bridge-version: ${{ inputs.target-bridge-version }}
target-pulumi-version: ${{ inputs.target-pulumi-version }}
pr-reviewers: ${{ inputs.pr-reviewers }}
pr-description: ${{ inputs.pr-description }}
pr-title-prefix: ${{ inputs.pr-title-prefix }}
- name: Call upgrade provider action
if: github.event_name == 'repository_dispatch'
uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
with:
kind: ${{ github.event.client_payload.kind || 'bridge' }}
email: bot@pulumi.com
username: pulumi-bot
automerge: ${{ github.event.client_payload.automerge }}
target-pulumi-version: ${{ github.event.client_payload.target-pulumi-version }}
target-bridge-version: ${{ github.event.client_payload.target-bridge-version }}
pr-reviewers: ${{ github.event.client_payload.pr-reviewers }}
pr-description: ${{ github.event.client_payload.pr-description }}
pr-title-prefix: ${{ github.event.client_payload.pr-title-prefix }}

88
.github/workflows/upgrade-provider.yml vendored Normal file

@@ -0,0 +1,88 @@
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: Upgrade provider
on:
workflow_dispatch:
inputs:
version:
description: |
The version of the upstream provider to upgrade to, without the 'v' prefix
If no version is specified, it will be inferred from the upstream provider's release tags.
required: false
type: string
upgradeProviderVersion:
description: |
Version of upgrade-provider to use. This must be a valid git reference in the pulumi/upgrade-provider repo. Defaults to "main"
See https://go.dev/ref/mod#versions for valid versions. E.g. "v0.1.0", "main", "da25dec".
default: main
type: string
schedule:
# 3 AM UTC ~ 8 PM PDT / 7 PM PST daily. Time chosen to run during off hours.
- cron: 0 3 * * *
permissions:
contents: write
issues: write
pull-requests: write
env:
GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
upgrade_provider:
name: upgrade-provider
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
# Persist credentials so upgrade-provider can push a new branch.
persist-credentials: true
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumictl, pulumicli, dotnet, go, nodejs, python
- name: Install upgrade-provider
run: go install github.com/pulumi/upgrade-provider@${{ inputs.upgradeProviderVersion || 'main' }}
shell: bash
- name: "Set up git identity"
run: |
git config --global user.name 'bot@pulumi.com'
git config --global user.email 'bot@pulumi.com'
shell: bash
- name: Create issues for new upstream version
if: inputs.version == ''
id: upstream_version
# This step outputs `latest_version` if there is a pending upgrade
run: upgrade-provider "$REPO" --kind=check-upstream-version
env:
REPO: ${{ github.repository }}
shell: bash
- name: Calculate target version
id: target_version
# Prefer the manually specified version if it exists
# upstream_version will be empty if the provider is up-to-date
run: echo "version=${{ github.event.inputs.version || steps.upstream_version.outputs.latest_version }}" >> "$GITHUB_OUTPUT"
shell: bash
- name: Call upgrade provider action
id: upgrade_provider
if: steps.target_version.outputs.version != ''
continue-on-error: true
uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
with:
kind: provider
email: bot@pulumi.com
username: pulumi-bot
automerge: true
target-version: ${{ steps.target_version.outputs.version }}
allow-missing-docs: true
- name: Comment on upgrade issue if automated PR failed
if: steps.upgrade_provider.outcome == 'failure'
shell: bash
run: |
issue_number=$(gh issue list --search "pulumiupgradeproviderissue" --repo "${{ github.repository }}" --json=number --jq=".[0].number")
gh issue comment "${issue_number}" --repo "${{ github.repository }}" --body "Failed to create automatic PR: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/"
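Review bot: `go install github.com/pulumi/upgrade-provider@${{ inputs.upgradeProviderVersion || 'main' }}` expands a workflow input directly into the shell script, and the `Calculate target version` step does the same with `github.event.inputs.version`, so a value containing shell metacharacters is executed rather than treated as data. Pass both through `env:` and quote them, for example `env: UPGRADE_PROVIDER_REF: ${{ inputs.upgradeProviderVersion || 'main' }}` with `run: go install "github.com/pulumi/upgrade-provider@${UPGRADE_PROVIDER_REF}"`. On the scheduled run the default is the mutable `main` branch, while the job holds an automation token with `contents: write` and requests `automerge: true`, so a tagged release or commit as the default would narrow what an upstream change can do unattended. The file is generated, so the fix belongs in the ci-mgmt template.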

83
.github/workflows/verify-release.yml vendored Normal file

@@ -0,0 +1,83 @@
name: "Verify Release"
on:
workflow_dispatch:
inputs:
providerVersion:
description: "The version of the provider to verify"
required: true
type: string
enableMacRunner:
description: "Enable the MacOS runner in addition to Linux and Windows. Defaults to 'false'."
required: false
type: boolean
skipGoSdk:
description: "Skip the Go SDK verification. Defaults to 'false'. Enable this when verifying a pre-release for which we don't publish the Go SDK (for PRs and the default branch)."
required: false
type: boolean
default: false
pythonVersion:
description: "Optional python SDK version to verify. Defaults to inputs.providerVersion."
type: string
required: false
workflow_call:
inputs:
providerVersion:
description: "The version of the provider to verify"
required: true
type: string
skipGoSdk:
description: "Skip the Go SDK verification. Defaults to 'false'. This is used when we're not publishing a Go SDK on the default branch build."
required: false
type: boolean
default: false
pythonVersion:
description: "Optional python SDK version to verify. Defaults to inputs.providerVersion."
type: string
required: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
PYPI_USERNAME: __token__
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
TF_APPEND_USER_AGENT: pulumi
jobs:
verify-release:
name: verify-release
# We don't have any release verification configurations, so we never run this workflow.
# Configure your .ci-mgmt.yaml files to include the release verification configurations e.g.
# releaseVerification:
# nodejs: path/to/nodejs/project
# python: path/to/python/project
# dotnet: path/to/dotnet/project
# go: path/to/go/project
if: false
strategy:
matrix:
# We don't have any release verification configurations, so we only run on Linux to print warnings to help users configure the release verification.
runner: ["ubuntu-latest"]
runs-on: ${{ matrix.runner }}
steps:
- name: Configure Git to checkout files with long names
run: git config --global core.longpaths true
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Setup tools
uses: ./.github/actions/setup-tools
with:
tools: pulumicli, dotnet, go, nodejs, python