Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create dev release | |
| permissions: | |
| # To create a draft release | |
| contents: write | |
| # To sign artifacts. | |
| id-token: write | |
| on: | |
| workflow_call: | |
| inputs: | |
| version: | |
| required: true | |
| description: "Version to use for the release" | |
| type: string | |
| ref: | |
| required: true | |
| description: "GitHub ref to use" | |
| type: string | |
| project: | |
| required: true | |
| description: "Project name, e.g.: the repository name" | |
| type: string | |
| push: | |
| branches: | |
| - 'tg/release-dev-releases' | |
| jobs: | |
| gather-info: | |
| name: gather-info | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Git describe | |
| id: ghd | |
| uses: proudust/gh-describe@v1 | |
| outputs: | |
| describe: "${{ steps.ghd.outputs.describe }}" | |
| build-release: | |
| name: build-release | |
| needs: [gather-info] | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| os: ["linux", "darwin"] | |
| arch: ["amd64", "arm64"] | |
| build-platform: ["ubuntu-latest"] | |
| uses: ./.github/workflows/ci-build-binaries.yml | |
| with: | |
| ref: ${{ inputs.ref }} | |
| version: 3.94.1 #TODO | |
| dev-version: ${{ needs.gather-info.outputs.describe }} | |
| os: ${{ matrix.os }} | |
| arch: ${{ matrix.arch }} | |
| build-platform: ${{ matrix.build-platform }} | |
| version-set: v1.21.0 | |
| enable-coverage: false | |
| secrets: inherit | |
| # TODO: refactor use same thing as ci-prepare-release | |
| sign: | |
| name: sign | |
| runs-on: ubuntu-latest | |
| needs: [build-release] | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{ inputs.ref }} | |
| - name: Install b3sum | |
| uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0 | |
| with: | |
| crate: b3sum | |
| version: 1.3.0 | |
| - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
| - name: Download all artifacts | |
| uses: actions/download-artifact@v2 | |
| with: | |
| path: artifacts.tmp | |
| - name: Name artifacts | |
| run: | | |
| find ./artifacts.tmp | |
| - name: Flatten artifact directories | |
| run: | | |
| mkdir -p ./artifacts | |
| mv ./artifacts.tmp/artifacts-*/* ./artifacts | |
| - name: Create sums.tmp | |
| run: mkdir -p ./sums.tmp ./sigs.tmp | |
| # Each of these commands strips the ./ prefix to match existing (<=3.39) formatting. | |
| - name: Checksums with SHA256 | |
| working-directory: artifacts | |
| env: | |
| version: ${{ inputs.version }} | |
| run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt" | |
| - name: Checksums with BLAKE3 | |
| working-directory: artifacts | |
| run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS | |
| - name: Checksums with SHA512 | |
| working-directory: artifacts | |
| run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS | |
| - name: Sign binaries and checksums | |
| shell: bash | |
| env: | |
| version: ${{ inputs.version }} | |
| run: | | |
| ls -la | |
| # Sign all artifacts and checksums: | |
| for dir in "artifacts" "sums.tmp"; do | |
| pushd "$dir" | |
| for file in ./*; do | |
| echo "$file" | |
| COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes \ | |
| --bundle="../sigs.tmp/${file}".sig \ | |
| "${file}" | |
| done | |
| popd | |
| done | |
| # flatten to a single directory to upload: | |
| mv sums.tmp/* sigs.tmp | |
| - name: Check directories | |
| run: | | |
| find ./artifacts | |
| find ./sigs.tmp | |
| - uses: actions/upload-artifact@v2 | |
| with: | |
| name: artifacts | |
| retention-days: 1 | |
| path: | | |
| sigs.tmp/* | |
| artifacts/* | |
| if-no-files-found: error | |
| s3-blobs: | |
| name: s3 blobs | |
| runs-on: ubuntu-latest | |
| needs: [sign] | |
| steps: | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-region: us-east-2 | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| role-duration-seconds: 3600 | |
| role-external-id: upload-pulumi-release | |
| role-session-name: pulumi@githubActions | |
| role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} | |
| - name: Make artifacts directory | |
| run: | | |
| mkdir -p artifacts.tmp | |
| - name: Download artifacts from previous step | |
| uses: actions/download-artifact@v2 | |
| with: | |
| path: artifacts.tmp | |
| - name: Flatten artifact directories | |
| run: | | |
| mkdir -p ./artifacts | |
| mv ./artifacts.tmp/artifacts-*/* ./artifacts | |
| - name: Flatten signatures directories | |
| run: | | |
| mv ./artifacts.tmp/sigs-*/* ./artifacts | |
| - name: Find artifacts | |
| run: | | |
| find artifacts | |
| - name: Rename artifacts | |
| run: | | |
| #TODO | |
| ls | |
| # ( | |
| # cd artifacts | |
| # for file in *.sig ; do | |
| # mv -vT "$file" "pulumi-$file" | |
| # done | |
| # ) | |
| # - name: Download release artifacts | |
| # run: | | |
| # mkdir -p artifacts | |
| # gh release download "v${PULUMI_VERSION}" --dir ./artifacts --pattern 'pulumi-*' | |
| # find artifacts | |
| # - name: Publish Blobs | |
| # run: | | |
| # aws s3 sync artifacts s3://get.pulumi.com/releases/sdk --acl public-read | |
| # publish: | |
| # name: release | |
| # needs: [sign] | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - uses: actions/checkout@v3 | |
| # with: | |
| # ref: ${{ inputs.ref }} | |
| # - name: Get commit hash | |
| # id: commit-info | |
| # run: | | |
| # SHA=$(git rev-parse HEAD) | |
| # ./.github/scripts/set-output sha "$SHA" | |
| # - name: Download all artifacts | |
| # uses: actions/download-artifact@v2 | |
| # with: | |
| # path: artifacts.tmp | |
| # - name: Rename SDKs | |
| # # This step must match the rename SDKs step in the "sign" job above. | |
| # run: | | |
| # ( | |
| # cd artifacts.tmp/artifacts-python-sdk | |
| # for file in *.whl ; do | |
| # mv -vT "$file" "sdk-python-$file" | |
| # done | |
| # ) | |
| # ( | |
| # cd artifacts.tmp/artifacts-nodejs-sdk | |
| # for file in *.tgz ; do | |
| # mv -vT "$file" "sdk-nodejs-$file" | |
| # done | |
| # ) | |
| # - name: Flatten artifact directories | |
| # run: | | |
| # mkdir -p ./artifacts | |
| # mv ./artifacts.tmp/artifacts-*/* ./artifacts | |
| # - uses: ncipollo/release-action@3d2de22e3d0beab188d8129c27f103d8e91bf13a | |
| # with: | |
| # token: ${{ secrets.PULUMI_BOT_TOKEN }} | |
| # name: v${{ inputs.version }} | |
| # tag: v${{ inputs.version }} | |
| # commit: "${{ fromJSON(steps.commit-info.outputs.sha) }}" | |
| # draft: ${{ inputs.draft }} | |
| # prerelease: ${{ inputs.prerelease }} | |
| # allowUpdates: true | |
| # body: | | |
| # ${{ inputs.release-notes }} | |
| # removeArtifacts: true | |
| # replacesArtifacts: true | |
| # artifactErrorsFailBuild: true | |
| # artifacts: | | |
| # artifacts/* |