[internal] Update GitHub Actions workflow files (#257)

.github/workflows/build_provider.yml

@@ -0,0 +1,76 @@
+name: "Build Provider"
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+
+jobs:
+  build_provider:
+    name: Build ${{ matrix.platform.os }}-${{ matrix.platform.arch }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        platform:
+          - os: linux
+            arch: amd64
+          - os: linux
+            arch: arm64
+          - os: darwin
+            arch: amd64
+          - os: darwin
+            arch: arm64
+          - os: windows
+            arch: amd64
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Setup tools
+        uses: ./.github/actions/setup-tools
+        with:
+          tools: pulumictl, go
+      - name: Prepare for build
+        shell: bash
+        # This installs plugins and prepares upstream
+        # We have to run tfgen in order to generate the cmd/pulumi-resource-xyz/schema_embed.json file.
+        run: make tfgen
+      - name: Calc provider path
+        id: provider_path
+        run: |
+          {
+            echo -n "PROVIDER_PATH="
+            echo "provider"
+          } >> "$GITHUB_OUTPUT"
+      - name: Calc ldflags
+        id: ldflags
+        run: |
+          {
+            echo -n "LDFLAGS="
+            echo -n "-X github.com/pulumi/pulumi-xyz/${{ steps.provider_path.outputs.PROVIDER_PATH }}/pkg/version.Version=v${{ inputs.version }}"
+            echo ""
+          } >> "$GITHUB_OUTPUT"
+      - name: Go build
+        shell: bash
+        working-directory: provider
+        env:
+          GOOS: ${{ matrix.platform.os }}
+          GOARCH: ${{ matrix.platform.arch }}
+          PARALLELISM: >-
+            -p 2
+        # YAML `>` will join consecutive lines with a space
+        run: go build ${{ env.PARALLELISM }} -o ${{ github.workspace }}/bin/${{ matrix.platform.os }}-${{ matrix.platform.arch }}/pulumi-resource-xyz -ldflags "${{ steps.ldflags.outputs.LDFLAGS }}" github.com/pulumi/pulumi-xyz/${{ steps.provider_path.outputs.PROVIDER_PATH }}/cmd/pulumi-resource-xyz
+      - name: Package provider binary
+        shell: bash
+        run: >
+          tar --gzip -cf bin/pulumi-resource-xyz-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
+          README.md LICENSE
+          -C bin/${{ matrix.platform.os }}-${{ matrix.platform.arch }} pulumi-resource-xyz
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: pulumi-resource-xyz-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
+          path: bin/pulumi-resource-xyz-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
+          retention-days: 30

.github/workflows/master.yml

@@ -28,6 +28,13 @@ jobs:
       is_pr: ${{ github.event_name == 'pull_request' }}
       is_automated: ${{ github.actor == 'dependabot[bot]' }}
 
+  build_provider:
+    uses: ./.github/workflows/build_provider.yml
+    needs: prerequisites
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+
   build_sdk:
     name: build_sdk
     needs: prerequisites
@@ -87,6 +94,7 @@ jobs:
     name: publish
     needs:
       - prerequisites
+      - build_provider
       - test
       - license_check
     uses: ./.github/workflows/publish.yml

.github/workflows/prerelease.yml

@@ -29,6 +29,13 @@ jobs:
       is_pr: ${{ github.event_name == 'pull_request' }}
       is_automated: ${{ github.actor == 'dependabot[bot]' }}
 
+  build_provider:
+    uses: ./.github/workflows/build_provider.yml
+    needs: prerequisites
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+
   build_sdk:
     name: build_sdk
     needs: prerequisites
@@ -50,6 +57,7 @@ jobs:
     name: publish
     needs:
       - prerequisites
+      - build_provider
       - test
       - license_check
     uses: ./.github/workflows/publish.yml

