mirrors
/
pulumi
mirror of https://github.com/pulumi/pulumi.git
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
pulumi/.github/workflows/ci-prepare-release.yml

180 lines
5.0 KiB
YAML
Raw Permalink Blame History

name: Prepare
permissions:
# To create a draft release
contents: write
on:
workflow_call:
inputs:
ref:
required: true
description: "GitHub ref to use"
type: string
version:
required: true
description: "Version to produce"
type: string
project:
required: true
description: "Project name, e.g.: the repository name"
type: string
release-notes:
required: true
description: "Release notes"
type: string
prerelease:
required: false
default: true
description: "Whether to create a prerelease"
type: boolean
draft:
required: false
default: true
description: "Whether to create a draft release"
type: boolean
env:
PULUMI_VERSION: ${{ inputs.version }}
jobs:
sign:
name: sign
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: ${{ inputs.ref }}
- name: Install rsign2
uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0
with:
crate: rsign2
version: 0.6.1
- name: Install b3sum
uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0
with:
crate: b3sum
version: 1.3.0
- name: Download all artifacts
uses: actions/download-artifact@v2
with:
path: artifacts.tmp
- name: Flatten artifact directories
run: |
mkdir -p ./artifacts
mkdir -p ./sums.tmp
mv ./artifacts.tmp/artifacts-*/* ./artifacts
# Each of these commands strips the ./ prefix to match existing (<=3.39) formatting.
- name: Checksums with SHA256
working-directory: artifacts
env:
version: ${{ inputs.version }}
run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt"
- name: Checksums with BLAKE3
working-directory: artifacts
run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS
- name: Checksums with SHA512
working-directory: artifacts
run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS
- name: Sign checksums
working-directory: sums.tmp
# Requires a signing key to be configured.
if: false
shell: bash
env:
# RELEASE_KEY: ${{ secrets.RELEASE_KEY }}
version: ${{ inputs.version }}
run: |
set -u
releaseKey="$(mktemp -d)/release.key"
echo "$RELEASE_KEY" > "${releaseKey}"
set -x
for file in *; do
echo | rsign sign \
-p "${GITHUB_WORKSPACE}/.github/workflows/release.pub" \
-s "${releaseKey}" \
-t "${{ inputs.project }} v$version signed with automated key" \
-c 'see website for signing information' \
-x "${file}.auto.minisig" \
"${file}"
done
rm "${releaseKey}"
cat ./*.auto.minisig
- uses: actions/upload-artifact@v2
with:
name: artifacts-signatures
retention-days: 1
path: |
sums.tmp/*
if-no-files-found: error
publish:
name: release
needs: [sign]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: ${{ inputs.ref }}
- name: Get commit hash
id: commit-info
run: |
SHA=$(git rev-parse HEAD)
./.github/scripts/set-output sha "$SHA"
- name: Download all artifacts
uses: actions/download-artifact@v2
with:
path: artifacts.tmp
- name: Rename SDKs
run: |
(
cd artifacts.tmp/artifacts-dotnet-sdk
for file in *.nupkg ; do
mv -vT "$file" "sdk-dotnet-$file"
done
)
(
cd artifacts.tmp/artifacts-python-sdk
for file in *.whl ; do
mv -vT "$file" "sdk-python-$file"
done
)
(
cd artifacts.tmp/artifacts-nodejs-sdk
for file in *.tgz ; do
mv -vT "$file" "sdk-nodejs-$file"
done
)
- name: Flatten artifact directories
run: |
mkdir -p ./artifacts
mv ./artifacts.tmp/artifacts-*/* ./artifacts
- uses: ncipollo/release-action@3d2de22e3d0beab188d8129c27f103d8e91bf13a
with:
token: ${{ secrets.PULUMI_BOT_TOKEN }}
name: v${{ inputs.version }}
tag: v${{ inputs.version }}
commit: "${{ fromJSON(steps.commit-info.outputs.sha) }}"
draft: ${{ inputs.draft }}
prerelease: ${{ inputs.prerelease }}
allowUpdates: true
body: |
${{ inputs.release-notes }}
removeArtifacts: true
replacesArtifacts: true
artifactErrorsFailBuild: true
artifacts: |
artifacts/*
Reference in New Issue View Git Blame Copy Permalink