Test master & release workflow on PR merge (#1059)

- Use a merge queue to ensure XYZ is able to be released with the latest
ci-mgmt changes before the change is committed into master to be rolled
out to all other providers.
- The next step here would be to auto-tag the release and verify that
also completes correctly.

.github/workflows/merge.yml

@@ -0,0 +1,102 @@
+name: Merge Queue
+
+on:
+  merge_group: {}
+  workflow_dispatch: {}
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/update-workflows.yml
+    secrets: inherit
+    with:
+      bridged: true
+      provider_name: xyz
+      automerge: true
+      downstream_test: true
+      skip_closing_prs: true
+      caller_workflow: "pull-request"
+
+  await_release:
+    name: Await release
+    runs-on: ubuntu-latest
+    needs: deploy
+    if: needs.deploy.outputs.pull_request_created == 'true'
+    env:
+      GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+    steps:
+      # Open PR to XYZ
+      # Set to auto-merge & minor auto-release
+      # Wait for merge
+      # Wait for main build success
+      # Wait for release workflow success
+      - name: Await PR opened for pulumi-xyz
+        run: |
+          echo Await PR opened for pulumi-xyz
+          until gh search prs --repo pulumi/pulumi-xyz --match body "This PR was automatically generated by the pull-request workflow in the pulumi/ci-mgmt repo, from commit ${{ github.sha }}."  --json url | grep url; do sleep 30; done;
+
+      - name: Find PR number
+        id: pr_number
+        run: |
+          number=$(gh search prs --repo pulumi/pulumi-xyz --match body "This PR was automatically generated by the pull-request workflow in the pulumi/ci-mgmt repo, from commit ${{ github.sha }}."  --json number --jq '.[0].number')
+          echo "PR number is $number"
+          echo "number=${number}" >> "${GITHUB_OUTPUT}"
+
+      - name: Add needs-release label
+        run: gh pr edit --repo "pulumi/pulumi-xyz" "${{ steps.pr_number.outputs.number }}" --add-label "needs-release/patch"
+
+      - name: Await first checks started
+        # Wait for at least 3 checks to be started before we start waiting for them to finish.
+        # There's a couple of quick checks like comment notification and changelog which are started before the PR checks.
+        run: while [[ $(gh pr checks --repo "pulumi/pulumi-xyz" "${{ steps.pr_number.outputs.number }}" | wc -l) -le 2 ]]; do sleep 1; done
+
+      - name: Await PR codegen tests succeed.
+        run: gh pr checks --repo "pulumi/pulumi-xyz" "${{ steps.pr_number.outputs.number }}" --watch --fail-fast
+
+      - name: Await PR merged
+        run: while [[ $(gh pr view --repo "pulumi/pulumi-xyz" "${{ steps.pr_number.outputs.number }}" --json "state" --jq ".state") == "OPEN" ]]; do sleep 1; done
+        timeout-minutes: 5
+
+      - name: Get merge commit
+        id: merge_commit
+        run: |
+          merge_commit_oid=$(gh pr view --repo "pulumi/pulumi-xyz" "${{ steps.pr_number.outputs.number }}" --json "mergeCommit" --jq ".mergeCommit.oid")
+          if [[ -z "${merge_commit_oid}" ]]; then
+            echo "Failed to get merge commit"
+            exit 1
+          fi
+          echo "Merge commit oid is ${merge_commit_oid}"
+          echo "oid=${merge_commit_oid}" >> "${GITHUB_OUTPUT}"
+
+      - name: Await main build start
+        id: main_build
+        run: |
+          until (gh run list --repo "pulumi/pulumi-xyz" --workflow main --json headSha | grep -q "${{ steps.merge_commit.outputs.oid }}"); do sleep 1; done
+          database_id=$(gh run list --repo "pulumi/pulumi-xyz" --workflow main --json "number,headSha,databaseId" | jq '.[] | select(.headSha == "${{ steps.merge_commit.outputs.oid }}") | .databaseId')
+          echo "Main build started with database id ${database_id}"
+          echo "id=${database_id}" >> "${GITHUB_OUTPUT}"
+        timeout-minutes: 5
+
+      - name: Await main build success
+        run: gh run watch --repo "pulumi/pulumi-xyz" "${{ steps.main_build.outputs.id }}" --exit-status
+
+      - name: Get tag for release
+        id: release_tag
+        timeout-minutes: 5
+        run: |
+          until (git ls-remote --tags "https://github.com/pulumi/pulumi-xyz.git" | grep -q "${{ steps.merge_commit.outputs.oid }}"); do sleep 1; done
+          # Also handle annotated tags in the format refs/tags/v0.1.0^{}
+          tag=$(git ls-remote --tags "https://github.com/pulumi/pulumi-xyz.git" | grep "${{ steps.merge_commit.outputs.oid }}" | cut -d '/' -f 3 | sed -E 's/\^\{\}$//')
+          echo "Tag for release is ${tag}"
+          echo "tag=${tag}" >> "${GITHUB_OUTPUT}"
+
+      - name: Wait for release workflow run
+        id: release_workflow
+        timeout-minutes: 5
+        run: |
+          until (gh run list --repo "pulumi/pulumi-xyz" --workflow release --branch "${{ steps.release_tag.outputs.tag }}" --json headBranch | grep -q "${{ steps.release_tag.outputs.tag }}"); do sleep 1; done
+          database_id=$(gh run list --repo "pulumi/pulumi-xyz" --workflow release --branch "${{ steps.release_tag.outputs.tag }}" --json "databaseId" --jq '.[0].databaseId')
+          echo "Release workflow started with id ${database_id}"
+          echo "id=${database_id}" >> "${GITHUB_OUTPUT}"
+
+      - name: Await release workflow success
+        run: gh run watch --repo "pulumi/pulumi-xyz" "${{ steps.release_workflow.outputs.id }}" --exit-status