Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Create dev release | |
permissions: | |
# To create a draft release | |
contents: write | |
# To sign artifacts. | |
id-token: write | |
on: | |
workflow_call: | |
inputs: | |
ref: | |
required: true | |
description: "GitHub ref to use" | |
type: string | |
project: | |
required: true | |
description: "Project name, e.g.: the repository name" | |
type: string | |
workflow_dispatch: | |
inputs: | |
ref: | |
required: true | |
description: "GitHub ref to use" | |
type: string | |
project: | |
required: true | |
description: "Project name, e.g.: the repository name" | |
type: string | |
push: | |
branches: | |
- 'tg/release-dev-releases' | |
jobs: | |
gather-info: | |
name: gather-info | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
- name: Git describe | |
id: ghd | |
uses: proudust/gh-describe@v1 | |
outputs: | |
describe: "${{ steps.ghd.outputs.describe }}" | |
build-release: | |
name: build-release | |
needs: [gather-info] | |
strategy: | |
fail-fast: true | |
matrix: | |
os: ["linux", "darwin"] | |
arch: ["amd64", "arm64"] | |
build-platform: ["ubuntu-latest"] | |
uses: ./.github/workflows/ci-build-binaries.yml | |
with: | |
ref: ${{ inputs.ref }} | |
version: 3.94.1 #TODO | |
dev-version: ${{ needs.gather-info.outputs.describe }} | |
os: ${{ matrix.os }} | |
arch: ${{ matrix.arch }} | |
build-platform: ${{ matrix.build-platform }} | |
version-set: v1.21.0 | |
enable-coverage: false | |
secrets: inherit | |
# TODO: refactor use same thing as ci-prepare-release | |
sign: | |
name: sign | |
runs-on: ubuntu-latest | |
needs: [build-release] | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: ${{ inputs.ref }} | |
- name: Install b3sum | |
uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0 | |
with: | |
crate: b3sum | |
version: 1.3.0 | |
- uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 | |
- name: Download all artifacts | |
uses: actions/download-artifact@v2 | |
with: | |
path: artifacts.tmp | |
- name: Name artifacts | |
run: | | |
find ./artifacts.tmp | |
- name: Flatten artifact directories | |
run: | | |
mkdir -p ./artifacts | |
mv ./artifacts.tmp/artifacts-*/* ./artifacts | |
- name: Create sums.tmp | |
run: mkdir -p ./sums.tmp ./sigs.tmp | |
# Each of these commands strips the ./ prefix to match existing (<=3.39) formatting. | |
- name: Checksums with SHA256 | |
working-directory: artifacts | |
env: | |
version: ${{ inputs.version }} | |
run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt" | |
- name: Checksums with BLAKE3 | |
working-directory: artifacts | |
run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS | |
- name: Checksums with SHA512 | |
working-directory: artifacts | |
run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS | |
- name: Sign binaries and checksums | |
shell: bash | |
env: | |
version: ${{ inputs.version }} | |
run: | | |
ls -la | |
# Sign all artifacts and checksums: | |
for dir in "artifacts" "sums.tmp"; do | |
pushd "$dir" | |
for file in ./*; do | |
echo "$file" | |
COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes \ | |
--bundle="../sigs.tmp/${file}".sig \ | |
"${file}" | |
done | |
popd | |
done | |
# flatten to a single directory to upload: | |
mv sums.tmp/* sigs.tmp | |
- name: Check directories | |
run: | | |
find ./artifacts | |
find ./sigs.tmp | |
tar xvzf artifacts/pulumi-3.94.1-SNAPSHOT-linux-x64.tar.gz | |
find pulumi | |
find ./artifacts | |
./pulumi/pulumi about | |
- uses: actions/upload-artifact@v2 | |
with: | |
name: artifacts-signatures | |
retention-days: 1 | |
path: | | |
sigs.tmp/* | |
if-no-files-found: error | |
s3-blobs: | |
name: s3 blobs | |
runs-on: ubuntu-latest | |
needs: [sign] | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-region: us-east-2 | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
role-duration-seconds: 3600 | |
role-external-id: upload-pulumi-release | |
role-session-name: pulumi@githubActions | |
role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} | |
- name: Make artifacts directory | |
run: | | |
mkdir -p artifacts | |
- name: Get signatures | |
uses: actions/download-artifact@v2 | |
with: | |
path: artifacts | |
name: artifacts-signatures | |
- name: Get artifacts | |
uses: actions/download-artifact@v2 | |
with: | |
path: artifacts | |
name: artifacts | |
- name: Find artifacts | |
run: | | |
find artifacts | |
# - name: Download release artifacts | |
# run: | | |
# mkdir -p artifacts | |
# gh release download "v${PULUMI_VERSION}" --dir ./artifacts --pattern 'pulumi-*' | |
# find artifacts | |
# - name: Publish Blobs | |
# run: | | |
# aws s3 sync artifacts s3://get.pulumi.com/releases/sdk --acl public-read | |
# publish: | |
# name: release | |
# needs: [sign] | |
# runs-on: ubuntu-latest | |
# steps: | |
# - uses: actions/checkout@v3 | |
# with: | |
# ref: ${{ inputs.ref }} | |
# - name: Get commit hash | |
# id: commit-info | |
# run: | | |
# SHA=$(git rev-parse HEAD) | |
# ./.github/scripts/set-output sha "$SHA" | |
# - name: Download all artifacts | |
# uses: actions/download-artifact@v2 | |
# with: | |
# path: artifacts.tmp | |
# - name: Rename SDKs | |
# # This step must match the rename SDKs step in the "sign" job above. | |
# run: | | |
# ( | |
# cd artifacts.tmp/artifacts-python-sdk | |
# for file in *.whl ; do | |
# mv -vT "$file" "sdk-python-$file" | |
# done | |
# ) | |
# ( | |
# cd artifacts.tmp/artifacts-nodejs-sdk | |
# for file in *.tgz ; do | |
# mv -vT "$file" "sdk-nodejs-$file" | |
# done | |
# ) | |
# - name: Flatten artifact directories | |
# run: | | |
# mkdir -p ./artifacts | |
# mv ./artifacts.tmp/artifacts-*/* ./artifacts | |
# - uses: ncipollo/release-action@3d2de22e3d0beab188d8129c27f103d8e91bf13a | |
# with: | |
# token: ${{ secrets.PULUMI_BOT_TOKEN }} | |
# name: v${{ inputs.version }} | |
# tag: v${{ inputs.version }} | |
# commit: "${{ fromJSON(steps.commit-info.outputs.sha) }}" | |
# draft: ${{ inputs.draft }} | |
# prerelease: ${{ inputs.prerelease }} | |
# allowUpdates: true | |
# body: | | |
# ${{ inputs.release-notes }} | |
# removeArtifacts: true | |
# replacesArtifacts: true | |
# artifactErrorsFailBuild: true | |
# artifacts: | | |
# artifacts/* |