Build/Push pulumi/actions container with new SDK releases (#2646)

* Build/Push pulumi/actions container with new SDK releases

* Address PR feedback

.gitignore

@@ -5,7 +5,6 @@
 **/.vscode/
 coverage.cov
 *.coverprofile
-**/dist
 
 /.idea/
 *.iml

dist/actions/Dockerfile

@@ -0,0 +1,30 @@
+ARG PULUMI_VERSION=latest
+FROM pulumi/pulumi:${PULUMI_VERSION}
+# Extend the base pulumi/pulumi container at a specific version. "latest"
+# will always correspond to the most recently released SDK.
+
+# Label things so it lights up in GitHub Actions!
+LABEL "com.github.actions.name"="Pulumi"
+LABEL "com.github.actions.description"="Deploy apps and infra to your favorite cloud!"
+LABEL "com.github.actions.icon"="cloud-lightning"
+LABEL "com.github.actions.color"="purple"
+
+# pulumi/actions contains documentation, examples. The actual container image is at
+# https://github.com/pulumi/pulumi.
+LABEL "repository"="https://github.com/pulumi/actions"
+LABEL "homepage"="http://pulumi.io/reference/gh-actions.html"
+
+# Install deps not already included in base container image.
+RUN apt-get update -y && \
+  apt-get install -y jq
+
+# Copy the entrypoint script.
+COPY ./entrypoint.sh /usr/bin/pulumi-action
+
+# The app directory should contain the Pulumi program and is the pwd for the CLI.
+WORKDIR /app
+VOLUME ["/app"]
+
+# This image uses a thin wrapper over the Pulumi CLI as its entrypoint. As a result, you may run commands
+# simply by running `docker run pulumi/pulumi up` to run the program mounted in the `/app` volume location.
+ENTRYPOINT ["/usr/bin/pulumi-action", "--non-interactive"]

dist/actions/entrypoint.sh

@@ -0,0 +1,109 @@
+#!/bin/bash
+# This is an entrypoint for our Docker image that does some minimal bootstrapping before executing.
+
+set -e
+
+# If the PULUMI_CI variable is set, we'll do some extra things to make common tasks easier.
+if [ ! -z "$PULUMI_CI" ]; then
+    # Capture the PWD before we go and potentially change it.
+    ROOT=$(pwd)
+
+    # If the root of the Pulumi project isn't the root of the repo, CD into it.
+    if [ ! -z "$PULUMI_ROOT" ]; then
+        cd $PULUMI_ROOT
+    fi
+
+    # Detect the CI system and configure variables so that we get good Pulumi workflow and GitHub App support.
+    if [ ! -z "$GITHUB_WORKFLOW" ]; then
+        export PULUMI_CI_SYSTEM="GitHub"
+        export PULUMI_CI_BUILD_ID=
+        export PULUMI_CI_BUILD_TYPE=
+        export PULUMI_CI_BUILD_URL=
+        export PULUMI_CI_PULL_REQUEST_SHA="$GITHUB_SHA"
+
+        # For PR events, we want to take the ref of the target branch, not the current. This ensures, for
+        # instance, that a PR for a topic branch merging into `master` will use the `master` branch as the
+        # target for a preview. Note that for push events, we of course want to use the actual branch.
+        if [ "$PULUMI_CI" = "pr" ]; then
+            # Not all PR events warrant running a preview. Many of them pertain to changes in assignments and
+            # ownership, but we only want to run the preview if the action is "opened", "edited", or "synchronize".
+            PR_ACTION=$(jq -r ".action" < $GITHUB_EVENT_PATH)
+            if [ "$PR_ACTION" != "opened" ] && [ "$PR_ACTION" != "edited" ] && [ "$PR_ACTION" != "synchronize" ]; then
+                echo -e "PR event ($PR_ACTION) contains no changes and does not warrant a Pulumi Preview"
+                echo -e "Skipping Pulumi action altogether..."
+                exit 0
+            fi
+
+            BRANCH=$(jq -r ".pull_request.base.ref" < $GITHUB_EVENT_PATH)
+        else
+            BRANCH="$GITHUB_REF"
+        fi
+        BRANCH=$(echo $BRANCH | sed "s/refs\/heads\///g")
+    fi
+
+    # Respect the branch mappings file for stack selection. Note that this is *not* required, but if the file
+    # is missing, the caller of this script will need to pass `-s <stack-name>` to specify the stack explicitly.
+    if [ ! -z "$BRANCH" ]; then
+        if [ -e $ROOT/.pulumi/ci.json ]; then
+            PULUMI_STACK_NAME=$(cat $ROOT/.pulumi/ci.json | jq -r ".\"$BRANCH\"")
+        else
+            # If there's no stack mapping file, we are on master, and there's a single stack, use it.
+            PULUMI_STACK_NAME=$(pulumi stack ls | awk 'FNR == 2 {print $1}' | sed 's/\*//g')
+        fi
+
+        if [ ! -z "$PULUMI_STACK_NAME" ] && [ "$PULUMI_STACK_NAME" != "null" ]; then
+            pulumi stack select $PULUMI_STACK_NAME
+        else
+            echo -e "No stack configured for branch '$BRANCH'"
+            echo -e ""
+            echo -e "To configure this branch, please"
+            echo -e "\t1) Run 'pulumi stack init <stack-name>'"
+            echo -e "\t2) Associated the stack with the branch by adding"
+            echo -e "\t\t{"
+            echo -e "\t\t\t\"$BRANCH\": \"<stack-name>\""
+            echo -e "\t\t}"
+            echo -e "\tto your .pulumi/ci.json file"
+            echo -e ""
+            echo -e "For now, exiting cleanly without doing anything..."
+            exit 0
+        fi
+    fi
+fi
+
+# For Google, we need to authenticate with a service principal for certain authentication operations.
+if [ ! -z "$GOOGLE_CREDENTIALS" ]; then
+    GCLOUD_KEYFILE="$(mktemp).json"
+    echo "$GOOGLE_CREDENTIALS" > $GCLOUD_KEYFILE
+    gcloud auth activate-service-account --key-file=$GCLOUD_KEYFILE
+fi
+
+# Next, lazily install packages if required.
+if [ -e package.json ] && [ ! -d node_modules ]; then
+    npm install
+fi
+
+# Now just pass along all arguments to the Pulumi CLI.
+OUTPUT=$(sh -c "pulumi --non-interactive $*" 2>&1)
+EXIT_CODE=$?
+
+echo "#### :tropical_drink: \`pulumi ${@:2}\`"
+echo "$OUTPUT"
+
+# If the GitHub action stems from a Pull Request event, we may optionally leave a comment if the
+# COMMENT_ON_PR is set.
+COMMENTS_URL=$(cat $GITHUB_EVENT_PATH | jq -r .pull_request.comments_url)
+if [ ! -z $COMMENTS_URL ] && [ ! -z $COMMENT_ON_PR ]; then
+    if [ -z $GITHUB_TOKEN ]; then
+        echo "ERROR: COMMENT_ON_PR was set, but GITHUB_TOKEN is not set."
+    else
+        COMMENT="#### :tropical_drink: \`pulumi ${@:2}\`
+\`\`\`
+$OUTPUT
+\`\`\`"
+        PAYLOAD=$(echo '{}' | jq --arg body "$COMMENT" '.body = $body')
+        echo "Commenting on PR $COMMENTS_URL"
+        curl -s -S -H "Authorization: token $GITHUB_TOKEN" -H "Content-Type: application/json" --data "$PAYLOAD" "$COMMENTS_URL"
+    fi
+fi
+
+exit $EXIT_CODE

