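# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
#
# Reusable release workflow (workflow_call). It builds the GitHub release from
# previously uploaded provider artifacts, publishes the language SDKs, cleans
# up release labels and then calls verify-release.yml.
# Because the file is generated, any lasting change to the points marked
# NOTE(review) below has to be made in the ci-mgmt template.

name: Publish

on:
  workflow_call:
    inputs:
      version:
        required: true
        type: string
      setLatestRelease:
        required: true
        type: boolean
      isPrerelease:
        required: true
        type: boolean
      skipGoSdk:
        default: false
        type: boolean
        description: Skip publishing & verifying the Go SDK
      skipJavaSdk:
        default: false
        type: boolean
        description: Skip publishing the Java SDK

# NOTE(review): workflow-level env is visible to every step of every job
# below, including the third-party actions, so each publishing credential
# listed here is exposed well beyond the step that uses it. The publish_sdk
# job already reads the same credentials from the esc-secrets step outputs;
# confirm whether these workflow-level copies are still needed.
env:
  IS_PRERELEASE: ${{ inputs.isPrerelease }}
  JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
  TF_APPEND_USER_AGENT: pulumi

jobs:
  # Assembles dist/, writes the checksum file and creates the GitHub release.
  # NOTE(review): this job declares no `permissions:` block, so GITHUB_TOKEN
  # carries whatever the calling job / repository defaults grant. The same
  # holds for publish_sdk and clean_up_release_labels; only verify_release
  # states its permissions explicitly.
  publish:
    name: publish
    runs-on: ubuntu-latest
    steps:
      # Guard: a version carrying a '-' or '+' suffix must not go out as stable.
      - name: Validate prerelease
        if: inputs.isPrerelease == false && (contains(inputs.version, '-') || contains(inputs.version, '+'))
        run: echo "Can't publish a prerelease version as a stable release. This is likely a bug in the calling workflow." && exit 1
      # Guard: the Go SDK may only be skipped for prereleases.
      - name: Validate skipGoSdk
        if: inputs.skipGoSdk && inputs.isPrerelease == false
        run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
      - name: Checkout Repo
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
        with:
          persist-credentials: false
      - id: esc-secrets
        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      - name: Setup mise
        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5  # v3
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
          version: 2025.11.6
          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
          cache_save: false
      - name: Create dist directory
        run: mkdir -p dist
      - name: Download provider assets
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
        with:
          pattern: pulumi-resource-incus-v${{ inputs.version }}-*
          path: dist
          # Don't create a directory for each artifact
          merge-multiple: true
      - name: Download schema
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53  # v6.0.0
        with:
          # Use a pattern to avoid failing if the artifact doesn't exist
          pattern: schema-embed.*
          # Avoid creating directories for each artifact
          merge-multiple: true
          path: dist
      - name: Calculate checksums
        working-directory: dist
        env:
          # The caller-supplied version reaches the shell as data through the
          # environment; a ${{ }} expression inside `run:` is substituted into
          # the script text before bash parses it.
          RELEASE_VERSION: ${{ inputs.version }}
        # shasum without -a produces SHA-1 digests.
        # NOTE(review): confirm what consumers of the checksums file expect
        # before moving to `-a 256`.
        run: shasum ./*.tar.gz > "pulumi-incus_${RELEASE_VERSION}_checksums.txt"
      # NOTE(review): in this copy of the file the script below is truncated
      # between `summary<` and `> "$GITHUB_OUTPUT"` (the multi-line output
      # block was lost). The last script line is kept exactly as found; restore
      # the body from the ci-mgmt template before relying on this step.
      - name: Get Schema Change Summary
        id: schema-summary
        shell: bash
        run: |
          # Get latest stable release. Return only first column from result (tag).
          LAST_VERSION=$(gh release view --repo kiterun/pulumi-incus --json tagName -q .tagName || echo "No stable release" )
          { echo 'summary<> "$GITHUB_OUTPUT"
      # The `if:` restricts this step to stable releases, so `prerelease` and
      # `draft` below always evaluate to false when it runs.
      - name: Create GH Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2
        if: inputs.isPrerelease == false
        with:
          tag_name: v${{ inputs.version }}
          prerelease: ${{ inputs.isPrerelease }}
          # We keep pre-releases as drafts so they're not visible until we manually publish them.
          draft: ${{ inputs.isPrerelease }}
          # Explicitly set make_latest to account for backported releases
          make_latest: ${{ inputs.setLatestRelease }}
          body: ${{ steps.schema-summary.outputs.summary }}
          generate_release_notes: true
          files: dist/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Publishes the language SDKs and pushes the Go SDK back to the repository.
  publish_sdk:
    name: publish_sdk
    needs: publish
    runs-on: ubuntu-latest
    outputs:
      python_version: ${{ steps.python_version.outputs.version }}
    steps:
      - name: Checkout Repo
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
        with:
          # Persist credentials so we can push back to the repo
          # NOTE(review): the token stays in the checkout's git config for
          # every later step of this job, third-party actions included.
          persist-credentials: true
      - id: esc-secrets
        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      - name: Setup mise
        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5  # v3
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
          version: 2025.11.6
          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
          # only saving the cache in the prerequisites job
          cache_save: false
      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f  # v6
        with:
          # we don't set node-version because we install with mise.
          # this step is needed to setup npm auth
          registry-url: https://registry.npmjs.org
      # NOTE(review): as written, both publish variants pass an sdk list that
      # excludes java, yet this first one still receives the Java signing and
      # OSSRH credentials. Confirm against the ci-mgmt template whether the
      # step needs them.
      - name: Publish SDKs
        if: inputs.skipJavaSdk == false
        uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a  # v0.0.23
        with:
          sdk: all,!java
          version: ${{ inputs.version }}
        env:
          PYPI_USERNAME: __token__
          PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
          NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
          SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
          SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
          SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
          PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
          PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
          NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
      - name: Publish SDKs (except Java)
        if: inputs.skipJavaSdk == true
        uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a  # v0.0.23
        with:
          sdk: all,!java,!java
          version: ${{ inputs.version }}
        env:
          PYPI_USERNAME: __token__
          PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
          NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
          SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
          SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
          SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
          NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
      - name: Download Go SDK
        uses: ./.github/actions/download-sdk
        with:
          language: go
      # NOTE(review): `@v1` is a mutable tag, unlike the commit-pinned actions
      # above, and this step runs in the job that keeps push credentials in
      # the checkout. Pin it to a full commit SHA in the ci-mgmt template.
      - uses: pulumi/publish-go-sdk-action@v1
        if: inputs.skipGoSdk == false
        with:
          repository: ${{ github.repository }}
          base-ref: ${{ github.sha }}
          source: sdk
          path: sdk
          version: ${{ inputs.version }}
          additive: false
          # Avoid including other language SDKs & artifacts in the commit
          files: |
            go.*
            go/**
            !*.tar.gz
      # Reads project.version from the generated pyproject.toml and exposes it
      # as this job's python_version output for verify_release.
      - name: Extract python version
        id: python_version
        working-directory: sdk/python
        run: |
          pip install toml-cli==0.7.0
          version=$(toml get --toml-path pyproject.toml project.version)
          echo "version=${version}" >> "$GITHUB_OUTPUT"

  clean_up_release_labels:
    name: Clean up release labels
    # Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
    # NOTE(review): no job named publish_go_sdk exists in this file; the job
    # actually depends on publish_sdk.
    if: inputs.isPrerelease == false
    needs: publish_sdk
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3  # v6.0.0
        with:
          persist-credentials: false
      - id: esc-secrets
        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      # NOTE(review): `@main` follows a branch, so the code that receives
      # GITHUB_TOKEN here can change without any change to this repository.
      # Pin it to a full commit SHA in the ci-mgmt template.
      - name: Clean up release labels
        uses: pulumi/action-release-by-pr-label@main
        with:
          command: "clean-up-release-labels"
          repo: ${{ github.repository }}
          commit: ${{ github.sha }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Calls the repository's own verify-release workflow with explicit token
  # permissions; `secrets: inherit` forwards every secret available to this
  # workflow to the called one.
  verify_release:
    name: verify_release
    needs: publish_sdk
    permissions:
      contents: write
      id-token: write
    uses: ./.github/workflows/verify-release.yml
    secrets: inherit
    with:
      providerVersion: ${{ inputs.version }}
      skipGoSdk: ${{ inputs.skipGoSdk }}
      pythonVersion: ${{ needs.publish_sdk.outputs.python_version }}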