name: Release Actions

# Reusable release workflow (see `on.workflow_call` below): it is invoked by
# another workflow and cannot run on its own.
permissions:
  # To create a PR
  # These grants are the defaults for every job below that does not declare its
  # own `permissions:` block; in a called workflow they are additionally capped
  # by whatever the calling workflow granted.
  contents: write
  pull-requests: write

on:
  workflow_call:
    # Inputs supplied by the calling workflow. Keys are ordered
    # description / type / required / default for every entry.
    inputs:
      ref:
        description: 'GitHub ref to use'
        type: string
        required: true
      version:
        description: 'Version to produce'
        type: string
        required: true
      branch_from_ref:
        # Not referenced by any job in this workflow as shown here.
        description: 'Commit to branch from, if not the tag'
        type: string
        required: false
      release-notes:
        description: 'Release notes to publish'
        type: string
        required: true
      queue-merge:
        description: 'Whether to queue the release for immediate merge'
        type: boolean
        required: false
        default: false
      run-dispatch-commands:
        # If version contains a '-', i.e. a prerelease build, these commands are
        # disabled until further notice (see the `if:` on the dispatch jobs).
        description: 'Whether to run dispatch commands'
        type: boolean
        required: false
        default: false
      version-set:
        # JSON document consumed via fromJson(); the literal block keeps it
        # verbatim. Example provided for illustration, the real value is derived
        # by scripts/get-job-matrix.py build.
        description: 'Set of language versions to use for builds, lints, releases, etc.'
        type: string
        required: false
        default: |
          {
            "dotnet": "6.0.x",
            "go": "1.18.x",
            "nodejs": "16.x",
            "python": "3.9.x"
          }


env:
  # Workflow-level env is visible to every step of every job that runs in this
  # file, so each secret below is exposed to all three SDK matrix jobs, the S3
  # upload and the dispatch commands regardless of which one actually needs it.
  # Moving each token to a step-level `env:` on the step that uses it would
  # narrow the blast radius of a compromised step or third-party action.
  # NOTE(review): workflow-level env is not propagated to jobs that `uses:`
  # another workflow (pr, update-homebrew-tap); those rely on `secrets: inherit`.
  PULUMI_VERSION: ${{ inputs.version }}
  GIT_REF: ${{ inputs.ref }}
  # Bot PAT rather than the workflow's installation token: tools that read this
  # variable (e.g. the `gh release download` steps) authenticate as the bot.
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_PROD_ACCESS_TOKEN }}
  PULUMI_TEST_OWNER: "moolumi"
  # npm publish auth for the nodejs SDK job; setup-node's registry-url config
  # reads NODE_AUTH_TOKEN.
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  # twine auth for the python SDK job; `__token__` is the literal username PyPI
  # expects for API-token logins.
  PYPI_USERNAME: __token__
  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}

jobs:
  sdks:
    # Publishes one language SDK per matrix entry. nodejs and python take their
    # packages from the assets attached to GitHub release `v<version>`; the
    # download step is skipped for go, which presumably publishes from the
    # checked-out source — TODO(review) confirm against sdk/go's publish target.
    name: ${{ matrix.language }}
    runs-on: ubuntu-latest
    # Inherits the top-level contents/pull-requests write grants. The go publish
    # may need to push with the checkout's git credentials, so do not narrow
    # this to contents: read without confirming what each `make publish` does.
    strategy:
      fail-fast: false  # let the other SDKs finish if one registry rejects the upload
      matrix:
        # Static literal list: the `${{ matrix.language }}` interpolations in the
        # run: scripts below are therefore not reachable by untrusted input.
        language: ["nodejs", "python", "go"]
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
      - name: Set up Python ${{ fromJson(inputs.version-set).python }}
        if: ${{ matrix.language == 'python' }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ fromJson(inputs.version-set).python }}
          cache-dependency-path: sdk/python/requirements.txt
      - name: Install Python deps
        if: ${{ matrix.language == 'python' }}
        # Unpinned installs in a release job: the publish toolchain resolves to
        # whatever is latest on PyPI at run time. Pinning versions (or using
        # --require-hashes) would make the release step reproducible.
        run: |
          python -m pip install --upgrade pip requests wheel urllib3 chardet twine
      - name: Set up Node ${{ fromJson(inputs.version-set).nodejs }}
        if: ${{ matrix.language == 'nodejs' }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ fromJson(inputs.version-set).nodejs }}
          # Configures .npmrc for this registry; publish authenticates with the
          # NODE_AUTH_TOKEN from the workflow-level env.
          registry-url: https://registry.npmjs.org
          always-auth: true
      - name: Download release artifacts
        if: ${{ matrix.language != 'go' }}
        # `gh` authenticates with the GITHUB_TOKEN env (the bot PAT). Only the
        # assets matching this language's pattern are fetched; `find` lists what
        # arrived so the log shows exactly what will be published.
        run: |
          mkdir -p artifacts
          gh release download "v${PULUMI_VERSION}" --dir ./artifacts --pattern 'sdk-${{ matrix.language }}-*'
          find artifacts
      - name: Publish Packages
        # Registry credentials come from the workflow-level env (NPM_TOKEN /
        # PYPI_* / PULUMI_ACCESS_TOKEN); the Makefile decides which are used.
        run: |
          make -C sdk/${{ matrix.language}} publish

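  s3-blobs:
    # Mirrors the `pulumi-*` release assets into the public download bucket.
    name: s3 blobs
    runs-on: ubuntu-latest
    # Least privilege for the workflow token: nothing in this job writes to the
    # repository. The release assets are fetched with `gh` (which authenticates
    # via the workflow-level GITHUB_TOKEN env) and the upload uses AWS
    # credentials, so scope GITHUB_TOKEN to read-only instead of inheriting the
    # top-level contents/pull-requests write grants.
    permissions:
      contents: read
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
      - name: Configure AWS Credentials
        # Long-lived access keys bootstrap the role assumption. An OIDC trust
        # (`id-token: write` plus role-to-assume only) would remove the need to
        # store static AWS keys as repository secrets; that requires a matching
        # IAM trust policy, so it is not changed here.
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-region: us-east-2
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          role-duration-seconds: 3600
          role-external-id: upload-pulumi-release
          role-session-name: pulumi@githubActions
          role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
      - name: Download release artifacts
        # `find` lists what arrived so the log shows exactly what is uploaded.
        run: |
          mkdir -p artifacts
          gh release download "v${PULUMI_VERSION}" --dir ./artifacts --pattern 'pulumi-*'
          find artifacts
      - name: Publish Blobs
        # Objects are intentionally world-readable: this prefix backs the public
        # download site. No --delete flag, so previously published releases are
        # never removed by a later run.
        run: |
          aws s3 sync artifacts s3://get.pulumi.com/releases/sdk --acl public-read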

  pr:
    # Relies on the Go SDK being published to update pkg
    # Opens the release PR through the release-pr reusable workflow once every
    # SDK matrix entry has published successfully.
    name: PR
    uses: ./.github/workflows/release-pr.yml
    needs:
      - sdks
    permissions:
      contents: write
      pull-requests: write
    # `inherit` forwards every secret of the caller, not only those that
    # release-pr.yml declares; an explicit list would be the least-privilege form.
    secrets: inherit
    with:
      ref: ${{ inputs.ref }}
      version: ${{ inputs.version }}
      release-notes: ${{ inputs.release-notes }}
      queue-merge: ${{ inputs.queue-merge }}

  dispatch:
    # Fans out post-release work to downstream repositories and package
    # managers, one matrix entry per target. Only runs when the caller opted in
    # via run-dispatch-commands and the version is not a prerelease (no '-').
    name: ${{ matrix.job.name }}
    if: inputs.run-dispatch-commands && !contains(inputs.version, '-')
    runs-on: ubuntu-latest
    needs: [pr]
    # Inherits the top-level write grants; every command below goes through
    # pulumictl with the bot PAT, so contents: read would likely suffice for the
    # workflow token — TODO(review) confirm none of the targets rely on github.token.
    strategy:
      fail-fast: false  # one failed target must not cancel the others
      matrix:
        # Static literals in this file: the bare `run: ${{ matrix.job.run-command }}`
        # step below therefore cannot be steered by workflow inputs. The version
        # is referenced as "${PULUMI_VERSION}", i.e. expanded by the shell from
        # the workflow env rather than by expression substitution.
        job:
          - name: Update Templates Version
            run-command: pulumictl dispatch -r pulumi/templates -c update-templates "${PULUMI_VERSION}"
          - name: Chocolatey Update
            run-command: pulumictl create choco-deploy "${PULUMI_VERSION}"
          - name: Winget Update
            run-command: pulumictl winget-deploy
          - name: Build Package Docs
            run-command: pulumictl create cli-docs-build "${PULUMI_VERSION}"
          - name: Homebrew
            # Passes the checked-out commit (inputs.ref) as the bump target.
            run-command: pulumictl create homebrew-bump "${PULUMI_VERSION}" "$(git rev-parse HEAD)"
          - name: Docker containers
            run-command: pulumictl dispatch -r pulumi/pulumi-docker-containers -c release-build "${PULUMI_VERSION}"
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref }}
      - name: Install Pulumictl
        # Third-party action referenced by a mutable tag. Pinning to the full
        # commit SHA (`@<commit-sha>  # v1.11.0`) would make this release job
        # immune to the tag being moved or re-pushed.
        uses: jaxxstorm/action-install-gh-release@v1.11.0
        env:
          # Same PAT as the workflow-level GITHUB_TOKEN; redundant but harmless.
          GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
        with:
          repo: pulumi/pulumictl
          # Binary release downloaded by tag; whether the action verifies a
          # checksum is not visible here — TODO(review) confirm.
          tag: v0.0.42
          cache: enable
      - name: Repository Dispatch
        run: ${{ matrix.job.run-command }}


  update-homebrew-tap:
    # Bumps the Homebrew tap after the dispatch fan-out, under the same gating
    # as `dispatch` (opt-in via run-dispatch-commands, never for prereleases).
    # Because it `needs` the dispatch matrix, a failure in any dispatch target
    # skips this job as well.
    name: Update Homebrew Tap
    if: inputs.run-dispatch-commands && !contains(inputs.version, '-')
    uses: ./.github/workflows/release-homebrew-tap.yml
    needs:
      - dispatch
    permissions:
      contents: read
    # `inherit` forwards every secret of the caller to release-homebrew-tap.yml;
    # an explicit list of the ones it needs would be the least-privilege form.
    secrets: inherit
    with:
      ref: ${{ inputs.ref }}
      version: ${{ inputs.version }}
      dry-run: false