Update module github.com/pulumi/pulumi/pkg/v3 to v3.215.0 #1670
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| permissions: write-all # Equivalent to default permissions plus id-token: write | |
| name: CI Build | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| pulumi_version: | |
| description: The version of Pulumi to use to build the Docker images. Full semver, e.g. "3.18.1". | |
| type: string | |
| repository_dispatch: | |
| types: | |
| - ci-build | |
| pull_request: | |
| paths-ignore: | |
| - "CONTRIBUTING.md" | |
| - "LICENSE" | |
| - "README.md" | |
| # "Push" is a somewhat unintuitive name - the event will fire after a PR is | |
| # merged to the main branch. | |
| push: | |
| branches: | |
| - "main" | |
| concurrency: | |
| # Use github.run_id on main branch | |
| # Use github.event.pull_request.number on pull requests, so it's unique per pull request | |
| # Use github.ref on other branches, so it's unique per branch | |
| group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.run_id || github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| # The organization in the Pulumi SaaS service against which the integration | |
| # tests will run: | |
| PULUMI_ORG: "pulumi-test" | |
| DOCKER_ORG: pulumi | |
| PULUMI_VERSION: ${{ github.event.inputs.pulumi_version || github.event.client_payload.ref }} | |
| # Do not depend on C library for the tests. | |
| CGO_ENABLED: "0" | |
| AWS_REGION: "us-west-2" | |
| # GCP | |
| GCP_SERVICE_ACCOUNT_EMAIL: "[email protected]" | |
| GCP_PROJECT_NAME: "pulumi-ci-gcp-provider" | |
| GCP_PROJECT_NUMBER: "895284651812" | |
| GCP_WORKLOAD_IDENTITY_POOL: "pulumi-ci" | |
| GCP_WORKLOAD_IDENTITY_PROVIDER: "pulumi-ci" | |
| GCP_REGION: "us-central1" | |
| GCP_ZONE: "us-central1-a" | |
| ESC_ACTION_OIDC_AUTH: true | |
| ESC_ACTION_OIDC_ORGANIZATION: pulumi | |
| ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization | |
| ESC_ACTION_ENVIRONMENT: imports/github-secrets | |
| ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: GITHUB_TOKEN=PULUMI_BOT_TOKEN,PULUMI_ACCESS_TOKEN,ARM_CLIENT_ID,ARM_CLIENT_SECRET,ARM_TENANT_ID,ARM_SUBSCRIPTION_ID | |
| # Automatically set labels like org.opencontainers.image.source on the docker images | |
| # https://docs.docker.com/build/building/variables/#buildx_git_labels | |
| BUILDX_GIT_LABELS: full | |
| jobs: | |
| comment-notification: | |
| if: github.event_name == 'repository_dispatch' && github.event.client_payload.github.payload.issue.number | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - name: Create URL to the run output | |
| id: vars | |
| run: echo run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID >> "$GITHUB_OUTPUT" | |
| - name: Update with Result | |
| uses: peter-evans/create-or-update-comment@a35cf36e5301d70b76f316e867e7788a55a31dae # v1 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| repository: ${{ github.event.client_payload.github.payload.repository.full_name }} | |
| issue-number: ${{ github.event.client_payload.github.payload.issue.number }} | |
| body: | | |
| Please view the results of the Downstream Containers Tests [Here][1] | |
| [1]: ${{ steps.vars.outputs.run-url }} | |
| kitchen-sink: | |
| name: All SDKs image | |
| strategy: | |
| matrix: | |
| arch: ["arm64", "amd64"] | |
| variant: ["", "-nonroot"] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-24.04 | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| runs-on: ${{ matrix.runner }} | |
| permissions: | |
| id-token: write | |
| steps: | |
| # If no version of Pulumi is supplied by the incoming event (e.g. in the | |
| # case of a PR or merge to main), we use the latest production version: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - name: Set version to latest | |
| if: ${{ !env.PULUMI_VERSION }} | |
| run: | | |
| echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV | |
| - uses: actions/checkout@master | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| tool-cache: false | |
| - name: Setup docker buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 | |
| with: | |
| install: true | |
| - name: Build ${{ env.PULUMI_VERSION }}${{ matrix.variant }}-${{ matrix.arch }} | |
| run: | | |
| docker build \ | |
| -f docker/pulumi/Dockerfile \ | |
| --platform linux/${{ matrix.arch }} \ | |
| -t ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.variant }}-${{ matrix.arch }} \ | |
| --target $(if [ "${{ matrix.variant }}" = "-nonroot" ]; then echo "nonroot"; else echo "base"; fi) \ | |
| --build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \ | |
| --load \ | |
| docker/pulumi | |
| - name: Image Info | |
| run: | | |
| docker image ls ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.variant }}-${{ matrix.arch }} | |
| docker history ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.variant }}-${{ matrix.arch }} | |
| - name: Install go | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 | |
| with: | |
| go-version: "1.22" | |
| cache-dependency-path: tests/go.sum | |
| - name: Compile tests | |
| working-directory: tests | |
| run: | | |
| GOOS=linux GOARCH=${{ matrix.arch }} go test -c -o /tmp/pulumi-test-containers ./... | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-duration-seconds: 14400 # 4 hours | |
