name: Release Actions permissions: # To create a PR contents: write pull-requests: write on: workflow_call: inputs: ref: required: true description: "GitHub ref to use" type: string version: required: true description: "Version to produce" type: string branch_from_ref: required: false description: "Commit to branch from, if not the tag" type: string release-notes: required: true description: "Release notes to publish" type: string queue-merge: required: false default: false description: "Whether to queue the release for immediate merge" type: boolean run-dispatch-commands: required: false default: false # If version contains a '-', i.e.: a prerelease build, these commands are disabled until further notice. description: "Whether to run dispatch commands" type: boolean version-set: required: false description: "Set of language versions to use for builds, lints, releases, etc." type: string # Example provided for illustration, this value is derived by scripts/get-job-matrix.py build default: | { "dotnet": "6.0.x", "go": "1.18.x", "nodejs": "16.x", "python": "3.9.x" } env: PULUMI_VERSION: ${{ inputs.version }} GIT_REF: ${{ inputs.ref }} GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_PROD_ACCESS_TOKEN }} PULUMI_TEST_OWNER: "moolumi" NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} PYPI_USERNAME: __token__ PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} jobs: sdks: name: ${{ matrix.language }} runs-on: ubuntu-latest strategy: fail-fast: false matrix: language: ["nodejs", "python", "go"] steps: - name: Checkout Repo uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} - name: Set up Python ${{ fromJson(inputs.version-set).python }} if: ${{ matrix.language == 'python' }} uses: actions/setup-python@v5 with: python-version: ${{ fromJson(inputs.version-set).python }} cache-dependency-path: sdk/python/requirements.txt - name: Install Python deps if: ${{ matrix.language == 'python' }} run: | python -m pip install --upgrade pip requests wheel urllib3 chardet twine - name: Set up Node ${{ fromJson(inputs.version-set).nodejs }} if: ${{ matrix.language == 'nodejs' }} uses: actions/setup-node@v4 with: node-version: ${{ fromJson(inputs.version-set).nodejs }} registry-url: https://registry.npmjs.org always-auth: true - name: Download release artifacts if: ${{ matrix.language != 'go' }} run: | mkdir -p artifacts gh release download "v${PULUMI_VERSION}" --dir ./artifacts --pattern 'sdk-${{ matrix.language }}-*' find artifacts - name: Publish Packages run: | make -C sdk/${{ matrix.language}} publish s3-blobs: name: s3 blobs runs-on: ubuntu-latest steps: - name: Checkout Repo uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} role-duration-seconds: 3600 role-external-id: upload-pulumi-release role-session-name: pulumi@githubActions role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} - name: Download release artifacts run: | mkdir -p artifacts gh release download "v${PULUMI_VERSION}" --dir ./artifacts --pattern 'pulumi-*' find artifacts - name: Publish Blobs run: | aws s3 sync artifacts s3://get.pulumi.com/releases/sdk --acl public-read pr: # Relies on the Go SDK being published to update pkg name: PR needs: [sdks] uses: ./.github/workflows/release-pr.yml permissions: contents: write pull-requests: write with: ref: ${{ inputs.ref }} version: ${{ inputs.version }} release-notes: ${{ inputs.release-notes }} queue-merge: ${{ inputs.queue-merge }} secrets: inherit dispatch: name: ${{ matrix.job.name }} if: inputs.run-dispatch-commands && !contains(inputs.version, '-') runs-on: ubuntu-latest needs: [pr] strategy: fail-fast: false matrix: job: - name: Update Templates Version run-command: pulumictl dispatch -r pulumi/templates -c update-templates "${PULUMI_VERSION}" - name: Chocolatey Update run-command: pulumictl create choco-deploy "${PULUMI_VERSION}" - name: Winget Update run-command: pulumictl winget-deploy - name: Build Package Docs run-command: pulumictl create cli-docs-build "${PULUMI_VERSION}" - name: Homebrew run-command: pulumictl create homebrew-bump "${PULUMI_VERSION}" "$(git rev-parse HEAD)" - name: Docker containers run-command: pulumictl dispatch -r pulumi/pulumi-docker-containers -c release-build "${PULUMI_VERSION}" steps: - name: Checkout Repo uses: actions/checkout@v4 with: ref: ${{ inputs.ref }} - name: Install Pulumictl uses: jaxxstorm/action-install-gh-release@v1.11.0 env: GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} with: repo: pulumi/pulumictl tag: v0.0.42 cache: enable - name: Repository Dispatch run: ${{ matrix.job.run-command }} update-homebrew-tap: name: Update Homebrew Tap if: inputs.run-dispatch-commands && !contains(inputs.version, '-') needs: [dispatch] uses: ./.github/workflows/release-homebrew-tap.yml permissions: contents: read with: ref: ${{ inputs.ref }} version: ${{ inputs.version }} dry-run: false secrets: inherit