From 0a2dd6e758139c5877a82d1322c5b0bb453c5c42 Mon Sep 17 00:00:00 2001 From: Bryce Lampe Date: Wed, 10 Sep 2025 14:19:45 -0700 Subject: [PATCH] Confirming ESC fixes (#599) Validating https://github.com/pulumi/ci-mgmt/pull/1705. --- .github/workflows/build.yml | 20 ++++++++++--- .github/workflows/community-moderation.yml | 10 +------ .github/workflows/prerelease.yml | 20 ++++++++++--- .github/workflows/pull-request.yml | 34 +--------------------- .github/workflows/release.yml | 26 ++++++++++++++--- .github/workflows/run-acceptance-tests.yml | 24 ++++----------- .github/workflows/weekly-pulumi-update.yml | 3 +- 7 files changed, 64 insertions(+), 73 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4bd2661..830a10b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -214,6 +214,9 @@ jobs: - go - java name: build_sdks + permissions: + pull-requests: write # For Renovate SDK updates. + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -246,7 +249,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -365,6 +368,9 @@ jobs: name: Tag release if labeled as needs-release needs: publish runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
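Review bot: The new `permissions` block on `build_sdks` (hunk `@@ -214,6 +214,9 @@`) lists `pull-requests: write` and `id-token: write` but no `contents` scope, and a job-level `permissions` block sets every scope it does not mention to `none`, so the job's token loses `contents: read` right before the `actions/checkout` step. The other jobs touched by this commit (`publish` and `publish_sdk` in this file, `build_sdks` in release.yml) spell out `contents: read`; a public repository may still check out without it, but that is a silent dependency on repository visibility rather than a stated grant. I would add `contents: read` as the first entry of the block so all four jobs agree. The same omission appears in the `build_sdks` hunk of prerelease.yml (`@@ -206,6 +206,9 @@`).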
@@ -408,7 +414,7 @@ jobs: name: test permissions: contents: read - id-token: write + id-token: write # For ESC secrets and Pulumi access token OIDC. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -441,7 +447,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -546,6 +552,9 @@ jobs: runs-on: ubuntu-latest needs: test name: publish + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -622,6 +631,9 @@ jobs: runs-on: ubuntu-latest needs: publish name: publish_sdk + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -660,7 +672,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml index ebeb263..b7c9fa8 100644 --- a/.github/workflows/community-moderation.yml +++ b/.github/workflows/community-moderation.yml 
@@ -8,15 +8,7 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - persist-credentials: false - - env: - ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} - ESC_ACTION_OIDC_AUTH: "true" - ESC_ACTION_OIDC_ORGANIZATION: pulumi - ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization - id: esc-secrets - name: Fetch secrets from ESC - uses: pulumi/esc-action@v1 + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 6e434a9..3db96bd 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -206,6 +206,9 @@ jobs: - go - java name: build_sdks + permissions: + pull-requests: write # For Renovate SDK updates. + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -238,7 +241,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -368,7 +371,7 @@ jobs: name: test permissions: contents: read - id-token: write + id-token: write # For ESC secrets and Pulumi access token OIDC. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
@@ -401,7 +404,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -506,6 +509,9 @@ jobs: runs-on: ubuntu-latest needs: test name: publish + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -582,6 +588,9 @@ jobs: runs-on: ubuntu-latest needs: publish name: publish_sdk + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -620,7 +629,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -680,6 +689,9 @@ jobs: continue-on-error: true needs: publish name: publish_java_sdk + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 06697de..aead29c 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml 
@@ -3,30 +3,6 @@ name: pull-request on: pull_request_target: {} -env: - PROVIDER: docker-build - PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - TRAVIS_OS_NAME: linux - PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. - GOVERSION: "1.21.x" - NODEVERSION: "20.x" - PYTHONVERSION: "3.11.8" - DOTNETVERSION: "8.0.x" - JAVAVERSION: "11" - ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e - ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 - ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 - AWS_REGION: us-west-2 - AZURE_LOCATION: westus - GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com - GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci - GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci - GOOGLE_PROJECT: pulumi-ci-gcp-provider - GOOGLE_PROJECT_NUMBER: "895284651812" - GOOGLE_REGION: us-central1 - GOOGLE_ZONE: us-central1-a - PULUMI_API: https://api.pulumi-staging.io jobs: comment-on-pr: @@ -36,15 +12,7 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - env: - ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} - ESC_ACTION_OIDC_AUTH: "true" - ESC_ACTION_OIDC_ORGANIZATION: pulumi - ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization - id: esc-secrets - name: Fetch secrets from ESC - uses: pulumi/esc-action@v1 + lfs: true - name: Comment PR uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ad6df7f..1863c02 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -34,6 +34,9 @@ jobs: prerequisites: runs-on: ubuntu-latest name: prerequisites + permissions: + id-token: write # For ESC secrets. + pull-requests: write # For schema check comment. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -206,6 +209,9 @@ jobs: - go - java name: build_sdks + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -238,7 +244,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -368,7 +374,7 @@ jobs: name: test permissions: contents: read - id-token: write + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -401,7 +407,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -506,6 +512,9 @@ jobs: runs-on: ubuntu-latest needs: test name: publish + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -582,6 +591,9 @@ jobs: runs-on: ubuntu-latest needs: publish name: publish_sdks + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 
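Review bot: The `permissions` block added to `prerequisites` (hunk `@@ -34,6 +34,9 @@`) grants `id-token: write` and `pull-requests: write` but omits `contents`, which a job-level block then sets to `none` even though the job checks out the repository on the next step. Every other job this commit touches in release.yml carries `contents: read`; adding `contents: read` here keeps the job's token readable by inspection instead of relying on the repository being public. The `prerequisites` job in run-acceptance-tests.yml (`@@ -63,16 +53,14 @@`) ends up in the same state, because the commit removes `contents: write` there rather than downgrading it to `contents: read` as it does for `build_sdks` in that file.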
@@ -620,7 +632,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -680,6 +692,9 @@ jobs: continue-on-error: true needs: publish name: publish_java_sdk + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -779,6 +794,9 @@ jobs: dispatch_docs_build: runs-on: ubuntu-latest needs: publish_go_sdk + permissions: + contents: read + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 4d46b67..e052eee 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml 
@@ -35,26 +35,16 @@ env: PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} jobs: comment-notification: + if: github.event_name == 'repository_dispatch' runs-on: ubuntu-latest name: comment-notification - permissions: - contents: write - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true persist-credentials: false - ref: ${{ env.PR_COMMIT_SHA }} - - env: - ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} - ESC_ACTION_OIDC_AUTH: "true" - ESC_ACTION_OIDC_ORGANIZATION: pulumi - ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization - id: esc-secrets - name: Fetch secrets from ESC - uses: pulumi/esc-action@v1 + ref: ${{ env.PR_COMMIT_SHA }} - name: Create URL to the run output id: vars run: echo @@ -63,16 +53,14 @@ jobs: - name: Update with Result uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: - token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} issue-number: ${{ github.event.client_payload.github.payload.issue.number }} body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}" - if: github.event_name == 'repository_dispatch' prerequisites: runs-on: ubuntu-latest name: prerequisites permissions: - contents: write id-token: write # For ESC secrets. pull-requests: write # For schema check comment. steps: @@ -252,7 +240,7 @@ jobs: - java name: build_sdks permissions: - contents: write + contents: read id-token: write # For ESC secrets. steps: - name: Checkout Repo 
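Review bot: Removing the job-level `permissions` block from `comment-notification` (hunk `@@ -35,26 +35,16 @@`) while switching the "Update with Result" step to `secrets.GITHUB_TOKEN` (hunk `@@ -63,16 +53,14 @@`) leaves the comment step dependent on the repository's default token permissions, which are not visible here; if that default is the restricted read-only setting, `create-or-update-comment` can no longer post. The previous `PULUMI_BOT_TOKEN` was presumably a broader credential, so this is also a functional change when `client_payload.github.payload.repository.full_name` names a repository other than the one running the workflow, since `GITHUB_TOKEN` is scoped to the current repository only. I would keep an explicit, minimal block on the job, `permissions:` / `  pull-requests: write` (or `issues: write`, whichever the commented-on target requires), so the grant is stated rather than inherited. Dropping `contents: write` and `id-token: write` from this job is the right direction, since nothing left in it fetches ESC secrets.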
@@ -288,7 +276,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org @@ -455,7 +443,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml index 1f4b4d5..9feb8f8 100644 --- a/.github/workflows/weekly-pulumi-update.yml +++ b/.github/workflows/weekly-pulumi-update.yml @@ -33,6 +33,7 @@ env: jobs: weekly-pulumi-update: runs-on: ubuntu-latest + permissions: write-all steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 @@ -62,7 +63,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Node - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org
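Review bot: `permissions: write-all` on `weekly-pulumi-update` (hunk `@@ -33,6 +33,7 @@` of weekly-pulumi-update.yml) hands the job's token every scope GitHub offers, including `packages`, `actions`, `id-token` and `contents`, which is the opposite of the least-privilege clean-up the rest of this commit performs, such as downgrading `build_sdks` to `contents: read` in run-acceptance-tests.yml. The job's steps are outside the hunk, so I cannot confirm the exact set, but a job that opens a dependency-update pull request normally needs no more than `contents: write` / `pull-requests: write`, plus `id-token: write` only if it fetches ESC secrets. I would enumerate those scopes with the same `# For ...` comments the other workflows use and drop `write-all`, confirming against the steps that follow.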