chore(release): Add release pipeline for TypeScript

Signed-off-by: Alexander Dahmen <alexander.dahmen@inovex.de>

Author: Fyusel

.github/workflows/release.yaml

@@ -8,26 +8,36 @@ on:
 permissions:
   contents: write
   id-token: write
+  packages: write
 
 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.PR_TOKEN }}
   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
-  NUGET_FEED_URL: https://api.nuget.org/v3/index.json
   PROVIDER: stackit
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
-  PYPI_USERNAME: "__token__"
-  PUBLISH_PYPI: true
-  PUBLISH_NPM: true
-  PUBLISH_NUGET: true
+  # TODO: change to true if ready to release
+  PUBLISH_NPM: false
+  #NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  #NUGET_FEED_URL: https://api.nuget.org/v3/index.json
+  #PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  #PYPI_PASSWORD: ${{ secrets.PYPI_PASSWORD }}
+  #PYPI_USERNAME: "__token__"
+  #PUBLISH_PYPI: true
+  #PUBLISH_NUGET: true
 jobs:
   publish_binary:
-    name: publish
+    name: Publish provider
     runs-on: ubuntu-latest
     steps:
+      # TODO: remove when this repo is made public
+      - name: Configure Git for Private Modules
+        run: |
+          git config --global url."https://oauth2:${{ secrets.PR_TOKEN }}@github.com".insteadOf "https://github.com"
+          # Sets GOPRIVATE and GONOSUMDB in order to use the git authetnication for go mod.
+          echo "GOPRIVATE=github.com/${{ github.repository }}/*,github.com/stackitcloud/*" >> $GITHUB_ENV
+          echo "GONOSUMDB=github.com/${{ github.repository }}/*,github.com/stackitcloud/*" >> $GITHUB_ENV
+      # TODO: remove end
       - name: Checkout Repo
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # tag=v4.2.2
       - name: Unshallow clone for tags
@@ -40,61 +50,44 @@ jobs:
         uses: ./.github/actions/gotools
         with:
           go-version: ${{ matrix.goversion }}
-      - name: Set PreRelease Version
-        run: echo "GORELEASER_CURRENT_TAG=v$(pulumictl get version --language generic)" >> $GITHUB_ENV
       - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
       - uses: anchore/sbom-action/download-syft@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # tag=v6.3.0
         with:
           args: -p 3 release --clean
           version: '~> v2'
-      - name: Create tag
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # tag=v8.0.0
-        with:
-          script: |
-            github.rest.git.createRef({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              ref: 'refs/tags/sdk/${{ github.ref_name }}',
-              sha: context.sha
-            })
     strategy:
       fail-fast: true
       matrix:
         goversion:
           - 1.24.x
   publish_sdk:
-    name: Publish SDKs
+    name: Publish SDKs to npm Registry, NuGet Gallery and Python Package Index
     runs-on: ubuntu-latest
     needs: publish_binary
     steps:
+      # TODO: remove when this repo is made public
+      - name: Configure Git for Private Modules
+        run: |
+          git config --global url."https://oauth2:${{ secrets.PR_TOKEN }}@github.com".insteadOf "https://github.com"
+          # Sets GOPRIVATE and GONOSUMDB in order to use the git authetnication for go mod.
+          echo "GOPRIVATE=github.com/${{ github.repository }}/*,github.com/stackitcloud/*" >> $GITHUB_ENV
+          echo "GONOSUMDB=github.com/${{ github.repository }}/*,github.com/stackitcloud/*" >> $GITHUB_ENV
+      # TODO: remove end
       - name: Checkout Repo
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # tag=v4.2.2
       - name: Unshallow clone for tags
         run: git fetch --prune --unshallow --tags
-      - name: Install pulumictl
-        uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # tag=v2.1.0
-        with:
-          repo: pulumi/pulumictl
-      - name: Install Pulumi CLI
-        uses: pulumi/action-install-pulumi-cli@b374ceb6168550de27c6eba92e01c1a774040e11 # tag=v2.0.0
       - name: Install Go Tools
         uses: ./.github/actions/gotools
         with:
           go-version: ${{ matrix.goversion }}
-      - name: Setup Node
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # tag=v6.0.0
-        with:
-          node-version: ${{matrix.nodeversion}}
-          registry-url: ${{env.NPM_REGISTRY_URL}}
-      - name: Setup DotNet
-        uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # tag=v5.0.0
+      - name: Install Pulumi Tools
+        uses: ./.github/actions/pulumitools
         with:
           dotnet-version: ${{matrix.dotnetverson}}
-      - name: Setup Python
-        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # tag=v6.0.0
-        with:
+          node-version: ${{matrix.nodeversion}}
           python-version: ${{matrix.pythonversion}}
       - name: Build SDK
         run: make build_${{ matrix.language }}
@@ -107,6 +100,9 @@ jobs:
               git diff
               exit 1
           fi
+      - if: ${{ matrix.language == 'nodejs' }}
+        name: Run type script unit tests
+        run: make test_ts
       - if: ${{ matrix.language == 'python' && env.PUBLISH_PYPI == 'true' }}
         name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # tag=v1.13.0
@@ -118,7 +114,8 @@ jobs:
         uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b # tag=v4.1.1
         with:
           access: "public"
-          token: ${{ env.NPM_TOKEN }}
+          # old way, we want to use Trusted publishers
+          # token: ${{ env.NPM_TOKEN }}
           package: ${{github.workspace}}/sdk/nodejs/bin/package.json
           provenance: true
       - if: ${{ matrix.language == 'dotnet' && env.PUBLISH_NUGET == 'true' }}

