name: Prepare
# Workflow-level grants apply to every job below. NOTE(review): only the sign
# job needs id-token, and the publish job creates the release with the
# PULUMI_BOT_TOKEN secret rather than GITHUB_TOKEN, so these could be narrowed
# with job-level `permissions:`.
permissions:
  # To create a draft release
  contents: write
  # To sign artifacts.
  id-token: write
# `on` reads as a boolean under YAML 1.1 rules; GitHub's loader handles it.
on:
  # Reusable workflow: callers supply these inputs. No `secrets:` block is
  # declared here, so PULUMI_BOT_TOKEN (read by the publish job) has to be
  # passed by the caller, e.g. with `secrets: inherit`.
  workflow_call:
    inputs:
      ref:
        required: true
        description: "GitHub ref to use"
        type: string
      version:
        required: true
        description: "Version to produce"
        type: string
      # Not referenced by any step in this file.
      project:
        required: true
        description: "Project name, e.g.: the repository name"
        type: string
      release-notes:
        required: true
        description: "Release notes"
        type: string
      prerelease:
        required: false
        default: true
        description: "Whether to create a prerelease"
        type: boolean
      draft:
        required: false
        default: true
        description: "Whether to create a draft release"
        type: boolean
env:
  # Exported to every step; the steps below read inputs.version directly, so
  # presumably tooling invoked from the checkout consumes this — confirm.
  PULUMI_VERSION: ${{ inputs.version }}
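jobs:
  sign:
    name: sign
    runs-on: ubuntu-latest
    # Least privilege for this job: read the repository for checkout and mint
    # an OIDC token for the keyless cosign step; nothing here writes to the repo.
    permissions:
      contents: read
      id-token: write
    steps:
      # NOTE(review): actions/checkout and the artifact actions are pinned by
      # mutable tag, unlike the SHA-pinned actions in this job; pin them to a
      # full commit SHA (tag kept in a trailing comment) for supply-chain integrity.
      - uses: actions/checkout@v3
        with:
          ref: ${{ inputs.ref }}
      - name: Install b3sum
        uses: baptiste0928/cargo-install@bf6758885262d0e6f61089a9d8c8790d3ac3368f # v1.3.0
        with:
          crate: b3sum
          # Quoted so a YAML parser never re-types the crate version.
          version: "1.3.0"
      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
      # Fetches every artifact of the run into artifacts.tmp/<artifact-name>/.
      - name: Download all artifacts
        uses: actions/download-artifact@v2
        with:
          path: artifacts.tmp
      - name: Rename SDKs
        # This step must match the rename SDKs step in the "publish" job below.
        # Each subshell enters one SDK artifact directory and prefixes its
        # packages so the names stay distinct once the directories are flattened.
        run: |
          (
            cd artifacts.tmp/artifacts-dotnet-sdk
            for file in *.nupkg ; do
              mv -vT "$file" "sdk-dotnet-$file"
            done
          )
          (
            cd artifacts.tmp/artifacts-python-sdk
            for file in *.whl ; do
              mv -vT "$file" "sdk-python-$file"
            done
          )
          (
            cd artifacts.tmp/artifacts-nodejs-sdk
            for file in *.tgz ; do
              mv -vT "$file" "sdk-nodejs-$file"
            done
          )
      - name: Flatten artifact directories
        run: |
          mkdir -p ./artifacts
          mv ./artifacts.tmp/artifacts-*/* ./artifacts
      - name: Create sums.tmp
        run: mkdir -p ./sums.tmp
      # Each of these commands strips the ./ prefix to match existing (<=3.39) formatting.
      # `shell: bash` makes GitHub run the step with `-o pipefail`; the default
      # shell only sets `-e`, so a failing checksum command whose output is piped
      # through sed/tee would otherwise leave the step green with an incomplete
      # checksum file — which the next step would then sign. Note that the
      # SHA256 step covers only the pulumi-* CLI archives, while the BLAKE3 and
      # SHA512 steps cover every file in artifacts/.
      - name: Checksums with SHA256
        shell: bash
        working-directory: artifacts
        env:
          version: ${{ inputs.version }}
        run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt"
      - name: Checksums with BLAKE3
        shell: bash
        working-directory: artifacts
        run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS
      - name: Checksums with SHA512
        shell: bash
        working-directory: artifacts
        run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS
      # Keyless signing via the job's OIDC token (COSIGN_EXPERIMENTAL=1). The
      # glob is expanded once, so the .sig bundles written here are not
      # themselves signed. NOTE(review): ${file} already starts with
      # ./artifacts/ or ./sums.tmp/, so each bundle lands at
      # ./sums.tmp/./<dir>/<name>.sig rather than directly under sums.tmp —
      # confirm that is the layout the publish job's flatten step expects.
      - name: Sign binaries and checksums
        shell: bash
        env:
          version: ${{ inputs.version }}
        run: |
          ls -la
          # Sign all artifacts and checksums:
          for file in ./{artifacts,sums.tmp}/*; do
            echo "$file"
            COSIGN_EXPERIMENTAL=1 cosign sign-blob \
              --bundle="./sums.tmp/${file}".sig \
              "${file}"
          done
      # Checksums and signature bundles are handed to the publish job through
      # the artifact store; an empty sums.tmp fails the job instead of
      # silently producing an unsigned release.
      - uses: actions/upload-artifact@v2
        with:
          name: artifacts-signatures
          retention-days: 1
          path: |
            sums.tmp/*
          if-no-files-found: error
  publish:
    name: release
    needs: [sign]
    runs-on: ubuntu-latest
    # This job never signs, so it gets no id-token. The release itself is
    # created with the PULUMI_BOT_TOKEN secret below; contents: write is kept
    # for the default token in line with the workflow-level grant and could
    # likely be reduced to read — confirm nothing else relies on it.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ inputs.ref }}
      # Resolves inputs.ref to the exact commit the release tag will point at.
      - name: Get commit hash
        id: commit-info
        run: |
          SHA=$(git rev-parse HEAD)
          ./.github/scripts/set-output sha "$SHA"
      # Downloads every artifact, including artifacts-signatures from the sign job.
      - name: Download all artifacts
        uses: actions/download-artifact@v2
        with:
          path: artifacts.tmp
      - name: Rename SDKs
        # This step must match the rename SDKs step in the "sign" job above.
        run: |
          (
            cd artifacts.tmp/artifacts-dotnet-sdk
            for file in *.nupkg ; do
              mv -vT "$file" "sdk-dotnet-$file"
            done
          )
          (
            cd artifacts.tmp/artifacts-python-sdk
            for file in *.whl ; do
              mv -vT "$file" "sdk-python-$file"
            done
          )
          (
            cd artifacts.tmp/artifacts-nodejs-sdk
            for file in *.tgz ; do
              mv -vT "$file" "sdk-nodejs-$file"
            done
          )
      # One level of flattening: artifacts-*/<entry> becomes artifacts/<entry>.
      - name: Flatten artifact directories
        run: |
          mkdir -p ./artifacts
          mv ./artifacts.tmp/artifacts-*/* ./artifacts
      # NOTE(review): SHA-pinned, but the matching tag is not recorded in a
      # trailing comment as it is for the other pins; add it so the pin is
      # auditable.
      - uses: ncipollo/release-action@3d2de22e3d0beab188d8129c27f103d8e91bf13a
        with:
          # A PAT secret rather than GITHUB_TOKEN; the caller must provide it.
          token: ${{ secrets.PULUMI_BOT_TOKEN }}
          name: v${{ inputs.version }}
          tag: v${{ inputs.version }}
          # fromJSON implies the set-output helper emits a JSON-encoded value —
          # verify against .github/scripts/set-output.
          commit: "${{ fromJSON(steps.commit-info.outputs.sha) }}"
          draft: ${{ inputs.draft }}
          prerelease: ${{ inputs.prerelease }}
          allowUpdates: true
          body: |
            ${{ inputs.release-notes }}
          # Re-runs replace previously attached assets, and a glob that matches
          # nothing fails the job rather than publishing a partial asset set.
          removeArtifacts: true
          replacesArtifacts: true
          artifactErrorsFailBuild: true
          artifacts: |
            artifacts/*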