diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index f0f3ce6..e28ef70 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -41,6 +41,7 @@ jobs: if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository permissions: + contents: read pull-requests: write uses: ./.github/workflows/prerequisites.yml secrets: inherit diff --git a/.golangci.yml b/.golangci.yml index 3e8d566..aa76d7b 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -19,6 +19,8 @@ linters: - unused enable-all: false issues: + exclude-dirs: + - pkg/vendored exclude-files: - schema.go - pulumiManifest.go diff --git a/Makefile b/Makefile index 5cd7d32..06e2123 100644 --- a/Makefile +++ b/Makefile @@ -197,17 +197,6 @@ install_nodejs_sdk: .make/install_nodejs_sdk install_python_sdk: .PHONY: install_dotnet_sdk install_go_sdk install_java_sdk install_nodejs_sdk install_python_sdk -# Install Pulumi plugins required for CODEGEN to resolve references -install_plugins: .make/install_plugins -.make/install_plugins: export PULUMI_HOME := $(WORKING_DIR)/.pulumi -.make/install_plugins: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH) -.make/install_plugins: .pulumi/bin/pulumi - .pulumi/bin/pulumi plugin install resource random 4.8.2 - .pulumi/bin/pulumi plugin install resource std 1.6.2 - .pulumi/bin/pulumi plugin install converter terraform 1.0.15 - @touch $@ -.PHONY: install_plugins - lint_provider: provider cd provider && golangci-lint run --path-prefix provider -c ../.golangci.yml # `lint_provider.fix` is a utility target meant to be run manually @@ -284,110 +273,13 @@ ci-mgmt: .ci-mgmt.yaml go run github.com/pulumi/ci-mgmt/provider-ci@master generate .PHONY: ci-mgmt -# Because some codegen depends on the version of the CLI used, we install a local CLI -# version pinned to the same version as `provider/go.mod`. -# -# This logic compares the version of .pulumi/bin/pulumi already installed. If it matches -# the desired version, we just print. Otherwise we (re)install pulumi at the desired -# version. -.pulumi/bin/pulumi: .pulumi/version - @if [ -x .pulumi/bin/pulumi ] && [ "v$$(cat .pulumi/version)" = "$$(.pulumi/bin/pulumi version)" ]; then \ - echo "pulumi/bin/pulumi version: v$$(cat .pulumi/version)"; \ - touch $@; \ - else \ - curl -fsSL https://get.pulumi.com | \ - HOME=$(WORKING_DIR) sh -s -- --version "$$(cat .pulumi/version)"; \ - fi - -# Compute the version of Pulumi to use by inspecting the Go dependencies of the provider. -.pulumi/version: provider/go.mod - cd provider && go list -f "{{slice .Version 1}}" -m github.com/pulumi/pulumi/pkg/v3 | tee ../$@ - # Start debug server for tfgen debug_tfgen: dlv --listen=:2345 --headless=true --api-version=2 exec $(WORKING_DIR)/bin/$(CODEGEN) -- schema --out provider/cmd/$(PROVIDER) .PHONY: debug_tfgen -# Provider cross-platform build & packaging - -# Set these variables to enable signing of the windows binary -AZURE_SIGNING_CLIENT_ID ?= -AZURE_SIGNING_CLIENT_SECRET ?= -AZURE_SIGNING_TENANT_ID ?= -AZURE_SIGNING_KEY_VAULT_URI ?= -SKIP_SIGNING ?= - -# These targets assume that the schema-embed.json exists - it's generated by tfgen. -# We disable CGO to ensure that the binary is statically linked. -bin/linux-amd64/$(PROVIDER): GOOS := linux -bin/linux-amd64/$(PROVIDER): GOARCH := amd64 -bin/linux-arm64/$(PROVIDER): GOOS := linux -bin/linux-arm64/$(PROVIDER): GOARCH := arm64 -bin/darwin-amd64/$(PROVIDER): GOOS := darwin -bin/darwin-amd64/$(PROVIDER): GOARCH := amd64 -bin/darwin-arm64/$(PROVIDER): GOOS := darwin -bin/darwin-arm64/$(PROVIDER): GOARCH := arm64 -bin/windows-amd64/$(PROVIDER).exe: GOOS := windows -bin/windows-amd64/$(PROVIDER).exe: GOARCH := amd64 -bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar - $(call build_provider_cmd,$(GOOS),$(GOARCH),$(WORKING_DIR)/$@) - - @# Only sign windows binary if fully configured. - @# Test variables set by joining with | between and looking for || showing at least one variable is empty. - @# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails. - @set -e; \ - if [[ "${GOOS}-${GOARCH}" = "windows-amd64" && "${SKIP_SIGNING}" != "true" ]]; then \ - if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \ - echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \ - echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \ - if [[ "${CI}" == "true" ]]; then exit 1; fi; \ - else \ - mv $@ $@.unsigned; \ - az login --service-principal \ - --username "${AZURE_SIGNING_CLIENT_ID}" \ - --password "${AZURE_SIGNING_CLIENT_SECRET}" \ - --tenant "${AZURE_SIGNING_TENANT_ID}" \ - --output none; \ - ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \ - java -jar bin/jsign-6.0.jar \ - --storetype AZUREKEYVAULT \ - --keystore "PulumiCodeSigning" \ - --url "${AZURE_SIGNING_KEY_VAULT_URI}" \ - --storepass "$${ACCESS_TOKEN}" \ - $@.unsigned; \ - mv $@.unsigned $@; \ - az logout; \ - fi; \ - fi - -bin/jsign-6.0.jar: - wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar - -provider-linux-amd64: bin/linux-amd64/$(PROVIDER) -provider-linux-arm64: bin/linux-arm64/$(PROVIDER) -provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER) -provider-darwin-arm64: bin/darwin-arm64/$(PROVIDER) -provider-windows-amd64: bin/windows-amd64/$(PROVIDER).exe -.PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64 - -bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz: bin/linux-amd64/$(PROVIDER) -bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz: bin/linux-arm64/$(PROVIDER) -bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz: bin/darwin-amd64/$(PROVIDER) -bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz: bin/darwin-arm64/$(PROVIDER) -bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz: bin/windows-amd64/$(PROVIDER).exe -bin/$(PROVIDER)-v$(PROVIDER_VERSION)-%.tar.gz: - @mkdir -p dist - @# $< is the last dependency (the binary path from above) e.g. bin/linux-amd64/pulumi-resource-xyz - @# $@ is the current target e.g. bin/pulumi-resource-xyz-v1.2.3-linux-amd64.tar.gz - tar --gzip -cf $@ README.md LICENSE -C $$(dirname $<) . - -provider_dist-linux-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz -provider_dist-linux-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz -provider_dist-darwin-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz -provider_dist-darwin-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz -provider_dist-windows-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz -provider_dist: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64 -.PHONY: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64 provider_dist +include scripts/plugins.mk +include scripts/crossbuild.mk # Permit providers to extend the Makefile with provider-specific Make includes. include $(wildcard .mk/*.mk)