Update GitHub Actions workflows. (#597)

This PR was automatically generated by the update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt repo, from commit 42e0ba87f4de47d7ab085a3916669e193ec1ff4e. --------- Co-authored-by: Bryce Lampe <bryce@pulumi.com>
2025-09-10 21:49:21 +02:00
parent daa144c232
commit a0e387d0a8
5 changed files with 196 additions and 70 deletions
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -37,16 +37,24 @@ jobs:
  comment-notification:
    runs-on: ubuntu-latest
    name: comment-notification
+    permissions:
+      contents: write
+      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - id: esc-secrets
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
      name: Fetch secrets from ESC
-      uses: ./.github/actions/esc-action
+      uses: pulumi/esc-action@v1
    - name: Create URL to the run output
      id: vars
      run: echo
@@ -63,16 +71,25 @@ jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
+    permissions:
+      contents: write
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - id: esc-secrets
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
      name: Fetch secrets from ESC
-      uses: ./.github/actions/esc-action
+      uses: pulumi/esc-action@v1
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -234,16 +251,24 @@ jobs:
        - go
        - java
    name: build_sdks
+    permissions:
+      contents: write
+      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - id: esc-secrets
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
      name: Fetch secrets from ESC
-      uses: ./.github/actions/esc-action
+      uses: pulumi/esc-action@v1
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -402,10 +427,15 @@ jobs:
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - id: esc-secrets
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
      name: Fetch secrets from ESC
-      uses: ./.github/actions/esc-action
+      uses: pulumi/esc-action@v1
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -537,10 +567,15 @@ jobs:
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - id: esc-secrets
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
      name: Fetch secrets from ESC
-      uses: ./.github/actions/esc-action
+      uses: pulumi/esc-action@v1
    - name: Mark workflow as successful
      uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
      with:
@@ -551,6 +586,7 @@ jobs:
        sha: ${{ github.event.pull_request.head.sha || github.sha }}
    permissions:
      statuses: write
+      id-token: write # For ESC secrets.
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    needs: