Reapplied pulumi/ci-mgmt

Signed-off-by: Ringo De Smet <ringo@de-smet.name>

.ci-mgmt.yaml

@@ -5,7 +5,6 @@ major-version: 0
 providerDefaultBranch: main
 upstreamProviderOrg: paultyng
 publishRegistry: false
-enableAutoRelease: false
 plugins:
   - name: terraform
     version: "1.0.19"
@@ -22,7 +21,6 @@ license:
   ignore:
     # Don't check for the license of the local shim package
     - github.com/paultyng/terraform-provider-unifi/shim
-pr-assign: ringods
 toolVersions:
   go: "1.22.x"
 pulumiConvert: 1

.github/actions/download-bin/action.yml

@@ -1,16 +1,23 @@
-name: Download binary assets
-description: Downloads the provider and tfgen binaries to `bin/`.
+name: Download the provider binary
+description: Downloads the provider binary to `bin/`.
 
 runs:
   using: "composite"
   steps:
-    - name: Download provider + tfgen binaries
-      uses: actions/download-artifact@v4
+
+    - name: Download pulumi-resource-unifi
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
-        name: unifi-provider.tar.gz
+        pattern: pulumi-resource-unifi-*-linux-amd64.tar.gz
         path: ${{ github.workspace }}/bin
-    - name: Untar provider binaries
+        merge-multiple: true
+
+    - name: Untar pulumi-resource-unifi
+      shell: bash
+      run: |
+        tar -zxf ${{ github.workspace }}/bin/*amd64.tar.gz -C ${{ github.workspace}}/bin
+
+    - name: Mark pulumi-resource-unifi as executable
       shell: bash
       run: |
-        tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
         find ${{ github.workspace }} -name "pulumi-*-unifi" -print -exec chmod +x {} \;

.github/actions/download-sdk/action.yml

@@ -10,7 +10,7 @@ runs:
   using: "composite"
   steps:
     - name: Download ${{ inputs.language }} SDK
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: ${{ inputs.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/

.github/actions/download-tfgen/action.yml

@@ -0,0 +1,17 @@
+name: Download the tfgen binary
+description: Downloads the tfgen binary to `bin/`.
+
+runs:
+  using: "composite"
+  steps:
+
+    - name: Download pulumi-tfgen-unifi
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      with:
+        name: pulumi-tfgen-unifi
+        path: ${{ github.workspace }}/bin
+
+    - name: Ensure pulumi-tfgen-unifi is executable
+      shell: bash
+      run: |
+        find ${{ github.workspace }} -name "pulumi-*-unifi" -print -exec chmod +x {} \;

.github/actions/setup-tools/action.yml

@@ -14,68 +14,78 @@ inputs:
         dotnet
         java
     default: all
+  cache-go:
+    description: |
+      Whether to enable the GitHub cache for Go. Appropriate for disabling in
+      smaller jobs that typically completely before the "real" job has an
+      opportunity to populate the cache.
+    default: "true"
 
 runs:
   using: "composite"
   steps:
     - name: Install Go
       if: inputs.tools == 'all' || contains(inputs.tools, 'go')
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
       with:
         go-version: "1.22.x"
         cache-dependency-path: |
           provider/*.sum
           upstream/*.sum
+          sdk/go/*.sum
           sdk/*.sum
+          *.sum
+        # TODO(https://github.com/actions/setup-go/issues/316): Restore but don't save the cache.
+        cache: ${{ inputs.cache-go }}
 
     - name: Install pulumictl
       if: inputs.tools == 'all' || contains(inputs.tools, 'pulumictl')
-      uses: jaxxstorm/action-install-gh-release@v1.11.0
+      uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0
       with:
         tag: v0.0.46
         repo: pulumi/pulumictl
 
     - name: Install Pulumi CLI
       if: inputs.tools == 'all' || contains(inputs.tools, 'pulumicli')
-      uses: pulumi/actions@v5
+      uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952 # v6
       with:
         pulumi-version: "dev"
 
     - name: Install Schema Tools
       if: inputs.tools == 'all' || contains(inputs.tools, 'schema-tools')
-      uses: jaxxstorm/action-install-gh-release@v1.11.0
+      uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0
       with:
         repo: pulumi/schema-tools
 
     - name: Setup Node
       if: inputs.tools == 'all' || contains(inputs.tools, 'nodejs')
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
       with:
         node-version: 20.x
         registry-url: https://registry.npmjs.org
 
     - name: Setup DotNet
       if: inputs.tools == 'all' || contains(inputs.tools, 'dotnet')
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4
       with:
         dotnet-version: 6.0.x
 
     - name: Setup Python
       if: inputs.tools == 'all' || contains(inputs.tools, 'python')
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
       with:
         python-version: 3.11.8
 
     - name: Setup Java
       if: inputs.tools == 'all' || contains(inputs.tools, 'java')
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
       with:
         cache: gradle
         distribution: temurin
         java-version: 11
 
     - name: Setup Gradle
       if: inputs.tools == 'all' || contains(inputs.tools, 'java')
-      uses: gradle/gradle-build-action@v3
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3
       with:
         gradle-version: 7.6

.github/actions/upload-sdk/action.yml

@@ -13,7 +13,7 @@ runs:
       shell: bash
       run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
       with:
         name: ${{ inputs.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ inputs.language }}.tar.gz

