From 85ac325cc1bbb026a7e95e660db304956049e103 Mon Sep 17 00:00:00 2001
From: Justin Van Patten <jvp@justinvp.com>
Date: Fri, 2 Jun 2023 16:23:14 -0700
Subject: [PATCH] feat: Download CLI if preinstalled version is known bad

Sometimes a release of the CLI contains a bug that is bad enough that we'd prefer users avoid using that version, to avoid the issue. For example, a bug that could cause stack corruption. We'd like to have a holistic way to "taint" a bad release, but in the meantime, one tactical change is to have the action prefer downloading a more recent version of the CLI if the version that is preinstalled has known issues. For now, the list is hardcoded, but in the future it could be stored in a centralized location that the action could check.
---
 CHANGELOG.md           |  2 ++
 src/libs/pulumi-cli.ts | 25 +++++++++++++++++++++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 24bcea70..79eb8d8a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## HEAD (Unreleased)
 
+- feat: Download CLI if preinstalled version has a known issue.
+
 --
 
 ## 4.3.0 (2023-05-12)
diff --git a/src/libs/pulumi-cli.ts b/src/libs/pulumi-cli.ts
index a15c7850..e6c0d122 100644
--- a/src/libs/pulumi-cli.ts
+++ b/src/libs/pulumi-cli.ts
@@ -7,6 +7,22 @@ import * as semver from 'semver';
 import * as exec from './exec';
 import { getVersionObject } from './libs/get-version';
 
+/**
+ * Returns true if the version is known to have issues and should not be used
+ * if already installed on the runner. Instead, proceed to downloading the CLI.
+ */
+function isKnownBadVersion(version: string): boolean {
+  const knownBadVersions = new Set([
+    // The following versions have a regression with the `--target` and
+    // `--target-replace` flags that may cause stack corruption when used.
+    // See: https://github.com/pulumi/pulumi/issues/12964
+    '3.66.0',
+    '3.67.0',
+    '3.67.1',
+  ]);
+  return knownBadVersions.has(version);
+}
+
 export async function getVersion(): Promise<string | undefined> {
   const res = await exec.exec('pulumi', ['version']);
 
@@ -58,8 +74,13 @@ export async function downloadCli(range: string): Promise<void> {
     const runnerVersion = await getVersion();
 
     if (runnerVersion) {
-      // Check if runner version matches
-      if (semver.satisfies(runnerVersion, range)) {
+      if (isKnownBadVersion(runnerVersion)) {
+        // If the version on the runner is known bad, proceed to downloading the CLI to get
+        // a more recent version.
+        core.info(
+          `Pulumi version ${runnerVersion} has a known issue. Proceeding to download`,
+        );
+      } else if (semver.satisfies(runnerVersion, range)) {
         // If runner version matches, skip downloading CLI by exiting the function
         core.info(
           `Pulumi version ${runnerVersion} is already installed on this machine. Skipping download`,