Reapplied pulumi/ci-mgmt

pulumiverse · Nov 5, 2024 · efba3b1 · efba3b1
1 parent 155c2f7
commit efba3b1
Show file tree

Hide file tree

Showing 16 changed files with 185 additions and 34 deletions.
diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml
@@ -31,6 +31,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml
@@ -41,6 +41,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Cache examples generation
         uses: actions/cache@v4
         with:

diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
@@ -31,6 +31,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -31,6 +31,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Install go
       uses: actions/setup-go@v5
       with:

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -56,6 +56,8 @@ jobs:
         swap-storage: false
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
@@ -136,6 +138,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -80,6 +80,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml
@@ -44,6 +44,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: pulumi/provider-version-action@v1
       id: provider-version
       with:
@@ -76,7 +78,7 @@ jobs:
         EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
         {
           echo "SCHEMA_CHANGES<<$EOF";
-          schema-tools compare -r github://api.github.com/pulumiverse -p grafana -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-grafana/schema.json;
+          schema-tools compare -r github://api.github.com/pulumiverse -p grafana -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-grafana/schema.json;
           echo "$EOF";
         } >> "$GITHUB_ENV"
     - if: inputs.is_pr && inputs.is_automated == false

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -47,6 +47,8 @@ jobs:
       run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:
@@ -62,7 +64,7 @@ jobs:
         merge-multiple: true
     - name: Calculate checksums
       working-directory: dist
-      run: shasum ./*.tar.gz > pulumi-grafana_${{ inputs.version }}_checksums.txt
+      run: shasum ./*.tar.gz > "pulumi-grafana_${{ inputs.version }}_checksums.txt"
     - name: Get Schema Change Summary
       id: schema-summary
       shell: bash
@@ -97,6 +99,9 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        # Persist credentials so we can push back to the repo
+        persist-credentials: true
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:
@@ -135,6 +140,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Clean up release labels
       uses: pulumi/action-release-by-pr-label@main
       with:

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -25,6 +25,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Comment PR
       uses: thollander/actions-comment-pull-request@v2
       with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -86,6 +86,8 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:

diff --git a/.github/workflows/resync-build.yml b/.github/workflows/resync-build.yml
@@ -26,11 +26,15 @@ jobs:
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4
+      with:
+        # Persist credentials so we can push a new branch.
+        persist-credentials: true
     - name: Checkout repo
       uses: actions/checkout@v4
       with:
         path: ci-mgmt
         repository: pulumi/ci-mgmt
+        persist-credentials: false
     - id: run-url
       name: Create URL to the run output
       run:  echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"

diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml
@@ -130,6 +130,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         ref: ${{ env.PR_COMMIT_SHA }}
+        persist-credentials: false
     - name: Checkout p/examples
       if: matrix.testTarget == 'pulumiExamples'
       uses: actions/checkout@v4