dist/docker/Dockerfile

@@ -1,11 +1,8 @@
 FROM python:3.7-slim
+# TODO[pulumi/pulumi#1986]: consider switching to, or supporting, Alpine Linux for smaller image sizes.
 
-LABEL "com.github.actions.name"="Pulumi"
-LABEL "com.github.actions.description"="Deploy apps and infra to your favorite cloud!"
-LABEL "com.github.actions.icon"="cloud-lightning"
-LABEL "com.github.actions.color"="purple"
 LABEL "repository"="https://github.com/pulumi/pulumi"
-LABEL "homepage"="http://pulumi.io/reference/gh-actions.html"
+LABEL "homepage"="http://pulumi.io/"
 LABEL "maintainer"="Pulumi Team <team@pulumi.com>"
 
 # Install deps all in one step

scripts/build-and-publish-docker

@@ -30,10 +30,23 @@ if [[ "${CLI_VERSION}" == *-* ]]; then
     exit 0    
 fi
 
-echo "Building and publishing pulumi/pulumi:${CLI_VERSION}"
-docker build --build-arg PULUMI_VERSION="${CLI_VERSION}" -t "pulumi/pulumi:${CLI_VERSION}" -t "pulumi/pulumi:latest" "${SCRIPT_DIR}/../dist/docker"
-
 docker login -u "${DOCKER_HUB_USER}" -p "${DOCKER_HUB_PASSWORD}"
+
+echo "Building and publishing pulumi/pulumi:${CLI_VERSION}"
+docker build --build-arg PULUMI_VERSION="${CLI_VERSION}" \
+    -t "pulumi/pulumi:${CLI_VERSION}" \
+    -t "pulumi/pulumi:latest" \
+    "${SCRIPT_DIR}/../dist/docker"
 docker push "pulumi/pulumi:${CLI_VERSION}"
 docker push "pulumi/pulumi:latest"
+
+# Pulumi container optimized for GitHub Actions.
+echo "Building and publishing pulumi/actions:${CLI_VERSION}"
+docker build --build-arg PULUMI_VERSION="${CLI_VERSION}" \
+    -t "pulumi/actions:${CLI_VERSION}" \
+    -t "pulumi/actions:latest" \
+    "${SCRIPT_DIR}/../dist/actions"
+docker push "pulumi/actions:${CLI_VERSION}"
+docker push "pulumi/actions:latest"
+
 docker logout