diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d30d954..4bd2661 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,10 +46,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -213,10 +218,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -359,10 +369,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - name: check if this commit needs release if: ${{ env.RELEASE_BOT_ENDPOINT != '' }} uses: pulumi/action-release-by-pr-label@main @@ -398,10 +413,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -530,10 +550,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -601,10 +626,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 49819db..6e434a9 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -38,10 +38,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -205,10 +210,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -363,10 +373,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -495,10 +510,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -566,10 +586,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 839c80f..ad6df7f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,10 +38,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -205,10 +210,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -363,10 +373,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -495,10 +510,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -566,10 +586,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -758,10 +783,15 @@ jobs: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true - - id: esc-secrets + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - name: Install pulumictl uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 with: diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 864ee07..4d46b67 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -37,16 +37,24 @@ jobs: comment-notification: runs-on: ubuntu-latest name: comment-notification + permissions: + contents: write + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true persist-credentials: false - ref: ${{ env.PR_COMMIT_SHA }} - - id: esc-secrets + ref: ${{ env.PR_COMMIT_SHA }} + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - name: Create URL to the run output id: vars run: echo @@ -63,16 +71,25 @@ jobs: prerequisites: runs-on: ubuntu-latest name: prerequisites + permissions: + contents: write + id-token: write # For ESC secrets. + pull-requests: write # For schema check comment. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true persist-credentials: false - ref: ${{ env.PR_COMMIT_SHA }} - - id: esc-secrets + ref: ${{ env.PR_COMMIT_SHA }} + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -234,16 +251,24 @@ jobs: - go - java name: build_sdks + permissions: + contents: write + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: lfs: true persist-credentials: false - ref: ${{ env.PR_COMMIT_SHA }} - - id: esc-secrets + ref: ${{ env.PR_COMMIT_SHA }} + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -402,10 +427,15 @@ jobs: with: lfs: true persist-credentials: false - ref: ${{ env.PR_COMMIT_SHA }} - - id: esc-secrets + ref: ${{ env.PR_COMMIT_SHA }} + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - id: version name: Set Provider Version uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 @@ -537,10 +567,15 @@ jobs: with: lfs: true persist-credentials: false - ref: ${{ env.PR_COMMIT_SHA }} - - id: esc-secrets + ref: ${{ env.PR_COMMIT_SHA }} + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets name: Fetch secrets from ESC - uses: ./.github/actions/esc-action + uses: pulumi/esc-action@v1 - name: Mark workflow as successful uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13 with: @@ -551,6 +586,7 @@ jobs: sha: ${{ github.event.pull_request.head.sha || github.sha }} permissions: statuses: write + id-token: write # For ESC secrets. if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml index d3a2caf..1f4b4d5 100644 --- a/.github/workflows/weekly-pulumi-update.yml +++ b/.github/workflows/weekly-pulumi-update.yml @@ -34,13 +34,18 @@ jobs: weekly-pulumi-update: runs-on: ubuntu-latest steps: - - id: esc-secrets - name: Fetch secrets from ESC - uses: ./.github/actions/esc-action - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: - lfs: true + lfs: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@v1 - name: Install Go uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 with: