mirrors
/
pulumi
mirror of https://github.com/pulumi/pulumi.git
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
pulumi/.github/workflows/ci-prepare-release.yml

171 lines
4.6 KiB
YAML
Raw Permalink Blame History

name: Prepare
permissions:
# To create a draft release
contents: write
on:
workflow_call:
inputs:
ref:
required: true
description: "GitHub ref to use"
type: string
version:
required: true
description: "Version to produce"
type: string
project:
required: true
description: "Project name, e.g.: the repository name"
type: string
release-notes:
required: true
description: "Release notes"
type: string
prerelease:
required: false
default: true
description: "Whether to create a prerelease"
type: boolean
draft:
required: false
default: true
description: "Whether to create a draft release"
type: boolean
env:
PULUMI_VERSION: ${{ inputs.version }}
jobs:
sign:
name: sign
if: false # TODO: Enable this job after signing key is configured.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: ${{ inputs.ref }}
- name: Install rsign2
uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0
with:
crate: rsign2
version: 0.6.1
- name: Install b3sum
uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0
with:
crate: b3sum
version: 1.3.0
- name: Download all artifacts
uses: actions/download-artifact@v2
with:
path: artifacts-tmp
- name: Flatten artifact directories
run: |
mkdir -p ./artifacts
mv ./artifacts-tmp/artifacts-*/* ./artifacts
- name: Checksums with BLAKE3
working-directory: artifacts
run: b3sum ./* | tee B3SUMS
- name: Checksums with SHA512
working-directory: artifacts
run: sha512sum ./* | tee SHA512SUMS
- name: Sign checksums
working-directory: artifacts
shell: bash
env:
RELEASE_KEY: ${{ secrets.RELEASE_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
version: ${{ inputs.version }}
run: |
set -u
echo "$RELEASE_KEY" > release.key
set -x
for algo in B3 SHA512; do
echo | rsign sign \
-p "${GITHUB_WORKSPACE}/.github/workflows/release.pub" \
-s release.key \
-t "${{ inputs.project }} v$version signed with automated key" \
-c 'see website for signing information' \
-x "${algo}SUMS.auto.minisig" \
"${algo}SUMS"
done
rm release.key
cat {B3,SHA512}SUMS.auto.minisig
- uses: actions/upload-artifact@v2
with:
name: artifacts-signatures
retention-days: 1
path: |
artifacts/*SUMS*
if-no-files-found: error
publish:
name: release
# needs: [sign]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: ${{ inputs.ref }}
- name: Get commit hash
id: commit-info
run: |
SHA=$(git rev-parse HEAD)
./.github/scripts/set-output sha "$SHA"
- name: Download all artifacts
uses: actions/download-artifact@v2
with:
path: artifacts-tmp
- name: Rename SDKs
run: |
(
cd artifacts-tmp/artifacts-dotnet-sdk
for file in *.nupkg ; do
mv -vT "$file" "sdk-dotnet-$file"
done
)
(
cd artifacts-tmp/artifacts-python-sdk
for file in *.whl ; do
mv -vT "$file" "sdk-python-$file"
done
)
(
cd artifacts-tmp/artifacts-nodejs-sdk
for file in *.tgz ; do
mv -vT "$file" "sdk-nodejs-$file"
done
)
- name: Flatten artifact directories
run: |
mkdir -p ./artifacts
mv ./artifacts-tmp/artifacts-*/* ./artifacts
- uses: ncipollo/release-action@3d2de22e3d0beab188d8129c27f103d8e91bf13a
with:
token: ${{ secrets.PULUMI_BOT_TOKEN }}
name: v${{ inputs.version }}
tag: v${{ inputs.version }}
commit: "${{ fromJSON(steps.commit-info.outputs.sha) }}"
draft: ${{ inputs.draft }}
prerelease: ${{ inputs.prerelease }}
allowUpdates: true
body: |
${{ inputs.release-notes }}
removeArtifacts: true
replacesArtifacts: true
artifactErrorsFailBuild: true
artifacts: |
artifacts/*
Reference in New Issue View Git Blame Copy Permalink