chore(deps): pin trusted workflows based on HashiCorp TSCCR (#3351) #1343
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
push: | |
branches: | |
- main | |
- backport-release-* | |
workflow_dispatch: {} | |
env: | |
SENTRY_ORG: hashicorp | |
SENTRY_PROJECT: cdktf-cli | |
concurrency: | |
group: release | |
jobs: | |
prepare-release: | |
if: github.repository == 'hashicorp/terraform-cdk' | |
runs-on: ubuntu-latest | |
outputs: | |
tests: ${{ steps.build-test-matrix.outputs.tests }} | |
version: ${{ steps.get_version.outputs.version }} | |
release_status: ${{ steps.get_release_status.outputs.release }} | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform | |
env: | |
CHECKPOINT_DISABLE: "1" | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
fetch-depth: 0 # gives sentry access to all previous commits | |
- name: "Add Git safe.directory" # Go 1.18+ started embedding repo info in the build and e.g. building @cdktf/hcl2json fails without this | |
# The Sentry CLI also requires this, https://github.com/actions/checkout/issues/760 | |
run: git config --global --add safe.directory /__w/terraform-cdk/terraform-cdk | |
- name: ensure correct user | |
run: chown -R root /__w/terraform-cdk | |
- name: version | |
id: get_version | |
run: | | |
version=$(node -p "require('./package.json').version") | |
echo "version=${version}" >> $GITHUB_OUTPUT | |
- name: release status | |
id: get_release_status | |
run: | | |
status=$(sentry-cli releases list | grep -q 'cdktf-cli-${{ steps.get_version.outputs.version }} ' && echo 'released' || echo 'unreleased') | |
echo "Sentry returned: ${status}" | |
echo "release=${status}" >> $GITHUB_OUTPUT | |
env: | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} | |
- name: Create a release | |
if: steps.get_release_status.outputs.release == 'unreleased' | |
run: sentry-cli releases new cdktf-cli-${{ steps.get_version.outputs.version }} | |
env: | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} | |
- name: create bundle | |
run: | | |
yarn install --frozen-lockfile | |
tools/align-version.sh | |
yarn build | |
yarn package | |
env: | |
SENTRY_DSN: ${{ secrets.SENTRY_DSN }} | |
- name: Add sourcemap and commit info to sentry | |
if: steps.get_release_status.outputs.release == 'unreleased' | |
run: | | |
sentry-cli releases files cdktf-cli-${{ steps.get_version.outputs.version }} upload-sourcemaps ./packages/cdktf-cli/bundle | |
sentry-cli releases set-commits --auto cdktf-cli-${{ steps.get_version.outputs.version }} | |
env: | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} | |
- name: Upload artifact | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: dist | |
path: dist | |
- name: Upload edge-provider bindings | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
if: ${{ !inputs.skip_setup }} | |
with: | |
name: edge-provider-bindings | |
path: packages/@cdktf/provider-generator/edge-provider-bindings | |
integration_test: | |
uses: ./.github/workflows/integration.yml | |
needs: | |
- prepare-release | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
with: | |
skip_setup: true | |
concurrency_group_prefix: release | |
secrets: inherit | |
provider_integration_test: | |
needs: | |
- prepare-release | |
uses: ./.github/workflows/provider-integration.yml | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
with: | |
concurrency_group_prefix: release | |
skip_setup: true | |
secrets: inherit | |
examples: | |
needs: | |
- prepare-release | |
uses: ./.github/workflows/examples.yml | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
with: | |
concurrency_group_prefix: release | |
secrets: inherit | |
linting: | |
needs: | |
- prepare-release | |
uses: ./.github/workflows/linting.yml | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
with: | |
concurrency_group_prefix: release | |
secrets: inherit | |
unit_test: | |
uses: ./.github/workflows/unit.yml | |
needs: | |
- prepare-release | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
strategy: | |
fail-fast: false | |
matrix: | |
package: | |
[ | |
cdktf, | |
cdktf-cli, | |
"@cdktf/hcl2cdk", | |
"@cdktf/hcl2json", | |
"@cdktf/provider-generator", | |
"@cdktf/provider-schema", | |
"@cdktf/commons", | |
"@cdktf/cli-core", | |
] | |
terraform_version: ["1.6.5", "1.5.5"] | |
with: | |
concurrency_group_prefix: release | |
package: ${{ matrix.package }} | |
terraform_version: ${{ matrix.terraform_version }} | |
secrets: inherit | |
release_github: | |
name: Release to Github | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-release | |
- integration_test | |
- provider_integration_test | |
- unit_test | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: installing dependencies | |
run: | | |
yarn install --frozen-lockfile | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: dist | |
- name: Release to github | |
run: yarn release-github | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
release_npm: | |
name: Release to Github Packages NPM regitry | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-release | |
- integration_test | |
- provider_integration_test | |
- unit_test | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform | |
steps: | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: dist | |
path: dist | |
- name: ensure correct user | |
run: chown -R root /__w/terraform-cdk | |
- name: Release | |
run: npx -p jsii-release jsii-release-npm | |
env: | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
release_pypi: | |
name: Release to PyPi | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-release | |
- integration_test | |
- provider_integration_test | |
- unit_test | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform | |
