diff --git a/.config/mise.toml b/.config/mise.toml index f93067e..a733aa2 100644 --- a/.config/mise.toml +++ b/.config/mise.toml @@ -3,11 +3,12 @@ [env] _.source = "{{config_root}}/scripts/get-versions.sh" +PULUMI_HOME = "{{config_root}}/.pulumi" [tools] # Runtimes -# TODO: we may not need `get_env` once https://github.com/jdx/mise/discussions/6339 is fixed +# TODO: we may not need 'get_env' once https://github.com/jdx/mise/discussions/6339 is fixed go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}" node = '20.19.5' python = '3.11.8' @@ -17,12 +18,15 @@ java = 'corretto-11' # Executable tools pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}" -"github:pulumi/pulumictl" = 'latest' -"github:pulumi/schema-tools" = "latest" -gradle = '7.6' +"github:pulumi/pulumictl" = '0.0.50' +"github:pulumi/schema-tools" = "0.6.0" +"aqua:gradle/gradle-distributions" = '7.6.6' golangci-lint = "1.64.8" # See note about about overrides if you need to customize this. "npm:yarn" = "1.22.22" [settings] experimental = true # Required for Go binaries (e.g. pulumictl). -lockfile = true +lockfile = false + +[plugins] +vfox-pulumi = "https://github.com/pulumi/vfox-pulumi" diff --git a/.github/actions/setup-tools/action.yml b/.github/actions/setup-tools/action.yml index ea48463..897b5fa 100644 --- a/.github/actions/setup-tools/action.yml +++ b/.github/actions/setup-tools/action.yml @@ -14,14 +14,16 @@ runs: using: "composite" steps: - name: Setup mise - uses: jdx/mise-action@d16887ba50704baed7de72bd1e82e04391e4457a # v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 + env: + MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 cache_save: ${{ inputs.cache }} github_token: ${{ inputs.github_token }} - name: Setup Go Cache - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: cache: ${{ inputs.cache }} cache-dependency-path: | 
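Review bot: `PULUMI_HOME = "{{config_root}}/.pulumi"` in `[env]` moves the Pulumi CLI's home directory under the mise config root, which is presumably inside the checkout. That directory is where the CLI keeps `credentials.json` after a login, alongside downloaded plugins. Nothing in the visible part of this diff adds `.pulumi/` to `.gitignore`, so confirm it is ignored and is not picked up by caches, uploaded artifacts or the `git status --porcelain` cleanliness check in the workflows. A comment above the key such as `# Per-checkout Pulumi home; .pulumi/ must stay gitignored (holds credentials.json)` would record the intent.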
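Review bot: Setting `lockfile = false` in `[settings]` while adding `vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"` under `[plugins]` leaves the plugin unpinned. It is fetched from whatever the repository's default branch holds, its code runs during tool installation, and no lockfile records what was resolved. The explicit versions added for pulumictl, schema-tools and gradle help, but `go` and `pulumi` still fall back to `default='latest'` when their env vars are unset. Consider pinning the plugin to a commit, e.g. `vfox-pulumi = "https://github.com/pulumi/vfox-pulumi#COMMIT_SHA"` (placeholder; the `#ref` suffix is how mise plugin URLs are pinned as far as I recall, so verify the syntax). Also add a comment next to `lockfile = false` saying why it was turned off.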
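Review bot: The new pin `jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5` is annotated only `# v3`, so a reviewer cannot tell which release the commit corresponds to or check it against a tag. The `actions/setup-go` line in the same hunk carries an exact `# v6.1.0`. The same applies to `actions/setup-node@395ad326… # v6` in the next hunk, and to the `aws-actions/stale-issue-cleanup` pin in comment-on-stale-issues.yml, which drops its `# v7.1.0` comment entirely. In export-repo-secrets.yml, `create-github-app-token` is labelled `# v2` although the identical SHA is labelled `# v2.2.1` elsewhere. I would write the exact tag on each, e.g. `uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # vX.Y.Z` with the real release filled in.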
@@ -32,7 +34,7 @@ runs: *.sum - name: Setup Node - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: # we don't set node-version because we install with mise. # this step is needed to setup npm auth diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 794a1a7..925fbbe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -47,7 +47,7 @@ jobs: pull-requests: write # For schema check comment. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -59,6 +59,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 
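Review bot: The new `app-auth` step in the `@@ -59,6 +59,12 @@` hunk sets `owner: ${{ github.repository_owner }}` without a `repositories:` input. As I read the action's documented behaviour, that scopes the token to every repository in the owner's App installation, with all of the App's permissions. Where later hunks consume it, the token is only passed to `./.github/actions/setup-tools` as `github_token`, i.e. to mise while it downloads and runs third-party tool installers, so a narrower token would limit what a compromised tool could reach. Consider adding `repositories: ${{ github.event.repository.name }}` and the action's `permission-*` inputs (e.g. `permission-contents: read`) if the installs need nothing more. The same step is repeated unchanged in the other jobs of build.yml, prerelease.yml and release.yml, and no visible hunk in this first job shows the token being used, so it may be minted here without a consumer.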
@@ -122,54 +128,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar provider binaries run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ @@ -218,7 +176,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -230,6 +188,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -240,7 +204,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download Provider Binary uses: ./.github/actions/download-provider - name: Generate SDK 
@@ -259,54 +223,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . @@ -335,7 +251,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -380,7 +296,7 @@ jobs: id-token: write # For ESC secrets and Pulumi access token OIDC. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -392,6 +308,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -402,7 +324,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download Provider Binary uses: ./.github/actions/download-provider - name: Download SDK @@ -477,7 +399,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -489,6 +411,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -499,7 +427,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Clear GitHub Actions Ubuntu runner disk space uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 with: @@ -510,7 +438,7 @@ jobs: swap-storage: true large-packages: false - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 @@ -550,7 +478,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -562,6 +490,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -570,7 +504,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout Scripts Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: path: ci-scripts repository: pulumi/scripts @@ -578,7 +512,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download python SDK uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -631,7 +565,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -639,7 +573,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Disarm go:embed directives to enable linters that compile source code run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i 's/go:embed/ goembed/g' diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index aafa0eb..f3c6ec5 100644 --- a/.github/workflows/command-dispatch.yml 
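Review bot: In the last build.yml hunk (`@@ -639,7 +573,7 @@`) Setup Tools now reads `github_token: ${{ steps.app-auth.outputs.token }}`, but this job does not appear to define an `app-auth` step. The preceding hunk shows the job's `steps:` at new line 566 beginning with Checkout Repo, and Setup Tools follows at line 573, which leaves no room for the six-line token step or the ESC fetch it depends on. A reference to a step id that does not exist evaluates to an empty string, so mise would silently run unauthenticated in this job. Either keep `github_token: ${{ secrets.GITHUB_TOKEN }}` here, or add the ESC and `app-auth` steps before it, along with the `id-token: write` permission that the other jobs mark as needed for ESC. The job body continues outside the hunk.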
+++ b/.github/workflows/command-dispatch.yml @@ -14,6 +14,7 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_PULUMI_ENABLE_JOURNALING: "true" jobs: command-dispatch-for-testing: @@ -24,7 +25,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - env: @@ -36,7 +37,7 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4 + - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5 with: commands: | run-acceptance-tests diff --git a/.github/workflows/comment-on-stale-issues.yml b/.github/workflows/comment-on-stale-issues.yml index e3ec80e..2751337 100644 --- a/.github/workflows/comment-on-stale-issues.yml +++ b/.github/workflows/comment-on-stale-issues.yml @@ -1,6 +1,7 @@ name: "Comment on stale issues" on: + workflow_dispatch: {} schedule: - cron: "46 4 * * *" # run once per day @@ -9,7 +10,7 @@ jobs: runs-on: ubuntu-latest name: Stale issue job steps: - - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc # v7.1.0 + - uses: aws-actions/stale-issue-cleanup@db44981197ae9cdada9a9c779c052439f9d62eac with: issue-types: issues # only look at issues (ignore pull-requests) diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml index 6532d5b..af6fd31 100644 --- a/.github/workflows/community-moderation.yml +++ b/.github/workflows/community-moderation.yml 
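Review bot: `PULUMI_PULUMI_ENABLE_JOURNALING: "true"` in the workflow-level `env:` has a doubled `PULUMI_` prefix, which reads like a typo. If the CLI expects a different name, the setting has no effect and nothing will report it. If the doubled prefix is intentional, a trailing comment such as `# sic: the variable name carries the PULUMI_ prefix twice` would stop someone from "correcting" it later. None of the other workflow hunks visible here add the variable, so it may be worth checking whether the jobs that actually run the tests were meant to get it too.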
@@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - id: schema_changed diff --git a/.github/workflows/export-repo-secrets.yml b/.github/workflows/export-repo-secrets.yml index 0039709..93f70f2 100644 --- a/.github/workflows/export-repo-secrets.yml +++ b/.github/workflows/export-repo-secrets.yml @@ -8,7 +8,7 @@ jobs: steps: - name: Generate a GitHub token id: generate-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: 1256780 # Export Secrets GitHub App private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }} diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 8c91e22..be16b2a 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -36,7 +36,7 @@ jobs: name: prerequisites steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -48,6 +48,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 
@@ -111,54 +117,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar provider binaries run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ @@ -207,7 +165,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -219,6 +177,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -229,7 +193,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download Provider Binary uses: ./.github/actions/download-provider - name: Generate SDK 
@@ -248,54 +212,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit ${{ matrix.language }} SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit ${{ matrix.language }} SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . @@ -333,7 +249,7 @@ jobs: id-token: write # For ESC secrets and Pulumi access token OIDC. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -345,6 +261,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -355,7 +277,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download Provider Binary uses: ./.github/actions/download-provider - name: Download SDK @@ -430,7 +352,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -442,6 +364,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 
@@ -452,7 +380,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Clear GitHub Actions Ubuntu runner disk space uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 with: @@ -463,7 +391,7 @@ jobs: swap-storage: true large-packages: false - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 @@ -503,7 +431,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -515,6 +443,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -523,7 +457,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout Scripts Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: path: ci-scripts repository: pulumi/scripts 
@@ -531,7 +465,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download python SDK uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -585,7 +519,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -597,6 +531,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -607,7 +547,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download java SDK uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -635,7 +575,7 @@ jobs: needs: publish_sdk steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - id: version diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index d481da3..f935603 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml 
@@ -10,7 +10,7 @@ jobs: name: comment-on-pr steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - name: Comment PR diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 661764c..6770653 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,7 +39,7 @@ jobs: pull-requests: write # For schema check comment. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -51,6 +51,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -62,7 +68,7 @@ jobs: uses: ./.github/actions/setup-tools with: cache: 'true' - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 
@@ -114,54 +120,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar provider binaries run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ @@ -210,7 +168,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -222,6 +180,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -232,7 +196,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download Provider Binary uses: ./.github/actions/download-provider - name: Generate SDK 
@@ -251,54 +215,6 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle - - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && - contains(github.actor, 'renovate') && github.event_name == - 'pull_request' - shell: bash - run: > - git diff --quiet -- sdk && echo "no changes to sdk" && exit - - git config --global user.email "bot@pulumi.com" - - git config --global user.name "pulumi-bot" - - # Stash local changes and check out the PR's branch directly. - - git stash - - git fetch - - git checkout "origin/$HEAD_REF" - - - # Apply and add our changes, but don't commit any files we expect to - - # always change due to versioning. - - git stash pop - - git add sdk - - git reset sdk/python/*/pulumi-plugin.json \ - sdk/python/pyproject.toml \ - sdk/dotnet/pulumi-plugin.json \ - sdk/dotnet/*.*.csproj \ - sdk/dotnet/version.txt \ - sdk/go/*/pulumi-plugin.json \ - sdk/go/*/internal/pulumiUtilities.go \ - sdk/nodejs/package.json - - git commit -m 'Commit SDK for Renovate' - - - # Push with pulumi-bot credentials to trigger a re-run of the - - # workflow. https://github.com/orgs/community/discussions/25702 - - git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} "HEAD:$HEAD_REF" - env: - HEAD_REF: ${{ github.head_ref }} - run: git status --porcelain - name: Tar SDK folder run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} . @@ -336,7 +252,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -348,6 +264,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -358,7 +280,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download Provider Binary uses: ./.github/actions/download-provider - name: Download SDK @@ -433,7 +355,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -445,6 +367,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 
@@ -455,7 +383,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Clear GitHub Actions Ubuntu runner disk space uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 with: @@ -466,7 +394,7 @@ jobs: swap-storage: true large-packages: false - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 @@ -506,7 +434,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -518,6 +446,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -526,7 +460,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout Scripts Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: path: ci-scripts repository: pulumi/scripts 
@@ -534,7 +468,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download python SDK uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -588,7 +522,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -600,6 +534,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -610,7 +550,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download java SDK uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -638,7 +578,7 @@ jobs: needs: publish_sdk steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - id: version @@ -674,7 +614,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: 
@@ -686,6 +626,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Install pulumictl uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 with: diff --git a/.github/workflows/release_command.yml b/.github/workflows/release_command.yml index 4e2450d..21fad2a 100644 --- a/.github/workflows/release_command.yml +++ b/.github/workflows/release_command.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - env: diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 7810df6..e80fb52 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -32,6 +32,7 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_PULUMI_ENABLE_JOURNALING: "true" PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} jobs: comment-notification: @@ -40,7 +41,7 @@ jobs: name: comment-notification steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false 
@@ -65,7 +66,7 @@ jobs: pull-requests: write # For schema check comment. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -79,6 +80,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -90,7 +97,7 @@ jobs: uses: ./.github/actions/setup-tools with: cache: 'true' - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - if: github.event_name == 'pull_request' name: Install Schema Tools uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0 @@ -142,8 +149,12 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle + # This worktree check is a safeguard against someone forgetting to + # re-build and commit locally, but we handle that commit automatically in + # the case of dependency bumps. + continue-on-error: ${{ contains(github.actor, 'renovate') }} - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && + if: steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request' shell: bash @@ -169,7 +180,7 @@ jobs: git stash pop - git add sdk + git add sdk provider/cmd/docker-build/schema.json git reset sdk/python/*/pulumi-plugin.json \ sdk/python/pyproject.toml \ 
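Review bot: The `continue-on-error: ${{ contains(github.actor, 'renovate') }}` added to the worktree check in the hunk at old line 142 is wider than the `if:` of the commit step it pairs with, which also requires `github.event_name == 'pull_request'`. On any other event with a matching actor, a dirty worktree no longer fails the job and nothing commits the difference, so the safeguard described in the new comment is silently switched off. Put the same condition on both: `continue-on-error: ${{ github.event_name == 'pull_request' && contains(github.actor, 'renovate') }}`. Since the gated step appears to commit to the PR branch with bot credentials, an exact comparison such as `github.actor == '<renovate-bot-login>'` (placeholder for the login this org uses) is safer than a substring match. The hunk at old line 292 of the same file adds the identical line.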
@@ -240,7 +251,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -254,6 +265,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -264,7 +281,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download provider uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -292,8 +309,9 @@ jobs: sdk/nodejs/package.json sdk/python/pyproject.toml sdk/java/build.gradle + continue-on-error: ${{ contains(github.actor, 'renovate') }} - name: Commit SDK changes for Renovate - if: failure() && steps.worktreeClean.outcome == 'failure' && + if: steps.worktreeClean.outcome == 'failure' && contains(github.actor, 'renovate') && github.event_name == 'pull_request' shell: bash @@ -319,7 +337,7 @@ jobs: git stash pop - git add sdk + git add sdk provider/cmd/docker-build/schema.json git reset sdk/python/*/pulumi-plugin.json \ sdk/python/pyproject.toml \ 
@@ -379,7 +397,7 @@ jobs: id-token: write steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -393,6 +411,12 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - id: version name: Set Provider Version uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 @@ -403,7 +427,7 @@ jobs: - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Download provider uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0 with: @@ -490,7 +514,7 @@ jobs: name: sentinel steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false @@ -525,7 +549,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true persist-credentials: false diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml index 3de934d..cf86048 100644 --- a/.github/workflows/weekly-pulumi-update.yml +++ b/.github/workflows/weekly-pulumi-update.yml 
@@ -29,6 +29,7 @@ env: GOOGLE_REGION: us-central1 GOOGLE_ZONE: us-central1-a PULUMI_API: https://api.pulumi-staging.io + PULUMI_PULUMI_ENABLE_JOURNALING: "true" jobs: weekly-pulumi-update: @@ -36,7 +37,7 @@ jobs: permissions: write-all steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: lfs: true - env: @@ -48,10 +49,16 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-auth + with: + app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }} + private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} - name: Setup Tools uses: ./.github/actions/setup-tools with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.app-auth.outputs.token }} - name: Update Pulumi/Pulumi id: gomod run: >- diff --git a/.gitignore b/.gitignore index a4cd8b9..85ea1e7 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,7 @@ **/.ionide **/.vscode *.swp +.pulumi Pulumi.*.yaml yarn.lock ci-scripts diff --git a/.goreleaser.yml b/.goreleaser.yml index 2ae51d6..9bb8131 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,5 +1,4 @@ # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt - project_name: pulumi-docker-build builds: - id: build-provider diff --git a/go.mod b/go.mod index 2109d38..a27597d 100644 --- a/go.mod +++ b/go.mod 
@@ -14,7 +14,7 @@ require ( github.com/moby/patternmatcher v0.6.0 github.com/muesli/reflow v0.3.0 github.com/otiai10/copy v1.14.0 - github.com/pulumi/providertest v0.3.1 + github.com/pulumi/providertest v0.5.1-0.20251217173405-3861778549dd github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef github.com/pulumi/pulumi-go-provider v1.1.2 github.com/pulumi/pulumi-java/pkg v1.16.0 diff --git a/go.sum b/go.sum index 28b5ca3..b6156d7 100644 --- a/go.sum +++ b/go.sum @@ -894,6 +894,8 @@ github.com/pulumi/inflector v0.2.1 h1:bqyiish3tq//vLeLiEstSFE5K7RNjy/ce47ed4QATu github.com/pulumi/inflector v0.2.1/go.mod h1:HUFCjcPTz96YtTuUlwG3i3EZG4WlniBvR9bd+iJxCUY= github.com/pulumi/providertest v0.3.1 h1:vlftr7TZlObh81mL88IhhF0/9ZbLrZZos4NAvR4HUUw= github.com/pulumi/providertest v0.3.1/go.mod h1:fFHUP4/9DRyYnHWiRnwcynMtM/a7hHR/QcJfcuZKO3A= +github.com/pulumi/providertest v0.5.1-0.20251217173405-3861778549dd h1:rhn4v3qxovNULvz04qrO5HXVvFuRrYvP6CrjgxdaBWM= +github.com/pulumi/providertest v0.5.1-0.20251217173405-3861778549dd/go.mod h1:OBpIGSQrw1FW9VNaHBtKCRxEoTISvx8JsxECmRqRgRQ= github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef h1:cxRa9R9To6OYKacIG2Em6zcM7BDNr6joC43uiV1lSVY= github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef/go.mod h1:VLcnE1lj92EfRi7CRMzdPkQ9OQvrlg2upJM1lBZzNmg= github.com/pulumi/pulumi-go-provider v1.1.2 h1:NUQDXaftBDFTPMBPwxo8FhJUX0ymkv6a1XiXTnCDpvg=