[internal] Update GitHub Actions workflow files

2025-09-11 05:38:43 +00:00
parent 0a2dd6e758
commit 84ee162712
7 changed files with 71 additions and 73 deletions
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -35,7 +35,6 @@ env:
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 jobs:
  comment-notification:
-    if: github.event_name == 'repository_dispatch'
    runs-on: ubuntu-latest
    name: comment-notification
    steps:
@@ -44,7 +43,15 @@ jobs:
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@v1
    - name: Create URL to the run output
      id: vars
      run: echo
@@ -53,16 +60,14 @@ jobs:
    - name: Update with Result
      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
+        token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
+    if: github.event_name == 'repository_dispatch'
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -239,9 +244,6 @@ jobs:
        - go
        - java
    name: build_sdks
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -285,7 +287,7 @@ jobs:
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
@@ -452,7 +454,7 @@ jobs:
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
@@ -574,7 +576,6 @@ jobs:
        sha: ${{ github.event.pull_request.head.sha || github.sha }}
    permissions:
      statuses: write
-      id-token: write # For ESC secrets.
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    needs: