name: Release on: push: branches: - main - backport-release-* workflow_dispatch: {} env: SENTRY_ORG: hashicorp SENTRY_PROJECT: cdktf-cli concurrency: group: release jobs: prepare-release: if: github.repository == 'hashicorp/terraform-cdk' runs-on: ubuntu-latest outputs: tests: ${{ steps.build-test-matrix.outputs.tests }} version: ${{ steps.get_version.outputs.version }} release_status: ${{ steps.get_release_status.outputs.release }} container: image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform env: CHECKPOINT_DISABLE: "1" steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 # gives sentry access to all previous commits - name: "Add Git safe.directory" # Go 1.18+ started embedding repo info in the build and e.g. building @cdktf/hcl2json fails without this # The Sentry CLI also requires this, https://github.com/actions/checkout/issues/760 run: git config --global --add safe.directory /__w/terraform-cdk/terraform-cdk - name: ensure correct user run: chown -R root /__w/terraform-cdk - name: version id: get_version run: | version=$(node -p "require('./package.json').version") echo "version=${version}" >> $GITHUB_OUTPUT - name: release status id: get_release_status run: | status=$(sentry-cli releases list | grep -q 'cdktf-cli-${{ steps.get_version.outputs.version }} ' && echo 'released' || echo 'unreleased') echo "Sentry returned: ${status}" echo "release=${status}" >> $GITHUB_OUTPUT env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} - name: Create a release if: steps.get_release_status.outputs.release == 'unreleased' run: sentry-cli releases new cdktf-cli-${{ steps.get_version.outputs.version }} env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} - name: create bundle run: | yarn install --frozen-lockfile tools/align-version.sh yarn build yarn package env: SENTRY_DSN: ${{ secrets.SENTRY_DSN }} - name: Add sourcemap and commit info to sentry if: steps.get_release_status.outputs.release == 'unreleased' run: | sentry-cli releases files cdktf-cli-${{ steps.get_version.outputs.version }} upload-sourcemaps ./packages/cdktf-cli/bundle sentry-cli releases set-commits --auto cdktf-cli-${{ steps.get_version.outputs.version }} env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} - name: Upload artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: dist path: dist - name: Upload edge-provider bindings uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: ${{ !inputs.skip_setup }} with: name: edge-provider-bindings path: packages/@cdktf/provider-generator/edge-provider-bindings integration_test: uses: ./.github/workflows/integration.yml needs: - prepare-release if: needs.prepare-release.outputs.release_status == 'unreleased' with: skip_setup: true concurrency_group_prefix: release secrets: inherit provider_integration_test: needs: - prepare-release uses: ./.github/workflows/provider-integration.yml if: needs.prepare-release.outputs.release_status == 'unreleased' with: concurrency_group_prefix: release skip_setup: true secrets: inherit examples: needs: - prepare-release uses: ./.github/workflows/examples.yml if: needs.prepare-release.outputs.release_status == 'unreleased' with: concurrency_group_prefix: release secrets: inherit linting: needs: - prepare-release uses: ./.github/workflows/linting.yml if: needs.prepare-release.outputs.release_status == 'unreleased' with: concurrency_group_prefix: release secrets: inherit unit_test: uses: ./.github/workflows/unit.yml needs: - prepare-release if: needs.prepare-release.outputs.release_status == 'unreleased' strategy: fail-fast: false matrix: package: [ cdktf, cdktf-cli, "@cdktf/hcl2cdk", "@cdktf/hcl2json", "@cdktf/provider-generator", "@cdktf/provider-schema", "@cdktf/commons", "@cdktf/cli-core", ] terraform_version: ["1.6.5", "1.5.5"] with: concurrency_group_prefix: release package: ${{ matrix.package }} terraform_version: ${{ matrix.terraform_version }} secrets: inherit release_github: name: Release to Github runs-on: ubuntu-latest needs: - prepare-release - integration_test - provider_integration_test - unit_test if: needs.prepare-release.outputs.release_status == 'unreleased' container: image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: installing dependencies run: | yarn install --frozen-lockfile - name: Download build artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: dist - name: Release to github run: yarn release-github env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} release_npm: name: Release to Github Packages NPM regitry runs-on: ubuntu-latest needs: - prepare-release - integration_test - provider_integration_test - unit_test if: needs.prepare-release.outputs.release_status == 'unreleased' container: image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform steps: - name: Download build artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: dist path: dist - name: ensure correct user run: chown -R root /__w/terraform-cdk - name: Release run: npx -p publib publib-npm env: NPM_TOKEN: ${{ secrets.NPM_TOKEN }} release_pypi: name: Release to PyPi runs-on: ubuntu-latest needs: - prepare-release - integration_test - provider_integration_test - unit_test if: needs.prepare-release.outputs.release_status == 'unreleased' container: image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform steps: - name: Download build artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: dist path: dist - name: ensure correct user run: chown -R root /__w/terraform-cdk # We use twine directly for publishing instead of publib-pypi # Publib-pypi does the same twine command (https://github.com/cdklabs/publib/blob/main/bin/publib-pypi) # but also tries to install twine which is already globally # available in the docker image we use. It upgrades twine, # introducing risks of breaking changes. (Though not likely, twine is ancient) # We can not keep the install since the update to python 3.11 in the docker image # forbids global installs since the global pip is system managed. # Running this install in a virtualenv would be possible but would require # changes for the publib-pypi script. This is the easiest solution for now. - name: Release run: | cd dist/python twine upload --verbose --skip-existing * env: TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }} TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} release_maven: name: Release to Maven runs-on: ubuntu-latest needs: - prepare-release - integration_test - provider_integration_test - unit_test if: needs.prepare-release.outputs.release_status == 'unreleased' container: image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform steps: - name: Download build artifacts uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: dist path: dist - name: ensure correct user run: chown -R root /__w/terraform-cdk - name: Release run: npx -p publib publib-maven env: MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }} MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} MAVEN_ENDPOINT: https://hashicorp.oss.sonatype.org MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSPHRASE }} MAVEN_STAGING_PROFILE_ID: ${{ secrets.MAVEN_STAGING_PROFILE_ID }} MAVEN_OPTS: "--add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED" # See https://stackoverflow.com/questions/70153962/nexus-staging-maven-plugin-maven-deploy-failed-an-api-incompatibility-was-enco release_nuget: name: Release to NuGet runs-on: ubuntu-latest needs: - prepare-release - integration_test - provider_integration_test - unit_test if: needs.prepare-release.outputs.release_status == 'unreleased' container: image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform steps: - name: Download dist uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: dist path: dist - name: ensure correct user run: chown -R root /__w/terraform-cdk - name: Release run: npx -p publib publib-nuget env: NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} release_golang: name: Release Go to Github Repo runs-on: ubuntu-latest needs: - prepare-release - integration_test - provider_integration_test - unit_test if: needs.prepare-release.outputs.release_status == 'unreleased' container: image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform steps: - name: Download dist uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: name: dist path: dist - name: ensure correct user run: chown -R root /__w/terraform-cdk - name: Release run: npx -p publib publib-golang env: GITHUB_TOKEN: ${{ secrets.TERRAFORM_CDK_GO_REPO_GITHUB_TOKEN }} GIT_USER_NAME: "CDK for Terraform Team" GIT_USER_EMAIL: "github-team-tf-cdk@hashicorp.com" release_sentry: name: Finalize the sentry release runs-on: ubuntu-latest needs: - prepare-release - integration_test - provider_integration_test - unit_test if: needs.prepare-release.outputs.release_status == 'unreleased' container: image: docker.mirror.hashicorp.services/hashicorp/jsii-terraform steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: version id: get_version run: | version=$(node -p "require('./package.json').version") echo "version=${version}" >> $GITHUB_OUTPUT - name: release status id: get_release_status run: | status=$(sentry-cli releases list | grep 'cdktf-cli-${{ steps.get_version.outputs.version }} ' | grep -q 'unreleased' && echo "unreleased" || echo "released") echo "Sentry returned: ${status}" echo "release=${status}" >> $GITHUB_OUTPUT env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} - name: Finalize the release if: steps.get_release_status.outputs.release == 'unreleased' run: sentry-cli releases finalize cdktf-cli-${{ steps.get_version.outputs.version }} env: SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_TOKEN }} report: name: Report status runs-on: ubuntu-latest if: ${{ failure() }} needs: - examples - integration_test - provider_integration_test - linting - prepare-release - release_github - release_golang - release_maven - release_npm - release_nuget - release_pypi - release_sentry - unit_test steps: - name: Send failures to Slack uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0 with: webhook: ${{ secrets.FAILURE_SLACK_WEBHOOK_URL }} webhook-type: webhook-trigger payload: | { "name": "main", "run_url": "https://github.com/hashicorp/terraform-cdk/actions/runs/${{ github.run_id }}" }