.github/workflows/publish.yml

@@ -59,7 +59,7 @@ jobs:
     - name: Setup tools
       uses: ./.github/actions/setup-tools
       with:
-        tools: pulumictl, pulumicli, go
+        tools: pulumictl, pulumicli, go, schema-tools
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@v4
       with:
@@ -70,25 +70,44 @@ jobs:
         role-external-id: upload-pulumi-release
         role-session-name: xyz@githubActions
         role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
-    - name: Run GoReleaser
+    - name: Create dist directory
+      run: mkdir -p dist
+    - name: Download provider assets
+      uses: actions/download-artifact@v4
+      with:
+        pattern: pulumi-resource-xyz-v${{ inputs.version }}-*
+        path: dist
+        # Don't create a directory for each artifact
+        merge-multiple: true
+    - name: Calculate checksums
+      working-directory: dist
+      run: shasum ./*.tar.gz > pulumi-xyz_${{ inputs.version }}_checksums.txt
+    - name: Get Schema Change Summary
+      id: schema-summary
+      shell: bash
+      run: |
+        # Get latest stable release. Return only first column from result (tag).
+        LAST_VERSION=$(gh release view --repo pulumi/pulumi-xyz --json tagName -q .tagName)
+        {
+          echo 'summary<<EOF'
+          schema-tools compare --provider="xyz" --old-commit="$LAST_VERSION" --new-commit="--local-path=provider/cmd/pulumi-resource-xyz/schema.json"
+          echo 'EOF'
+        } >> "$GITHUB_OUTPUT"
+    - name: Upload Provider Binaries
+      run: aws s3 cp dist s3://get.pulumi.com/releases/plugins/ --recursive
+    - name: Create GH Release
+      uses: softprops/action-gh-release@v1
       if: inputs.isPrerelease == false
-      uses: goreleaser/goreleaser-action@v5
-      env:
-        GORELEASER_CURRENT_TAG: v${{ inputs.version }}
-        PROVIDER_VERSION: ${{ inputs.version }}
       with:
-        args: -p 3 release --rm-dist --timeout 60m0s
-        version: latest
-    - name: Run GoReleaser (prerelease)
-      if: inputs.isPrerelease == true
-      uses: goreleaser/goreleaser-action@v5
+        tag_name: v${{ inputs.version }}
+        prerelease: ${{ inputs.isPrerelease }}
+        # We keep pre-releases as drafts so they're not visible until we manually publish them.
+        draft: ${{ inputs.isPrerelease }}
+        body: ${{ steps.schema-summary.outputs.summary }}
+        generate_release_notes: true
+        files: dist/*
       env:
-        GORELEASER_CURRENT_TAG: v${{ inputs.version }}
-        PROVIDER_VERSION: ${{ inputs.version }}
-      with:
-        args: -p 3 -f .goreleaser.prerelease.yml --rm-dist --skip-validate --timeout
-          60m0s
-        version: latest
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
 
   publish_sdk:
     name: publish_sdk

.github/workflows/release.yml

@@ -28,6 +28,13 @@ jobs:
       is_pr: ${{ github.event_name == 'pull_request' }}
       is_automated: ${{ github.actor == 'dependabot[bot]' }}
 
+  build_provider:
+    uses: ./.github/workflows/build_provider.yml
+    needs: prerequisites
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+
   build_sdk:
     name: build_sdk
     needs: prerequisites
@@ -49,6 +56,7 @@ jobs:
     name: publish
     needs:
       - prerequisites
+      - build_provider
       - test
       - license_check
     uses: ./.github/workflows/publish.yml

.github/workflows/run-acceptance-tests.yml

@@ -36,6 +36,13 @@ jobs:
       is_pr: ${{ github.event_name == 'pull_request' }}
       is_automated: ${{ github.actor == 'dependabot[bot]' }}
 
+  build_provider:
+    uses: ./.github/workflows/build_provider.yml
+    needs: prerequisites
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+
   build_sdk:
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository