From 1203c3b31f1e8cacccf7ef9e724f57a7df303281 Mon Sep 17 00:00:00 2001 From: Pulumi Bot <30351955+pulumi-bot@users.noreply.github.com> Date: Wed, 10 Sep 2025 18:11:45 +0200 Subject: [PATCH] Update GitHub Actions workflows. (#595) This PR was automatically generated by the update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt repo, from commit 4125efba3dbbc633190a388a9f8b0408d755089c. --- .github/actions/esc-action/index.js | 2 +- .github/workflows/build.yml | 114 +++++++++++++------- .github/workflows/command-dispatch.yml | 16 ++- .github/workflows/community-moderation.yml | 7 +- .github/workflows/export-repo-secrets.yml | 2 +- .github/workflows/prerelease.yml | 108 ++++++++++++------- .github/workflows/pull-request.yml | 14 ++- .github/workflows/release.yml | 117 ++++++++++++++------- .github/workflows/release_command.yml | 11 +- .github/workflows/run-acceptance-tests.yml | 63 ++++++++--- .github/workflows/weekly-pulumi-update.yml | 18 +++- 11 files changed, 334 insertions(+), 138 deletions(-) diff --git a/.github/actions/esc-action/index.js b/.github/actions/esc-action/index.js index bb9fbb4..2299fdc 100644 --- a/.github/actions/esc-action/index.js +++ b/.github/actions/esc-action/index.js @@ -5,7 +5,7 @@ var stream = fs.createWriteStream(file, { flags: "a" }); for (const [name, value] of Object.entries(process.env)) { try { - stream.write(`${name}=${value}\n`); + stream.write(`${name}<> "$GITHUB_ENV" env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' name: Comment on PR with Details of Schema Check uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 
@@ -162,7 +181,7 @@ jobs: # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" env: HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain @@ -177,10 +196,12 @@ jobs: path: ${{ github.workspace }}/bin/provider.tar.gz - name: Test Provider Library run: make test_provider + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload coverage reports to Codecov uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0 env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0 @@ -189,7 +210,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} build_sdks: needs: prerequisites runs-on: pulumi-ubuntu-8core @@ -208,6 +229,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 
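Review bot: In the `git push` line of the @@ -162 hunk the bot token is still spliced into the shell script text via `${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}`, so it ends up in the shell's argv and any `set -x` trace, even though the step already has an `env:` block it could use. Pass it through the environment instead: add `PULUMI_BOT_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}` under `env:` and push with `git push "https://pulumi-bot:${PULUMI_BOT_TOKEN}@github.com/${{ github.repository }}" "HEAD:$HEAD_REF"`. Log masking should still apply because the output value equals a registered secret, but that protects the log, not the command line. The same pattern recurs in the @@ -320 hunk below and in prerelease.yml/release.yml; the enclosing step starts before this hunk.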
@@ -225,14 +249,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python @@ -320,7 +344,7 @@ jobs: # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" env: HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain @@ -340,13 +364,20 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} tag_release_if_labeled_needs_release: name: Tag release if labeled as needs-release needs: publish runs-on: ubuntu-latest steps: + - name: Checkout Repo + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - name: check if this commit needs release if: ${{ env.RELEASE_BOT_ENDPOINT != '' }} uses: pulumi/action-release-by-pr-label@main 
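Review bot: The `tag_release_if_labeled_needs_release` job in the @@ -340 hunk now checks out the repository only so `./.github/actions/esc-action` can run, but the checkout keeps the default `persist-credentials: true`, leaving the job token in `.git/config` for the rest of the job; add `persist-credentials: false` (and `lfs: true` buys nothing here). The same hunk still invokes `pulumi/action-release-by-pr-label@main`, a mutable ref, while every other action touched by this diff, including `esc-export-secrets-action`, is pinned to a commit SHA; pin it the same way, e.g. `uses: pulumi/action-release-by-pr-label@<sha> # main`. The job's remaining inputs continue past the end of the hunk.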
@@ -354,10 +385,10 @@ jobs: command: "release-if-needed" repo: ${{ github.repository }} commit: ${{ github.sha }} - slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }} + slack_channel: C02MGR8JVST env: - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} + RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} test: @@ -383,6 +414,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -400,14 +434,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python @@ -502,7 +536,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} publish: runs-on: ubuntu-latest needs: test 
@@ -512,6 +546,9 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           lfs: true
+      - id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: ./.github/actions/esc-action
       - id: version
         name: Set Provider Version
         uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -538,27 +575,27 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }} role-duration-seconds: 7200 role-session-name: ${{ env.PROVIDER }}@githubActions role-external-id: upload-pulumi-release - role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} + role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }} - name: Run GoReleaser uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 env: GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }} - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} - AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} - AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} - AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} - AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} - SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} + AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ 
steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} with: args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s version: latest @@ -570,7 +607,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} publish_sdk: runs-on: ubuntu-latest needs: publish @@ -580,6 +617,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -603,14 +643,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python 
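Review bot: `SKIP_SIGNING` on the GoReleaser step is now computed from four `steps.esc-secrets.outputs.AZURE_SIGNING_*` values being empty, so any failure of the esc-action to populate them (key missing from the ESC environment, a renamed variable, the step skipped) silently produces an unsigned release instead of a failed one. That risk existed with `secrets.*` too, but the extra indirection adds failure modes, and nothing in the hunk distinguishes "signing deliberately disabled" from "credentials lost". Add a guard before GoReleaser for the events that actually publish, e.g. `- name: Require signing credentials` / `if: github.event_name == 'push' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == ''` / `run: echo '::error::Azure signing credentials not available' && exit 1`, and keep the `SKIP_SIGNING` fallback for forks only. The same block appears in prerelease.yml below.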
@@ -646,16 +686,16 @@ jobs: - name: Publish SDKs run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }} env: - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }} + NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }} PYPI_PUBLISH_ARTIFACTS: all PYPI_USERNAME: __token__ - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }} + SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }} + SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }} + SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }} + PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }} + PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }} - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0 @@ -664,7 +704,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} lint: runs-on: ubuntu-latest steps: diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index af8e320..5c563c4 100644 --- a/.github/workflows/command-dispatch.yml +++ b/.github/workflows/command-dispatch.yml 
@@ -5,8 +5,11 @@ env: ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 + AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} + AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} AWS_REGION: us-west-2 AZURE_LOCATION: westus + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }} DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com @@ -17,6 +20,12 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} + S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + jobs: command-dispatch-for-testing: name: command-dispatch-for-testing @@ -25,7 +34,10 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - persist-credentials: false + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4 with: commands: | @@ -35,7 +47,7 @@ jobs: permission: write reaction-token: ${{ secrets.GITHUB_TOKEN }} repository: pulumi/pulumi-docker-build - token: ${{ secrets.PULUMI_BOT_TOKEN }} + token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} name: command-dispatch on: issue_comment: diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml index 7eece29..144cb89 100644 --- a/.github/workflows/community-moderation.yml 
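Review bot: The workflow-level `env:` of command-dispatch.yml now also carries `PULUMI_BOT_TOKEN`, `RELEASE_BOT_KEY`, `AWS_CORP_S3_UPLOAD_*`, `S3_COVERAGE_BUCKET_NAME` and `SLACK_WEBHOOK_URL`, and the only consumer visible in the hunks is the esc-action step that maps the process environment to outputs so that `token:` can read `steps.esc-secrets.outputs.PULUMI_BOT_TOKEN`. The `on: issue_comment` trigger shown in the context runs with repository secrets on any comment, so a workflow-level env makes every one of these credentials readable by every step in the job, including `slash-command-dispatch`, rather than only by the step that needs the bot token. Scope them down: put `PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}` in the esc-secrets step's own `env:` (or keep `token: ${{ secrets.PULUMI_BOT_TOKEN }}` as before) and drop the entries nothing here uses.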
+++ b/.github/workflows/community-moderation.yml @@ -1,7 +1,5 @@ # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt -env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} jobs: warn_codegen: name: warn_codegen @@ -10,7 +8,10 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - persist-credentials: false + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 diff --git a/.github/workflows/export-repo-secrets.yml b/.github/workflows/export-repo-secrets.yml index 040683b..0039709 100644 --- a/.github/workflows/export-repo-secrets.yml +++ b/.github/workflows/export-repo-secrets.yml @@ -13,7 +13,7 @@ jobs: app-id: 1256780 # Export Secrets GitHub App private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }} - name: Export secrets to ESC - uses: pulumi/esc-export-secrets-action@v1 + uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1 with: organization: pulumi org-environment: imports/github-secrets diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index db79cfd..4036805 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml 
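Review bot: In community-moderation.yml the @@ -1 hunk removes the workflow-level `GITHUB_TOKEN` env while the @@ -10 hunk adds a "Map environment to ESC outputs" step whose outputs are not consumed by anything visible; with no secret left in the environment the step has nothing to map, so it looks vestigial, and any later step outside the hunk that read `$GITHUB_TOKEN` from env now sees an empty value. Either drop the esc-secrets step here or attach the token to the step that needs it, e.g. `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the `schema_changed` filter step, and confirm `dorny/paths-filter` still authenticates (it falls back to `github.token` by default, which I cannot verify from the hunk). The export-repo-secrets.yml change pinning `pulumi/esc-export-secrets-action` to a commit SHA is the right direction; keep the `# v1` comment current when the pin moves.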
@@ -19,8 +19,12 @@ env: ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_REGION: us-west-2 + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_UPLOAD_ROLE_ARN: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} AZURE_LOCATION: westus + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }} DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com @@ -30,8 +34,20 @@ env: GOOGLE_PROJECT_NUMBER: "895284651812" GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a + JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} + JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} + JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_API: https://api.pulumi-staging.io + PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} + RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} IS_PRERELEASE: true + jobs: prerequisites: runs-on: ubuntu-latest @@ -41,6 +57,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 
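Review bot: The @@ -19 and @@ -30 hunks place every publishing credential and signing key — `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, `NPM_TOKEN`, `PYPI_API_TOKEN`, `NUGET_PUBLISH_KEY`, `JAVA_SIGNING_KEY`, `OSSRH_PASSWORD`, `PULUMI_BOT_TOKEN`, `RELEASE_BOT_KEY` — in the workflow-level `env:` of prerelease.yml, so they are in the process environment of every job and step (prerequisites, build_sdks, test, including third-party actions and `make test_provider`), whereas before they were referenced only by the publish steps via `secrets.*`. That is a least-privilege regression introduced solely so the esc-action can copy `process.env` into step outputs. Move these entries to a job-level `env:` on `publish`, `publish_sdk` and `publish_java_sdk` (or have the action authenticate to ESC directly rather than read the environment), and consider replacing the static AWS keys with an OIDC `role-to-assume` since `aws-actions/configure-aws-credentials` already assumes a role. The same env block is added to release.yml further down.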
@@ -58,7 +77,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 @@ -79,7 +98,7 @@ jobs: echo 'EOF'; } >> "$GITHUB_ENV" env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' name: Comment on PR with Details of Schema Check uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 @@ -154,7 +173,7 @@ jobs: # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" env: HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain @@ -169,10 +188,12 @@ jobs: path: ${{ github.workspace }}/bin/provider.tar.gz - name: Test Provider Library run: make test_provider + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload coverage reports to Codecov uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0 env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0 
@@ -181,7 +202,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} build_sdks: needs: prerequisites runs-on: pulumi-ubuntu-8core @@ -200,6 +221,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -217,14 +241,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python @@ -312,7 +336,7 @@ jobs: # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" env: HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain @@ -331,7 +355,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} test: runs-on: pulumi-ubuntu-8core needs: 
@@ -355,6 +379,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -372,14 +399,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python @@ -474,7 +501,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} publish: runs-on: ubuntu-latest needs: test @@ -484,6 +511,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 
@@ -510,27 +540,27 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }} role-duration-seconds: 7200 role-session-name: ${{ env.PROVIDER }}@githubActions role-external-id: upload-pulumi-release - role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} + role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }} - name: Run GoReleaser uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 env: GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }} - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} - AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} - AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} - AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} - AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} - SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} + AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ 
steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} with: args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s version: latest @@ -542,7 +572,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} publish_sdk: runs-on: ubuntu-latest needs: publish @@ -552,6 +582,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -575,14 +608,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python 
@@ -618,11 +651,11 @@ jobs: - name: Publish SDKs run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }} env: - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }} + NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }} PYPI_PUBLISH_ARTIFACTS: all PYPI_USERNAME: __token__ - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} + PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0 @@ -631,7 +664,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} publish_java_sdk: runs-on: ubuntu-latest continue-on-error: true @@ -641,7 +674,10 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true + lfs: true + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -659,7 +695,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Java uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0 with: 
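Review bot: In the @@ -641 hunk the `publish_java_sdk` job names its esc-secrets step "Map environment to ESC outputs", while every other job in this file names the identical step "Fetch secrets from ESC"; the latter is also inaccurate, since index.js only iterates `process.env` and fetches nothing. Use one truthful name throughout, e.g. `name: Map environment to ESC outputs`, so run logs do not suggest a remote secret fetch that does not happen. Note the job also carries `continue-on-error: true` (context line), so a failed signed publish to Sonatype will not fail the workflow — worth confirming that is intended now that the signing inputs come through an extra indirection.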
@@ -686,11 +722,11 @@ jobs: run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository env: PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} + SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }} + SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }} + SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }} + PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }} + PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }} publish_go_sdk: runs-on: ubuntu-latest name: publish-go-sdk diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index a298924..1575216 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -18,8 +18,11 @@ env: ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 + AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} + AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} AWS_REGION: us-west-2 AZURE_LOCATION: westus + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }} DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com 
@@ -30,6 +33,12 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} + S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + jobs: comment-on-pr: runs-on: ubuntu-latest @@ -38,7 +47,10 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true + lfs: true + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - name: Comment PR uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 587dd0f..eb7e510 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,8 +20,12 @@ env: ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_REGION: us-west-2 + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + AWS_UPLOAD_ROLE_ARN: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} AZURE_LOCATION: westus + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }} DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com 
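Review bot: The @@ -30 hunk adds `PULUMI_BOT_TOKEN`, `RELEASE_BOT_KEY`, `RELEASE_BOT_ENDPOINT` and `AWS_CORP_S3_UPLOAD_*` to the workflow-level `env:` of pull-request.yml, and the @@ -38 hunk's `comment-on-pr` job only needs a token for `actions-comment-pull-request`. The trigger is outside the hunk, but a job that comments on pull requests is typically run on `pull_request_target`, i.e. with secrets on PRs from forks; in that case a workflow-level env makes all of these credentials reachable from any step, not just the commenting one. Keep only what the comment step needs, as a step-level `env:`, and set `persist-credentials: false` on the checkout since the job only runs the local esc-action. The same concern applies to release.yml's @@ -20 hunk, which repeats the prerelease.yml env block.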
@@ -31,7 +35,19 @@ env: GOOGLE_PROJECT_NUMBER: "895284651812" GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a + JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} + JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} + JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} + OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_API: https://api.pulumi-staging.io + PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} + RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} + jobs: prerequisites: runs-on: ubuntu-latest @@ -41,6 +57,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -58,7 +77,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 @@ -79,7 +98,7 @@ jobs: echo 'EOF'; } >> "$GITHUB_ENV" env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' name: Comment on PR with Details of Schema Check uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 
@@ -154,7 +173,7 @@ jobs: # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" env: HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain @@ -169,10 +188,12 @@ jobs: path: ${{ github.workspace }}/bin/provider.tar.gz - name: Test Provider Library run: make test_provider + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload coverage reports to Codecov uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0 env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0 @@ -181,7 +202,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} build_sdks: needs: prerequisites runs-on: pulumi-ubuntu-8core @@ -200,6 +221,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 
@@ -217,14 +241,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python @@ -312,7 +336,7 @@ jobs: # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" env: HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain @@ -331,7 +355,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} test: runs-on: pulumi-ubuntu-8core needs: @@ -355,6 +379,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 
@@ -372,14 +399,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python @@ -474,7 +501,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} publish: runs-on: ubuntu-latest needs: test @@ -484,6 +511,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 
@@ -510,27 +540,27 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }} role-duration-seconds: 7200 role-session-name: ${{ env.PROVIDER }}@githubActions role-external-id: upload-pulumi-release - role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} + role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }} - name: Run GoReleaser uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 env: GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }} - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} - AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} - AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} - AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} - AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} - SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }} + AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }} + SKIP_SIGNING: ${{ 
steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} with: args: -p 3 release --clean --timeout 60m0s version: latest @@ -542,7 +572,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} publish_sdk: runs-on: ubuntu-latest needs: publish @@ -552,6 +582,9 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -575,14 +608,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python 
@@ -618,11 +651,11 @@ jobs: - name: Publish SDKs run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }} env: - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }} + NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }} PYPI_PUBLISH_ARTIFACTS: all PYPI_USERNAME: __token__ - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} + PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0 @@ -631,7 +664,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} publish_java_sdk: runs-on: ubuntu-latest continue-on-error: true @@ -641,7 +674,10 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true + lfs: true + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -659,7 +695,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Java uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0 with: 
@@ -686,11 +722,11 @@ jobs: run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository env: PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} + SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }} + SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }} + SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }} + PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }} + PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }} publish_go_sdk: runs-on: ubuntu-latest name: publish-go-sdk @@ -729,6 +765,13 @@ jobs: runs-on: ubuntu-latest needs: publish_go_sdk steps: + - name: Checkout Repo + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + lfs: true + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - name: Install pulumictl uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 with: @@ -737,5 +780,5 @@ jobs: run: pulumictl create docs-build pulumi-${{ env.PROVIDER }} "${GITHUB_REF#refs/tags/}" env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} name: dispatch_docs_build diff --git a/.github/workflows/release_command.yml b/.github/workflows/release_command.yml index 5c4413d..aab7724 100644 --- a/.github/workflows/release_command.yml +++ b/.github/workflows/release_command.yml 
@@ -13,7 +13,10 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - persist-credentials: false + persist-credentials: false + - id: esc-secrets + name: Map environment to ESC outputs + uses: ./.github/actions/esc-action - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: @@ -21,10 +24,10 @@ jobs: repo: ${{ github.repository }} pr: ${{ github.event.client_payload.pull_request.number }} version: ${{ github.event.client_payload.slash_command.args.all }} - slack_channel: ${{ secrets.RELEASE_OPS_STAGING_SLACK_CHANNEL }} + slack_channel: ${{ steps.esc-secrets.outputs.RELEASE_OPS_STAGING_SLACK_CHANNEL }} env: - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} + RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: failure() name: Notify failure diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 03d47b8..6ad7c24 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -23,8 +23,11 @@ env: ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 + AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} + AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} AWS_REGION: us-west-2 AZURE_LOCATION: westus + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }} DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com 
@@ -35,12 +38,26 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} + S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} jobs: comment-notification: runs-on: ubuntu-latest name: comment-notification steps: + - name: Checkout Repo + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + lfs: true + persist-credentials: false + ref: ${{ env.PR_COMMIT_SHA }} + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - name: Create URL to the run output id: vars run: echo @@ -49,7 +66,7 @@ jobs: - name: Update with Result uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: - token: ${{ secrets.PULUMI_BOT_TOKEN }} + token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} issue-number: ${{ github.event.client_payload.github.payload.issue.number }} body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}" @@ -64,6 +81,9 @@ jobs: lfs: true persist-credentials: false ref: ${{ env.PR_COMMIT_SHA }} + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 
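Review bot: The added `comment-notification` steps check out `ref: ${{ env.PR_COMMIT_SHA }}` and then run `uses: ./.github/actions/esc-action` from that checkout, so the action code that reads and re-exports the job environment comes from the PR head commit rather than from a trusted ref, while the same hunk adds `PULUMI_BOT_TOKEN`, `RELEASE_BOT_KEY`, `S3_COVERAGE_BUCKET_NAME` and `SLACK_WEBHOOK_URL` to the workflow-level env that job inherits. The workflow already ran PR code with cloud credentials in its build jobs, so this extends an existing trust assumption rather than creating one, but approving a dispatch for a fork PR now also approves whatever that PR's `.github/actions/esc-action` does with those additional values; the `sentinel` hunk later in this file has the same shape. `persist-credentials: false` is correctly kept; the remaining fix is to load the action from a trusted ref — check out the base branch's copy into a separate `path:` and reference it from there, or use the remote form `uses: <owner>/<repo>/.github/actions/esc-action@<pinned-sha>` — and keep the PR-head checkout only for steps that build or test the PR. If fork PRs can never reach the dispatch path, a one-line comment to that effect above `Checkout Repo` would spare the next reader this analysis.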
@@ -81,7 +101,7 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 @@ -102,7 +122,7 @@ jobs: echo 'EOF'; } >> "$GITHUB_ENV" env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]' name: Comment on PR with Details of Schema Check uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 @@ -177,7 +197,7 @@ jobs: # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" env: HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain @@ -192,10 +212,12 @@ jobs: path: ${{ github.workspace }}/bin/provider.tar.gz - name: Test Provider Library run: make test_provider + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload coverage reports to Codecov uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0 env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0 
@@ -204,7 +226,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository build_sdks: @@ -227,6 +249,9 @@ jobs: lfs: true persist-credentials: false ref: ${{ env.PR_COMMIT_SHA }} + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -244,14 +269,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python @@ -338,7 +363,7 @@ jobs: # workflow. https://github.com/orgs/community/discussions/25702 - git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" + git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" env: HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain 
@@ -358,7 +383,7 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository test: @@ -386,6 +411,9 @@ jobs: lfs: true persist-credentials: false ref: ${{ env.PR_COMMIT_SHA }} + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -403,14 +431,14 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup Node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python 
@@ -505,13 +533,22 @@ jobs: fields: repo,commit,author,action status: ${{ job.status }} env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }} if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository sentinel: runs-on: ubuntu-latest name: sentinel steps: + - name: Checkout Repo + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + lfs: true + persist-credentials: false + ref: ${{ env.PR_COMMIT_SHA }} + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - name: Mark workflow as successful uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13 with: diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml index 2a89a21..b37976b 100644 --- a/.github/workflows/weekly-pulumi-update.yml +++ b/.github/workflows/weekly-pulumi-update.yml @@ -20,8 +20,11 @@ env: ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 + AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} + AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} AWS_REGION: us-west-2 AZURE_LOCATION: westus + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }} DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com 
@@ -32,10 +35,19 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} + RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} + S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + jobs: weekly-pulumi-update: runs-on: ubuntu-latest steps: + - id: esc-secrets + name: Fetch secrets from ESC + uses: ./.github/actions/esc-action - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: @@ -50,9 +62,9 @@ jobs: with: repo: pulumi/pulumictl - name: Install Pulumi CLI - uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0 + uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Setup DotNet - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 + uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Node @@ -132,5 +144,5 @@ jobs: gh pr create -t "$msg" -b "$msg" --head "$(git branch --show-current)" env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} name: weekly-pulumi-update
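Review bot: The new `esc-secrets` step is inserted ahead of `Checkout Repo`, but `uses: ./.github/actions/esc-action` is a repository-local action that the runner resolves from the checked-out workspace, so on a fresh `ubuntu-latest` runner this job should fail at its first step. Every other job in this change places the step after its checkout, and release.yml's `dispatch_docs_build` and run-acceptance-tests.yml's `comment-notification` even add a checkout for that purpose, so this reads as an ordering slip in the generator. Move the three added lines `- id: esc-secrets` / `name: Fetch secrets from ESC` / `uses: ./.github/actions/esc-action` to directly after the existing `Checkout Repo` step's `with:` block; the `GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}` consumer in the last hunk needs no change.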