# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt

name: "Build SDK"

on:
  workflow_call:
    inputs:
      version:
        required: true
        type: string

env:
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  TF_APPEND_USER_AGENT: pulumi
  PROVIDER_VERSION: ${{ inputs.version }}

jobs:
  build_sdk:
    name: build_sdk
    runs-on: ubuntu-latest
    strategy:
      # We normally fail fast unless this is a PR from Renovate in which case
      # we'll always build all SDKs in case there are any changes to commit.
      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
      matrix:
        language:
        - go
        - nodejs
    permissions:
      contents: write # For Renovate SDKs.
      id-token: write # For ESC secrets.
    steps:
      - name: Checkout Repo
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false      
      - id: esc-secrets
        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      - name: Cache examples generation
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: |
            .pulumi/examples-cache
          key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }}
      - name: Setup mise
        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
          version: 2025.11.6
          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
          # only saving the cache in the prerequisites job
          cache_save: false
      - name: Setup Go Cache
        if: matrix.language == 'go' || contains(matrix.language, 'go')
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
          cache-dependency-path: |
            provider/*.sum
            upstream/*.sum
            sdk/go/*.sum
            sdk/*.sum
            *.sum
      - name: Prepare local workspace
        run: make prepare_local_workspace
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Download prerequisites
        uses: ./.github/actions/download-prerequisites
      - name: Update path
        run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
      - name: Restore makefile progress
        run: make --touch provider schema
      - name: Build SDK
        run: make build_${{ matrix.language }}

      - name: Check worktree clean
        id: worktreeClean
        uses: pulumi/git-status-check-action@v1
        with:
          # Keep these in sync with the Renovate step below to avoid them getting checked in.
          allowed-changes: |
            sdk/**/pulumi-plugin.json
            sdk/dotnet/*.csproj
            sdk/go/**/pulumiUtilities.go
            sdk/nodejs/package.json
            sdk/python/pyproject.toml
            sdk/java/build.gradle
      - name: Commit ${{ matrix.language }} SDK changes for Renovate
        # If the worktree is dirty and this is a Renovate PR to bump
        # dependencies, commit the updated SDK and push it back to the PR. The
        # job will still be marked as a failure.
        if: failure() && steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request'
        shell: bash
        run: |
          git diff --quiet -- sdk && echo "no changes to sdk" && exit

          git config --global user.email "bot@pulumi.com"
          git config --global user.name "pulumi-bot"

          # Stash local changes and check out the PR's branch directly.
          git stash
          git fetch
          git checkout "origin/$HEAD_REF"

          # Apply and add our changes, but don't commit any files we expect to
          # always change due to versioning.
          git stash pop
          git add sdk
          git reset \
              sdk/python/*/pulumi-plugin.json \
              sdk/python/pyproject.toml \
              sdk/dotnet/pulumi-plugin.json \
              sdk/dotnet/Pulumi.*.csproj \
              sdk/go/*/pulumi-plugin.json \
              sdk/go/*/internal/pulumiUtilities.go \
              sdk/nodejs/package.json
          git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'

          # Push with pulumi-bot credentials to trigger a re-run of the
          # workflow. https://github.com/orgs/community/discussions/25702
          git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
              "HEAD:$HEAD_REF"
        env:
          # head_ref is untrusted so it's recommended to pass via env var to
          # avoid injections.
          HEAD_REF: ${{ github.head_ref }}

      - name: Upload SDK
        uses: ./.github/actions/upload-sdk
        with:
          language: ${{ matrix.language }}