Release Notes

v0.5.0 (2026-05-06)

Feature release exposing the project deploy key as a Pulumi output, plus Makefile portability improvements and CI enhancements.

New Features

Expose project deploy key as publicKey output

Project now exposes a publicKey output containing the SSH deploy key generated by Lagoon during project creation. This allows you to programmatically add the deploy key to your Git repository without needing the Lagoon CLI or UI — essential for fully automated infrastructure-as-code workflows.

project = lagoon.Project("my-project",
    lagoon.ProjectArgs(
        name="my-project",
        git_url="git@github.com:org/repo.git",
        deploytarget_id=1,
        production_environment="main",
        branches="main",
    )
)

# Use the deploy key output to configure the Git repository
pulumi.export("deploy_key", project.public_key)

Build and CI

  • Makefile portability: Fixed 14 sed commands for BSD/macOS compatibility
  • Pulumi CLI version pinning: SDK generation targets enforce the version pinned in .pulumiversion to prevent codegen drift
  • AI review for fork PRs: Switched to pull_request_target trigger so the review workflow runs on external contributor PRs
  • Schema change documentation: Added “Making Schema Changes” guidance to CONTRIBUTING.md and the PR template

Dependency Updates

  • golangci-lint v2.12.2
  • Pulumi GitHub Actions v7
  • npm dependency updates

v0.4.1 (2026-05-01)

Patch release fixing the provider replace cascade that caused every resource to be replaced on every pulumi up when config inputs were re-evaluated.

Bug Fixes

Fix provider replace cascade on config changes

The provider now implements DiffConfig to prevent unnecessary provider replacements when configuration values change. Previously, any change to jwtSecret, token, apiUrl, or other config fields triggered a provider replace, which cascaded into replacing every resource associated with the provider.

No provider config change requires a replace — changing credentials or the API URL only affects how the provider authenticates, not which resources it manages. The diff also normalizes whitespace so trailing newlines in secrets are not detected as changes. Empty jwtAudience and "api.dev" are treated as equivalent, matching the runtime default.

v0.4.0 (2026-05-01)

Feature release adding user resource management: full CRUD for Lagoon users, group role assignments, and platform role assignments.

New Resources

lagoon:lagoon:User — Full CRUD for Lagoon users via the GraphQL API. Uses email as the primary identifier. Supports optional firstName, lastName, and comment fields with in-place updates.

lagoon:lagoon:UserGroupAssignment — Assigns a user to a Lagoon group with a specific role (GUEST, REPORTER, DEVELOPER, MAINTAINER, or OWNER). Role changes are applied in-place via Lagoon’s upsert semantics.

lagoon:lagoon:UserPlatformRole — Assigns a platform-level role (OWNER or VIEWER) to a user. Both fields are force-new; changing either triggers a replace.

import pulumi
import pulumi_lagoon as lagoon

admin_user = lagoon.User("lagoonadmin",
    lagoon.UserArgs(
        email="admin@lagoon.example.com",
        first_name="Lagoon",
        last_name="Admin",
    )
)

lagoon.UserPlatformRole("lagoonadmin-platform-owner",
    lagoon.UserPlatformRoleArgs(
        user_email=admin_user.email,
        role="OWNER",
    )
)

team_group = lagoon.Group("mysite-team",
    lagoon.GroupArgs(name="project-mysite")
)

lagoon.UserGroupAssignment("lagoonadmin-team",
    lagoon.UserGroupAssignmentArgs(
        user_email=admin_user.email,
        group_name=team_group.name,
        role="MAINTAINER",
    )
)

Limitations in this release:

  • SSH key management is not included. Use the Lagoon UI/CLI or a pulumi-command resource.
  • Direct user-to-project role assignment is not supported. Grant project access through a group using UserGroupAssignment.

Bug Fixes

Fix JWT secret whitespace causing “invalid signature” — The provider now trims leading and trailing whitespace from jwtSecret, token, and jwtAudience values before use. Trailing newlines from shell pipelines would silently corrupt the HMAC signing key.

Debug logging for token generation — The provider logs debug messages during Configure showing whether a token was generated from a JWT secret or loaded from an environment variable. Visible with pulumi --logtostderr -v=9.

For the complete release history including v0.3.0 (.NET/C# SDK), v0.2.x (native Go provider, route resources, group resources), and v0.1.x (original Python dynamic provider), see RELEASE_NOTES.md on GitHub.