Update GitHub Actions workflows.

.github/workflows/lint.yml

@@ -50,7 +50,7 @@ jobs:
       continue-on-error: true
       run: make prepare_local_workspace
     - name: golangci-lint
-      uses: golangci/golangci-lint-action@0adbc47a5910e47adb692df88187ec8c73c76778 # v6
+      uses: golangci/golangci-lint-action@818ec4d51a1feacefc42ff1b3ec25d4962690f39 # v6
       with:
         version: v1.60
         working-directory: provider

.github/workflows/run-acceptance-tests.yml

@@ -41,6 +41,7 @@ jobs:
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
     permissions:
+      contents: read
       pull-requests: write
     uses: ./.github/workflows/prerequisites.yml
     secrets: inherit

.golangci.yml

@@ -19,6 +19,8 @@ linters:
   - unused
   enable-all: false
 issues:
+  exclude-dirs:
+  - pkg/vendored
   exclude-files:
   - schema.go
   - pulumiManifest.go

Makefile

@@ -203,15 +203,6 @@ install_nodejs_sdk: .make/install_nodejs_sdk
 install_python_sdk:
 .PHONY: install_dotnet_sdk install_go_sdk install_java_sdk install_nodejs_sdk install_python_sdk
 
-# Install Pulumi plugins required for CODEGEN to resolve references
-install_plugins: .make/install_plugins
-.make/install_plugins: export PULUMI_HOME := $(WORKING_DIR)/.pulumi
-.make/install_plugins: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
-.make/install_plugins: .pulumi/bin/pulumi
-	.pulumi/bin/pulumi plugin install converter terraform 1.0.16
-	@touch $@
-.PHONY: install_plugins
-
 lint_provider: provider
 	cd provider && golangci-lint run --path-prefix provider -c ../.golangci.yml
 # `lint_provider.fix` is a utility target meant to be run manually
@@ -288,110 +279,13 @@ ci-mgmt: .ci-mgmt.yaml
 	go run github.com/pulumi/ci-mgmt/provider-ci@master generate
 .PHONY: ci-mgmt
 
-# Because some codegen depends on the version of the CLI used, we install a local CLI
-# version pinned to the same version as `provider/go.mod`.
-#
-# This logic compares the version of .pulumi/bin/pulumi already installed. If it matches
-# the desired version, we just print. Otherwise we (re)install pulumi at the desired
-# version.
-.pulumi/bin/pulumi: .pulumi/version
-	@if [ -x .pulumi/bin/pulumi ] && [ "v$$(cat .pulumi/version)" = "$$(.pulumi/bin/pulumi version)" ]; then \
-		echo "pulumi/bin/pulumi version: v$$(cat .pulumi/version)"; \
-		touch $@; \
-	else \
-		curl -fsSL https://get.pulumi.com | \
-			HOME=$(WORKING_DIR) sh -s -- --version "$$(cat .pulumi/version)"; \
-	fi
-
-# Compute the version of Pulumi to use by inspecting the Go dependencies of the provider.
-.pulumi/version: provider/go.mod
-	cd provider && go list -f "{{slice .Version 1}}" -m github.com/pulumi/pulumi/pkg/v3 | tee ../$@
-
 # Start debug server for tfgen
 debug_tfgen:
 	dlv  --listen=:2345 --headless=true --api-version=2  exec $(WORKING_DIR)/bin/$(CODEGEN) -- schema --out provider/cmd/$(PROVIDER)
 .PHONY: debug_tfgen
 