.goreleaser.yaml

@@ -27,15 +27,15 @@ signs:
   - cmd: cosign
     env:
       - COSIGN_EXPERIMENTAL=1
-    certificate: '${artifact}.pem'
+    signature: '${artifact}.sig'
     args:
       - sign-blob
       - '-y'
-      - '--output-certificate=${certificate}'
+      - '--verbose'
+      - "--output-signature=${signature}"
       - '--bundle=${signature}'
       - '${artifact}'
     artifacts: all
-    output: true
 
 sboms:
   - artifacts: archive

RELEASE.md

@@ -0,0 +1,23 @@
+# Release
+
+## Release cycle
+
+A release should be created at least every 2 weeks.
+
+## Release creation
+
+> [!IMPORTANT]
+> Consider informing / syncing with the team before creating a new release.
+
+1. Check out latest main branch on your machine
+2. Create the following git tags: 
+    - `git tag provider/pkg/version/vX.X.X`
+    - `git tag provider/shim/vX.X.X`
+    - `git tag vX.X.X`
+3. Push the git tag: `git push origin --tags`
+4. The [release pipeline](https://github.com/stackitcloud/pulumi-stackit/actions/workflows/release.yaml) will build the release and publish it on GitHub
+5. Ensure the release was created properly using the 
+    - [GitHub releases page](https://github.com/stackitcloud/pulumi-stackit/releases)
+    - [Pulumi registry](https://www.pulumi.com/registry/packages)
+6. Ensure the packages where properly published (e.g. to npm)
+    - [npm](https://www.npmjs.com/)

go.work.sum

@@ -523,9 +523,12 @@ golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053 h1:dHQOQddU4YHS5gY33/6klKjq7Gp3WwMyOXGNp5nzRj8=
 golang.org/x/telemetry v0.0.0-20250908211612-aef8a434d053/go.mod h1:+nZKN+XVh4LCiA9DV3ywrzN4gumyCnKjau3NGb9SGoE=
 golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 h1:LvzTn0GQhWuvKH/kVRS3R3bVAsdQWI7hvfLHGgh9+lU=
 golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
+golang.org/x/telemetry v0.0.0-20251111182119-bc8e575c7b54 h1:E2/AqCUMZGgd73TQkxUMcMla25GB9i/5HOdLr+uH7Vo=
+golang.org/x/telemetry v0.0.0-20251111182119-bc8e575c7b54/go.mod h1:hKdjCMrbv9skySur+Nek8Hd0uJ0GuxJIoIX2payrIdQ=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=