From a80a31c7f3bb5ce784f2fe344cbcc24c4176a1f7 Mon Sep 17 00:00:00 2001
From: Alexander Dahmen
Date: Fri, 21 Nov 2025 10:55:38 +0100
Subject: [PATCH] chore(release): Add release pipeline for TypeScript
Signed-off-by: Alexander Dahmen
---
 .github/workflows/release.yaml | 81 ++++++++++++++++------------------
 .goreleaser.yaml | 5 +--
 RELEASE.md | 29 ++++++++++++
 go.work.sum | 1 +
 4 files changed, 71 insertions(+), 45 deletions(-)
 create mode 100644 RELEASE.md
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ce38e94..fc0b9a2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,28 +8,38 @@ on: permissions: contents: write id-token: write + packages: write env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.PR_TOKEN }} NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - NUGET_FEED_URL: https://api.nuget.org/v3/index.json PROVIDER: stackit PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. - PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} - PYPI_USERNAME: "__token__" - PUBLISH_PYPI: true - PUBLISH_NPM: true - PUBLISH_NUGET: true + # TODO: change to true if ready to release + PUBLISH_NPM: false + #NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + #NUGET_FEED_URL: https://api.nuget.org/v3/index.json + #PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + #PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }} + #PYPI_USERNAME: "__token__" + #PUBLISH_PYPI: true + #PUBLISH_NUGET: true jobs: publish_binary: - name: publish + name: Publish provider runs-on: ubuntu-latest steps: + # TODO: remove when this repo is made public + - name: Configure Git for Private Modules + run: | + git config --global url."https://oauth2:${{ secrets.PR_TOKEN }}@github.com".insteadOf "https://github.com" + # Sets GOPRIVATE and GONOSUMDB in order to use the git authentication for go mod. + echo "GOPRIVATE=github.com/${{ github.repository }}/*,github.com/stackitcloud/*" >> $GITHUB_ENV + echo "GONOSUMDB=github.com/${{ github.repository }}/*,github.com/stackitcloud/*" >> $GITHUB_ENV + # TODO: remove end - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # tag=v4.2.2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # tag=v4.2.2 - name: Unshallow clone for tags run: git fetch --prune --unshallow --tags - name: Install pulumictl 
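Review bot: The workflow-level `GITHUB_TOKEN: ${{ secrets.PR_TOKEN }}` hands a personal access token to every step of both jobs, and the `permissions:` block above it only limits the automatic token, so it no longer bounds what that credential can do. The new "Configure Git for Private Modules" step also expands the secret directly into the script text and stores it in the runner's global git config, where every later step (third-party actions, the `make build_*` targets) can read it; the same step is repeated in `publish_sdk` in the `@@ -49,52 +57,37 @@` hunk. Unless the release step needs the PAT for something the automatic token cannot do, I would keep `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` at workflow level, pass the PAT to that one step with `env: PR_TOKEN: ${{ secrets.PR_TOKEN }}`, and reference `${PR_TOKEN}` in the `git config` line. The scopes of PR_TOKEN are not visible here; a read-only token limited to the private module repositories would be enough for fetching modules. `packages: write` is also added without a consumer visible in this patch and could be left out until something publishes to GitHub Packages.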
@@ -40,8 +50,6 @@ jobs: uses: ./.github/actions/gotools with: go-version: ${{ matrix.goversion }} - - name: Set PreRelease Version - run: echo "GORELEASER_CURRENT_TAG=v$(pulumictl get version --language generic)" >> $GITHUB_ENV - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - uses: anchore/sbom-action/download-syft@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 - name: Run GoReleaser 
@@ -49,52 +57,37 @@ jobs: with: args: -p 3 release --clean version: '~> v2' - - name: Create tag - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # tag=v8.0.0 - with: - script: | - github.rest.git.createRef({ - owner: context.repo.owner, - repo: context.repo.repo, - ref: 'refs/tags/sdk/${{ github.ref_name }}', - sha: context.sha - }) strategy: fail-fast: true matrix: goversion: - 1.24.x publish_sdk: - name: Publish SDKs + name: Publish SDKs to npm Registry, NuGet Gallery and Python Package Index runs-on: ubuntu-latest needs: publish_binary steps: + # TODO: remove when this repo is made public + - name: Configure Git for Private Modules + run: | + git config --global url."https://oauth2:${{ secrets.PR_TOKEN }}@github.com".insteadOf "https://github.com" + # Sets GOPRIVATE and GONOSUMDB in order to use the git authentication for go mod. + echo "GOPRIVATE=github.com/${{ github.repository }}/*,github.com/stackitcloud/*" >> $GITHUB_ENV + echo "GONOSUMDB=github.com/${{ github.repository }}/*,github.com/stackitcloud/*" >> $GITHUB_ENV + # TODO: remove end - name: Checkout Repo - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # tag=v4.2.2 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # tag=v4.2.2 - name: Unshallow clone for tags run: git fetch --prune --unshallow --tags - - name: Install pulumictl - uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # tag=v2.1.0 - with: - repo: pulumi/pulumictl - - name: Install Pulumi CLI - uses: pulumi/action-install-pulumi-cli@b374ceb6168550de27c6eba92e01c1a774040e11 # tag=v2.0.0 - name: Install Go Tools uses: ./.github/actions/gotools with: go-version: ${{ matrix.goversion }} - - name: Setup Node - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # tag=v6.1.0 - with: - node-version: ${{matrix.nodeversion}} - registry-url: ${{env.NPM_REGISTRY_URL}} - - name: Setup DotNet - uses: 
actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # tag=v5.0.1 + - name: Install Pulumi Tools + uses: ./.github/actions/pulumitools with: dotnet-version: ${{matrix.dotnetverson}} - - name: Setup Python - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # tag=v6.1.0 - with: + node-version: ${{matrix.nodeversion}} python-version: ${{matrix.pythonversion}} - name: Build SDK run: make build_${{ matrix.language }} @@ -107,6 +100,9 @@ jobs: git diff exit 1 fi + - if: ${{ matrix.language == 'nodejs' }} + name: Run type script unit tests + run: make test_ts - if: ${{ matrix.language == 'python' && env.PUBLISH_PYPI == 'true' }} name: Publish package to PyPI uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # tag=v1.13.0 @@ -118,7 +114,8 @@ jobs: uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b # tag=v4.1.1 with: access: "public" - token: ${{ env.NPM_TOKEN }} + # old way, we want to use Trusted publishers + # token: ${{ env.NPM_TOKEN }} package: ${{github.workspace}}/sdk/nodejs/bin/package.json provenance: true - if: ${{ matrix.language == 'dotnet' && env.PUBLISH_NUGET == 'true' }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index b4e6ee5..29e48c6 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -27,15 +27,14 @@ signs: - cmd: cosign env: - COSIGN_EXPERIMENTAL=1 - certificate: '${artifact}.pem' + signature: '${artifact}.sig' args: - sign-blob - '-y' - - '--output-certificate=${certificate}' + - "--output-signature=${signature}" - '--bundle=${signature}' - '${artifact}' artifacts: all - output: true sboms: - artifacts: archive diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 0000000..45baecb --- /dev/null +++ b/RELEASE.md 
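Review bot: The `actions/checkout` pin moves from `8e8c483…` to `93cb6ef…` while the trailing comment still reads `# tag=v4.2.2`, so the comment cannot describe both commits and the pin can no longer be checked by eye; the same line is changed in `publish_binary` in the first hunk. Please set the comment to the release the new SHA actually belongs to, e.g. `# tag=<release of 93cb6efe>`. This hunk also replaces the SHA-pinned setup actions with the local `./.github/actions/pulumitools`, whose contents are not part of this patch, so it is worth confirming that the composite action keeps its own `uses:` entries pinned to commits. The `publish_sdk` step list continues outside the hunk.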
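Review bot: Commenting out `token:` in the npm publish step does not retire the long-lived npm credential: the workflow `env:` still sets `NODE_AUTH_TOKEN` and `NPM_TOKEN` from `secrets.NPM_TOKEN` for every step, and depending on how the action and npm resolve credentials the publish may still authenticate with it instead of through OIDC. Once the trusted publisher is configured on the npm side, drop those two `env` entries and delete the commented `# token: ${{ env.NPM_TOKEN }}` line rather than keeping it as a fallback. `id-token: write` is already granted, which the OIDC exchange needs; whether the pinned `JS-DevTools/npm-publish` version and the npm CLI on the runner support trusted publishing should be confirmed before `PUBLISH_NPM` is switched to true.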
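Review bot: In `.goreleaser.yaml`, `--output-signature=${signature}` and `--bundle=${signature}` now point at the same file, `${artifact}.sig`, so cosign is asked to write the detached signature and the bundle to one path and only one of them can survive. With `--output-certificate` removed, a keyless signature can be verified only through the bundle, so the bundle is the output to keep: drop the `--output-signature` argument and give the bundle its own name, for example `signature: '${artifact}.sigstore.json'`. A snapshot release followed by `cosign verify-blob` against the produced files would confirm that consumers can still verify the artifacts. The `signs` entry starts above the hunk.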
@@ -0,0 +1,29 @@ +# Release + +## Release cycle + +Upstream terraform provider: [terraform-provider-stackit](https://github.com/stackitcloud/terraform-provider-stackit) + +This Pulumi provider will be updated as fast as possible to keep the delta between the Pulumi Bridge and the upstream Terraform provider small. +The release cycle of the Terraform provider is about every two weeks. Depending on the adjustments made it will take some time +to update the Pulumi provider as well. Examples needs to be added/adjusted, Unit tests and acceptance tests have to be added or adjusted accordingly. + +The version of the Pulumi provider is the same as the one for the Terraform provider e.g. if the latest version of the Terraform provider is +`v0.70.0` the there will be a corresponding Pulumi version with `v0.70.0`. + + +## Release creation + +> [!IMPORTANT] +> Consider informing / syncing with the team before creating a new release. + +1. Check out latest main branch on your machine +2. Create the following git tags: + - `VERSION="vX.X.X"; git tag "$VERSION" && git tag "provider/pkg/version/$VERSION" && git tag "provider/shim/$VERSION"` +3. Push the git tag: `git push origin --tags` +4. The [release pipeline](https://github.com/stackitcloud/pulumi-stackit/actions/workflows/release.yaml) will build the release and publish it on GitHub +5. Ensure the release was created properly using the + - [GitHub releases page](https://github.com/stackitcloud/pulumi-stackit/releases) + - [Pulumi registry](https://www.pulumi.com/registry/packages) +6. Ensure the packages where properly published (e.g. to npm) + - [npm](https://www.npmjs.com/) diff --git a/go.work.sum b/go.work.sum index 6abaec1..5600ceb 100644 --- a/go.work.sum +++ b/go.work.sum 
@@ -523,6 +523,7 @@ golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053 h1:dHQOQddU4YHS5gY33/6klKjq7Gp3WwMyOXGNp5nzRj8= golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053/go.mod h1:+nZKN+XVh4LCiA9DV3ywrzN4gumyCnKjau3NGb9SGoE= golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 h1:LvzTn0GQhWuvKH/kVRS3R3bVAsdQWI7hvfLHGgh9+lU= golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=