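# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt

name: run-acceptance-tests

# No push trigger is declared; every job below additionally gates itself on
# repository_dispatch or a same-repository pull_request.
on:
  repository_dispatch:
    types:
      - run-acceptance-tests-command
  pull_request:
    paths-ignore:
      - CHANGELOG.md
  workflow_dispatch: {}

env:
  PROVIDER: docker-build
  TRAVIS_OS_NAME: linux
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
  GOOGLE_PROJECT: pulumi-ci-gcp-provider
  GOOGLE_PROJECT_NUMBER: "895284651812"
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  TF_APPEND_USER_AGENT: pulumi
  # Taken from the repository_dispatch payload, so it is only populated for
  # dispatched runs. Every checkout below uses it as `ref`, which means the
  # dispatch payload decides which commit is built and tested with the
  # secrets fetched in each job.
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}

jobs:
  # Posts a link to this run back on the issue/PR named in the dispatch payload.
  comment-notification:
    if: github.event_name == 'repository_dispatch'
    runs-on: ubuntu-latest
    name: comment-notification
    steps:
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          lfs: true
          # Keeps the checkout token out of the local git config.
          persist-credentials: false
          ref: ${{ env.PR_COMMIT_SHA }}
      - name: Create URL to the run output
        id: vars
        run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
      - name: Update with Result
        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
          issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
          body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"

  # Builds the provider and schema, runs the schema check, and uploads the
  # provider binaries for the downstream jobs.
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    permissions:
      id-token: write # For ESC secrets.
      pull-requests: write # For schema check comment.
    steps:
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          lfs: true
          persist-credentials: false
          ref: ${{ env.PR_COMMIT_SHA }}
      # Secrets are returned as step outputs only (export is disabled), so each
      # later step has to reference the specific output it needs.
      - env:
          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
          ESC_ACTION_OIDC_AUTH: "true"
          ESC_ACTION_OIDC_ORGANIZATION: pulumi
          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
        id: esc-secrets
        name: Fetch secrets from ESC
        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        id: app-auth
        with:
          app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
          private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - id: version
        name: Set Provider Version
        uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
        with:
          set-env: PROVIDER_VERSION
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Tools
        uses: ./.github/actions/setup-tools
        with:
          cache: 'true'
          github_token: ${{ steps.app-auth.outputs.token }}
      - if: github.event_name == 'pull_request'
        name: Install Schema Tools
        uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
        with:
          repo: pulumi/schema-tools
      - name: Build codegen binaries
        run: make codegen
      - name: Build Schema
        run: make generate_schema
      # NOTE(review): the command below is truncated on this page (the text
      # between 'SCHEMA_CHANGES<' and '> "$GITHUB_ENV"' is missing); restore it
      # from the ci-mgmt template before use. Whatever this step writes to
      # $GITHUB_ENV as SCHEMA_CHANGES is later posted as a PR comment and read
      # by the label step's condition.
      - if: github.event_name == 'pull_request'
        name: Check Schema is Valid
        run: >-
          { echo 'SCHEMA_CHANGES<> "$GITHUB_ENV"
        env:
          GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
        name: Comment on PR with Details of Schema Check
        uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
        with:
          message: |
            ${{ env.SCHEMA_CHANGES }}
          comment-tag: schemaCheck
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # NOTE(review): `number` reads github.event.issue.number, while
      # SCHEMA_CHANGES is only set on pull_request runs - confirm that the
      # field is populated for that event.
      - if: contains(env.SCHEMA_CHANGES, 'Looking good! No breaking changes found.') && github.actor == 'pulumi-bot'
        name: Add label if no breaking changes
        uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
        with:
          labels: impact/no-changelog-required
          number: ${{ github.event.issue.number }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Provider
        run: make provider
      - name: Check worktree clean
        id: worktreeClean
        uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
        with:
          allowed-changes: |-
            sdk/**/pulumi-plugin.json
            sdk/dotnet/*.*.csproj
            sdk/dotnet/version.txt
            sdk/go/**/pulumiUtilities.go
            sdk/nodejs/package.json
            sdk/python/pyproject.toml
            sdk/java/build.gradle
        # This worktree check is a safeguard against someone forgetting to
        # re-build and commit locally, but we handle that commit automatically in
        # the case of dependency bumps.
        continue-on-error: ${{ contains(github.actor, 'renovate') }}
      # contains() is a substring match on the actor login, so any login that
      # includes 'renovate' satisfies it; the job-level `if` limits
      # pull_request runs to branches of this repository.
      - name: Commit SDK changes for Renovate
        if: steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request'
        shell: bash
        # Literal block so every command stays on its own line.
        run: |
          git config --global user.email "bot@pulumi.com"
          git config --global user.name "pulumi-bot"
          # Stash local changes and check out the PR's branch directly.
          git stash
          git fetch
          git checkout "origin/$HEAD_REF"
          # Apply and add our changes, but don't commit any files we expect to
          # always change due to versioning.
          git stash pop
          git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
          git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
          git commit -m 'Commit SDK for Renovate'
          # Push with pulumi-bot credentials to trigger a re-run of the
          # workflow. https://github.com/orgs/community/discussions/25702
          git push "https://pulumi-bot:${PULUMI_BOT_TOKEN}@github.com/${{ github.repository }}" "HEAD:$HEAD_REF"
        env:
          HEAD_REF: ${{ github.head_ref }}
          # Handed to the shell through the environment so the token is not
          # templated into the script text before bash parses it.
          PULUMI_BOT_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      - run: git status --porcelain
      - name: Tar provider binaries
        run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }} pulumi-gen-${{ env.PROVIDER}}
      - name: Upload artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
          path: ${{ github.workspace }}/bin/provider.tar.gz
      - name: Test Provider Library
        run: make test_provider
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        env:
          CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
      # NOTE(review): this workflow declares no push trigger, so the condition
      # below is never true here.
      - if: failure() && github.event_name == 'push'
        name: Notify Slack
        uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
        with:
          author_name: Failure in building provider prerequisites
          fields: repo,commit,author,action
          status: ${{ job.status }}
        env:
          SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    # pull_request runs are limited to branches of this repository; any other
    # PR head reaches the secret-bearing steps only through
    # repository_dispatch. Whoever can send that dispatch is therefore the
    # trust gate - presumably a maintainer-only command; confirm.
    if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository

  # Generates and builds one SDK per matrix language from the provider
  # artifact uploaded by `prerequisites`.
  build_sdks:
    needs: prerequisites
    runs-on: pulumi-ubuntu-8core
    strategy:
      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
      matrix:
        language:
          - nodejs
          - python
          - dotnet
          - go
          - java
    name: build_sdks
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          lfs: true
          persist-credentials: false
          ref: ${{ env.PR_COMMIT_SHA }}
      - env:
          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
          ESC_ACTION_OIDC_AUTH: "true"
          ESC_ACTION_OIDC_ORGANIZATION: pulumi
          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
        id: esc-secrets
        name: Fetch secrets from ESC
        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        id: app-auth
        with:
          app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
          private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - id: version
        name: Set Provider Version
        uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
        with:
          set-env: PROVIDER_VERSION
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Tools
        uses: ./.github/actions/setup-tools
        with:
          github_token: ${{ steps.app-auth.outputs.token }}
      - name: Download provider
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
          path: ${{ github.workspace }}/bin
      - name: UnTar provider binaries
        run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
      - name: Restore Binary Permissions
        run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
      - name: Generate SDK
        run: make generate_${{ matrix.language }}
      - name: Build SDK
        run: make build_${{ matrix.language }}
      - name: Check worktree clean
        id: worktreeClean
        uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
        with:
          allowed-changes: |-
            sdk/**/pulumi-plugin.json
            sdk/dotnet/*.*.csproj
            sdk/dotnet/version.txt
            sdk/go/**/pulumiUtilities.go
            sdk/nodejs/package.json
            sdk/python/pyproject.toml
            sdk/java/build.gradle
        continue-on-error: ${{ contains(github.actor, 'renovate') }}
      # contains() is a substring match on the actor login; the job-level `if`
      # limits pull_request runs to branches of this repository.
      - name: Commit SDK changes for Renovate
        if: steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request'
        shell: bash
        # Literal block so every command stays on its own line.
        run: |
          git config --global user.email "bot@pulumi.com"
          git config --global user.name "pulumi-bot"
          # Stash local changes and check out the PR's branch directly.
          git stash
          git fetch
          git checkout "origin/$HEAD_REF"
          # Apply and add our changes, but don't commit any files we expect to
          # always change due to versioning.
          git stash pop
          git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
          git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
          git commit -m 'Commit SDK for Renovate'
          # Push with pulumi-bot credentials to trigger a re-run of the
          # workflow. https://github.com/orgs/community/discussions/25702
          git push "https://pulumi-bot:${PULUMI_BOT_TOKEN}@github.com/${{ github.repository }}" "HEAD:$HEAD_REF"
        env:
          HEAD_REF: ${{ github.head_ref }}
          # Handed to the shell through the environment so the token is not
          # templated into the script text before bash parses it.
          PULUMI_BOT_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      - run: git status --porcelain
      - name: Tar SDK folder
        run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
      - name: Upload artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ matrix.language }}-sdk.tar.gz
          path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
          retention-days: 30
      # NOTE(review): no push trigger is declared, so this never fires here.
      - if: failure() && github.event_name == 'push'
        name: Notify Slack
        uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
        with:
          author_name: Failure while building SDKs
          fields: repo,commit,author,action
          status: ${{ job.status }}
        env:
          SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository

  # Runs the example tests per language against the built provider and SDKs,
  # with cloud credentials obtained through OIDC.
  test:
    runs-on: pulumi-ubuntu-8core
    needs:
      - build_sdks
    strategy:
      fail-fast: true
      matrix:
        language:
          - nodejs
          - python
          - dotnet
          - go
          - java
          - yaml
    name: test
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          lfs: true
          persist-credentials: false
          ref: ${{ env.PR_COMMIT_SHA }}
      - env:
          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
          ESC_ACTION_OIDC_AUTH: "true"
          ESC_ACTION_OIDC_ORGANIZATION: pulumi
          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
        id: esc-secrets
        name: Fetch secrets from ESC
        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        id: app-auth
        with:
          app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
          private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
      - id: version
        name: Set Provider Version
        uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
        with:
          set-env: PROVIDER_VERSION
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Setup Tools
        uses: ./.github/actions/setup-tools
        with:
          github_token: ${{ steps.app-auth.outputs.token }}
      - name: Download provider
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
          path: ${{ github.workspace }}/bin
      - name: UnTar provider binaries
        run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
      - name: Restore Binary Permissions
        run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
      - name: Download SDK
        if: ${{ matrix.language != 'yaml' }}
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: ${{ matrix.language }}-sdk.tar.gz
          path: ${{ github.workspace}}/sdk/
      - name: UnTar SDK folder
        if: ${{ matrix.language != 'yaml' }}
        run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{ github.workspace}}/sdk/${{ matrix.language}}
      - name: Update path
        run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
      - name: Install Node dependencies
        run: yarn global add typescript
      - run: dotnet nuget add source ${{ github.workspace }}/nuget
      - name: Install Python deps
        run: |-
          pip3 install virtualenv==20.0.23
          pip3 install pipenv
      - name: Install dependencies
        if: ${{ matrix.language != 'yaml' }}
        run: make install_${{ matrix.language}}_sdk
      - name: Generate Pulumi Access Token
        id: generate_pulumi_token
        uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
        with:
          organization: pulumi
          requested-token-type: urn:pulumi:token-type:access_token:organization
          export-environment-variables: false
      - name: Export AWS Credentials
        uses: pulumi/esc-action@197ccaa42ab49560ce838a3010eb8345ce086896
        env:
          PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
        with:
          environment: logins/pulumi-ci
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{ env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
      - name: Setup gcloud auth
        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
        with:
          install_components: gke-gcloud-auth-plugin
      # NOTE(review): the only action in this workflow referenced by a mutable
      # tag instead of a commit SHA, in a job that holds cloud credentials;
      # pin it to a full commit SHA like the others.
      - name: Install gotestfmt
        uses: GoTestTools/gotestfmt-action@v2
        with:
          version: v2.5.0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run tests
        run: |-
          set -euo pipefail
          cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # NOTE(review): no push trigger is declared, so this never fires here.
      - if: failure() && github.event_name == 'push'
        name: Notify Slack
        uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
        with:
          author_name: Failure in SDK tests
          fields: repo,commit,author,action
          status: ${{ job.status }}
        env:
          SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository

  # Publishes a single "Sentinel" commit status once test, prerequisites and
  # lint have all succeeded.
  sentinel:
    runs-on: ubuntu-latest
    name: sentinel
    steps:
      - name: Checkout Repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          lfs: true
          persist-credentials: false
          ref: ${{ env.PR_COMMIT_SHA }}
      - env:
          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
          ESC_ACTION_OIDC_AUTH: "true"
          ESC_ACTION_OIDC_ORGANIZATION: pulumi
          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
        id: esc-secrets
        name: Fetch secrets from ESC
        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
      - name: Mark workflow as successful
        uses: guibranco/github-status-action-v2@e8a8fa568b768f554cfe1d34e27e917aed4c6127 # v1.2.1
        with:
          authToken: ${{ secrets.GITHUB_TOKEN }}
          context: Sentinel
          state: success
          description: Sentinel checks passed
          sha: ${{ github.event.pull_request.head.sha || github.sha }}
    permissions:
      statuses: write
      id-token: write # For ESC secrets.
    if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository
    needs:
      - test
      - prerequisites
      - lint

  lint:
    if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository
    name: lint
    uses: ./.github/workflows/lint.yml
    # Forwards every secret available to this workflow to lint.yml; pass only
    # the named secrets it needs if that set is small.
    secrets: inherit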