161 lines
6.9 KiB
Bash
Executable file
161 lines
6.9 KiB
Bash
Executable file
#!/bin/bash
|
|
# This is an entrypoint for our Docker image that does some minimal bootstrapping before executing.
|
|
|
|
set -e
|
|
|
|
# The default backend URL is the Pulumi Managed Service.
|
|
# To use one of the alternate supported backends, set the
|
|
# PULUMI_BACKEND_URL env var according to:
|
|
# https://www.pulumi.com/docs/intro/concepts/state/#to-a-self-managed-backend.
|
|
pulumi login $PULUMI_BACKEND_URL
|
|
|
|
# If the PULUMI_CI variable is set, we'll do some extra things to make common tasks easier.
|
|
if [ ! -z "$PULUMI_CI" ]; then
|
|
# Capture the PWD before we go and potentially change it.
|
|
ROOT=$(pwd)
|
|
|
|
# If the root of the Pulumi project isn't the root of the repo, CD into it.
|
|
if [ ! -z "$PULUMI_ROOT" ]; then
|
|
cd $PULUMI_ROOT
|
|
fi
|
|
|
|
# Detect the CI system and configure variables so that we get good Pulumi workflow and GitHub App support.
|
|
if [ ! -z "$GITHUB_WORKFLOW" ]; then
|
|
export PULUMI_CI_SYSTEM="GitHub"
|
|
export PULUMI_CI_BUILD_ID=
|
|
export PULUMI_CI_BUILD_TYPE=
|
|
export PULUMI_CI_BUILD_URL=
|
|
export PULUMI_CI_PULL_REQUEST_SHA="$GITHUB_SHA"
|
|
|
|
# For PR events, we want to take the ref of the target branch, not the current. This ensures, for
|
|
# instance, that a PR for a topic branch merging into `master` will use the `master` branch as the
|
|
# target for a preview. Note that for push events, we of course want to use the actual branch.
|
|
if [ "$PULUMI_CI" = "pr" ]; then
|
|
# Not all PR events warrant running a preview. Many of them pertain to changes in assignments and
|
|
# ownership, but we only want to run the preview if the action is "opened", "edited", or "synchronize".
|
|
PR_ACTION=$(jq -r ".action" < $GITHUB_EVENT_PATH)
|
|
if [ "$PR_ACTION" != "opened" ] && [ "$PR_ACTION" != "edited" ] && [ "$PR_ACTION" != "synchronize" ]; then
|
|
echo -e "PR event ($PR_ACTION) contains no changes and does not warrant a Pulumi Preview"
|
|
echo -e "Skipping Pulumi action altogether..."
|
|
exit 0
|
|
fi
|
|
|
|
BRANCH=$(jq -r ".pull_request.base.ref" < $GITHUB_EVENT_PATH)
|
|
else
|
|
BRANCH="$GITHUB_REF"
|
|
fi
|
|
BRANCH=$(echo $BRANCH | sed "s/refs\/heads\///g")
|
|
fi
|
|
|
|
# Respect the branch mappings file for stack selection. Note that this is *not* required, but if the file
|
|
# is missing, the caller of this script will need to pass `-s <stack-name>` to specify the stack explicitly.
|
|
if [ ! -z "$BRANCH" ]; then
|
|
if [ -z "$PULUMI_STACK_NAME" ]; then
|
|
if [ -e $ROOT/.pulumi/ci.json ]; then
|
|
PULUMI_STACK_NAME=$(cat $ROOT/.pulumi/ci.json | jq -r ".\"$BRANCH\"")
|
|
else
|
|
# If there's no stack mapping file, we are on master, and there's a single stack, use it.
|
|
PULUMI_STACK_NAME=$(pulumi stack ls | awk 'FNR == 2 {print $1}' | sed 's/\*//g')
|
|
fi
|
|
fi
|
|
|
|
if [ ! -z "$PULUMI_STACK_NAME" ] && [ "$PULUMI_STACK_NAME" != "null" ]; then
|
|
pulumi stack select $PULUMI_STACK_NAME
|
|
else
|
|
echo -e "No stack configured for branch '$BRANCH'"
|
|
echo -e ""
|
|
echo -e "To configure this branch, please"
|
|
echo -e "\t1) Run 'pulumi stack init <stack-name>'"
|
|
echo -e "\t2) Associated the stack with the branch by adding"
|
|
echo -e "\t\t{"
|
|
echo -e "\t\t\t\"$BRANCH\": \"<stack-name>\""
|
|
echo -e "\t\t}"
|
|
echo -e "\tto your .pulumi/ci.json file"
|
|
echo -e ""
|
|
echo -e "For now, exiting cleanly without doing anything..."