| role-session-name: pulumi-docker-containers@githubActions | |
| role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }} | |
| - name: Authenticate with Google Cloud | |
| uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 | |
| with: | |
| service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }} | |
| workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL }}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f" # v2 | |
| - name: Tests | |
| # Note we use /src/pulumi-test-containers as entrypoint and not bash to avoid bash | |
| # changing the environment in some way. | |
| run: | | |
| set -exo pipefail | |
| chmod o+r $GOOGLE_APPLICATION_CREDENTIALS | |
| docker run \ | |
| -e RUN_CONTAINER_TESTS=true \ | |
| -e IMAGE_VARIANT=pulumi${{ matrix.variant }} \ | |
| -e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \ | |
| -e PULUMI_ORG=${PULUMI_ORG} \ | |
| -e ARM_CLIENT_ID=${ARM_CLIENT_ID} \ | |
| -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ | |
| -e ARM_TENANT_ID=${ARM_TENANT_ID} \ | |
| -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ | |
| -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ | |
| -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ | |
| -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ | |
| -e AWS_REGION=${AWS_REGION} \ | |
| -e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \ | |
| -e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \ | |
| -e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \ | |
| --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \ | |
| --volume /tmp:/src \ | |
| --entrypoint /src/pulumi-test-containers \ | |
| ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}${{ matrix.variant }}-${{ matrix.arch }} \ | |
| -test.parallel=8 -test.timeout=1h -test.v | |
| provider-build-environment: | |
| name: Provider Build Environment image | |
| strategy: | |
| matrix: | |
| arch: ["arm64", "amd64"] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-24.04 | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| runs-on: ${{ matrix.runner }} | |
| permissions: | |
| id-token: write | |
| steps: | |
| # If no version of Pulumi is supplied by the incoming event (e.g. in the | |
| # case of a PR or merge to main), we use the latest production version: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - name: Set version to latest | |
| if: ${{ !env.PULUMI_VERSION }} | |
| run: | | |
| echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV | |
| - uses: actions/checkout@master | |
| - name: Free Disk Space (Ubuntu) | |
| uses: jlumbroso/free-disk-space@main | |
| with: | |
| tool-cache: false | |
| - name: Setup docker buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 | |
| with: | |
| install: true | |
| - name: Build | |
| run: | | |
| docker build \ | |
| -f docker/pulumi/Dockerfile \ | |
| --platform linux/${{ matrix.arch }} \ | |
| -t ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-${{ matrix.arch }} \ | |
| --target build-environment \ | |
| --build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \ | |
| --load \ | |
| docker/pulumi | |
| - name: Image Info | |
| run: | | |
| docker image ls ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-${{ matrix.arch }} | |
| docker history ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-${{ matrix.arch }} | |
| - name: Install go | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 | |
| with: | |
| go-version: "1.22" | |
| cache-dependency-path: tests/go.sum | |
| - name: Compile tests | |
| working-directory: tests | |
| run: | | |
| GOOS=linux GOARCH=${{ matrix.arch }} go test -c -o /tmp/pulumi-test-containers ./... | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-duration-seconds: 14400 # 4 hours | |
| role-session-name: pulumi-docker-containers@githubActions | |
| role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }} | |
| - name: Authenticate with Google Cloud | |
| uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 | |
| with: | |
| service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }} | |
| workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL }}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f" # v2 | |
| - name: Tests | |
| run: | | |
| docker run \ | |
| -e RUN_CONTAINER_TESTS=true \ | |
| -e IMAGE_VARIANT=pulumi \ | |
| -e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \ | |
| -e PULUMI_ORG=${PULUMI_ORG} \ | |
| -e ARM_CLIENT_ID=${ARM_CLIENT_ID} \ | |
| -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ | |
| -e ARM_TENANT_ID=${ARM_TENANT_ID} \ | |
| -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ | |
| -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ | |
| -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ | |
| -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ | |
| -e AWS_REGION=${AWS_REGION} \ | |
| -e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \ | |
| -e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \ | |
| -e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \ | |
| --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \ | |
| --volume /tmp:/src \ | |
