docs(pulumi): changelog for v2.22.8-pulumi.beta #14
Workflow file for this run
---
name: Pulumi Release

on:
  push:
    tags:
      # Release tags for the Pulumi bridge are SemVer with a
      # "-pulumi[.suffix]" prerelease identifier (e.g. v2.22.3-pulumi.alpha).
      # That stays valid SemVer for GoReleaser OSS and cannot be confused with
      # the TF provider's own tags ("v2.22.3").
      #
      # The provider binary and the Python wheel take their version from this
      # tag. The Pulumi Go SDK does not: it is versioned on its own (major v0,
      # see pulumi/sdk/go/VERSION) and the tag_go_sdk job derives
      # sdk/go/v{VERSION}-pulumi[.suffix] from it.
      - 'v*-pulumi*'

# Workflow-wide GITHUB_TOKEN scopes. Any job without its own `permissions:`
# block inherits both, and a called reusable workflow can be granted no more
# than this.
# NOTE(review): in this file only release_provider's keyless Cosign step uses
# the OIDC token (id-token: write); what pulumi-prerequisites.yml needs is not
# visible from here — confirm before narrowing these defaults.
permissions:
  contents: write
  id-token: write

concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  # A release must run to completion: cancelling part-way would leave the
  # GitHub Release inconsistent (binaries without signatures, tags without
  # wheels, etc.).
  cancel-in-progress: false

jobs:
| prerequisites: | |
| name: Prerequisites | |
| uses: ./.github/workflows/pulumi-prerequisites.yml | |
| changelog_preflight: | |
| name: CHANGELOG Preflight | |
| needs: prerequisites | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Ensure CHANGELOG entry exists for tag | |
| # Fails the release if pulumi/CHANGELOG.md has no header/line | |
| # mentioning the tag — forces an explicit changelog update before | |
| # every tag push. | |
| run: | | |
| if ! grep -q "${GITHUB_REF_NAME}" pulumi/CHANGELOG.md; then | |
| echo "::error::No CHANGELOG entry for ${GITHUB_REF_NAME} in pulumi/CHANGELOG.md" | |
| exit 1 | |
| fi | |
| release_provider: | |
| name: Release Provider | |
| needs: [prerequisites, changelog_preflight] | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| # Full history required so goreleaser's github-native changelog | |
| # can walk commits since the previous tag. | |
| fetch-depth: 0 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: pulumi/provider/go.mod | |
| cache: true | |
| - name: Download schema artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: "schema*" | |
| path: pulumi/provider/cmd/pulumi-resource-mica/ | |
| merge-multiple: true | |
| - name: Download bridge-metadata artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: bridge-metadata | |
| path: pulumi/provider/cmd/pulumi-resource-mica/ | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| version: "~> v2" | |
| # workdir=pulumi so `dir: provider` in the config resolves to | |
| # pulumi/provider. Goreleaser writes artifacts to pulumi/dist/. | |
| workdir: pulumi | |
| args: release --clean --config .goreleaser.pulumi.yml | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sign checksums with Cosign (keyless) | |
| working-directory: pulumi | |
| run: | | |
| VERSION="${GITHUB_REF_NAME#v}" | |
| cosign sign-blob --yes \ | |
| --output-signature "dist/pulumi-resource-mica_${VERSION}_SHA256SUMS.sig" \ | |
| --output-certificate "dist/pulumi-resource-mica_${VERSION}_SHA256SUMS.pem" \ | |
| "dist/pulumi-resource-mica_${VERSION}_SHA256SUMS" | |
| - name: Upload signatures to release | |
| working-directory: pulumi | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| VERSION="${GITHUB_REF_NAME#v}" | |
| gh release upload "${GITHUB_REF_NAME}" \ | |
| "dist/pulumi-resource-mica_${VERSION}_SHA256SUMS.sig" \ | |
| "dist/pulumi-resource-mica_${VERSION}_SHA256SUMS.pem" \ | |
| --clobber | |
| release_python_sdk: | |
| name: Release Python SDK | |
| # Depend on release_provider so the GitHub release exists before we upload the wheel. | |
| needs: release_provider | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: pulumi/provider/go.mod | |
| cache: true | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Download schema artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: "schema*" | |
| path: pulumi/provider/cmd/pulumi-resource-mica/ | |
| merge-multiple: true | |
| - name: Download bridge-metadata artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: bridge-metadata | |
| path: pulumi/provider/cmd/pulumi-resource-mica/ | |
| # SKIP_TFGEN=1 + _from_schema: Python codegen + wheel build in one step | |
| # using the downloaded schema. Drops the old "Generate Python SDK" | |
| # step — its work is now a Make prereq of test_python_sdk_from_schema. | |
| - name: Build Python wheel (schema pre-fetched) | |
| working-directory: pulumi | |
| run: make SKIP_TFGEN=1 test_python_sdk_from_schema | |
| - name: Upload wheel to release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Asserts exactly one wheel is present — `ls | head -n1` would | |
| # silently pick the first of many on a dirty workspace. | |
| run: | | |
| shopt -s nullglob | |
| wheels=(pulumi/sdk/python/dist/pulumi_mica-*.whl) | |
| if [ ${#wheels[@]} -eq 0 ]; then | |
| echo "::error::No wheel matched pulumi/sdk/python/dist/pulumi_mica-*.whl" | |
| exit 1 | |
| fi | |
| if [ ${#wheels[@]} -gt 1 ]; then | |
| echo "::error::Multiple wheels found — expected exactly 1:" | |
| printf ' %s\n' "${wheels[@]}" | |
| exit 1 | |
| fi | |
| gh release upload "${GITHUB_REF_NAME}" "${wheels[0]}" --clobber | |
| tag_go_sdk: | |
| name: Tag Go SDK | |
| needs: release_provider | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Configure git identity | |
| # Annotated tags embed committer info. Use the standard | |
| # github-actions[bot] identity so the tag is attributable to the | |
| # workflow that created it. | |
| run: | | |
| git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git config user.name "github-actions[bot]" | |
| - name: Push Go SDK tag | |
| run: | | |
| # Go SDK is versioned independently from the provider (major v0 for | |
| # now — the module path has no /v2 suffix, so Go's semantic import | |
| # versioning rejects tags at v2+). The SDK version lives in | |
| # pulumi/sdk/go/VERSION; the release tag contributes only the | |
| # "-pulumi[.suffix]" prerelease portion, so: | |
| # VERSION=0.1.0 + tag v2.22.3-pulumi.alpha -> sdk/go/v0.1.0-pulumi.alpha | |
| # VERSION=0.1.0 + tag v2.22.3-pulumi -> sdk/go/v0.1.0-pulumi | |
| SDK_VERSION="$(tr -d '[:space:]' < pulumi/sdk/go/VERSION)" | |
| if ! [[ "${SDK_VERSION}" =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then | |
| echo "::error::pulumi/sdk/go/VERSION must be MAJOR.MINOR.PATCH, got: ${SDK_VERSION}" | |
| exit 1 | |
| fi | |
| if [ "${BASH_REMATCH[1]}" != "0" ]; then | |
| echo "::error::SDK MAJOR must be 0 (module path has no /vN suffix), got: ${SDK_VERSION}" | |
| exit 1 | |
| fi | |
| # SUFFIX = everything after "-pulumi" in the release tag. | |
| # v2.22.3-pulumi.alpha -> ".alpha" | |
| # v2.22.3-pulumi -> "" | |
| SUFFIX="${GITHUB_REF_NAME#*-pulumi}" | |
| GO_TAG="sdk/go/v${SDK_VERSION}-pulumi${SUFFIX}" | |
| echo "Go SDK tag: ${GO_TAG}" | |
| if git ls-remote --tags origin "refs/tags/${GO_TAG}" | grep -q .; then | |
| echo "Tag ${GO_TAG} already exists on remote — skipping (idempotent rerun)" | |
| exit 0 | |
| fi | |
| git tag -a "${GO_TAG}" "${GITHUB_SHA}" -m "Pulumi Go SDK ${GO_TAG#sdk/go/}" | |
| git push origin "${GO_TAG}" |