
chore(deps): pin trusted workflows based on HashiCorp TSCCR (#3700) #1529

chore(deps): pin trusted workflows based on HashiCorp TSCCR (#3700)


Workflow file for this run

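---
# Release pipeline for the cdktf CLI and its language bindings.
#
# Flow: prepare-release builds the dist bundle and records whether Sentry
# already knows a release for this version -> the test workflows run only for
# an unreleased version -> one publish job per registry -> release_sentry
# finalizes the Sentry release -> report posts any failure to Slack.
#
# NOTE(review): there is no workflow-level `permissions:` block, so
# GITHUB_TOKEN carries the repository's default scopes. Least privilege would
# be `permissions: contents: read` here plus `contents: write` on
# release_github; confirm the reusable workflows called below need nothing
# more before tightening.
name: Release

on: # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - backport-release-*
  workflow_dispatch: {}

env:
  SENTRY_ORG: hashicorp
  SENTRY_PROJECT: cdktf-cli

# Serialize releases. cancel-in-progress is left at its default (false) so a
# running release is never aborted by a newer push.
concurrency:
  group: release

jobs:
  # Builds the bundle, uploads it as the `dist` artifact and decides whether
  # this version still has to be released (based on Sentry's release list).
  # Only the `version` and `release_status` outputs are consumed below.
  prepare-release:
    if: github.repository == 'hashicorp/terraform-cdk'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.get_version.outputs.version }}
      release_status: ${{ steps.get_release_status.outputs.release }}
    container:
      # NOTE(review): the image has no tag or digest, so every run resolves
      # whatever the mirror currently serves; pinning would make releases
      # reproducible, in line with the action pins below.
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
      env:
        CHECKPOINT_DISABLE: "1"
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0 # gives sentry access to all previous commits
      # Go 1.18+ started embedding repo info in the build and e.g. building
      # @cdktf/hcl2json fails without this. The Sentry CLI also requires it,
      # https://github.com/actions/checkout/issues/760
      - name: "Add Git safe.directory"
        run: git config --global --add safe.directory /__w/terraform-cdk/terraform-cdk
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      # Version comes from the repository's own package.json on the pushed
      # branch; it is reused in the sentry-cli release names below.
      - name: version
        id: get_version
        run: |
          version=$(node -p "require('./package.json').version")
          echo "version=${version}" >> "$GITHUB_OUTPUT"
      # "released" when Sentry already lists a release for this version,
      # otherwise "unreleased". The trailing space in the pattern presumably
      # stops a version from matching as the prefix of a longer one.
      # NOTE(review): a failing `sentry-cli releases list` (bad token, network)
      # also ends up as "unreleased" because of the `||` fallback, so a broken
      # Sentry call would start a release rather than fail the job.
      - name: release status
        id: get_release_status
        run: |
          status=$(sentry-cli releases list | grep -q 'cdktf-cli-${{ steps.get_version.outputs.version }} ' && echo 'released' || echo 'unreleased')
          echo "Sentry returned: ${status}"
          echo "release=${status}" >> "$GITHUB_OUTPUT"
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }}
      - name: Create a release
        if: steps.get_release_status.outputs.release == 'unreleased'
        run: sentry-cli releases new cdktf-cli-${{ steps.get_version.outputs.version }}
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }}
      # --frozen-lockfile keeps the release build on the committed lockfile.
      - name: create bundle
        run: |
          yarn install --frozen-lockfile
          tools/align-version.sh
          yarn build
          yarn package
        env:
          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
      - name: Add sourcemap and commit info to sentry
        if: steps.get_release_status.outputs.release == 'unreleased'
        run: |
          sentry-cli releases files cdktf-cli-${{ steps.get_version.outputs.version }} upload-sourcemaps ./packages/cdktf-cli/bundle
          sentry-cli releases set-commits --auto cdktf-cli-${{ steps.get_version.outputs.version }}
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }}
      - name: Upload artifact
        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
        with:
          name: dist
          path: dist
      # Always runs: this workflow declares no inputs, so an
      # `inputs.skip_setup` guard here would be a no-op.
      - name: Upload edge-provider bindings
        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
        with:
          name: edge-provider-bindings
          path: packages/@cdktf/provider-generator/edge-provider-bindings

  # The four gates below reuse the repository's own test workflows and only
  # run for a version Sentry does not know yet.
  # NOTE(review): `secrets: inherit` hands every repository secret (including
  # the publish credentials) to the called workflows; scoping to the secrets
  # they actually read would narrow the blast radius of a test-side bug.
  integration_test:
    uses: ./.github/workflows/integration.yml
    needs:
      - prepare-release
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    with:
      skip_setup: true
      concurrency_group_prefix: release
    secrets: inherit

  provider_integration_test:
    needs:
      - prepare-release
    uses: ./.github/workflows/provider-integration.yml
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    with:
      concurrency_group_prefix: release
      skip_setup: true
    secrets: inherit

  examples:
    needs:
      - prepare-release
    uses: ./.github/workflows/examples.yml
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    with:
      concurrency_group_prefix: release
    secrets: inherit

  linting:
    needs:
      - prepare-release
    uses: ./.github/workflows/linting.yml
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    with:
      concurrency_group_prefix: release
    secrets: inherit

  unit_test:
    uses: ./.github/workflows/unit.yml
    needs:
      - prepare-release
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    strategy:
      fail-fast: false
      matrix:
        package:
          - cdktf
          - cdktf-cli
          - "@cdktf/hcl2cdk"
          - "@cdktf/hcl2json"
          - "@cdktf/provider-generator"
          - "@cdktf/provider-schema"
          - "@cdktf/commons"
          - "@cdktf/cli-core"
        terraform_version: ["1.6.5", "1.5.5"]
    with:
      concurrency_group_prefix: release
      package: ${{ matrix.package }}
      terraform_version: ${{ matrix.terraform_version }}
    secrets: inherit

  # Publish jobs: each downloads the `dist` artifact built by prepare-release
  # and pushes one package format. They share the same gate as the tests.
  release_github:
    name: Release to Github
    runs-on: ubuntu-latest
    needs:
      - prepare-release
      - integration_test
      - provider_integration_test
      - unit_test
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: installing dependencies
        run: |
          yarn install --frozen-lockfile
      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: dist
      # Uses the workflow token; creating a GitHub release needs the
      # `contents: write` scope on that token.
      - name: Release to github
        run: yarn release-github
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  release_npm:
    name: Release to Github Packages NPM registry
    runs-on: ubuntu-latest
    needs:
      - prepare-release
      - integration_test
      - provider_integration_test
      - unit_test
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: dist
          path: dist
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      # NOTE(review): `npx -p publib` resolves publib at run time without a
      # version pin (same in release_maven, release_nuget and release_golang);
      # pinning it would make the publish step reproducible.
      - name: Release
        run: npx -p publib publib-npm
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

  release_pypi:
    name: Release to PyPi
    runs-on: ubuntu-latest
    needs:
      - prepare-release
      - integration_test
      - provider_integration_test
      - unit_test
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: dist
          path: dist
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      # We use twine directly for publishing instead of publib-pypi
      # Publib-pypi does the same twine command (https://github.com/cdklabs/publib/blob/main/bin/publib-pypi)
      # but also tries to install twine which is already globally
      # available in the docker image we use. It upgrades twine,
      # introducing risks of breaking changes. (Though not likely, twine is ancient)
      # We can not keep the install since the update to python 3.11 in the docker image
      # forbids global installs since the global pip is system managed.
      # Running this install in a virtualenv would be possible but would require
      # changes for the publib-pypi script. This is the easiest solution for now.
      - name: Release
        run: |
          cd dist/python
          twine upload --verbose --skip-existing *
        env:
          TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}

  release_maven:
    name: Release to Maven
    runs-on: ubuntu-latest
    needs:
      - prepare-release
      - integration_test
      - provider_integration_test
      - unit_test
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: dist
          path: dist
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      - name: Release
        run: npx -p publib publib-maven
        env:
          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
          MAVEN_ENDPOINT: https://hashicorp.oss.sonatype.org
          MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
          MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSPHRASE }}
          MAVEN_STAGING_PROFILE_ID: ${{ secrets.MAVEN_STAGING_PROFILE_ID }}
          # See https://stackoverflow.com/questions/70153962/nexus-staging-maven-plugin-maven-deploy-failed-an-api-incompatibility-was-enco
          MAVEN_OPTS: "--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED"

  release_nuget:
    name: Release to NuGet
    runs-on: ubuntu-latest
    needs:
      - prepare-release
      - integration_test
      - provider_integration_test
      - unit_test
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - name: Download dist
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: dist
          path: dist
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      - name: Release
        run: npx -p publib publib-nuget
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}

  # Pushes the Go bindings to a separate repository, hence the dedicated
  # token instead of the workflow's GITHUB_TOKEN.
  release_golang:
    name: Release Go to Github Repo
    runs-on: ubuntu-latest
    needs:
      - prepare-release
      - integration_test
      - provider_integration_test
      - unit_test
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - name: Download dist
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: dist
          path: dist
      - name: ensure correct user
        run: chown -R root /__w/terraform-cdk
      - name: Release
        run: npx -p publib publib-golang
        env:
          GITHUB_TOKEN: ${{ secrets.TERRAFORM_CDK_GO_REPO_GITHUB_TOKEN }}
          GIT_USER_NAME: "CDK for Terraform Team"
          GIT_USER_EMAIL: "[email protected]"

  # Marks the Sentry release created in prepare-release as finalized.
  release_sentry:
    name: Finalize the sentry release
    runs-on: ubuntu-latest
    needs:
      - prepare-release
      - integration_test
      - provider_integration_test
      - unit_test
    if: needs.prepare-release.outputs.release_status == 'unreleased'
    container:
      image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: version
        id: get_version
        run: |
          version=$(node -p "require('./package.json').version")
          echo "version=${version}" >> "$GITHUB_OUTPUT"
      # Differs from the check in prepare-release on purpose: by now the
      # release exists, so "unreleased" here means Sentry lists it but has not
      # finalized it yet.
      - name: release status
        id: get_release_status
        run: |
          status=$(sentry-cli releases list | grep 'cdktf-cli-${{ steps.get_version.outputs.version }} ' | grep -q 'unreleased' && echo "unreleased" || echo "released")
          echo "Sentry returned: ${status}"
          echo "release=${status}" >> "$GITHUB_OUTPUT"
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }}
      - name: Finalize the release
        if: steps.get_release_status.outputs.release == 'unreleased'
        run: sentry-cli releases finalize cdktf-cli-${{ steps.get_version.outputs.version }}
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }}

  # Runs only when any of the listed jobs failed and posts the run URL to
  # Slack via an incoming webhook.
  report:
    name: Report status
    runs-on: ubuntu-latest
    if: ${{ failure() }}
    needs:
      - examples
      - integration_test
      - provider_integration_test
      - linting
      - prepare-release
      - release_github
      - release_golang
      - release_maven
      - release_npm
      - release_nuget
      - release_pypi
      - release_sentry
      - unit_test
    steps:
      - name: Send failures to Slack
        uses: slackapi/slack-github-action@70cd7be8e40a46e8b0eced40b0de447bdb42f68e # v1.26.0
        with:
          payload: |
            {
              "name": "main",
              "run_url": "https://github.com/hashicorp/terraform-cdk/actions/runs/${{ github.run_id }}"
            }
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.FAILURE_SLACK_WEBHOOK_URL }}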