| --entrypoint /src/pulumi-test-containers \ | |
| ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-${{ matrix.arch }} \ | |
| -test.parallel=8 -test.timeout=1h -test.v | |
| base: | |
| name: Base image | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: ["debian", "ubi"] | |
| steps: | |
| # If no version of Pulumi is supplied by the incoming event (e.g. in the | |
| # case of a PR or merge to main), we use the latest production version: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - name: Set version to latest | |
| if: ${{ !env.PULUMI_VERSION }} | |
| run: | | |
| echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV | |
| - uses: actions/checkout@master | |
| - name: Setup docker buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 | |
| with: | |
| install: true | |
| - name: Build | |
| run: | | |
| docker build \ | |
| -f docker/base/Dockerfile.${{ matrix.os }} \ | |
| --platform linux/arm64,linux/amd64 \ | |
| . \ | |
| -t ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }} \ | |
| --build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \ | |
| define-matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.define-matrix.outputs.matrix }} | |
| steps: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - uses: actions/checkout@master | |
| - name: Define Matrix | |
| id: define-matrix | |
| run: | | |
| echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT" | |
| debian-sdk: | |
| name: Debian SDK images | |
| needs: define-matrix | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJSON(needs.define-matrix.outputs.matrix) }} | |
| runs-on: ${{ matrix.runner }} | |
| permissions: | |
| id-token: write | |
| steps: | |
| # If no version of Pulumi is supplied by the incoming event (e.g. in the | |
| # case of a PR or merge to main), we use the latest production version: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - name: Set version to latest | |
| if: ${{ !env.PULUMI_VERSION }} | |
| run: | | |
| echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV | |
| - name: Set image name | |
| run: | | |
| echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }}" >> $GITHUB_ENV | |
| - uses: actions/checkout@master | |
| - name: Setup docker buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 | |
| with: | |
| install: true | |
| - name: Build | |
| run: | | |
| docker build \ | |
| -f docker/${{ matrix.sdk }}/Dockerfile.debian \ | |
| --platform linux/${{ matrix.arch }} \ | |
| -t ${{ env.IMAGE_NAME }} \ | |
| --build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \ | |
| --build-arg LANGUAGE_VERSION=${{ matrix.language_version }} \ | |
| docker/${{ matrix.sdk }} \ | |
| --load | |
| - name: Image Info | |
| run: | | |
| docker image ls ${{ env.IMAGE_NAME }} | |
| docker history ${{ env.IMAGE_NAME }} | |
| - name: Install go | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 | |
| with: | |
| go-version: "1.22" | |
| cache-dependency-path: tests/go.sum | |
| - name: Compile tests | |
| working-directory: tests | |
| run: | | |
| GOOS=linux GOARCH=${{ matrix.arch }} go test -c -o /tmp/pulumi-test-containers ./... | |
| - name: Set SDKS_TO_TEST (dotnet) | |
| if: ${{ matrix.sdk == 'dotnet' }} | |
| run: echo "SDKS_TO_TEST=csharp" >> $GITHUB_ENV | |
| - name: Set SDKS_TO_TEST (nodejs) | |
| if: ${{ matrix.sdk == 'nodejs' }} | |
| run: echo "SDKS_TO_TEST=typescript" >> $GITHUB_ENV | |
| - name: Set SDKS_TO_TEST (default) | |
| if: ${{ matrix.sdk != 'dotnet' && matrix.sdk != 'nodejs' }} | |
| run: echo "SDKS_TO_TEST=${{ matrix.sdk}}" >> $GITHUB_ENV | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-duration-seconds: 14400 # 4 hours | |
| role-session-name: pulumi-docker-containers@githubActions | |
| role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }} | |
| - name: Authenticate with Google Cloud | |
| uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 | |
| with: | |
| service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }} | |
| workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL }}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f" # v2 | |
| - name: Tests | |
| run: | | |
| docker run \ | |
| -e RUN_CONTAINER_TESTS=true \ | |
| -e IMAGE_VARIANT=pulumi-debian-${{ matrix.sdk }} \ | |
| -e LANGUAGE_VERSION=${{ matrix.language_version }} \ | |
| -e SDKS_TO_TEST=${SDKS_TO_TEST} \ | |
| -e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \ | |
| -e PULUMI_ORG=${PULUMI_ORG} \ | |
| -e ARM_CLIENT_ID=${ARM_CLIENT_ID} \ | |
| -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ | |
| -e ARM_TENANT_ID=${ARM_TENANT_ID} \ | |
| -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ | |
| -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ | |
| -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ | |
| -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ | |
| -e AWS_REGION=${AWS_REGION} \ | |
| -e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \ | |
| -e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \ | |
| -e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \ | |
| --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \ | |
| --volume /tmp:/src \ | |
| --entrypoint /src/pulumi-test-containers \ | |
| --platform ${{ matrix.arch }} \ | |
| ${{ env.IMAGE_NAME }} \ | |
| -test.parallel=8 -test.timeout=1h -test.v -test.run "TestPulumiTemplateTests|TestEnvironment" | |
| define-ubi-matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.define-matrix-sdk-manifests.outputs.matrix }} | |
| steps: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - uses: actions/checkout@master | |
| - name: Define Matrix for UBI SDK Manifests | |
| id: define-matrix-sdk-manifests | |
| run: | | |
| echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py --no-arch) >> "$GITHUB_OUTPUT" | |
| ubi-sdk: | |
| name: UBI SDK images | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| needs: define-ubi-matrix | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJSON(needs.define-ubi-matrix.outputs.matrix) }} | |
| steps: | |
| # If no version of Pulumi is supplied by the incoming event (e.g. in the | |
| # case of a PR or merge to main), we use the latest production version: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - name: Set version to latest | |
| if: ${{ !env.PULUMI_VERSION }} | |
| run: | | |
| echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV | |
| - name: Set image name | |
| run: | | |
| echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-ubi" >> $GITHUB_ENV | |
| - uses: actions/checkout@master | |
| - name: Setup docker buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 | |
| with: | |
| install: true | |
| - name: Build | |
| # We only build UBI for amd64 due to arm64 builds hanging on `npm | |
| # install -g yarn` with no additional output, plus the apparent | |
| # requirement of a paid subscription in order to file a bug with RedHat. | |
| run: | | |
| docker build \ | |
| -f docker/${{ matrix.sdk }}/Dockerfile.ubi \ | |
| --platform linux/amd64 \ | |
| -t ${{ env.IMAGE_NAME }} \ | |
| --build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \ | |
| --build-arg LANGUAGE_VERSION=${{ matrix.language_version }} \ | |
| docker/${{ matrix.sdk }} \ | |
| --load | |
| - name: Image Info | |
| run: | | |
| docker image ls ${{ env.IMAGE_NAME }} | |
| docker history ${{ env.IMAGE_NAME }} | |
| - name: Install go | |
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 | |
| with: | |
| go-version: "1.22" | |
| cache-dependency-path: tests/go.sum | |
| - name: Compile tests | |
| working-directory: tests | |
| run: | | |
| GOOS=linux GOARCH=amd64 go test -c -o /tmp/pulumi-test-containers ./... | |
| - name: Set SDKS_TO_TEST (dotnet) | |
| if: ${{ matrix.sdk == 'dotnet' }} | |
| run: echo "SDKS_TO_TEST=csharp" >> $GITHUB_ENV | |
| - name: Set SDKS_TO_TEST (nodejs) | |
| if: ${{ matrix.sdk == 'nodejs' }} | |
| run: echo "SDKS_TO_TEST=typescript" >> $GITHUB_ENV | |
| - name: Set SDKS_TO_TEST (default) | |
| if: ${{ matrix.sdk != 'dotnet' && matrix.sdk != 'nodejs' }} | |
| run: echo "SDKS_TO_TEST=${{ matrix.sdk}}" >> $GITHUB_ENV | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| role-duration-seconds: 14400 # 4 hours | |
| role-session-name: pulumi-docker-containers@githubActions | |
| role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }} | |
| - name: Authenticate with Google Cloud | |
| uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2 | |
| with: | |
| service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }} | |
| workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL }}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }} | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f" # v2 | |
| - name: Tests | |
| run: | | |
| docker run \ | |
| -e RUN_CONTAINER_TESTS=true \ | |
| -e IMAGE_VARIANT=pulumi-ubi-${{ matrix.sdk }} \ | |
| -e LANGUAGE_VERSION=${{ matrix.language_version }} \ | |
| -e SDKS_TO_TEST=${SDKS_TO_TEST} \ | |
| -e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \ | |
| -e PULUMI_ORG=${PULUMI_ORG} \ | |
| -e ARM_CLIENT_ID=${ARM_CLIENT_ID} \ | |
| -e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \ | |
| -e ARM_TENANT_ID=${ARM_TENANT_ID} \ | |
| -e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \ | |
| -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ | |
| -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ | |
| -e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \ | |
| -e AWS_REGION=${AWS_REGION} \ | |
| -e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \ | |
| -e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \ | |
| -e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \ | |
| --mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \ | |
| --volume /tmp:/src \ | |
| --entrypoint /src/pulumi-test-containers \ | |
| ${{ env.IMAGE_NAME }} \ | |
| -test.parallel=8 -test.timeout=1h -test.v -test.run "TestPulumiTemplateTests|TestEnvironment" | |
| ci-ok: | |
| name: ci-ok | |
| needs: [kitchen-sink, provider-build-environment, base, debian-sdk, ubi-sdk] | |
| if: always() | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Fetch secrets from ESC | |
| id: esc-secrets | |
| uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1 | |
| - name: CI succeeded | |
| run: | | |
| if [[ "${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}" == "true" ]]; then | |
| exit 1 | |
| fi | |
| exit 0 |