diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 830a10b..717aec3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -214,9 +214,6 @@ jobs: - go - java name: build_sdks - permissions: - pull-requests: write # For Renovate SDK updates. - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -258,7 +255,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
@@ -368,9 +365,6 @@ jobs: name: Tag release if labeled as needs-release needs: publish runs-on: ubuntu-latest - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -414,7 +408,7 @@ jobs: name: test permissions: contents: read - id-token: write # For ESC secrets and Pulumi access token OIDC. + id-token: write steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -456,7 +450,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
@@ -552,9 +546,6 @@ jobs: runs-on: ubuntu-latest needs: test name: publish - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
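Review bot: The removed job-level `permissions:` block in the `build_sdks` hunk (`@@ -214,9 +214,6 @@`) leaves the job without an explicit GITHUB_TOKEN scope, so it inherits a workflow-level block if one exists and otherwise the repository default, which is broader than the `contents: read` / `id-token: write` set being deleted; none of the hunks shown adds a workflow-level `permissions:`. The deleted `id-token: write # For ESC secrets.` is also the grant that lets the OIDC-authenticated ESC step obtain a token, so unless the workflow level already carries it the secret fetch will fail. The same removal is made for the tag-release and publish jobs in this file, for `publish_sdk` on the next line, and in prerelease.yml, release.yml and run-acceptance-tests.yml for `prerequisites`, `build_sdks`, `publish`, `publish_sdk(s)`, `publish_java_sdk` and `dispatch_docs_build`. Prefer keeping the explicit per-job grant, `permissions:` / `  contents: read` / `  id-token: write # For ESC secrets.`, rather than relying on the default. The `test` job hunk (`@@ -414,7 +408,7 @@`) keeps the grant but drops the comment explaining why it exists; keep `id-token: write # For ESC secrets and Pulumi access token OIDC.`.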
@@ -596,7 +587,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2
@@ -631,9 +622,6 @@ jobs: runs-on: ubuntu-latest needs: publish name: publish_sdk - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -681,7 +669,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Download python SDK
diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml
index b7c9fa8..ebeb263 100644
--- a/.github/workflows/community-moderation.yml
+++ b/.github/workflows/community-moderation.yml
@@ -8,7 +8,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - persist-credentials: false + persist-credentials: false + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@v1 - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
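Review bot: `uses: pulumi/esc-action@v1` in the community-moderation hunk references a mutable tag, while every other action in these workflows is pinned to a full commit SHA with a version comment (e.g. `actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`); the step that fetches the repository's secrets is the one most worth pinning, because whoever can move that tag controls code that runs with those secrets in scope. Pin it to the release commit, `uses: pulumi/esc-action@<commit-sha-of-v1-release> # v1.x.y` (placeholder — substitute the actual SHA and version). The same unpinned reference is added in pull-request.yml and run-acceptance-tests.yml. The step authenticates with `ESC_ACTION_OIDC_AUTH: "true"`, which needs `id-token: write` on the job; the job header is outside this hunk, so confirm that grant is present, given that this diff removes it from several other jobs.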
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
index 3db96bd..74276ce 100644
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -206,9 +206,6 @@ jobs: - go - java name: build_sdks - permissions: - pull-requests: write # For Renovate SDK updates. - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -250,7 +247,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
@@ -371,7 +368,7 @@ jobs: name: test permissions: contents: read - id-token: write # For ESC secrets and Pulumi access token OIDC. + id-token: write steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -413,7 +410,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
@@ -509,9 +506,6 @@ jobs: runs-on: ubuntu-latest needs: test name: publish - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -553,7 +547,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2
@@ -588,9 +582,6 @@ jobs: runs-on: ubuntu-latest needs: publish name: publish_sdk - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -638,7 +629,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Download python SDK
@@ -689,9 +680,6 @@ jobs: continue-on-error: true needs: publish name: publish_java_sdk - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index aead29c..06697de 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -3,6 +3,30 @@ name: pull-request on: pull_request_target: {} +env: + PROVIDER: docker-build + PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} + TRAVIS_OS_NAME: linux + PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. + GOVERSION: "1.21.x" + NODEVERSION: "20.x" + PYTHONVERSION: "3.11.8" + DOTNETVERSION: "8.0.x" + JAVAVERSION: "11" + ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e + ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 + ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 + AWS_REGION: us-west-2 + AZURE_LOCATION: westus + GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com + GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci + GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci + GOOGLE_PROJECT: pulumi-ci-gcp-provider + GOOGLE_PROJECT_NUMBER: "895284651812" + GOOGLE_REGION: us-central1 + GOOGLE_ZONE: us-central1-a + PULUMI_API: https://api.pulumi-staging.io jobs: comment-on-pr:
@@ -12,7 +36,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@v1 - name: Comment PR uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1863c02..4ae51fe 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
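Review bot: The new workflow-level `env:` block exports `NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}` into the process environment of every step of every job in a workflow triggered by `pull_request_target: {}`, which runs with base-repository secrets on pull requests from forks; the only job visible here, `comment-on-pr`, checks out the repository and posts a comment and has no visible use for a package-publishing key or for the ARM, AWS and GOOGLE identifiers. Trim the block to the values this workflow actually reads, and reference the publish key only on the step that needs it, so that no unrelated step has it in its environment. The added ESC step fetches further secrets over OIDC and needs `id-token: write` on the job; the job's `permissions:` is outside this hunk, so confirm it is set explicitly rather than inherited.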
@@ -34,9 +34,6 @@ jobs: prerequisites: runs-on: ubuntu-latest name: prerequisites - permissions: - id-token: write # For ESC secrets. - pull-requests: write # For schema check comment. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -209,9 +206,6 @@ jobs: - go - java name: build_sdks - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -253,7 +247,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
@@ -374,7 +368,7 @@ jobs: name: test permissions: contents: read - id-token: write # For ESC secrets. + id-token: write steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -416,7 +410,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
@@ -512,9 +506,6 @@ jobs: runs-on: ubuntu-latest needs: test name: publish - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -556,7 +547,7 @@ jobs: - name: Install Pulumi CLI uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0 - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1 + uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2
@@ -591,9 +582,6 @@ jobs: runs-on: ubuntu-latest needs: publish name: publish_sdks - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -641,7 +629,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Download python SDK
@@ -692,9 +680,6 @@ jobs: continue-on-error: true needs: publish name: publish_java_sdk - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -794,9 +779,6 @@ jobs: dispatch_docs_build: runs-on: ubuntu-latest needs: publish_go_sdk - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml
index e052eee..e44acb5 100644
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -35,7 +35,6 @@ env: PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} jobs: comment-notification: - if: github.event_name == 'repository_dispatch' runs-on: ubuntu-latest name: comment-notification steps:
@@ -44,7 +43,15 @@ jobs: with: lfs: true persist-credentials: false - ref: ${{ env.PR_COMMIT_SHA }} + ref: ${{ env.PR_COMMIT_SHA }} + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@v1 - name: Create URL to the run output id: vars run: echo
@@ -53,16 +60,14 @@ jobs: - name: Update with Result uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 with: - token: ${{ secrets.GITHUB_TOKEN }} + token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} issue-number: ${{ github.event.client_payload.github.payload.issue.number }} body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}" + if: github.event_name == 'repository_dispatch' prerequisites: runs-on: ubuntu-latest name: prerequisites - permissions: - id-token: write # For ESC secrets. - pull-requests: write # For schema check comment. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -239,9 +244,6 @@ jobs: - go - java name: build_sdks - permissions: - contents: read - id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
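Review bot: Moving `if: github.event_name == 'repository_dispatch'` from the `comment-notification` job (first hunk) to the final `Update with Result` step (third hunk) means the checkout, the ESC secret fetch and the run-URL step now execute on every event that triggers this workflow, not only `repository_dispatch`. On those other events `PR_COMMIT_SHA` (`${{ github.event.client_payload.pull_request.head.sha }}`) is empty, so `ref: ${{ env.PR_COMMIT_SHA }}` no longer pins the checkout, and `PULUMI_BOT_TOKEN` is pulled from ESC in a job that then does nothing with it. Restore the job-level condition, `comment-notification:` / `  if: github.event_name == 'repository_dispatch'`, and drop the step-level copy. Replacing `secrets.GITHUB_TOKEN` with `steps.esc-secrets.outputs.PULUMI_BOT_TOKEN` for the comment also swaps a job-scoped, auto-expiring token for a long-lived bot credential; if the comment target is this repository, the GITHUB_TOKEN with `pull-requests: write` (or `issues: write`) is the narrower choice.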
@@ -285,7 +287,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
@@ -452,7 +454,7 @@ jobs: with: dotnet-version: ${{ env.DOTNETVERSION }} - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
@@ -574,7 +576,6 @@ jobs: sha: ${{ github.event.pull_request.head.sha || github.sha }} permissions: statuses: write - id-token: write # For ESC secrets. if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs:
diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml
index 9feb8f8..17514f3 100644
--- a/.github/workflows/weekly-pulumi-update.yml
+++ b/.github/workflows/weekly-pulumi-update.yml
@@ -33,7 +33,6 @@ env: jobs: weekly-pulumi-update: runs-on: ubuntu-latest - permissions: write-all steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -68,7 +67,7 @@ jobs: node-version: ${{ env.NODEVERSION }} registry-url: https://registry.npmjs.org - name: Setup Python - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: ${{ env.PYTHONVERSION }} - name: Setup Java
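Review bot: The `@@ -574,7 +576,6 @@` hunk removes `id-token: write # For ESC secrets.` from a job that keeps an explicit `permissions:` block (`statuses: write`), so unlike the jobs whose whole block was deleted this one does not fall back to a default: its GITHUB_TOKEN can no longer request an OIDC token at all. If the job still runs a `pulumi/esc-action` step with `ESC_ACTION_OIDC_AUTH: "true"` (its steps are outside this hunk), that step will fail; either keep `id-token: write # For ESC secrets.` or confirm the ESC step was removed from this job as well. The job definition starts before and continues after the hunk.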
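Review bot: Dropping `permissions: write-all` from `weekly-pulumi-update` in the weekly-pulumi-update.yml hunk is the right direction, but with no replacement the job's GITHUB_TOKEN takes the repository default, which may be read-only (breaking whatever the job pushes or opens — its steps are outside this hunk) or all-write (no reduction at all). State the grant explicitly with the minimal scopes the job uses, for example `permissions:` / `  contents: write` / `  pull-requests: write` if it pushes a branch and opens a pull request (confirm against the steps), adding `id-token: write` only if the job fetches ESC secrets.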