feat: Download CLI if preinstalled version is known bad (#956)

Sometimes a release of the CLI contains a bug that is bad enough that we'd prefer users avoid using that version, to avoid the issue. For example, a bug that could cause stack corruption. We'd like to have a holistic way to "taint" a bad release, but in the meantime, one tactical change is to have the action prefer downloading a more recent version of the CLI if the version that is preinstalled has known issues. For now, the list is hardcoded, but in the future it could be stored in a centralized location that the action could check.
pulumi · Jun 4, 2023 · 668a21e · 668a21e
1 parent 8b366c4
commit 668a21e
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 2 deletions.
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -48,6 +48,35 @@ jobs:
     outputs:
       changed: ${{ steps.changes.outputs.dist }}
 
+  test-install-only-without-removal-of-pre-installed-pulumi:
+    needs: install-and-build
+    if:
+      ${{ needs.install-and-build.outputs.changed == 'true' || github.event_name
+      == 'workflow_dispatch' }}
+    runs-on: ${{ matrix.os }}
+    name: Install-only without removal of pre-installed Pulumi on ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Download dist artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: dist
+          path: dist
+
+      # If no action is specified, just install.
+      - uses: ./
+        env:
+          PULUMI_CONFIG_PASSPHRASE: not-a-secret
+        with:
+          config-map: '{name: {value: my-pet, secret: false}}'
+
+      - run: pulumi version
+
   test-install-only:
     needs: install-and-build
     if:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## HEAD (Unreleased)
 
+- feat: Download CLI if preinstalled version has a known issue.
+  ([#956](https://github.com/pulumi/actions/pull/956))
+
 --
 
 ## 4.3.0 (2023-05-12)

diff --git a/src/libs/pulumi-cli.ts b/src/libs/pulumi-cli.ts
@@ -7,6 +7,22 @@ import * as semver from 'semver';
 import * as exec from './exec';
 import { getVersionObject } from './libs/get-version';
 
+/**
+ * Returns true if the version is known to have issues and should not be used
+ * if already installed on the runner. Instead, proceed to downloading the CLI.
+ */
+function isKnownBadVersion(version: string): boolean {
+  const knownBadVersions = new Set([
+    // The following versions have a regression with the `--target` and
+    // `--target-replace` flags that may cause stack corruption when used.
+    // See: https://github.com/pulumi/pulumi/issues/12964
+    '3.66.0',
+    '3.67.0',
+    '3.67.1',
+  ]);
+  return knownBadVersions.has(version);
+}
+
 export async function getVersion(): Promise<string | undefined> {
   const res = await exec.exec('pulumi', ['version']);
 
@@ -58,8 +74,13 @@ export async function downloadCli(range: string): Promise<void> {
     const runnerVersion = await getVersion();
 
     if (runnerVersion) {
-      // Check if runner version matches
-      if (semver.satisfies(runnerVersion, range)) {
+      if (isKnownBadVersion(runnerVersion)) {
+        // If the version on the runner is known bad, proceed to downloading the CLI to get
+        // a more recent version.
+        core.info(
+          `Pulumi version ${runnerVersion} has a known issue. Proceeding to download`,
+        );
+      } else if (semver.satisfies(runnerVersion, range)) {
         // If runner version matches, skip downloading CLI by exiting the function
         core.info(
           `Pulumi version ${runnerVersion} is already installed on this machine. Skipping download`,