Tag Release Workflow #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Tag Release Workflow | |
| on: | |
| push: | |
| tags: | |
| - '*' # Trigger on any tag push. | |
| workflow_dispatch: # Allows manual triggering of the workflow | |
| jobs: | |
| distribute-release: | |
| permissions: | |
| id-token: write | |
| contents: read | |
| runs-on: ubuntu-latest | |
| ### Set variables for the given component. | |
| ### See https://github.com/pulumi-pequod/pequod-policies/shared-github-actions/action.yml for the full list of supported inputs. | |
| env: | |
| # Need to manage the list of component types that this component repo provides. | |
| # FUTURE HOPE: Deduce this by parsing the component code or, better yet, be able to get this | |
| # via a Pulumi Cloud API after publishing. | |
| COMPONENT_TYPES: '["cloudfront-s3-cdk:index:CloudFrontS3"]' | |
| PULUMI_ORG: 'pequod' # The Pulumi organization to publish the component to. | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} # Checkout the specific tag that triggered the workflow | |
| fetch-depth: 0 # Ensures the build matches the git tag. | |
| - name: Authenticate to Pulumi | |
| uses: pulumi/auth-actions@v1 | |
| with: | |
| organization: ${{ env.PULUMI_ORG }} | |
| requested-token-type: urn:pulumi:token-type:access_token:organization | |
| scope: admin | |
| # Determine the version to use - either the triggered tag or latest tag for manual runs | |
| - name: Determine Component Version | |
| id: version | |
| run: | | |
| if [[ "${{ github.event_name }}" == "push" ]]; then | |
| # For tag pushes, use the tag that triggered the workflow | |
| VERSION="${{ github.ref_name }}" | |
| echo "Using triggered tag: $VERSION" | |
| else | |
| # For manual runs, get the latest tag | |
| VERSION=$(git tag --sort=-version:refname | head -1) | |
| echo "Manual run: Using latest tag: $VERSION" | |
| fi | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| # Publish if this is a tag push. | |
| - name: Publish Component to Pulumi Org | |
| if: github.event_name == 'push' | |
| run: | | |
| echo "Publishing latest component version to the ${{ env.PULUMI_ORG }} Pulumi org." | |
| pulumi package publish https://github.com/${{ github.repository }} --publisher ${{ env.PULUMI_ORG }} | |
| # Update the policy config with the new component version regardless of if this is | |
| # a triggered or manual run. | |
| # Uses composite action in the pequod-policies repository to update the policy config. | |
| - name: Update Policy Config | |
| uses: pulumi-pequod/pequod-policies/shared-github-actions/component-version-policy-config@main | |
| with: | |
| pulumi_org: ${{ env.PULUMI_ORG }} | |
| component_types: ${{ env.COMPONENT_TYPES }} | |
| component_version: ${{ steps.version.outputs.version }} | |