From b1931760d22f56f8a40465ed72fed8ca5dd02e19 Mon Sep 17 00:00:00 2001 From: pulumi-bot Date: Tue, 10 Dec 2024 03:32:37 +0000 Subject: [PATCH 1/2] Regenerate workflows for pulumi-acme --- .github/actions/download-bin/action.yml | 19 ++++++++----- .github/actions/download-tfgen/action.yml | 17 ++++++++++++ .github/actions/setup-tools/action.yml | 4 +-- .github/workflows/build_provider.yml | 31 +++++++++++++++++++++- .github/workflows/build_sdk.yml | 6 ++--- .github/workflows/main.yml | 1 + .github/workflows/prerelease.yml | 1 + .github/workflows/prerequisites.yml | 16 ++++++----- .github/workflows/pull-request.yml | 4 +-- .github/workflows/release.yml | 1 + .github/workflows/run-acceptance-tests.yml | 1 + Makefile | 10 +++---- upstream.sh | 10 +++++-- 13 files changed, 94 insertions(+), 27 deletions(-) create mode 100644 .github/actions/download-tfgen/action.yml diff --git a/.github/actions/download-bin/action.yml b/.github/actions/download-bin/action.yml index c6f85c5..3cc9939 100644 --- a/.github/actions/download-bin/action.yml +++ b/.github/actions/download-bin/action.yml 
@@ -1,16 +1,23 @@ -name: Download binary assets -description: Downloads the provider and tfgen binaries to `bin/`. +name: Download the provider binary +description: Downloads the provider binary to `bin/`. runs: using: "composite" steps: - - name: Download provider + tfgen binaries + + - name: Download pulumi-resource-acme uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: - name: acme-provider.tar.gz + pattern: pulumi-resource-acme-*-linux-amd64.tar.gz path: ${{ github.workspace }}/bin - - name: Untar provider binaries + merge-multiple: true + + - name: Untar pulumi-resource-acme + shell: bash + run: | + tar -zxf ${{ github.workspace }}/bin/*amd64.tar.gz -C ${{ github.workspace}}/bin + + - name: Mark pulumi-resource-acme as executable shell: bash run: | - tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin find ${{ github.workspace }} -name "pulumi-*-acme" -print -exec chmod +x {} \; diff --git a/.github/actions/download-tfgen/action.yml b/.github/actions/download-tfgen/action.yml new file mode 100644 index 0000000..2b9b04b --- /dev/null +++ b/.github/actions/download-tfgen/action.yml @@ -0,0 +1,17 @@ +name: Download the tfgen binary +description: Downloads the tfgen binary to `bin/`. + +runs: + using: "composite" + steps: + + - name: Download pulumi-tfgen-acme + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: pulumi-tfgen-acme + path: ${{ github.workspace }}/bin + + - name: Ensure pulumi-tfgen-acme is executable + shell: bash + run: | + find ${{ github.workspace }} -name "pulumi-*-acme" -print -exec chmod +x {} \; diff --git a/.github/actions/setup-tools/action.yml b/.github/actions/setup-tools/action.yml index 6a711d4..13f8158 100644 --- a/.github/actions/setup-tools/action.yml +++ b/.github/actions/setup-tools/action.yml 
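Review bot: The untar step in download-bin globs `bin/*amd64.tar.gz`, which is wider than the `pulumi-resource-acme-*-linux-amd64.tar.gz` pattern used for the download. With `merge-multiple: true` every matching artifact is flattened into `bin/`, and if more than one archive ends up there tar treats the extra paths as member names, so the step fails or unpacks an archive other than the intended one. Reuse the download pattern and quote the paths, e.g. `tar -zxf "$GITHUB_WORKSPACE"/bin/pulumi-resource-acme-*-linux-amd64.tar.gz -C "$GITHUB_WORKSPACE/bin"`. The chmod step here and in the new download-tfgen action runs `find` over the whole workspace; starting it at `"$GITHUB_WORKSPACE/bin"` keeps the executable bit off same-named files elsewhere in the checkout.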
@@ -30,7 +30,7 @@ runs: - name: Install pulumictl if: inputs.tools == 'all' || contains(inputs.tools, 'pulumictl') - uses: jaxxstorm/action-install-gh-release@71d17cb091aa850acb2a1a4cf87258d183eb941b # v1.11.0 + uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 with: tag: v0.0.46 repo: pulumi/pulumictl @@ -43,7 +43,7 @@ runs: - name: Install Schema Tools if: inputs.tools == 'all' || contains(inputs.tools, 'schema-tools') - uses: jaxxstorm/action-install-gh-release@71d17cb091aa850acb2a1a4cf87258d183eb941b # v1.11.0 + uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0 with: repo: pulumi/schema-tools diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml index daff0b7..d826e07 100644 --- a/.github/workflows/build_provider.yml +++ b/.github/workflows/build_provider.yml @@ -14,6 +14,7 @@ jobs: runs-on: ubuntu-latest env: PROVIDER_VERSION: ${{ inputs.version }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} strategy: fail-fast: true matrix: 
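Review bot: Adding `GITHUB_TOKEN` to the job-level `env:` of build_provider.yml hands the token to every step of the job, including the `make` targets and, in the following hunk, the jsign jar that is fetched with `wget` and executed. Which step actually needs the token is not visible here; if it is only the build, set `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in that step's own `env:` instead. The job's `permissions:` block lies outside this hunk and should be checked to grant the token no more than read access.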
@@ -49,8 +50,36 @@ jobs: path: provider/cmd/pulumi-resource-acme - name: Restore makefile progress run: make --touch provider schema - - name: Build & package provider + + - name: Build provider + if: matrix.platform.os != 'windows' + run: make bin/${{ matrix.platform.os }}-${{ matrix.platform.arch }}/pulumi-resource-acme + + - name: Build windows provider + if: matrix.platform.os == 'windows' + run: make bin/${{ matrix.platform.os }}-${{ matrix.platform.arch }}/pulumi-resource-acme.exe + + - name: Sign windows provider + if: matrix.platform.os == 'windows' + run: | + az login --service-principal \ + -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \ + -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \ + -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \ + -o none; + + wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar; + + java -jar jsign-6.0.jar \ + --storetype AZUREKEYVAULT \ + --keystore "PulumiCodeSigning" \ + --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \ + --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \ + bin/windows-amd64/pulumi-resource-acme.exe; + + - name: Package provider run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }} + - name: Upload artifacts uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml index a6407cb..805d82a 100644 --- a/.github/workflows/build_sdk.yml +++ b/.github/workflows/build_sdk.yml @@ -44,7 +44,7 @@ jobs: with: persist-credentials: false - name: Cache examples generation - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 with: path: | .pulumi/examples-cache 
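Review bot: The new `Sign windows provider` step executes `jsign-6.0.jar` directly after `wget` with no integrity check, in a process that can reach the Azure signing credentials and a Key Vault access token; pin the jar's SHA-256 and verify it before `java -jar`. The secrets are also expanded by `${{ }}` into the script text and passed unquoted as `-u`/`-p`/`-t`/`--url` arguments, so a value containing shell metacharacters would be interpreted by bash; passing them through the step's `env:` and quoting the variables avoids that. The signed path is hard-coded as `bin/windows-amd64/...` while the build step uses `${{ matrix.platform.arch }}`, which would sign the wrong file if another Windows architecture is added to the matrix (the matrix is outside the hunk). A sketch follows; the checksum is a placeholder to be filled from the jsign 6.0 release.

```yaml
      - name: Sign windows provider
        # … unchanged: if: condition …
        env:
          AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
          AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
          AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
          AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
          # Placeholder: replace with the published SHA-256 of jsign-6.0.jar
          JSIGN_SHA256: "<SHA256_OF_JSIGN_6_0_JAR>"
        run: |
          az login --service-principal \
            -u "$AZURE_SIGNING_CLIENT_ID" \
            -p "$AZURE_SIGNING_CLIENT_SECRET" \
            -t "$AZURE_SIGNING_TENANT_ID" \
            -o none

          wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar
          echo "${JSIGN_SHA256}  jsign-6.0.jar" | sha256sum --check --strict

          # … unchanged: java -jar jsign-6.0.jar with --storetype, --keystore, --storepass …
            --url "$AZURE_SIGNING_KEY_VAULT_URI" \
            "bin/windows-${{ matrix.platform.arch }}/pulumi-resource-acme.exe"
```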
@@ -55,8 +55,8 @@ jobs: tools: pulumictl, pulumicli, ${{ matrix.language }} - name: Prepare local workspace run: make prepare_local_workspace - - name: Download bin - uses: ./.github/actions/download-bin + - name: Download tfgen + uses: ./.github/actions/download-tfgen - name: Update path run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" - name: Restore makefile progress diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3f1c009..8a9debd 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -129,6 +129,7 @@ jobs: name: test needs: - prerequisites + - build_provider - build_sdk permissions: contents: read diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index fd4e668..5ea8dad 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -70,6 +70,7 @@ jobs: name: test needs: - prerequisites + - build_provider - build_sdk permissions: contents: read diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml index 61d49b3..df175b3 100644 --- a/.github/workflows/prerequisites.yml +++ b/.github/workflows/prerequisites.yml @@ -51,7 +51,7 @@ jobs: with: set-env: 'PROVIDER_VERSION' - name: Cache examples generation - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4 with: path: | .pulumi/examples-cache 
@@ -79,18 +79,22 @@ jobs: } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false name: Comment on PR with Details of Schema Check - uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 + uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - comment_tag: schemaCheck + github-token: ${{ secrets.GITHUB_TOKEN }} + comment-tag: schemaCheck message: >+ ${{ env.SCHEMA_CHANGES }} Maintainer note: consult the [runbook](https://github.com/pulumi/platform-providers-team/blob/main/playbooks/tf-provider-updating.md) for dealing with any breaking changes. - - name: Upload bin - uses: ./.github/actions/upload-bin + - name: Upload pulumi-tfgen-acme + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: pulumi-tfgen-acme + path: ${{ github.workspace }}/bin/pulumi-tfgen-acme + retention-days: 30 - name: Upload schema-embed.json uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 732be73..99f8d80 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -28,9 +28,9 @@ jobs: with: persist-credentials: false - name: Comment PR - uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0 + uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ secrets.GITHUB_TOKEN }} message: > PR is now waiting for a maintainer to run the acceptance tests. diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bada405..f0706d0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -76,6 +76,7 @@ jobs: name: test needs: - prerequisites + - build_provider - build_sdk permissions: contents: read diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index d9de347..bc56a0f 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -118,6 +118,7 @@ jobs: name: test needs: - prerequisites + - build_provider - build_sdk permissions: contents: read diff --git a/Makefile b/Makefile index 1c138e7..6af17a2 100644 --- a/Makefile +++ b/Makefile @@ -95,7 +95,7 @@ GEN_ENVS := PULUMI_HOME=$(GEN_PULUMI_HOME) PULUMI_CONVERT_EXAMPLES_CACHE_DIR=$(G generate_dotnet: .make/generate_dotnet build_dotnet: .make/build_dotnet .make/generate_dotnet: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/generate_dotnet: bin/$(TFGEN) +.make/generate_dotnet: .make/install_plugins bin/$(TFGEN) $(GEN_ENVS) $(WORKING_DIR)/bin/$(TFGEN) dotnet --out sdk/dotnet/ cd sdk/dotnet/ && \ printf "module fake_dotnet_module // Exclude this directory from Go tools\n\ngo 1.17\n" > go.mod && \ @@ -109,7 +109,7 @@ build_dotnet: .make/build_dotnet generate_go: .make/generate_go build_go: .make/build_go .make/generate_go: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/generate_go: bin/$(TFGEN) +.make/generate_go: .make/install_plugins bin/$(TFGEN) $(GEN_ENVS) $(WORKING_DIR)/bin/$(TFGEN) go --out sdk/go/ @touch $@ .make/build_go: .make/generate_go 
@@ -121,7 +121,7 @@ generate_java: .make/generate_java build_java: .make/build_java .make/generate_java: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) .make/generate_java: PACKAGE_VERSION := $(VERSION_GENERIC) -.make/generate_java: bin/pulumi-java-gen .make/schema +.make/generate_java: .make/install_plugins bin/pulumi-java-gen .make/schema PULUMI_HOME=$(GEN_PULUMI_HOME) PULUMI_CONVERT_EXAMPLES_CACHE_DIR=$(GEN_PULUMI_CONVERT_EXAMPLES_CACHE_DIR) bin/$(JAVA_GEN) generate --schema provider/cmd/$(PROVIDER)/schema.json --out sdk/java --build gradle-nexus printf "module fake_java_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/java/go.mod @touch $@ @@ -136,7 +136,7 @@ build_java: .make/build_java generate_nodejs: .make/generate_nodejs build_nodejs: .make/build_nodejs .make/generate_nodejs: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/generate_nodejs: bin/$(TFGEN) +.make/generate_nodejs: .make/install_plugins bin/$(TFGEN) $(GEN_ENVS) $(WORKING_DIR)/bin/$(TFGEN) nodejs --out sdk/nodejs/ printf "module fake_nodejs_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/nodejs/go.mod @touch $@ @@ -151,7 +151,7 @@ build_nodejs: .make/build_nodejs generate_python: .make/generate_python build_python: .make/build_python .make/generate_python: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/generate_python: bin/$(TFGEN) +.make/generate_python: .make/install_plugins bin/$(TFGEN) $(GEN_ENVS) $(WORKING_DIR)/bin/$(TFGEN) python --out sdk/python/ printf "module fake_python_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/python/go.mod cp README.md sdk/python/ diff --git a/upstream.sh b/upstream.sh index 87593cd..ce90039 100755 --- a/upstream.sh +++ b/upstream.sh 
@@ -138,11 +138,14 @@ apply_patches() { # Iterating over the patches folder in sorted order, # apply the patch using a 3-way merge strategy. This mirrors the default behavior of 'git merge' cd upstream + # Allow directory to be empty + shopt -s nullglob for patch in ../patches/*.patch; do if ! git apply --3way "${patch}" --allow-empty; then err_failed_to_apply "$(basename "${patch}")" fi done + shopt -u nullglob } clean_rebases() { @@ -227,13 +230,16 @@ checkout() { # Create a new branch 'pulumi/patch-checkout' which will contain the commits for each patch git checkout -B pulumi/patch-checkout + # Allow directory to be empty + shopt -s nullglob for patch in ../patches/*.patch; do if ! git am --3way "${patch}"; then err_failed_to_apply "$(basename "${patch}")" fi done + shopt -u nullglob - cat < Date: Tue, 10 Dec 2024 08:50:15 +0100 Subject: [PATCH 2/2] Only sign when secrets have been configured --- .github/workflows/build_provider.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml index d826e07..8ec32a3 100644 --- a/.github/workflows/build_provider.yml +++ b/.github/workflows/build_provider.yml @@ -15,6 +15,7 @@ jobs: env: PROVIDER_VERSION: ${{ inputs.version }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SIGN: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }} strategy: fail-fast: true matrix: @@ -60,7 +61,7 @@ jobs: run: make bin/${{ matrix.platform.os }}-${{ matrix.platform.arch }}/pulumi-resource-acme.exe - name: Sign windows provider - if: matrix.platform.os == 'windows' + if: matrix.platform.os == 'windows' && env.SIGN == 'true' run: | az login --service-principal \ -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
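Review bot: In PATCH 2/2 (build_provider.yml), `SIGN` is derived only from `secrets.AZURE_SIGNING_KEY_VAULT_URI`, so the sign step still runs and fails at `az login` when the client id, client secret or tenant id is missing, and it is skipped without any trace when the vault URI is absent. release.yml and prerelease.yml now list `build_provider` in `needs`, so, assuming they call this workflow, a removed or renamed secret would let a green run publish an unsigned Windows binary. Consider testing all four secrets in the `SIGN` expression and adding a step with `if: matrix.platform.os == 'windows' && env.SIGN != 'true'` that runs `echo "::warning::Windows provider was not signed"`, or that fails when the run is a release. The sign step's `run:` block continues outside the hunk.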