pulumi-docker-build/.github/workflows/prerelease.yml

# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt

name: prerelease
on:
  push:
    tags:
    - v*.*.*-**
env:
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
  GOOGLE_PROJECT: pulumi-ci-gcp-provider
  GOOGLE_PROJECT_NUMBER: "895284651812"
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  IS_PRERELEASE: true

jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
        cache: 'true'
        github_token: ${{ secrets.GITHUB_TOKEN }}
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/schema-tools
    - name: Build codegen binaries
      run: make codegen
    - name: Build Schema
      run: make generate_schema
    - if: github.event_name == 'pull_request'
      name: Check Schema is Valid
      run: >-
        {
          echo 'SCHEMA_CHANGES<<EOF';

          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;

          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
      with:
        message: |
          ${{ env.SCHEMA_CHANGES }}
        comment-tag: schemaCheck
        github-token: ${{ secrets.GITHUB_TOKEN }}
    - if: contains(env.SCHEMA_CHANGES, 'Looking good! No breaking changes found.') &&
        github.actor == 'pulumi-bot'
      name: Add label if no breaking changes
      uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
      with:
        labels: impact/no-changelog-required
        number: ${{ github.event.issue.number }}
        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Build Provider
      run: make provider
    - name: Check worktree clean
      id: worktreeClean
      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
      with:
        allowed-changes: |-
          sdk/**/pulumi-plugin.json
          sdk/dotnet/*.*.csproj
          sdk/dotnet/version.txt
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
          **/mise.lock
          **/.config/mise.lock
          **/mise.*.lock
          **/.config/mise.*.lock
    - name: Commit SDK changes for Renovate
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit

        git config --global user.email "bot@pulumi.com"

        git config --global user.name "pulumi-bot"

        # Stash local changes and check out the PR's branch directly.

        git stash

        git fetch

        git checkout "origin/$HEAD_REF"


        # Apply and add our changes, but don't commit any files we expect to

        # always change due to versioning.

        git stash pop

        git add sdk

        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json

        git commit -m 'Commit SDK for Renovate'


        # Push with pulumi-bot credentials to trigger a re-run of the

        # workflow. https://github.com/orgs/community/discussions/25702

        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
      env:
        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  build_sdks:
    needs: prerequisites
    runs-on: pulumi-ubuntu-8core
    strategy:
      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
      matrix:
        language:
        - nodejs
        - python
        - dotnet
        - go
        - java
    name: build_sdks
    permissions:
      pull-requests: write # For Renovate SDK updates.
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Download Provider Binary
      uses: ./.github/actions/download-provider
    - name: Generate SDK
      run: make generate_${{ matrix.language }}
    - name: Build SDK
      run: make build_${{ matrix.language }}
    - name: Check worktree clean
      id: worktreeClean
      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
      with:
        allowed-changes: |-
          sdk/**/pulumi-plugin.json
          sdk/dotnet/*.*.csproj
          sdk/dotnet/version.txt
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
          **/mise.lock
          **/.config/mise.lock
          **/mise.*.lock
          **/.config/mise.*.lock
    - name: Commit ${{ matrix.language }} SDK changes for Renovate
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit

        git config --global user.email "bot@pulumi.com"

        git config --global user.name "pulumi-bot"

        # Stash local changes and check out the PR's branch directly.

        git stash

        git fetch

        git checkout "origin/$HEAD_REF"


        # Apply and add our changes, but don't commit any files we expect to

        # always change due to versioning.

        git stash pop

        git add sdk

        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json

        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'


        # Push with pulumi-bot credentials to trigger a re-run of the

        # workflow. https://github.com/orgs/community/discussions/25702

        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  test:
    runs-on: pulumi-ubuntu-8core
    needs:
    - build_sdks
    strategy:
      fail-fast: true
      matrix:
        language:
        - nodejs
        - python
        - dotnet
        - go
        - java
        - yaml
    name: test
    permissions:
      contents: read
      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Download Provider Binary
      uses: ./.github/actions/download-provider
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
      uses: ./.github/actions/download-sdk
      with:
        language: ${{ matrix.language }}
    - name: Update path
      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
    - name: Install Node dependencies
      run: yarn global add typescript
    - run: dotnet nuget add source ${{ github.workspace }}/nuget
    - name: Install Python deps
      run: |-
        pip3 install virtualenv==20.0.23
        pip3 install pipenv
    - name: Install dependencies
      if: ${{ matrix.language != 'yaml' }}
      run: make install_${{ matrix.language}}_sdk
    - name: Generate Pulumi Access Token
      id: generate_pulumi_token
      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
      with:
        organization: pulumi
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
          env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
      uses: GoTestTools/gotestfmt-action@v2
      with:
        version: v2.5.0
        token: ${{ secrets.GITHUB_TOKEN }}
    - name: Run tests
      run: >-
        set -euo pipefail

        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish:
    runs-on: ubuntu-latest
    needs: test
    name: publish
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
        tool-cache: false
        dotnet: false
        android: true
        haskell: true
        swap-storage: true
        large-packages: false
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
      with:
        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
        role-duration-seconds: 7200
        role-session-name: ${{ env.PROVIDER }}@githubActions
        role-external-id: upload-pulumi-release
        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
      env:
        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
        version: latest
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing binaries
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_sdk:
    runs-on: ubuntu-latest
    needs: publish
    name: publish_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        path: ci-scripts
        repository: pulumi/scripts
    - run: echo "ci-scripts" >> .git/info/exclude
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Download python SDK
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
    - name: Uncompress python SDK
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
    - name: Uncompress dotnet SDK
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
    - name: Uncompress nodejs SDK
      run: tar -zxf ${{github.workspace}}/sdk/nodejs.tar.gz -C
        ${{github.workspace}}/sdk/nodejs
    - name: Install Twine
      run: python -m pip install twine==5.0.0
    - name: Publish SDKs
      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
      env:
        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        PYPI_PUBLISH_ARTIFACTS: all
        PYPI_USERNAME: __token__
        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing SDK
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_java_sdk:
    runs-on: ubuntu-latest
    continue-on-error: true
    needs: publish
    name: publish_java_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Download java SDK
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
    - name: Uncompress java SDK
      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
        ${{github.workspace}}/sdk/java
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
      with:
        gradle-version: "7.6"
    - name: Publish Java SDK
      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
      env:
        PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
  publish_go_sdk:
    runs-on: ubuntu-latest
    name: publish-go-sdk
    needs: publish_sdk
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
    - name: Uncompress go SDK
      run: tar -zxf ${{github.workspace}}/sdk/go.tar.gz -C
        ${{github.workspace}}/sdk/go
    - name: Publish Go SDK
      uses: pulumi/publish-go-sdk-action@v1
      with:
        repository: ${{ github.repository }}
        base-ref: ${{ github.sha }}
        source: sdk/go/dockerbuild
        path: sdk/go/dockerbuild
        version: ${{ steps.version.outputs.version }}
        additive: false
        files: "**"