|
|
exit 0
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# For Google, we need to authenticate with a service principal for certain authentication operations.
|
|
if [ ! -z "$GOOGLE_CREDENTIALS" ]; then
|
|
export GOOGLE_APPLICATION_CREDENTIALS="$(mktemp).json"
|
|
# Check if GOOGLE_CREDENTIALS is base64 encoded
|
|
if [[ $GOOGLE_CREDENTIALS =~ ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$ ]]; then
|
|
echo "$GOOGLE_CREDENTIALS"|base64 -d > $GOOGLE_APPLICATION_CREDENTIALS
|
|
# unset for other gcloud commands using this variable.
|
|
unset GOOGLE_CREDENTIALS
|
|
else
|
|
echo "$GOOGLE_CREDENTIALS" > $GOOGLE_APPLICATION_CREDENTIALS
|
|
fi
|
|
gcloud auth activate-service-account --key-file=$GOOGLE_APPLICATION_CREDENTIALS
|
|
gcloud --quiet auth configure-docker $GOOGLE_DOCKER_HOSTNAME_LIST
|
|
fi
|
|
|
|
# Next, run npm install. We always call this, as
|
|
# previous calls (stack select, login, preview) will run the
|
|
# npm scripts that install plugins; plugin installation directory
|
|
# is outside of the persisted filesystem (GitHub Actions).
|
|
# So we need to run this everytime to ensure the plugins are
|
|
# always available. This shouldn't cause a performance hit,
|
|
# as the node_modules/lock file will be persisted across runs.
|
|
#
|
|
# Similarly, run yarn install as applicable for the same reasons.
|
|
if [ -e package.json ]; then
|
|
if [ -f yarn.lock ] || [ ! -z $USE_YARN ]; then
|
|
yarn install
|
|
else
|
|
# Set npm auth token if one is provided.
|
|
if [ ! -z "$NPM_AUTH_TOKEN" ]; then
|
|
echo "//registry.npmjs.org/:_authToken=$NPM_AUTH_TOKEN" > ~/.npmrc
|
|
fi
|
|
if [ -f package-lock.json ] || [ -f npm-shrinkwrap.json ]; then
|
|
npm ci
|
|
else
|
|
npm install
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
# If the user is running the Python SDK, we will need to install their requirements as well.
|
|
if [ -e requirements.txt ]; then
|
|
# Check if should use venv
|
|
PULUMI_VENV=$(cat Pulumi.yaml | grep "virtualenv:" | cut -d':' -f2)
|
|
if [ -z $PULUMI_VENV ]; then
|
|
pip3 install -r requirements.txt
|
|
else
|
|
python3 -m venv $PULUMI_VENV
|
|
$PULUMI_VENV/bin/python -m pip install --upgrade pip setuptools wheel
|
|
$PULUMI_VENV/bin/python -m pip install -r requirements.txt
|
|
fi
|
|
fi
|
|
|
|
# Now just pass along all arguments to the Pulumi CLI, sending the output to a file for
|
|
# later use. Note that we exit immediately on failure (under set -e), so we `tee` stdout, but
|
|
# allow errors to be surfaced in the Actions log.
|
|
PULUMI_COMMAND="pulumi $*"
|
|
OUTPUT_FILE=$(mktemp)
|
|
echo "#### :tropical_drink: \`$PULUMI_COMMAND\`"
|
|
bash -c "$PULUMI_COMMAND" | tee $OUTPUT_FILE
|
|
EXIT_CODE=${PIPESTATUS[0]}
|
|
|
|
# If the GitHub action stems from a Pull Request event, we may optionally leave a comment if the
|
|
# COMMENT_ON_PR is set.
|
|
COMMENTS_URL=$(cat $GITHUB_EVENT_PATH | jq -r .pull_request.comments_url)
|
|
if [ ! -z $COMMENTS_URL ] && [ ! -z $COMMENT_ON_PR ]; then
|
|
if [ -z $GITHUB_TOKEN ]; then
|
|
echo "ERROR: COMMENT_ON_PR was set, but GITHUB_TOKEN is not set."
|
|
else
|
|
COMMENT="#### :tropical_drink: \`$PULUMI_COMMAND\`
|
|
\`\`\`
|
|
$(cat $OUTPUT_FILE)
|
|
\`\`\`"
|
|
PAYLOAD=$(echo '{}' | jq --arg body "$COMMENT" '.body = $body')
|
|
echo "Commenting on PR $COMMENTS_URL"
|
|
curl -s -S -H "Authorization: token $GITHUB_TOKEN" -H "Content-Type: application/json" --data "$PAYLOAD" "$COMMENTS_URL"
|
|
fi
|
|
fi
|
|
|
|
exit $EXIT_CODE
|