Update GitHub Actions workflows. (#582)

This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 57219950805273c97b591da6e009acfbf6a74430.

Author: pulumi-bot

.github/workflows/master.yml

@@ -88,63 +88,16 @@ jobs:
       - prerequisites
       - test
       - license_check
-    runs-on: ubuntu-latest
-    steps:
-    - name: Free Disk Space (Ubuntu)
-      uses: jlumbroso/[email protected]
-      with:
-        # this might remove tools that are actually needed,
-        # if set to "true" but frees about 6 GB
-        tool-cache: false
-        swap-storage: false
-    - name: Checkout Repo
-      uses: actions/checkout@v4
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
-      with:
-        tools: pulumictl, pulumicli, go
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        role-duration-seconds: 7200
-        role-external-id: upload-pulumi-release
-        role-session-name: fastly@githubActions
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
-    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v5
-      env:
-        GORELEASER_CURRENT_TAG: v${{ needs.prerequisites.outputs.version }}
-        PROVIDER_VERSION: ${{ needs.prerequisites.outputs.version }}
-      with:
-        args: -p 3 -f .goreleaser.prerelease.yml --rm-dist --skip-validate --timeout
-          60m0s
-        version: latest
-
-  publish_sdk:
-    name: publish_sdk
-    needs:
-      - prerequisites
-      - publish
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@v4
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
-      with:
-        tools: pulumicli, pulumictl, go, node, dotnet, python, java
-    - name: Publish SDKs
-      uses: pulumi/[email protected]
-      with:
-        sdk: all
-        version: ${{ needs.prerequisites.outputs.version }}
+    uses: ./.github/workflows/publish.yml
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+      isPrerelease: true
+      skipGoSdk: true
 
   tag_release_if_labeled_needs_release:
     name: Tag release if labeled as needs-release
-    needs: publish_sdk
+    needs: publish
     runs-on: ubuntu-latest
     steps:
     - name: check if this commit needs release
@@ -211,6 +164,7 @@ jobs:
         - java
 name: master
 on:
+  workflow_dispatch: {}
   push:
     branches:
     - master

.github/workflows/prerelease.yml

@@ -51,89 +51,12 @@ jobs:
       - prerequisites
       - test
       - license_check
-    runs-on: ubuntu-latest
-    steps:
-    - name: Free Disk Space (Ubuntu)
-      uses: jlumbroso/[email protected]
-      with:
-        # this might remove tools that are actually needed,
-        # if set to "true" but frees about 6 GB
-        tool-cache: false
-        swap-storage: false
-    - name: Checkout Repo
-      uses: actions/checkout@v4
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
-      with:
-        tools: pulumictl, pulumicli, go
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        role-duration-seconds: 7200
-        role-external-id: upload-pulumi-release
-        role-session-name: fastly@githubActions
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
-    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v5
-      env:
-        GORELEASER_CURRENT_TAG: v${{ needs.prerequisites.outputs.version }}
-        PROVIDER_VERSION: ${{ needs.prerequisites.outputs.version }}
-      with:
-        args: -p 3 -f .goreleaser.prerelease.yml --rm-dist --skip-validate --timeout
-          60m0s
-        version: latest
-  publish_sdk:
-    name: publish_sdk
-    needs: 
-      - prerequisites
-      - publish
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@v4
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
-      with:
-        tools: pulumicli, pulumictl, go, node, dotnet, python, java
-    - name: Publish SDKs
-      uses: pulumi/[email protected]
-      with:
-        sdk: all
-        version: ${{ needs.prerequisites.outputs.version }}
-  publish_go_sdk:
-    name: publish_go_sdk
-    needs: 
-      - prerequisites
-      - publish_sdk
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@v4
-    - name: Download Go SDK
-      uses: actions/download-artifact@v4
-      with:
-        name: go-sdk.tar.gz
-        path: ${{ github.workspace }}/sdk/
-    - name: Uncompress Go SDK
-      run: tar -zxf ${{ github.workspace }}/sdk/go.tar.gz -C
-        ${{ github.workspace }}/sdk/go
-      shell: bash
-    - uses: pulumi/publish-go-sdk-action@v1
-      with:
-        repository: ${{ github.repository }}
-        base-ref: ${{ github.sha }}
-        source: sdk
-        path: sdk
-        version: ${{ needs.prerequisites.outputs.version }}
-        additive: false
-        # Avoid including other language SDKs & artifacts in the commit
-        files: |
-          go.*
-          go/**
-          !*.tar.gz
+    uses: ./.github/workflows/publish.yml
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+      isPrerelease: true
+
   test:
     name: test
     needs: 
@@ -184,19 +107,6 @@ jobs:
         - dotnet
         - go
         - java
-  verify-release:
-    name: verify-release
-    needs:
-      - prerequisites
-      - publish
-      - publish_sdk
-      - publish_go_sdk
-    uses: ./.github/workflows/verify-release.yml
-    secrets: inherit
-    with:
-      providerVersion: ${{ needs.prerequisites.outputs.version }}
-      # Prelease is run often but we only have 5 concurrent macos runners, so we only test after the stable release.
-      enableMacosRunner: false
 
 name: prerelease
 on:

