diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml
index 58cdbb67..4740c8fe 100644
--- a/.github/workflows/build_sdk.yml
+++ b/.github/workflows/build_sdk.yml
@@ -34,7 +34,9 @@ jobs:
 name: build_sdk
 runs-on: ubuntu-latest
 strategy:
- fail-fast: true
+ # We normally fail fast unless this is a PR from Renovate in which case
+ # we'll always build all SDKs in case there are any changes to commit.
+ fail-fast: ${{ ! contains(github.actor, 'renovate') }}
 matrix:
 language:
 - nodejs
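Review bot: `contains(github.actor, 'renovate')` is a substring test on the triggering login, so any account whose name merely contains "renovate" satisfies it. On this line that only turns off fail-fast, but the same expression gates the step in the second hunk that pushes with `secrets.PULUMI_BOT_TOKEN`, so the looseness matters more there. An exact comparison would be tighter, for example `fail-fast: ${{ github.actor != 'renovate[bot]' }}` if the hosted Renovate app is what opens these PRs; the actual login is not visible on this page, so confirm it first. Whether secrets can reach a fork-originated run depends on the workflow's `on:` trigger, which is outside the hunk.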
@@ -68,14 +70,52 @@ jobs:
 - name: Build SDK
 run: make build_${{ matrix.language }}
 - name: Check worktree clean
+ id: worktreeClean
 uses: pulumi/git-status-check-action@v1
 with:
+ # Keep these in sync with the Renovate step below to avoid them getting checked in.
 allowed-changes: |
 sdk/**/pulumi-plugin.json
 sdk/dotnet/*.csproj
 sdk/go/**/pulumiUtilities.go
 sdk/nodejs/package.json
 sdk/python/pyproject.toml
+ - name: Commit ${{ matrix.language }} SDK changes for Renovate
+ # If the worktree is dirty and this is a Renovate PR to bump
+ # dependencies, commit the updated SDK and push it back to the PR. The
+ # job will still be marked as a failure.
+ if: failure() && steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate')
+ shell: bash
+ run: |
+ git config --global user.email "bot@pulumi.com"
+ git config --global user.name "pulumi-bot"
+
+ # Stash local changes and check out the PR's branch directly.
+ git stash
+ git fetch
+ git checkout "origin/$HEAD_REF"
+
+ # Apply and add our changes, but don't commit any files we expect to
+ # always change due to versioning.
+ git stash pop
+ git add sdk
+ git reset \
+ sdk/python/*/pulumi-plugin.json \
+ sdk/dotnet/Pulumi.*.csproj \
+ sdk/go/*/internal/pulumiUtilities.go \
+ sdk/nodejs/package.json \
+ sdk/python/pyproject.toml
+ git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+ # Push with pulumi-bot credentials to trigger a re-run of the
+ # workflow. https://github.com/orgs/community/discussions/25702
+ git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
+ "HEAD:$HEAD_REF"
+ env:
+ # head_ref is untrusted so it's recommended to pass via env var to
+ # avoid injections.
+ HEAD_REF: ${{ github.head_ref }}
+
 - name: Upload SDK
 uses: ./.github/actions/upload-sdk
 with:
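Review bot: The `git push` line splices `${{ secrets.PULUMI_BOT_TOKEN }}` directly into the script text, while the same step is careful to route `github.head_ref` through `env:`. Template expansion happens before bash parses the script, so the token becomes part of the command source, and any git error that echoes the remote URL relies on log masking matching the exact secret string. I would add `PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}` under `env:` and push with `git push "https://pulumi-bot:${PULUMI_BOT_TOKEN}@github.com/${{ github.repository }}" "HEAD:$HEAD_REF"`. A short comment on the step saying the token is only needed so the push re-triggers the workflow would also help later readers judge how narrowly it can be scoped.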