feat: add SIGNING_KEY and PASSWORD env variables & secrets #67
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- v*.*.* | |
permissions: | |
contents: write | |
id-token: write | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} | |
NUGET_FEED_URL: https://api.nuget.org/v3/index.json | |
PROVIDER: ovh | |
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. | |
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget | |
PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} | |
PYPI_USERNAME: "__token__" | |
PUBLISH_REPO_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} | |
PUBLISH_REPO_USERNAME: ${{ secrets.SONATYPE_USERNAME }} | |
# Include only last 8 hex digits of the key ID included, due tolimitations of gradle. | |
SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }} | |
# Obtained by `gpg --armor --export-secret-key [email protected]`. | |
SIGNING_KEY: ${{ secrets.SIGNING_KEY }} | |
# Aka passphrase for the GPG key. | |
SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} | |
PUBLISH_PYPI: true | |
PUBLISH_NPM: true | |
PUBLISH_NUGET: true | |
PUBLISH_NRM: true | |
jobs: | |
publish_binary: | |
name: publish | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3 | |
- name: Unshallow clone for tags | |
run: git fetch --prune --unshallow --tags | |
- name: Install Go | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0 | |
with: | |
go-version: ${{matrix.goversion}} | |
- name: Install pulumictl | |
run: | | |
wget https://github.com/pulumi/pulumictl/releases/download/v0.0.42/pulumictl-v0.0.42-linux-amd64.tar.gz -O /tmp/pulumictl-v0.0.42-linux-amd64.tar.gz | |
tar -xvf /tmp/pulumictl-v0.0.42-linux-amd64.tar.gz -C /tmp | |
mv /tmp/pulumictl /usr/local/bin | |
- name: Get version | |
run: pulumictl get version --language generic | |
- name: Set PreRelease Version | |
run: echo "GORELEASER_CURRENT_TAG=v$(pulumictl get version --language generic)" >> $GITHUB_ENV | |
- uses: sigstore/[email protected] | |
- uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 | |
- name: Run GoReleaser | |
uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # tag=v4.4.0 | |
with: | |
args: -p 3 release --clean | |
version: latest | |
- name: Create tag | |
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # tag=v6.4.1 | |
with: | |
script: | | |
github.rest.git.createRef({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
ref: 'refs/tags/sdk/${{ github.ref_name }}', | |
sha: context.sha | |
}) | |
strategy: | |
fail-fast: true | |
matrix: | |
goversion: | |
- 1.21.x | |
publish_sdk: | |
name: Publish SDKs | |
runs-on: ubuntu-latest | |
needs: publish_binary | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3 | |
- name: Unshallow clone for tags | |
run: git fetch --prune --unshallow --tags | |
- name: Install Go | |
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0 | |
with: | |
go-version: ${{ matrix.goversion }} | |
- name: Install pulumictl | |
uses: jaxxstorm/action-install-gh-release@c5ead9a448b4660cf1e7866ee22e4dc56538031a # tag=v1.10.0 | |
with: | |
repo: pulumi/pulumictl | |
- name: Install Pulumi CLI | |
uses: pulumi/action-install-pulumi-cli@b374ceb6168550de27c6eba92e01c1a774040e11 # tag=v2.0.0 | |
- name: Setup Node | |
uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # tag=v3.7.0 | |
with: | |
node-version: ${{matrix.nodeversion}} | |
registry-url: ${{env.NPM_REGISTRY_URL}} | |
- name: Setup DotNet | |
uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # tag=v2.1.0 | |
with: | |
dotnet-version: ${{matrix.dotnetverson}} | |
- name: Setup Python | |
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # tag=v4.2.0 | |
with: | |
python-version: ${{matrix.pythonversion}} | |
- name: Setup Java | |
uses: actions/setup-java@v3 | |
with: | |
cache: gradle | |
distribution: temurin | |
java-version: ${{ matrix.javaversion }} | |
- name: Build SDK | |
run: make build_${{ matrix.language }} | |
- name: Check worktree clean | |
run: | | |
git update-index -q --refresh | |
if ! git diff-files --quiet; then | |
>&2 echo "error: working tree is not clean, aborting!" | |
git status | |
git diff | |
exit 1 | |
fi | |
- if: ${{ matrix.language == 'python' && env.PUBLISH_PYPI == 'true' }} | |
name: Publish package to PyPI | |
uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # tag=v1.8.10 | |
with: | |
user: ${{ env.PYPI_USERNAME }} | |
password: ${{ env.PYPI_PASSWORD }} | |
packages-dir: ${{github.workspace}}/sdk/python/bin/dist | |
skip-existing: true | |
- if: ${{ matrix.language == 'nodejs' && env.PUBLISH_NPM == 'true' }} | |
uses: JS-DevTools/[email protected] | |
with: | |
access: "public" | |
token: ${{ env.NPM_TOKEN }} | |
package: ${{github.workspace}}/sdk/nodejs/bin/package.json | |
provenance: true | |
strategy: upgrade | |
- if: ${{ matrix.language == 'dotnet' && env.PUBLISH_NUGET == 'true' }} | |
name: publish nuget package | |
run: | | |
dotnet nuget push ${{github.workspace}}/sdk/dotnet/bin/Debug/*.nupkg -s ${{ env.NUGET_FEED_URL }} -k ${{ env.NUGET_PUBLISH_KEY }} --skip-duplicate | |
echo "done publishing packages" | |
- if: ${{ matrix.language == 'java' && env.PUBLISH_NRM == 'true' }} | |
name: Set PACKAGE_VERSION to Env for Java SDK | |
run: echo "PACKAGE_VERSION=$(pulumictl get version --language generic)" >> | |
$GITHUB_ENV | |
- if: ${{ matrix.language == 'java' && env.PUBLISH_NRM == 'true' }} | |
name: Publish Java SDK | |
uses: gradle/gradle-build-action@v3 | |
with: | |
arguments: publishToSonatype closeAndReleaseSonatypeStagingRepository | |
build-root-directory: ./sdk/java | |
gradle-version: 8.3 | |
strategy: | |
fail-fast: true | |
matrix: | |
dotnetversion: | |
- 3.1.301 | |
goversion: | |
- 1.21.x | |
language: | |
# - nodejs | |
# - python | |
# - go | |
# - dotnet | |
- java | |
nodeversion: | |
- 18.x | |
pythonversion: | |
- "3.9" | |
javaversion: | |
- "21" |