diff --git a/.github/workflows/export-repo-secrets.yml b/.github/workflows/export-repo-secrets.yml new file mode 100644 index 0000000..e5df48d --- /dev/null +++ b/.github/workflows/export-repo-secrets.yml @@ -0,0 +1,25 @@ +permissions: write-all # Equivalent to default permissions plus id-token: write +name: Export secrets to ESC +on: [workflow_dispatch] +jobs: + export-to-esc: + runs-on: ubuntu-latest + name: export GitHub secrets to ESC + steps: + - name: Generate a GitHub token + id: generate-token + uses: actions/create-github-app-token@v1 + with: + app-id: 1256780 # Export Secrets GitHub App + private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }} + - name: Export secrets to ESC + uses: pulumi/esc-export-secrets-action@v1 + with: + organization: pulumi + org-environment: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY + github-token: ${{ steps.generate-token.outputs.token }} + oidc-auth: true + oidc-requested-token-type: urn:pulumi:token-type:access_token:organization + env: + GITHUB_SECRETS: ${{ toJSON(secrets) }} diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml index a7d5f88..85206fb 100644 --- a/.github/workflows/weekly-pulumi-update.yml +++ b/.github/workflows/weekly-pulumi-update.yml @@ -64,6 +64,16 @@ jobs: uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ env.PYTHONVERSION }} + - name: Setup Java + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 + with: + java-version: ${{ env.JAVAVERSION }} + distribution: temurin + cache: gradle + - name: Setup Gradle + uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2 + with: + gradle-version: "7.6" - name: Update Pulumi/Pulumi id: gomod run: >-