wip

pulumi · Nov 22, 2023 · 5b61b62 · 5b61b62
1 parent 54c956a
commit 5b61b62
Show file tree

Hide file tree

Showing 4 changed files with 284 additions and 9 deletions.
diff --git a/.github/workflows/ci-build-binaries.yml b/.github/workflows/ci-build-binaries.yml
@@ -23,6 +23,11 @@ on:
         default: ubuntu-latest
         description: 'Build platform (i.e.: runs-on) for job'
         type: string
+      dev-version:
+        required: false
+        default: ${{ inputs.version }}
+        description: "Dev version to bake into the binary"
+        type: string
       version:
         required: true
         description: "Version to produce"
@@ -43,15 +48,15 @@ defaults:
 
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  PULUMI_VERSION: ${{ inputs.version }}
+  PULUMI_VERSION: ${{ inputs.dev-version }}
 
 jobs:
   build:
     name: ${{ inputs.os }}-${{ inputs.arch }}
     runs-on: ${{ inputs.build-platform }}
 
     env:
-      PULUMI_VERSION: ${{ inputs.version }}
+      PULUMI_VERSION: ${{ inputs.dev-version }}
 
     permissions:
       id-token: write
@@ -72,15 +77,15 @@ jobs:
           command -v tar
           tar --version
       - uses: actions/checkout@v3
-        with:
-          ref: ${{ inputs.ref }}
+        # with:
+        #   ref: ${{ inputs.ref }}
       - name: Configure Go Cache Key
         env:
-          CACHE_KEY: "${{ fromJson(inputs.version-set).go }}-${{ runner.os }}-${{ runner.arch }}"
+          CACHE_KEY: "v1.21.0-${{ runner.os }}-${{ runner.arch }}"
         run: echo "$CACHE_KEY" > .gocache.tmp
       - uses: actions/setup-go@v3
         with:
-          go-version: ${{ fromJson(inputs.version-set).go }}
+          go-version: 1.21.0
           cache: true
           cache-dependency-path: |
             pkg/go.sum
@@ -118,6 +123,7 @@ jobs:
           PULUMI_BUILD_MODE: ${{ inputs.enable-coverage && 'coverage' || 'normal' }}
         run: |
           set -euxo pipefail
+          echo $PULUMI_VERSION
           # Spurious, this command requires piping via stdin
           # shellcheck disable=SC2002
           cat .goreleaser.yml \

diff --git a/.github/workflows/ci-dev-release.yml b/.github/workflows/ci-dev-release.yml
@@ -0,0 +1,255 @@
+name: Create dev release
+
+permissions:
+  # To create a draft release
+  contents: write
+  # To sign artifacts.
+  id-token: write
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        description: "Version to use for the release"
+        type: string
+      ref:
+        required: true
+        description: "GitHub ref to use"
+        type: string
+      project:
+        required: true
+        description: "Project name, e.g.: the repository name"
+        type: string
+  push:
+    branches:
+      - 'tg/release-dev-releases'
+
+jobs:
+  gather-info:
+    name: gather-info
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Git describe
+        id: ghd
+        uses: proudust/gh-describe@v1
+    outputs:
+      describe: "${{ steps.ghd.outputs.describe }}"
+
+  build-release:
+    name: build-release
+    needs: [gather-info]
+    strategy:
+      fail-fast: true
+      matrix:
+        os: ["linux", "darwin"]
+        arch: ["amd64", "arm64"]
+        build-platform: ["ubuntu-latest"]
+    uses: ./.github/workflows/ci-build-binaries.yml
+    with:
+      ref: ${{ inputs.ref }}
+      version: 3.94.1 #TODO
+      dev-version: ${{ needs.gather-info.outputs.describe }}
+      os: ${{ matrix.os }}
+      arch: ${{ matrix.arch }}
+      build-platform: ${{ matrix.build-platform }}
+      version-set: v1.21.0
+      enable-coverage: false
+    secrets: inherit
+
+
+  # TODO: refactor use same thing as ci-prepare-release
+  sign:
+    name: sign
+    runs-on: ubuntu-latest
+    needs: [build-release]
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Install b3sum
+        uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0
+        with:
+          crate: b3sum
+          version: 1.3.0
+
+      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v2
+        with:
+          path: artifacts.tmp
+      - name: Name artifacts
+        run: |
+          find ./artifacts.tmp
+
+      - name: Flatten artifact directories
+        run: |
+          mkdir -p ./artifacts
+          mv ./artifacts.tmp/artifacts-*/* ./artifacts
+
+      - name: Create sums.tmp
+        run: mkdir -p ./sums.tmp ./sigs.tmp
+
+        # Each of these commands strips the ./ prefix to match existing (<=3.39) formatting.
+      - name: Checksums with SHA256
+        working-directory: artifacts
+        env:
+          version: ${{ inputs.version }}
+        run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt"
+
+      - name: Checksums with BLAKE3
+        working-directory: artifacts
+        run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS
+
+      - name: Checksums with SHA512
+        working-directory: artifacts
+        run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS
+
+      - name: Sign binaries and checksums
+        shell: bash
+        env:
+          version: ${{ inputs.version }}
+        run: |
+          ls -la
+          # Sign all artifacts and checksums:
+          for dir in "artifacts" "sums.tmp"; do
+            pushd "$dir"
+            for file in ./*; do
+                echo "$file"
+                COSIGN_EXPERIMENTAL=1 cosign sign-blob --yes \
+                  --bundle="../sigs.tmp/${file}".sig  \
+                  "${file}"
+            done
+            popd
+          done
+
+          # flatten to a single directory to upload:
+          mv sums.tmp/* sigs.tmp
+
+      - name: Check directories
+        run: |
+          find ./artifacts
+          find ./sigs.tmp
+          tar xvzf artifacts/pulumi-3.94.1-SNAPSHOT-linux-x64.tar.gz
+          find pulumi
+          find ./artifacts
+          ./pulumi/pulumi about
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: artifacts
+          retention-days: 1
+          path: |
+            sigs.tmp/*
+            artifacts/*
+          if-no-files-found: error
+
+
+  s3-blobs:
+    name: s3 blobs
+    runs-on: ubuntu-latest
+    needs: [sign]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-region: us-east-2
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-duration-seconds: 3600
+          role-external-id: upload-pulumi-release
+          role-session-name: pulumi@githubActions
+          role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+      - name: Make artifacts directory
+        run: |
+          mkdir -p artifacts.tmp
+      - name: Download artifacts from previous step
+        uses: actions/download-artifact@v2
+        with:
+          path: artifacts.tmp
+      - name: Flatten artifact directories
+        run: |
+          mkdir -p ./artifacts
+          mv ./artifacts.tmp/artifacts-*/* ./artifacts
+
+      - name: Find artifacts
+        run: |
+          find artifacts
+      - name: Rename artifacts
+        run: |
+          #TODO
+          ls
+          # (
+          #   cd artifacts
+          #   for file in *.sig ; do
+          #     mv -vT "$file" "pulumi-$file"
+          #   done
+          # )
+      # - name: Download release artifacts
+      #   run: |
+      #     mkdir -p artifacts
+      #     gh release download "v${PULUMI_VERSION}" --dir ./artifacts --pattern 'pulumi-*'
+      #     find artifacts
+      # - name: Publish Blobs
+      #   run: |
+      #     aws s3 sync artifacts s3://get.pulumi.com/releases/sdk --acl public-read
+
+  # publish:
+  #   name: release
+  #   needs: [sign]
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #       with:
+  #         ref: ${{ inputs.ref }}
+  #     - name: Get commit hash
+  #       id: commit-info
+  #       run: |
+  #         SHA=$(git rev-parse HEAD)
+  #         ./.github/scripts/set-output sha "$SHA"
+  #     - name: Download all artifacts
+  #       uses: actions/download-artifact@v2
+  #       with:
+  #         path: artifacts.tmp
+  #     - name: Rename SDKs
+  #       # This step must match the rename SDKs step in the "sign" job above.
+  #       run: |
+  #         (
+  #           cd artifacts.tmp/artifacts-python-sdk
+  #           for file in *.whl ; do
+  #             mv -vT "$file" "sdk-python-$file"
+  #           done
+  #         )
+  #         (
+  #           cd artifacts.tmp/artifacts-nodejs-sdk
+  #           for file in *.tgz ; do
+  #             mv -vT "$file" "sdk-nodejs-$file"
+  #           done
+  #         )
+  #     - name: Flatten artifact directories
+  #       run: |
+  #         mkdir -p ./artifacts
+  #         mv ./artifacts.tmp/artifacts-*/* ./artifacts
+  #     - uses: ncipollo/release-action@3d2de22e3d0beab188d8129c27f103d8e91bf13a
+  #       with:
+  #         token: ${{ secrets.PULUMI_BOT_TOKEN }}
+  #         name: v${{ inputs.version }}
+  #         tag: v${{ inputs.version }}
+  #         commit: "${{ fromJSON(steps.commit-info.outputs.sha) }}"
+  #         draft: ${{ inputs.draft }}
+  #         prerelease: ${{ inputs.prerelease }}
+  #         allowUpdates: true
+
+  #         body: |
+  #           ${{ inputs.release-notes }}
+
+  #         removeArtifacts: true
+  #         replacesArtifacts: true
+  #         artifactErrorsFailBuild: true
+  #         artifacts: |
+  #           artifacts/*
diff --git a/.github/workflows/on-merge.yml b/.github/workflows/on-merge.yml
@@ -56,9 +56,23 @@ jobs:
       project: ${{ github.repository }}
     secrets: inherit
 
+  dev-release:
+    name: dev-release
+    needs: [info, ci]
+    uses: ./.github/workflows/ci-dev-release.yml
+    permissions:
+      contents: write
+      # To sign artifacts.
+      id-token: write
+    with:
+      ref: ${{ github.ref }}
+      version: ${{ needs.info.outputs.version }}
+      project: ${{ github.repository }}
+    secrets: inherit
+
   ci-ok:
     name: ci-ok
-    needs: [ci, prepare-release]
+    needs: [ci, prepare-release, dev-release]
     if: always() # always report a status
     runs-on: ubuntu-latest
     steps:

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -16,7 +16,7 @@ builds:
   goarch: ['amd64', 'arm64']
   goamd64: ['v1']
   ldflags:
-    - -X github.com/pulumi/pulumi/pkg/v3/version.Version={{.Tag}}
+    - -X github.com/pulumi/pulumi/pkg/v3/version.Version={{.Env.PULUMI_VERSION}}
   mod_timestamp: '{{ .CommitTimestamp }}'
 - <<: *pulumibin
   id: pulumi-language-go
@@ -54,7 +54,7 @@ archives:
     - src: bin/{{ .Os }}-{{ .Arch }}/*
       dst: '.'
       strip_parent: true
-  name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
+  name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Os }}-{{ .Arch }}"
 
 snapshot:
   name_template: "{{ .Version }}-SNAPSHOT"