kiterun/pulumi-incus
2
0
Fork 0
Code Issues Pull Requests Packages Releases Activity
Files
0419f548d26d65a8e88556095137241c432f893f
pulumi-incus/.github/workflows/publish.yml

237 lines
9.0 KiB
YAML
Raw Blame History

# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
name: Publish
on:
workflow_call:
inputs:
version:
required: true
type: string
setLatestRelease:
required: true
type: boolean
isPrerelease:
required: true
type: boolean
skipGoSdk:
default: false
type: boolean
description: Skip publishing & verifying the Go SDK
skipJavaSdk:
default: false
type: boolean
description: Skip publishing the Java SDK
env:
IS_PRERELEASE: ${{ inputs.isPrerelease }}
JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_API: https://api.pulumi-staging.io
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
TF_APPEND_USER_AGENT: pulumi
jobs:
publish:
name: publish
runs-on: ubuntu-latest
steps:
- name: Validate prerelease
if: inputs.isPrerelease == false && (contains(inputs.version, '-') || contains(inputs.version, '+'))
run: echo "Can't publish a prerelease version as a stable release. This is likely a bug in the calling workflow." && exit 1
- name: Validate skipGoSdk
if: inputs.skipGoSdk && inputs.isPrerelease == false
run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
- name: Checkout Repo
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
cache_save: false
- name: Create dist directory
run: mkdir -p dist
- name: Download provider assets
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
pattern: pulumi-resource-incus-v${{ inputs.version }}-*
path: dist
# Don't create a directory for each artifact
merge-multiple: true
- name: Download schema
uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
# Use a pattern to avoid failing if the artifact doesn't exist
pattern: schema-embed.*
# Avoid creating directories for each artifact
merge-multiple: true
path: dist
- name: Calculate checksums
working-directory: dist
run: shasum ./*.tar.gz > "pulumi-incus_${{ inputs.version }}_checksums.txt"
- name: Get Schema Change Summary
id: schema-summary
shell: bash
run: |
# Get latest stable release. Return only first column from result (tag).
LAST_VERSION=$(gh release view --repo kiterun/pulumi-incus --json tagName -q .tagName || echo "No stable release" )
{
echo 'summary<<EOF'
if [[ "$LAST_VERSION" != "No stable release" ]]; then
schema-tools compare --provider="incus" --old-commit="$LAST_VERSION" --repository="github://api.git.kalinow.ski/kiterun" --new-commit="--local-path=provider/cmd/pulumi-resource-incus/schema.json"
fi
echo 'EOF'
} >> "$GITHUB_OUTPUT"
- name: Create GH Release
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
if: inputs.isPrerelease == false
with:
tag_name: v${{ inputs.version }}
prerelease: ${{ inputs.isPrerelease }}
# We keep pre-releases as drafts so they're not visible until we manually publish them.
draft: ${{ inputs.isPrerelease }}
# Explicitly set make_latest to account for backported releases
make_latest: ${{ inputs.setLatestRelease }}
body: ${{ steps.schema-summary.outputs.summary }}
generate_release_notes: true
files: dist/*
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
publish_sdk:
name: publish_sdk
needs: publish
runs-on: ubuntu-latest
outputs:
python_version: ${{ steps.python_version.outputs.version }}
steps:
- name: Checkout Repo
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
# Persist credentials so we can push back to the repo
persist-credentials: true
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Setup mise
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
env:
MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
with:
version: 2025.11.6
github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
# only saving the cache in the prerequisites job
cache_save: false
- name: Setup Node
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
with:
# we don't set node-version because we install with mise.
# this step is needed to setup npm auth
registry-url: https://registry.npmjs.org
- name: Publish SDKs
if: inputs.skipJavaSdk == false
uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23
with:
sdk: all,!java
version: ${{ inputs.version }}
env:
PYPI_USERNAME: __token__
PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
- name: Publish SDKs (except Java)
if: inputs.skipJavaSdk == true
uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23
with:
sdk: all,!java,!java
version: ${{ inputs.version }}
env:
PYPI_USERNAME: __token__
PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
- name: Download Go SDK
uses: ./.github/actions/download-sdk
with:
language: go
- uses: pulumi/publish-go-sdk-action@v1
if: inputs.skipGoSdk == false
with:
repository: ${{ github.repository }}
base-ref: ${{ github.sha }}
source: sdk
path: sdk
version: ${{ inputs.version }}
additive: false
# Avoid including other language SDKs & artifacts in the commit
files: |
go.*
go/**
!*.tar.gz
- name: Extract python version
id: python_version
working-directory: sdk/python
run: |
pip install toml-cli==0.7.0
version=$(toml get --toml-path pyproject.toml project.version)
echo "version=${version}" >> "$GITHUB_OUTPUT"
clean_up_release_labels:
name: Clean up release labels
# Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
if: inputs.isPrerelease == false
needs: publish_sdk
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- id: esc-secrets
name: Map environment to ESC outputs
uses: ./.github/actions/esc-action
- name: Clean up release labels
uses: pulumi/action-release-by-pr-label@main
with:
command: "clean-up-release-labels"
repo: ${{ github.repository }}
commit: ${{ github.sha }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
verify_release:
name: verify_release
needs: publish_sdk
permissions:
contents: write
id-token: write
uses: ./.github/workflows/verify-release.yml
secrets: inherit
with:
providerVersion: ${{ inputs.version }}
skipGoSdk: ${{ inputs.skipGoSdk }}
pythonVersion: ${{ needs.publish_sdk.outputs.python_version }}
Reference in New Issue View Git Blame Copy Permalink