diff --git a/.config/mise.toml b/.config/mise.toml index f93067e..a733aa2 100644 --- a/.config/mise.toml +++ b/.config/mise.toml @@ -3,11 +3,12 @@ [env] _.source = "{{config_root}}/scripts/get-versions.sh" +PULUMI_HOME = "{{config_root}}/.pulumi" [tools] # Runtimes -# TODO: we may not need `get_env` once https://github.com/jdx/mise/discussions/6339 is fixed +# TODO: we may not need 'get_env' once https://github.com/jdx/mise/discussions/6339 is fixed go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}" node = '20.19.5' python = '3.11.8' @@ -17,12 +18,15 @@ java = 'corretto-11' # Executable tools pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}" -"github:pulumi/pulumictl" = 'latest' -"github:pulumi/schema-tools" = "latest" -gradle = '7.6' +"github:pulumi/pulumictl" = '0.0.50' +"github:pulumi/schema-tools" = "0.6.0" +"aqua:gradle/gradle-distributions" = '7.6.6' golangci-lint = "1.64.8" # See note about about overrides if you need to customize this. "npm:yarn" = "1.22.22" [settings] experimental = true # Required for Go binaries (e.g. pulumictl). -lockfile = true +lockfile = false + +[plugins] +vfox-pulumi = "https://github.com/pulumi/vfox-pulumi" diff --git a/.github/actions/setup-tools/action.yml b/.github/actions/setup-tools/action.yml index ea48463..897b5fa 100644 --- a/.github/actions/setup-tools/action.yml +++ b/.github/actions/setup-tools/action.yml @@ -14,14 +14,16 @@ runs: using: "composite" steps: - name: Setup mise - uses: jdx/mise-action@d16887ba50704baed7de72bd1e82e04391e4457a # v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 cache_save: ${{ inputs.cache }} github_token: ${{ inputs.github_token }} - name: Setup Go Cache - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: cache: ${{ inputs.cache }} cache-dependency-path: | 
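Review bot: Flipping `lockfile` to `false` in `[settings]` of .config/mise.toml removes the one file that would record what mise actually resolved, while `go` and `pulumi` still fall back to `default='latest'` and the new `[plugins]` entry names the vfox-pulumi repository with no ref. The three tools pinned in this hunk are an improvement, but the plugin is code that runs during every tool install, so whatever is on that repository's default branch at CI time is what executes. Pin it to a reviewed commit, e.g. `vfox-pulumi = "https://github.com/pulumi/vfox-pulumi#<COMMIT_SHA>"` if mise accepts a `#ref` suffix in this table. Also add a comment above `lockfile = false` saying why the lock file had to be disabled.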
@@ -32,7 +34,7 @@ runs: *.sum - name: Setup Node - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: # we don't set node-version because we install with mise. # this step is needed to setup npm auth diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 794a1a7..8898f0f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,7 +47,7 @@ jobs: pull-requests: write # For schema check comment. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -122,54 +122,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar provider binaries run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ @@ -218,7 +170,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -259,54 +211,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . @@ -335,7 +239,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -380,7 +284,7 @@ jobs: id-token: write # For ESC secrets and Pulumi access token OIDC. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -477,7 +381,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -510,7 +414,7 @@ jobs: swap-storage: true large-packages: false - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 @@ -550,7 +454,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -570,7 +474,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout Scripts Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: path: ci-scripts repository: pulumi/scripts @@ -631,7 +535,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index aafa0eb..f3c6ec5 100644 --- a/.github/workflows/command-dispatch.yml +++ b/.github/workflows/command-dispatch.yml 
@@ -14,6 +14,7 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_PULUMI_ENABLE_JOURNALING: "true" jobs: command-dispatch-for-testing: @@ -24,7 +25,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - env: @@ -36,7 +37,7 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4 + - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5 with: commands: | run-acceptance-tests diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml index 6532d5b..af6fd31 100644 --- a/.github/workflows/community-moderation.yml +++ b/.github/workflows/community-moderation.yml @@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - id: schema_changed diff --git a/.github/workflows/export-repo-secrets.yml b/.github/workflows/export-repo-secrets.yml index 0039709..93f70f2 100644 --- a/.github/workflows/export-repo-secrets.yml +++ b/.github/workflows/export-repo-secrets.yml @@ -8,7 +8,7 @@ jobs: steps: - name: Generate a GitHub token id: generate-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: 1256780 # Export Secrets GitHub App private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }} diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 8c91e22..6656c35 100644 
--- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -36,7 +36,7 @@ jobs: name: prerequisites steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -111,54 +111,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar provider binaries run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ 
@@ -207,7 +159,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -248,54 +200,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit ${{ matrix.language }} SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit ${{ matrix.language }} SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . 
@@ -333,7 +237,7 @@ jobs: id-token: write # For ESC secrets and Pulumi access token OIDC. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -430,7 +334,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -463,7 +367,7 @@ jobs: swap-storage: true large-packages: false - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 @@ -503,7 +407,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -523,7 +427,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout Scripts Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: path: ci-scripts repository: pulumi/scripts @@ -585,7 +489,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -635,7 +539,7 @@ jobs: needs: publish_sdk steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - id: version diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index d481da3..f935603 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -10,7 +10,7 @@ jobs: name: comment-on-pr steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - name: Comment PR diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 661764c..add72ca 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,7 +39,7 @@ jobs: pull-requests: write # For schema check comment. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -62,7 +62,7 @@ jobs: uses: ./.github/actions/setup-tools with: cache: 'true' - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 
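Review bot: The `github_token` input of the Setup Tools step in release.yml (hunk @@ -62,7 +62,7) now receives `steps.esc-secrets.outputs.PULUMI_BOT_TOKEN` instead of the job-scoped `secrets.GITHUB_TOKEN`, which hands a longer-lived bot credential to the tool installer. The composite action forwards this input to `jdx/mise-action`, and mise here sources `scripts/get-versions.sh` and loads the vfox-pulumi plugin, so that code can presumably read the token during install. The same substitution is repeated in the later release.yml hunks and in run-acceptance-tests.yml, where the workflow carries `PR_COMMIT_SHA` and may be building pull-request code. If the motive is GitHub API rate limits, a read-only token minted for that purpose is enough. At minimum document the intent next to the input, e.g. `# bot token is used only for API rate limits during tool install; must not need write scope`.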
@@ -114,54 +114,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar provider binaries run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ @@ -210,7 +162,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -232,7 +184,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - name: Download Provider Binary uses: ./.github/actions/download-provider - name: Generate SDK @@ -251,54 +203,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . 
@@ -336,7 +240,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -358,7 +262,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - name: Download Provider Binary uses: ./.github/actions/download-provider - name: Download SDK @@ -433,7 +337,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -455,7 +359,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - name: Clear GitHub Actions Ubuntu runner disk space uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 with: @@ -466,7 +370,7 @@ jobs: swap-storage: true large-packages: false - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 @@ -506,7 +410,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -526,7 +430,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout Scripts Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: path: ci-scripts repository: pulumi/scripts @@ -534,7 +438,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - name: Download python SDK uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -588,7 +492,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -610,7 +514,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - name: Download java SDK uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -638,7 +542,7 @@ jobs: needs: publish_sdk steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - id: version @@ -674,7 +578,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: diff --git a/.github/workflows/release_command.yml b/.github/workflows/release_command.yml index 4e2450d..21fad2a 100644 --- a/.github/workflows/release_command.yml +++ b/.github/workflows/release_command.yml 
@@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - env: diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 7810df6..f828277 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -32,6 +32,7 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_PULUMI_ENABLE_JOURNALING: "true" PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} jobs: comment-notification: @@ -40,7 +41,7 @@ jobs: name: comment-notification steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -65,7 +66,7 @@ jobs: pull-requests: write # For schema check comment. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -90,7 +91,7 @@ jobs: uses: ./.github/actions/setup-tools with: cache: 'true' - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 
@@ -142,8 +143,12 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle + # This worktree check is a safeguard against someone forgetting to + # re-build and commit locally, but we handle that commit automatically in + # the case of dependency bumps. + continue-on-error: ${{ contains(github.actor, 'renovate') }} - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && + if: steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request' shell: bash @@ -240,7 +245,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -264,7 +269,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - name: Download provider uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -292,8 +297,9 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle + continue-on-error: ${{ contains(github.actor, 'renovate') }} - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && + if: steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request' shell: bash @@ -379,7 +385,7 @@ jobs: id-token: write steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false 
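Review bot: `contains(github.actor, 'renovate')` is a substring test, so in the @@ -142,8 +143,12 hunk the new `continue-on-error` and the relaxed `if:` on the "Commit SDK changes for Renovate" step apply to any account whose login merely contains that string. The body of that step lies outside this hunk, but the copies this commit deletes from build.yml push to the PR branch with `PULUMI_BOT_TOKEN`, so this gate decides when CI acts with the bot credential. Compare against the bot's exact login instead, e.g. `github.actor == 'renovate[bot]'` if that is the account in use here. The same expression is added in the @@ -292,8 +297,9 hunk of this file and should change with it.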
@@ -403,7 +409,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - name: Download provider uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -490,7 +496,7 @@ jobs: name: sentinel steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -525,7 +531,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml index 3de934d..ae8a935 100644 --- a/.github/workflows/weekly-pulumi-update.yml +++ b/.github/workflows/weekly-pulumi-update.yml @@ -29,6 +29,7 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_PULUMI_ENABLE_JOURNALING: "true" jobs: weekly-pulumi-update: @@ -36,7 +37,7 @@ jobs: permissions: write-all steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: diff --git a/.goreleaser.yml b/.goreleaser.yml index 2ae51d6..9bb8131 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,5 +1,4 @@ # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt - project_name: pulumi-docker-build builds: - id: build-provider