-# Provider cross-platform build & packaging
-
-# Set these variables to enable signing of the windows binary
-AZURE_SIGNING_CLIENT_ID ?=
-AZURE_SIGNING_CLIENT_SECRET ?=
-AZURE_SIGNING_TENANT_ID ?=
-AZURE_SIGNING_KEY_VAULT_URI ?=
-SKIP_SIGNING ?=
-
-# These targets assume that the schema-embed.json exists - it's generated by tfgen.
-# We disable CGO to ensure that the binary is statically linked.
-bin/linux-amd64/$(PROVIDER): GOOS := linux
-bin/linux-amd64/$(PROVIDER): GOARCH := amd64
-bin/linux-arm64/$(PROVIDER): GOOS := linux
-bin/linux-arm64/$(PROVIDER): GOARCH := arm64
-bin/darwin-amd64/$(PROVIDER): GOOS := darwin
-bin/darwin-amd64/$(PROVIDER): GOARCH := amd64
-bin/darwin-arm64/$(PROVIDER): GOOS := darwin
-bin/darwin-arm64/$(PROVIDER): GOARCH := arm64
-bin/windows-amd64/$(PROVIDER).exe: GOOS := windows
-bin/windows-amd64/$(PROVIDER).exe: GOARCH := amd64
-bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
-	$(call build_provider_cmd,$(GOOS),$(GOARCH),$(WORKING_DIR)/$@)
-
-	@# Only sign windows binary if fully configured.
-	@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
-	@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
-	@set -e; \
-	if [[ "${GOOS}-${GOARCH}" = "windows-amd64" && "${SKIP_SIGNING}" != "true" ]]; then \
-		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
-			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
-			echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
-			if [[ "${CI}" == "true" ]]; then exit 1; fi; \
-		else \
-			mv $@ [email protected]; \
-			az login --service-principal \
-				--username "${AZURE_SIGNING_CLIENT_ID}" \
-				--password "${AZURE_SIGNING_CLIENT_SECRET}" \
-				--tenant "${AZURE_SIGNING_TENANT_ID}" \
-				--output none; \
-			ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
-			java -jar bin/jsign-6.0.jar \
-				--storetype AZUREKEYVAULT \
-				--keystore "PulumiCodeSigning" \
-				--url "${AZURE_SIGNING_KEY_VAULT_URI}" \
-				--storepass "$${ACCESS_TOKEN}" \
-				[email protected]; \
-			mv [email protected] $@; \
-			az logout; \
-		fi; \
-	fi
-
-bin/jsign-6.0.jar:
-	wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar
-
-provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
-provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
-provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
-provider-darwin-arm64: bin/darwin-arm64/$(PROVIDER)
-provider-windows-amd64: bin/windows-amd64/$(PROVIDER).exe
-.PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64
-
-bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz: bin/linux-amd64/$(PROVIDER)
-bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz: bin/linux-arm64/$(PROVIDER)
-bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz: bin/darwin-amd64/$(PROVIDER)
-bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz: bin/darwin-arm64/$(PROVIDER)
-bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz: bin/windows-amd64/$(PROVIDER).exe
-bin/$(PROVIDER)-v$(PROVIDER_VERSION)-%.tar.gz:
-	@mkdir -p dist
-	@# $< is the last dependency (the binary path from above) e.g. bin/linux-amd64/pulumi-resource-xyz
-	@# $@ is the current target e.g. bin/pulumi-resource-xyz-v1.2.3-linux-amd64.tar.gz
-	tar --gzip -cf $@ README.md LICENSE -C $$(dirname $<) .
-
-provider_dist-linux-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz
-provider_dist-linux-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz
-provider_dist-darwin-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz
-provider_dist-darwin-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz
-provider_dist-windows-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz
-provider_dist: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64
-.PHONY: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64 provider_dist
+include scripts/plugins.mk
+include scripts/crossbuild.mk
 