.github/workflows/build_provider.yml

@@ -1,3 +1,5 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
 name: "Build Provider"
 
 on:
@@ -14,6 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       PROVIDER_VERSION: ${{ inputs.version }}
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
       fail-fast: true
       matrix:
@@ -30,28 +33,40 @@ jobs:
             arch: amd64
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:
           tools: pulumictl, go
+      - name: Prepare local workspace before restoring previously built
+        run: make prepare_local_workspace
       - name: Download schema-embed.json
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           # Use a pattern to avoid failing if the artifact doesn't exist
           pattern: schema-embed.*
           # Avoid creating directories for each artifact
           merge-multiple: true
-          path: provider/cmd/pulumi-resource-unifi/schema-embed.json
-      - name: Prepare for build
-        # This installs plugins and prepares upstream
-        run: make upstream
-      - name: Build & package provider
+          path: provider/cmd/pulumi-resource-unifi
+      - name: Restore makefile progress
+        run: make --touch provider schema
+
+      - name: Build provider
+        run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
+        env:
+          AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+          AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+          AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+          AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+          SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+
+      - name: Package provider
         run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
+
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: pulumi-resource-unifi-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
           path: bin/pulumi-resource-unifi-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz

.github/workflows/build_sdk.yml

@@ -1,3 +1,5 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
 name: "Build SDK"
 
 on:
@@ -31,7 +33,9 @@ jobs:
     name: build_sdk
     runs-on: ubuntu-latest
     strategy:
-      fail-fast: true
+      # We normally fail fast unless this is a PR from Renovate in which case
+      # we'll always build all SDKs in case there are any changes to commit.
+      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
       matrix:
         language:
         - dotnet
@@ -40,11 +44,11 @@ jobs:
         - python
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: Cache examples generation
-        uses: actions/cache@v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
         with:
           path: |
             .pulumi/examples-cache
@@ -53,23 +57,67 @@ jobs:
         uses: ./.github/actions/setup-tools
         with:
           tools: pulumictl, pulumicli, ${{ matrix.language }}
-      - name: Download bin
-        uses: ./.github/actions/download-bin
-      - name: Install plugins
-        run: make install_plugins
+      - name: Prepare local workspace
+        run: make prepare_local_workspace
+      - name: Download tfgen
+        uses: ./.github/actions/download-tfgen
       - name: Update path
         run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      - name: Restore makefile progress
+        run: make --touch provider schema
       - name: Build SDK
         run: make build_${{ matrix.language }}
       - name: Check worktree clean
+        id: worktreeClean
         uses: pulumi/git-status-check-action@v1
         with:
+          # Keep these in sync with the Renovate step below to avoid them getting checked in.
           allowed-changes: |
             sdk/**/pulumi-plugin.json
             sdk/dotnet/*.csproj
             sdk/go/**/pulumiUtilities.go
             sdk/nodejs/package.json
             sdk/python/pyproject.toml
+      - name: Commit ${{ matrix.language }} SDK changes for Renovate
+        # If the worktree is dirty and this is a Renovate PR to bump
+        # dependencies, commit the updated SDK and push it back to the PR. The
+        # job will still be marked as a failure.
+        if: failure() && steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request'
+        shell: bash
+        run: |
+          git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+          git config --global user.email "bot@pulumi.com"
+          git config --global user.name "pulumi-bot"
+
+          # Stash local changes and check out the PR's branch directly.
+          git stash
+          git fetch
+          git checkout "origin/$HEAD_REF"
+
+          # Apply and add our changes, but don't commit any files we expect to
+          # always change due to versioning.
+          git stash pop
+          git add sdk
+          git reset \
+              sdk/python/*/pulumi-plugin.json \
+              sdk/python/pyproject.toml \
+              sdk/dotnet/pulumi-plugin.json \
+              sdk/dotnet/Pulumi.*.csproj \
+              sdk/go/*/pulumi-plugin.json \
+              sdk/go/*/internal/pulumiUtilities.go \
+              sdk/nodejs/package.json
+          git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+          # Push with pulumi-bot credentials to trigger a re-run of the
+          # workflow. https://github.com/orgs/community/discussions/25702
+          git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
+              "HEAD:$HEAD_REF"
+        env:
+          # head_ref is untrusted so it's recommended to pass via env var to
+          # avoid injections.
+          HEAD_REF: ${{ github.head_ref }}
+
       - name: Upload SDK
         uses: ./.github/actions/upload-sdk
         with:

.github/workflows/license.yml

@@ -1,4 +1,4 @@
-# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 
 name: license_check
 
@@ -30,14 +30,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:
           tools: go
-      - run: make upstream
+          cache-go: false
+      - run: make prepare_local_workspace
+        continue-on-error: true
       - uses: pulumi/license-check-action@main
         with:
           module-path: provider

.github/workflows/lint.yml

@@ -1,4 +1,4 @@
-# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 
 name: lint
 
@@ -30,11 +30,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         persist-credentials: false
     - name: Install go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
       with:
         # The versions of golangci-lint and setup-go here cross-depend and need to update together.
         go-version: 1.23
@@ -44,11 +44,11 @@ jobs:
       continue-on-error: true # this fails if there are no go:embed directives
       run: |
         git grep -l 'go:embed' -- provider | xargs sed -i 's/go:embed/ goembed/g'
-    - name: prepare upstream
+    - name: prepare workspace
       continue-on-error: true
-      run: make upstream
+      run: make prepare_local_workspace
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@v6
+      uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6
       with:
         version: v1.60
         working-directory: provider