diff --git a/.github/workflows/upgrade-bridge.yml b/.github/workflows/upgrade-bridge.yml
@@ -1,25 +1,100 @@
-name: Upgrade bridge
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
+name: Upgrade bridge
 on:
+  repository_dispatch:
+    types:
+      - upgrade-bridge
+      - upgrade-bridge-test
   workflow_dispatch:
-  schedule:
-    # At 05:00 on Monday
-    - cron: 0 5 * * 1
+    inputs:
+      kind:
+        description: Overrides the kind of upgrade. Must be one of `all`, `bridge`, `provider`, `code`, `pf`, or `pulumi`.
+        required: false
+        type: string
+        default: "bridge"
+      target-bridge-version:
+        description: pulumi-terraform-bridge version or hash reference
+        required: false
+        type: string
+        default: "latest"
+      target-pulumi-version:
+        description: |
+             Set the version of `pulumi/pkg` and `pulumi/sdk` to depend on for bridged providers. Currently,
+             these versions inform the linked runtime and SDK generation in all languages except Java. Valid
+             options are:
+             - "": Use the same version as pulumi-terraform-bridge
+             - A go version such as "v3.90.1"
+             - A commit SHA in pulumi/pulumi such as "ac71ebc1d34e5ccfd1a7fed61e6ff43a3160f3cb"
+        required: false
+        type: string
+        default: ""
+      pr-reviewers:
+        description: Reviewers to assign to the auto-opened pull request
+        required: false
+        type: string
+        default: ""
+      pr-description:
+        description: Extra description to add to the auto-opened pull request
+        required: false
+        type: string
+        default: ""
+      pr-title-prefix:
+        description: Prefix to add to the auto-opened pull request title
+        required: false
+        type: string
+        default: ""
+      automerge:
+        description: Mark created PR for auto-merging?
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+env:
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
-  upgrade_bridge:
-    name: upgrade-bridge
+  upgrade_provider:
+    name: upgrade-provider
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
     steps:
-      - name: Call upgrade provider action
-        uses: pulumi/[email protected]
-        with:
-          kind: bridge
-          email: [email protected]
-          username: "Ringo De Smet"
-        env:
-          GH_TOKEN: ${{ secrets.UPGRADE_PROVIDER_TOKEN }}
+    - name: Checkout Repo
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Setup tools
+      uses: ./.github/actions/setup-tools
+      with:
+        tools: pulumictl, pulumicli, dotnet, go, nodejs, python
+    - name: Call upgrade provider action
+      if: github.event_name == 'workflow_dispatch'
+      uses: pulumi/[email protected]
+      with:
+        kind: ${{ inputs.kind }}
+        email: [email protected]
+        username: pulumi-bot
+        automerge: ${{ inputs.automerge }}
+        target-bridge-version: ${{ inputs.target-bridge-version }}
+        target-pulumi-version: ${{ inputs.target-pulumi-version }}
+        pr-reviewers: ${{ inputs.pr-reviewers }}
+        pr-description: ${{ inputs.pr-description }}
+        pr-title-prefix: ${{ inputs.pr-title-prefix }}
+    - name: Call upgrade provider action
+      if: github.event_name == 'repository_dispatch'
+      uses: pulumi/[email protected]
+      with:
+        kind: ${{ github.event.client_payload.kind || 'bridge' }}
+        email: [email protected]
+        username: pulumi-bot
+        automerge: ${{ github.event.client_payload.automerge }}
+        target-pulumi-version: ${{ github.event.client_payload.target-pulumi-version }}
+        target-bridge-version: ${{ github.event.client_payload.target-bridge-version }}
+        pr-reviewers: ${{ github.event.client_payload.pr-reviewers }}
+        pr-description: ${{ github.event.client_payload.pr-description }}
+        pr-title-prefix: ${{ github.event.client_payload.pr-title-prefix }}
diff --git a/.github/workflows/upgrade-provider.yml b/.github/workflows/upgrade-provider.yml
@@ -1,25 +1,67 @@
-name: Upgrade provider
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
+name: Upgrade provider
 on:
   workflow_dispatch:
+    inputs:
+      version:
+        description: |
+          The version of the upstream provider to upgrade to, without the 'v' prefix
+          
+          If no version is specified, it will be inferred from the upstream provider's release tags.
+        required: false
+        type: string
   schedule:
-    # At 05:00 on Wednesday
-    - cron: 0 5 * * 3
+    # 3 AM UTC ~ 8 PM PDT / 7 PM PST daily. Time chosen to run during off hours.
+    - cron: 0 3 * * *
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+env:
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
   upgrade_provider:
     name: upgrade-provider
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
     steps:
-      - name: Call upgrade provider action
-        uses: pulumi/[email protected]
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+        with:
+          # Persist credentials so upgrade-provider can push a new branch.
+          persist-credentials: true
+      - name: Setup tools
+        uses: ./.github/actions/setup-tools
         with:
-          kind: provider
-          email: [email protected]
-          username: "Ringo De Smet"
+          tools: pulumictl, pulumicli, dotnet, go, nodejs, python
+      - name: Install upgrade-provider
+        run: go install github.com/pulumi/upgrade-provider@main
+        shell: bash
+      - name: "Set up git identity"
+        run: |
+          git config --global user.name '[email protected]'
+          git config --global user.email '[email protected]'
+        shell: bash
+      - name: Create issues for new upstream version
+        if: inputs.version == ''
+        id: upstream_version
+        # This step outputs `latest_version` if there is a pending upgrade
+        run: upgrade-provider "$REPO" --kind=check-upstream-version
         env:
-          GH_TOKEN: ${{ secrets.UPGRADE_PROVIDER_TOKEN }}
+          REPO: ${{ github.repository }}
+        shell: bash
+      - name: Calculate target version
+        id: target_version
+        # Prefer the manually specified version if it exists
+        # upstream_version will be empty if the provider is up-to-date
+        run: echo "version=${{ github.event.inputs.version || steps.upstream_version.outputs.latest_version }}" >> "$GITHUB_OUTPUT"
+        shell: bash
+      - name: Attempt provider upgrade
+        # Only attempt the upgrade if we have a target version
+        if: steps.target_version.outputs.version != ''
+        run: upgrade-provider "${{ github.repository }}" --kind="all" --target-version="${{ steps.target_version.outputs.version }}" 
+        shell: bash
diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml
@@ -70,6 +70,8 @@ jobs:
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:

diff --git a/.upgrade-config.yml b/.upgrade-config.yml
@@ -3,5 +3,5 @@
 ---
 upstream-provider-name: terraform-provider-grafana
 upstream-provider-org: grafana
-pulumi-infer-version: true
 remove-plugins: true
+pr-reviewers: ringods