steps: | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: dist | |
path: dist | |
- name: ensure correct user | |
run: chown -R root /__w/terraform-cdk | |
- name: Release | |
run: npx -p jsii-release jsii-release-pypi | |
env: | |
TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }} | |
TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} | |
release_maven: | |
name: Release to Maven | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-release | |
- integration_test | |
- provider_integration_test | |
- unit_test | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform | |
steps: | |
- name: Download build artifacts | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: dist | |
path: dist | |
- name: ensure correct user | |
run: chown -R root /__w/terraform-cdk | |
- name: Release | |
run: npx -p jsii-release jsii-release-maven | |
env: | |
MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }} | |
MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} | |
MAVEN_ENDPOINT: https://hashicorp.oss.sonatype.org | |
MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} | |
MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSPHRASE }} | |
MAVEN_STAGING_PROFILE_ID: ${{ secrets.MAVEN_STAGING_PROFILE_ID }} | |
MAVEN_OPTS: "--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED" # See https://stackoverflow.com/questions/70153962/nexus-staging-maven-plugin-maven-deploy-failed-an-api-incompatibility-was-enco | |
release_nuget: | |
name: Release to NuGet | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-release | |
- integration_test | |
- provider_integration_test | |
- unit_test | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform | |
steps: | |
- name: Download dist | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: dist | |
path: dist | |
- name: ensure correct user | |
run: chown -R root /__w/terraform-cdk | |
- name: Release | |
run: npx -p jsii-release jsii-release-nuget | |
env: | |
NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} | |
release_golang: | |
name: Release Go to Github Repo | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-release | |
- integration_test | |
- provider_integration_test | |
- unit_test | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform | |
steps: | |
- name: Download dist | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: dist | |
path: dist | |
- name: ensure correct user | |
run: chown -R root /__w/terraform-cdk | |
- name: Release | |
run: npx -p jsii-release jsii-release-golang | |
env: | |
GITHUB_TOKEN: ${{ secrets.TERRAFORM_CDK_GO_REPO_GITHUB_TOKEN }} | |
GIT_USER_NAME: "CDK for Terraform Team" | |
GIT_USER_EMAIL: "[email protected]" | |
release_sentry: | |
name: Finalize the sentry release | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-release | |
- integration_test | |
- provider_integration_test | |
- unit_test | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
container: | |
image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: version | |
id: get_version | |
run: | | |
version=$(node -p "require('./package.json').version") | |
echo "version=${version}" >> $GITHUB_OUTPUT | |
- name: release status | |
id: get_release_status | |
run: | | |
status=$(sentry-cli releases list | grep 'cdktf-cli-${{ steps.get_version.outputs.version }} ' | grep -q 'unreleased' && echo "unreleased" || echo "released") | |
echo "Sentry returned: ${status}" | |
echo "release=${status}" >> $GITHUB_OUTPUT | |
env: | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} | |
- name: Finalize the release | |
if: steps.get_release_status.outputs.release == 'unreleased' | |
run: sentry-cli releases finalize cdktf-cli-${{ steps.get_version.outputs.version }} | |
env: | |
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} | |
release_homebrew: | |
name: Release to Homebrew | |
runs-on: ubuntu-latest | |
needs: | |
- prepare-release | |
- release_npm | |
if: needs.prepare-release.outputs.release_status == 'unreleased' | |
steps: | |
# extract version number from package.json | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: version | |
id: get_version | |
run: | | |
version=$(node -p "require('./package.json').version") | |
echo "version=${version}" >> $GITHUB_OUTPUT | |
# A PR will be sent to github.com/Homebrew/homebrew-core to update this formula: | |
- uses: mislav/bump-homebrew-formula-action@b3327118b2153c82da63fd9cbf58942146ee99f0 # v3.1 | |
with: | |
formula-name: cdktf | |
download-url: https://registry.npmjs.org/cdktf-cli/-/cdktf-cli-${{ steps.get_version.outputs.version }}.tgz | |
commit-message: | | |
cdktf ${{ steps.get_version.outputs.version }} | |
Refer to https://github.com/hashicorp/terraform-cdk/releases/tag/v${{ steps.get_version.outputs.version }} for more details | |
base-branch: master # Branch in https://github.com/Homebrew/homebrew-core | |
tag-name: v${{ steps.get_version.outputs.version }} | |
env: | |
COMMITTER_TOKEN: ${{ secrets.HOMEBREW_COMMITTER_TOKEN }} | |
report: | |
name: Report status | |
runs-on: ubuntu-latest | |
if: ${{ failure() }} | |
needs: | |
- examples | |
- integration_test | |
- provider_integration_test | |
- linting | |
- prepare-release | |
- release_github | |
- release_golang | |
- release_homebrew | |
- release_maven | |
- release_npm | |
- release_nuget | |
- release_pypi | |
- release_sentry | |
- unit_test | |
steps: | |
- name: Send failures to Slack | |
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 | |
with: | |
payload: | | |
{ | |
"name": "main", | |
"run_url": "https://github.com/hashicorp/terraform-cdk/actions/runs/${{ github.run_id }}" | |
} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.FAILURE_SLACK_WEBHOOK_URL }} |