.github/workflows/publish.yml

@@ -0,0 +1,174 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+name: Publish
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+      isPrerelease:
+        required: true
+        type: boolean
+      skipGoSdk:
+        default: false
+        type: boolean
+        description: Skip publishing & verifying the Go SDK
+
+env:
+  IS_PRERELEASE: ${{ inputs.isPrerelease }}
+  FASTLY_API_KEY: ${{ secrets.FASTLY_API_KEY }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PYPI_USERNAME: __token__
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  TF_APPEND_USER_AGENT: pulumi
+
+jobs:
+  publish:
+    name: publish
+    runs-on: ubuntu-latest
+    steps:
+    - name: Validate prerelease
+      if: inputs.isPrerelease == false && (contains(inputs.version, '-') || contains(inputs.version, '+'))
+      run: echo "Can't publish a prerelease version as a stable release. This is likely a bug in the calling workflow." && exit 1
+    - name: Validate skipGoSdk
+      if: inputs.skipGoSdk && inputs.isPrerelease == false
+      run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
+    - name: Free Disk Space (Ubuntu)
+      uses: jlumbroso/[email protected]
+      with:
+        # this might remove tools that are actually needed,
+        # if set to "true" but frees about 6 GB
+        tool-cache: false
+        swap-storage: false
+    - name: Checkout Repo
+      uses: actions/checkout@v4
+    - name: Setup tools
+      uses: ./.github/actions/setup-tools
+      with:
+        tools: pulumictl, pulumicli, go
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-region: us-east-2
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        role-duration-seconds: 7200
+        role-external-id: upload-pulumi-release
+        role-session-name: fastly@githubActions
+        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+    - name: Run GoReleaser
+      if: inputs.isPrerelease == false
+      uses: goreleaser/goreleaser-action@v5
+      env:
+        GORELEASER_CURRENT_TAG: v${{ inputs.version }}
+        PROVIDER_VERSION: ${{ inputs.version }}
+      with:
+        args: -p 3 release --rm-dist --timeout 60m0s
+        version: latest
+    - name: Run GoReleaser (prerelease)
+      if: inputs.isPrerelease == true
+      uses: goreleaser/goreleaser-action@v5
+      env:
+        GORELEASER_CURRENT_TAG: v${{ inputs.version }}
+        PROVIDER_VERSION: ${{ inputs.version }}
+      with:
+        args: -p 3 -f .goreleaser.prerelease.yml --rm-dist --skip-validate --timeout
+          60m0s
+        version: latest
+
+  publish_sdk:
+    name: publish_sdk
+    needs: publish
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v4
+    - name: Setup tools
+      uses: ./.github/actions/setup-tools
+      with:
+        tools: pulumictl, pulumicli, go, node, dotnet, python, java
+    - name: Publish SDKs
+      uses: pulumi/[email protected]
+      with:
+        sdk: all
+        version: ${{ inputs.version }}
+    - name: Download Go SDK
+      uses: ./.github/actions/download-sdk
+      with:
+        language: go
+    - uses: pulumi/publish-go-sdk-action@v1
+      if: inputs.skipGoSdk == false
+      with:
+        repository: ${{ github.repository }}
+        base-ref: ${{ github.sha }}
+        source: sdk
+        path: sdk
+        version: ${{ inputs.version }}
+        additive: false
+        # Avoid including other language SDKs & artifacts in the commit
+        files: |
+          go.*
+          go/**
+          !*.tar.gz
+  create_docs_build:
+    name: create_docs_build
+    needs: publish_sdk
+    # Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
+    if: inputs.isPrerelease == false
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dispatch Metadata build
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ secrets.PULUMI_BOT_TOKEN }}
+          repository: pulumi/registry
+          event-type: resource-provider
+          client-payload: |-
+            {
+              "project": "${{ github.repository }}",
+              "project-shortname": "fastly",
+              "ref": "${{ github.ref_name }}"
+            }
+
+  clean_up_release_labels:
+    name: Clean up release labels
+    # Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
+    if: inputs.isPrerelease == false
+    needs: create_docs_build
+    
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v4
+    - name: Clean up release labels
+      uses: pulumi/action-release-by-pr-label@main
+      with:
+        command: "clean-up-release-labels"
+        repo: ${{ github.repository }}
+        commit: ${{ github.sha }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  verify_release:
+    name: verify_release
+    needs: publish_sdk
+    uses: ./.github/workflows/verify-release.yml
+    secrets: inherit
+    with:
+      providerVersion: ${{ inputs.version }}
+      # Prelease is run often but we only have 5 concurrent macos runners, so we only test after the stable release.
+      enableMacosRunner: ${{ inputs.isPrerelease == false }}
+      skipGoSdk: ${{ inputs.skipGoSdk }}