 # Permit providers to extend the Makefile with provider-specific Make includes.
 include $(wildcard .mk/*.mk)

scripts/crossbuild.mk

@@ -0,0 +1,80 @@
+# Provider cross-platform build & packaging
+
+# Set these variables to enable signing of the windows binary
+AZURE_SIGNING_CLIENT_ID ?=
+AZURE_SIGNING_CLIENT_SECRET ?=
+AZURE_SIGNING_TENANT_ID ?=
+AZURE_SIGNING_KEY_VAULT_URI ?=
+SKIP_SIGNING ?=
+
+# These targets assume that the schema-embed.json exists - it's generated by tfgen.
+# We disable CGO to ensure that the binary is statically linked.
+bin/linux-amd64/$(PROVIDER): GOOS := linux
+bin/linux-amd64/$(PROVIDER): GOARCH := amd64
+bin/linux-arm64/$(PROVIDER): GOOS := linux
+bin/linux-arm64/$(PROVIDER): GOARCH := arm64
+bin/darwin-amd64/$(PROVIDER): GOOS := darwin
+bin/darwin-amd64/$(PROVIDER): GOARCH := amd64
+bin/darwin-arm64/$(PROVIDER): GOOS := darwin
+bin/darwin-arm64/$(PROVIDER): GOARCH := arm64
+bin/windows-amd64/$(PROVIDER).exe: GOOS := windows
+bin/windows-amd64/$(PROVIDER).exe: GOARCH := amd64
+bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
+	$(call build_provider_cmd,$(GOOS),$(GOARCH),$(WORKING_DIR)/$@)
+
+	@# Only sign windows binary if fully configured.
+	@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
+	@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
+	@set -e; \
+	if [[ "${GOOS}-${GOARCH}" = "windows-amd64" && "${SKIP_SIGNING}" != "true" ]]; then \
+		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
+			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
+			echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
+			if [[ "${CI}" == "true" ]]; then exit 1; fi; \
+		else \
+			mv $@ [email protected]; \
+			az login --service-principal \
+				--username "${AZURE_SIGNING_CLIENT_ID}" \
+				--password "${AZURE_SIGNING_CLIENT_SECRET}" \
+				--tenant "${AZURE_SIGNING_TENANT_ID}" \
+				--output none; \
+			ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
+			java -jar bin/jsign-6.0.jar \
+				--storetype AZUREKEYVAULT \
+				--keystore "PulumiCodeSigning" \
+				--url "${AZURE_SIGNING_KEY_VAULT_URI}" \
+				--storepass "$${ACCESS_TOKEN}" \
+				[email protected]; \
+			mv [email protected] $@; \
+			az logout; \
+		fi; \
+	fi
+
+bin/jsign-6.0.jar:
+	wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar
+
+provider-linux-amd64: bin/linux-amd64/$(PROVIDER)
+provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
+provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
+provider-darwin-arm64: bin/darwin-arm64/$(PROVIDER)
+provider-windows-amd64: bin/windows-amd64/$(PROVIDER).exe
+.PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64
+
+bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz: bin/linux-amd64/$(PROVIDER)
+bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz: bin/linux-arm64/$(PROVIDER)
+bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz: bin/darwin-amd64/$(PROVIDER)
+bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz: bin/darwin-arm64/$(PROVIDER)
+bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz: bin/windows-amd64/$(PROVIDER).exe
+bin/$(PROVIDER)-v$(PROVIDER_VERSION)-%.tar.gz:
+	@mkdir -p dist
+	@# $< is the last dependency (the binary path from above) e.g. bin/linux-amd64/pulumi-resource-xyz
+	@# $@ is the current target e.g. bin/pulumi-resource-xyz-v1.2.3-linux-amd64.tar.gz
+	tar --gzip -cf $@ README.md LICENSE -C $$(dirname $<) .
+
+provider_dist-linux-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz
+provider_dist-linux-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz
+provider_dist-darwin-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz
+provider_dist-darwin-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz
+provider_dist-windows-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz
+provider_dist: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64
+.PHONY: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64 provider_dist

scripts/plugins.mk

@@ -0,0 +1,27 @@
+# Install Pulumi and plugins required at build time.
+install_plugins: .make/install_plugins
+.make/install_plugins: export PULUMI_HOME := $(WORKING_DIR)/.pulumi
+.make/install_plugins: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
+.make/install_plugins: .pulumi/bin/pulumi
+	.pulumi/bin/pulumi plugin install converter terraform 1.0.16
+	@touch $@
+.PHONY: install_plugins
+
+# Because some codegen depends on the version of the CLI used, we install a local CLI
+# version pinned to the same version as the provider `go.mod`.
+#
+# This logic compares the version of .pulumi/bin/pulumi already installed. If it matches
+# the desired version, we just print. Otherwise we (re)install pulumi at the desired
+# version.
+.pulumi/bin/pulumi: .pulumi/version
+	@if [ -x .pulumi/bin/pulumi ] && [ "v$$(cat .pulumi/version)" = "$$(.pulumi/bin/pulumi version)" ]; then \
+		echo "pulumi/bin/pulumi version: v$$(cat .pulumi/version)"; \
+		touch $@; \
+	else \
+		curl -fsSL https://get.pulumi.com | \
+			HOME=$(WORKING_DIR) sh -s -- --version "$$(cat .pulumi/version)"; \
+	fi
+
+# Compute the version of Pulumi to use by inspecting the Go dependencies of the provider.
+.pulumi/version: provider/go.mod
+	(cd provider && go list -f "{{slice .Version 1}}" -m github.com/pulumi/pulumi/pkg/v3) | tee $@