diff --git a/.github/workflows/acceptance-test.yml b/.github/workflows/acceptance-test.yml index 60dbe8607140..6ceabc030201 100644 --- a/.github/workflows/acceptance-test.yml +++ b/.github/workflows/acceptance-test.yml @@ -21,9 +21,6 @@ on: type: string description: Override the version when building -env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} - jobs: comment-notification: runs-on: ubuntu-latest @@ -34,7 +31,7 @@ jobs: - name: Update with Result uses: peter-evans/create-or-update-comment@v1 with: - token: ${{ secrets.PULUMI_BOT_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} issue-number: ${{ github.event.client_payload.github.payload.issue.number }} body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}" diff --git a/.github/workflows/autorest-scheduled.yml b/.github/workflows/autorest-scheduled.yml index 5e98dcc7739c..7088b2a0b647 100644 --- a/.github/workflows/autorest-scheduled.yml +++ b/.github/workflows/autorest-scheduled.yml @@ -11,11 +11,15 @@ jobs: version: uses: ./.github/workflows/version.yml secrets: inherit + permissions: + id-token: write # For ESC secrets. build_test: uses: ./.github/workflows/build-test.yml secrets: inherit needs: version + permissions: + id-token: write # For ESC secrets. with: ref: ${{ github.ref }} version: ${{ needs.version.outputs.version }} diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index 6bbc97d1c016..d6193dd2f8eb 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml 
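Review bot: The `token: ${{ secrets.GITHUB_TOKEN }}` now handed to create-or-update-comment in acceptance-test.yml can only write to the repository the workflow runs in and only with `issues: write` / `pull-requests: write` on the job, neither of which constrained `PULUMI_BOT_TOKEN`. The `repository:` input is taken from `github.event.client_payload.github.payload.repository.full_name`, so confirm it always resolves to this repo, and unless the repository's default token permissions are already write, add `permissions:` / `pull-requests: write` / `issues: write` to the comment-notification job. The job header and any existing permissions block are outside the hunk.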
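Review bot: `id-token: write # For ESC secrets.` on the `version` caller job in autorest-scheduled.yml (and on the same job in master.yml later in this diff) looks unnecessary: the version.yml hunks in this diff add no esc-action step and switch its only visible step to `secrets.GITHUB_TOKEN`. Because listing any scope under `permissions:` sets every unlisted scope to none, the token given to pulumi/provider-version-action also loses `contents: read`; if that action reads tags or releases through the API, confirm it still works on the reduced token, otherwise drop the block from the `version` jobs and keep it only on `build_test`. Lines of version.yml outside the shown hunks could hold a fetch step I cannot see.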
@@ -32,35 +32,29 @@ on: default: true env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PROVIDER: azure-native PROVIDER_VERSION: ${{ inputs.version }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget # TRAVIS_OS_NAME required by https://github.com/pulumi/scripts/blob/master/ci/publish-tfgen-package TRAVIS_OS_NAME: linux - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e # application id of the "TravisCI" service principal - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} - ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST: ${{ secrets.ARM_CLIENT_CERTIFICATE_PASSWORD }} ARM_LOCATION: westus2 ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 PULUMI_API: https://api.pulumi-staging.io # Feature toggle that's read in provider.go enableAzcoreBackend() PULUMI_ENABLE_AZCORE_BACKEND: ${{ inputs.use_azcore }} - # This is the content of a ~/.azure/ folder, zipped and base64-encoded, for CLI auth. + # AZURE_CLI_FOLDER is the content of a ~/.azure/ folder, zipped and base64-encoded, for CLI auth. # If/when the contained refresh token expires, someone with access to our subscription needs to # `az login` on their own computer and repeat the steps below. - # Generated by using @mikhail's .azure folder and running: + # Generated by using @EronWright's .azure folder and running: # cp -R ~/.azure ~/azure # cd ~/azure # rm -rf .DS_Store logs/ commands/* cliextensions/ extensionCommandTree.json # zip -v azure.zip * # base64 --input azure.zip | clipcopy # Paste into repo secret - AZURE_CLI_FOLDER: ${{ secrets.AZURE_CLI_FOLDER }} jobs: prerequisites: 
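Review bot: The comment block that begins `# AZURE_CLI_FOLDER is the content of a ~/.azure/ folder` is left under `env:` after the `AZURE_CLI_FOLDER:` entry beneath it is removed, so it now documents nothing at that location, and its last line `# Paste into repo secret` is stale because the value is read from `steps.esc-secrets.outputs.AZURE_CLI_FOLDER` in the later hunks. Move the block to the `Write .azure.tmp folder` step that decodes the value and change the last line to `# Paste into the ESC environment as AZURE_CLI_FOLDER`. The same hunk drops `ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST` from the workflow env and it is re-added only on the provider test step later in this diff, so any other step that read it would need its own `env:`.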
@@ -207,6 +201,15 @@ jobs: ref: ${{ inputs.ref }} submodules: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Setup uses: ./.github/actions/test-setup with: @@ -216,7 +219,7 @@ jobs: # The provider wants the cert as a path to a cert file but GH secrets can only be strings. # We store the base64-encoded cert as a secret, decode it here, and write it out to a file. run: | - echo "${{ secrets.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx" + echo "${{ steps.esc-secrets.outputs.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx" echo "ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST=${{ runner.temp }}/azure-client-certificate.pfx" >> "$GITHUB_ENV" - name: Write .azure.tmp folder @@ -225,7 +228,7 @@ jobs: # tests using it unintentionally since CLI is the fallback auth method. run: | set -euxo pipefail - echo "${{ secrets.AZURE_CLI_FOLDER }}" | base64 -d > "${{ runner.temp }}/azure-cli-folder.zip" + echo "${{ steps.esc-secrets.outputs.AZURE_CLI_FOLDER }}" | base64 -d > "${{ runner.temp }}/azure-cli-folder.zip" # Unzip it to a temp folder to avoid other tests using it unintentionally (since CLI auth is the fallback method). # We only want one specific test to use it. unzip -d "$HOME/.azure.tmp" "${{ runner.temp }}/azure-cli-folder.zip" 
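Review bot: `echo "${{ steps.esc-secrets.outputs.ARM_CLIENT_CERTIFICATE }}" | base64 -d` and the AZURE_CLI_FOLDER line below it now splice a step output rather than a `secrets.*` value into the rendered `run:` script; `secrets.*` values are always masked in logs, whereas a step output is masked only if the action registers it as a secret, and the AZURE_CLI_FOLDER step runs under `set -euxo pipefail`, which echoes the expanded command line. Unless pulumi/esc-action is confirmed to mask every output, pass the value through the step's `env:` (`ARM_CLIENT_CERTIFICATE_B64: ${{ steps.esc-secrets.outputs.ARM_CLIENT_CERTIFICATE }}`) and reference `"$ARM_CLIENT_CERTIFICATE_B64"` in the script, which also keeps the value out of the generated script file. The same applies to the identical hunks at @@ -313, @@ -334 and @@ -343 in this file. The job's header and `permissions:` are outside the hunk; it needs `id-token: write` for the new step, which this diff adds visibly only to `dist`.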
@@ -313,6 +316,15 @@ jobs: ref: ${{ inputs.ref }} submodules: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install Languages & Frameworks uses: ./.github/actions/install with: @@ -334,7 +346,7 @@ jobs: # The provider wants the cert as a path to a cert file but GH secrets can only be strings. # We store the base64-encoded cert as a secret, decode it here, and write it out to a file. run: | - echo "${{ secrets.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx" + echo "${{ steps.esc-secrets.outputs.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx" echo "ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST=${{ runner.temp }}/azure-client-certificate.pfx" >> "$GITHUB_ENV" - name: Write .azure.tmp folder @@ -343,7 +355,7 @@ jobs: # tests using it unintentionally since CLI is the fallback auth method. run: | set -euxo pipefail - echo "${{ secrets.AZURE_CLI_FOLDER }}" | base64 -d > "${{ runner.temp }}/azure-cli-folder.zip" + echo "${{ steps.esc-secrets.outputs.AZURE_CLI_FOLDER }}" | base64 -d > "${{ runner.temp }}/azure-cli-folder.zip" # Unzip it to a temp folder to avoid other tests using it unintentionally (since CLI auth is the fallback method). # We only want one specific test to use it. unzip -d "$HOME/.azure.tmp" "${{ runner.temp }}/azure-cli-folder.zip" 
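Review bot: `uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b` is SHA-pinned, which is the right call, but without a trailing version comment neither readers nor update tooling can tell which release the hash corresponds to; write it as `uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b # <pinned release tag>`. The eight-line block is repeated verbatim in roughly a dozen jobs across this diff, so a future bump or an `ESC_ACTION_ENVIRONMENT` change has to be made in every copy; the repo already keeps shared steps under `./.github/actions/`, and if the action's outputs can be re-exported from a composite action that would be the place for it. The step also lists `env:` before `id:` and `name:`, while every other step in this file leads with `name:`.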
@@ -354,6 +366,8 @@ jobs: env: # specifying this id will cause the OIDC test(s) to run against this AD application OIDC_ARM_CLIENT_ID: ${{ inputs.oidc_arm_client_id }} + ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }} + ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST: ${{ steps.esc-secrets.outputs.ARM_CLIENT_CERTIFICATE_PASSWORD }} run: | set -euo pipefail cd provider && go test -coverprofile="coverage.txt" -coverpkg=./... -timeout 1h -parallel 16 ./... 2>&1 | tee /tmp/gotest.log @@ -362,12 +376,14 @@ jobs: uses: codecov/codecov-action@v4 if: inputs.upload_codecov env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} + CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }} dist: runs-on: ubuntu-latest name: Provider Dist needs: prerequisites + permissions: + id-token: write # required for OIDC auth steps: - name: Checkout Repo uses: actions/checkout@v4 @@ -375,6 +391,15 @@ jobs: submodules: true ref: ${{ inputs.ref }} + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install Languages & Frameworks uses: ./.github/actions/install with: 
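Review bot: `permissions: id-token: write # required for OIDC auth` on `dist` uses a different comment from the `# For ESC secrets.` wording on every other job in this diff; align it. Declaring `permissions:` with only `id-token` sets every other scope of the job's GITHUB_TOKEN to none, including `contents`, so confirm the `actions/checkout@v4` and `actions/upload-artifact@v4` steps in this job still succeed on the reduced token (checkout of a public repository and artifact upload normally do, but anything else in the job that calls the API would not). This is also the only job in build-test.yml where a `permissions:` block is visible next to the new fetch step; the jobs at @@ -207 and @@ -313 presumably rely on inheriting it from the caller.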
@@ -395,10 +420,10 @@ jobs: - name: Build dist packages run: make dist env: - AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }} - AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} - AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }} - AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} + AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }} + AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }} + AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }} + AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }} - name: Upload artifacts uses: actions/upload-artifact@v4 diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index 7b3a455f42f3..bf921f176cf5 100644 --- a/.github/workflows/command-dispatch.yml +++ b/.github/workflows/command-dispatch.yml @@ -7,8 +7,6 @@ on: - edited env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_API: https://api.pulumi-staging.io jobs: @@ -20,9 +18,17 @@ jobs: uses: actions/checkout@v4 with: submodules: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - uses: peter-evans/slash-command-dispatch@v2 with: - token: ${{ secrets.PULUMI_BOT_TOKEN }} + token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} reaction-token: ${{ secrets.GITHUB_TOKEN }} commands: run-acceptance-tests permission: write diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index 5e7a0d0d7a8a..88a69ce100be 100644 
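Review bot: The new `Fetch secrets from ESC` step in command-dispatch.yml runs on every `issue_comment` event before slash-command-dispatch has checked `permission: write` or matched `commands: run-acceptance-tests`, so any comment from any user now causes an OIDC exchange and a fetch of the org environment. Gate the fetch step on the command text, e.g. `if: contains(github.event.comment.body, '/run-acceptance-tests')`, and put the same condition on the dispatch step so it never runs with an empty `token:` (the action's reaction to non-matching comments should be checked before relying on this). The job header is outside the hunk; it needs `id-token: write`, which is not visible here, and `PULUMI_API` stays in `env:` while `PULUMI_ACCESS_TOKEN` is dropped without an ESC replacement in this file, which is fine only if no step uses it.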
--- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -21,10 +21,14 @@ on: jobs: version: + permissions: + id-token: write # For ESC secrets. uses: ./.github/workflows/version.yml secrets: inherit build_test: + permissions: + id-token: write # For ESC secrets. uses: ./.github/workflows/build-test.yml secrets: inherit needs: version @@ -40,6 +44,8 @@ jobs: retention_days: 30 publish: + permissions: + id-token: write # For ESC secrets. uses: ./.github/workflows/publish.yml secrets: inherit needs: diff --git a/.github/workflows/nightly-sdk-generation.yml b/.github/workflows/nightly-sdk-generation.yml index 6e82c4a35222..66076da7ee9c 100644 --- a/.github/workflows/nightly-sdk-generation.yml +++ b/.github/workflows/nightly-sdk-generation.yml @@ -4,21 +4,10 @@ on: - cron: 35 4 * * 1-5 workflow_dispatch: {} env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PROVIDER: azure-native - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} TRAVIS_OS_NAME: linux - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} ARM_LOCATION: westus2 PULUMI_API: https://api.pulumi-staging.io PROVIDER_VERSION: 3.0.0-alpha.0+dev @@ -27,6 +16,9 @@ jobs: # Use a more powerful runner to fix pulumi/pulumi-azure-native#2767 runs-on: pulumi-ubuntu-8core name: generate-sdk + permissions: + contents: write # For PR. + id-token: write # For ESC secrets. steps: # We do a deep checkout so we're able to push later - name: Checkout Repo 
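Review bot: The nightly-sdk-generation.yml `env:` hunk drops `NPM_TOKEN`, `NODE_AUTH_TOKEN`, `NUGET_PUBLISH_KEY`, `PUBLISH_REPO_USERNAME`/`PUBLISH_REPO_PASSWORD` and the three `SIGNING_*` variables, and unlike publish.yml no later hunk in this file re-adds them from `steps.esc-secrets.outputs.*`. If no step in this workflow consumed them, that is a welcome reduction of what every nightly step could read; if an SDK build step outside the shown hunks did (for example a Gradle or npm step reading `NODE_AUTH_TOKEN`), it now runs with the variable unset. A one-line comment on the retained `env:` block such as `# Publish credentials are fetched per step from ESC in publish.yml; none are needed here.` would make the intent explicit.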
@@ -35,6 +27,15 @@ jobs: submodules: true fetch-depth: 0 + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install Languages & Frameworks uses: ./.github/actions/install with: @@ -42,7 +43,7 @@ jobs: - uses: azure/login@v2 with: - creds: ${{ secrets.AZURE_RBAC_SERVICE_PRINCIPAL }} + creds: ${{ steps.esc-secrets.outputs.AZURE_RBAC_SERVICE_PRINCIPAL }} - name: Cleanup SDK Folder # Remove the per-language folders but preserve the checked-in go.mod @@ -86,7 +87,7 @@ jobs: uses: repo-sync/pull-request@v2.12.1 with: destination_branch: master - github_token: ${{ secrets.PULUMI_BOT_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} pr_body: "*Automated PR*" pr_title: Automated SDK generation @ azure-rest-api-specs ${{ steps.vars.outputs.commit-hash }} @@ -111,7 +112,7 @@ jobs: if: steps.create-pr.outputs.has_changed_files && contains(steps.schema-tools.outputs.summary, 'Looking good! No breaking changes found.') run: gh pr merge ${{ steps.create-pr.outputs.pr_number }} --squash --auto --repo ${{ github.repository }} env: - GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 3909fe77c9b0..14eb83856484 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -20,35 +20,20 @@ on: default: true env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PROVIDER: azure-native PROVIDER_VERSION: ${{ inputs.version }} - PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - PYPI_USERNAME: __token__ - PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} TRAVIS_OS_NAME: linux - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. - PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} - PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} - ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} ARM_LOCATION: westus2 - ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 - ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 PULUMI_API: https://api.pulumi-staging.io jobs: publish-provider: runs-on: ubuntu-latest name: publish-provider + permissions: + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@v4 @@ -56,6 +41,15 @@ jobs: submodules: true ref: ${{ inputs.ref }} + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install Languages & Frameworks uses: ./.github/actions/install with: 
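Review bot: The publish.yml `env:` hunk removes the non-secret `ARM_CLIENT_ID`, `ARM_SUBSCRIPTION_ID` and `ARM_TENANT_ID` together with `ARM_CLIENT_SECRET`, while `ARM_LOCATION` stays, and none of the publish hunks shown re-add them. That is consistent only if no publish step talks to Azure any more; confirm, since a step that still needed the tenant or subscription id would now see it unset and the failure would look unrelated to this change. `PYPI_USERNAME: __token__` is also dropped and hard-coded as `-u "__token__"` later in this diff, which is fine but deserves a short comment at the twine step, e.g. `# PyPI API tokens always authenticate as the literal user __token__.`.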
@@ -97,19 +91,19 @@ jobs: # https://github.com/aws-actions/configure-aws-credentials#notice-node12-deprecation-warning uses: aws-actions/configure-aws-credentials@v1-node16 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }} role-duration-seconds: 7200 role-session-name: ${{ env.PROVIDER }}@githubActions role-external-id: upload-pulumi-release - role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} + role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }} - name: Upload Provider Binaries run: aws s3 cp dist s3://get.pulumi.com/releases/plugins/ --recursive - name: Create GH Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2 if: inputs.publishGhRelease with: tag_name: v${{ inputs.version }} @@ -120,7 +114,7 @@ jobs: generate_release_notes: true files: dist/* env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack @@ -134,12 +128,23 @@ jobs: runs-on: ubuntu-latest name: publish-python-sdk needs: publish-provider + permissions: + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@v4 with: submodules: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install Languages & Frameworks uses: ./.github/actions/install 
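Review bot: `uses: softprops/action-gh-release@v2` is a major-version bump of an unrelated action inside a secrets-migration hunk, and nothing in the diff says why; a major bump implies behavioural changes, so either call it out in the commit message or split it into its own commit so a release regression can be bisected. The `aws-actions/configure-aws-credentials@v1-node16` step in the same hunk still relies on long-lived `aws-access-key-id` / `aws-secret-access-key` values, now merely sourced from ESC; since the job already has `id-token: write`, a follow-up could assume the upload role via OIDC and retire the static keys.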
@@ -159,8 +164,8 @@ jobs: - name: Publish PyPi Package run: > twine upload - -u "${PYPI_USERNAME}" - -p "${PYPI_PASSWORD}" + -u "__token__" + -p "${{ steps.esc-secrets.outputs.PYPI_PASSWORD }}" "${{ github.workspace }}/sdk/python/bin/dist/*" --skip-existing --verbose @@ -177,12 +182,23 @@ jobs: runs-on: ubuntu-latest name: publish-dotnet-sdk needs: publish-provider + permissions: + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@v4 with: submodules: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Checkout Scripts Repo uses: actions/checkout@v4 with: @@ -205,7 +221,7 @@ jobs: - name: Publish NuGet Package run: | find "sdk/dotnet/bin/Debug/" -name 'Pulumi.*.nupkg' \ - -exec dotnet nuget push -k "${NUGET_PUBLISH_KEY}" -s https://api.nuget.org/v3/index.json {} ';' + -exec dotnet nuget push -k "${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}" -s https://api.nuget.org/v3/index.json {} ';' - if: failure() && github.event_name == 'push' name: Notify Slack 
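Review bot: `-p "${{ steps.esc-secrets.outputs.PYPI_PASSWORD }}"` reads an output named `PYPI_PASSWORD`, whereas every other replacement in this diff reuses the old GitHub secret name (`JAVA_SIGNING_KEY_ID`, `ARM_CLIENT_CERTIFICATE_PASSWORD`, `NUGET_PUBLISH_KEY`); the secret this replaces was `secrets.PYPI_API_TOKEN`, so confirm the ESC environment really exposes a `PYPI_PASSWORD` key, otherwise twine is handed an empty password. Both here and in the NuGet hunk below (`-k "${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}"`) the token is now expanded straight into the rendered shell script instead of the previous `${PYPI_PASSWORD}` / `${NUGET_PUBLISH_KEY}` environment variables; keep the original shell references and add a step-level `env:` such as `PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_PASSWORD }}`, so the value never lands in the script file and the command stays readable.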
@@ -219,12 +235,23 @@ jobs: runs-on: ubuntu-latest name: publish-nodejs-sdk needs: publish-provider + permissions: + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@v4 with: submodules: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install Languages & Frameworks uses: ./.github/actions/install @@ -246,7 +273,7 @@ jobs: working-directory: sdk/nodejs/bin run: npm publish --tag "${{ steps.tag.outputs.tag }}" env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }} - if: failure() && github.event_name == 'push' name: Notify Slack @@ -262,11 +289,23 @@ jobs: needs: publish-provider env: PACKAGE_VERSION: ${{ inputs.version }} + permissions: + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@v4 with: submodules: true + + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install Languages & Frameworks uses: ./.github/actions/install 
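Review bot: In the publish-java-sdk job the fetch step is preceded by an extra blank line after `submodules: true`, and the `permissions:` block is placed after the job-level `env:` mapping, whereas the other publish jobs in this diff place `permissions:` directly after `needs:` with no blank line before the step; pick one layout and apply it to every job. The job-level `env:` with `PACKAGE_VERSION` is the right place for non-secret values only; keep the `SIGNING_*` values on the single step that needs them, as the later hunk does.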
@@ -292,6 +331,10 @@ jobs: # All other ecosystems handle prereleases correctly, Maven is the exception. if: inputs.prerelease == false run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository + env: + SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }} + SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }} + SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }} - if: failure() && github.event_name == 'push' name: Notify Slack @@ -305,19 +348,30 @@ jobs: runs-on: ubuntu-latest name: publish-go-sdk needs: publish-provider + permissions: + id-token: write # For ESC secrets. steps: - name: Checkout Repo uses: actions/checkout@v4 with: submodules: true + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install Languages & Frameworks uses: ./.github/actions/install - name: Checkout Go SDK repo uses: actions/checkout@v4 with: - token: ${{ secrets.PULUMI_BOT_TOKEN }} + token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} repository: pulumi/pulumi-azure-native-sdk path: sdk/pulumi-azure-native-sdk fetch-depth: 0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fbb0adca7d52..94101ab01b31 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
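Review bot: `SIGNING_KEY_ID`, `SIGNING_KEY` and `SIGNING_PASSWORD` are now scoped to the `gradle ... publishToSonatype` step only, which is tighter than the old workflow-level env, but the `PUBLISH_REPO_USERNAME` / `PUBLISH_REPO_PASSWORD` pair that the publish.yml `env:` hunk also removed is not re-added in any shown hunk; unless the Gradle build reads Sonatype credentials from another source, `publishToSonatype` will run unauthenticated. If they are needed, add `PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}` and `PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}` to the same `env:` block, mirroring the old secret names. Steps between the job's checkout and this publish step are outside the shown hunks.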
@@ -41,6 +41,18 @@ jobs: # not a prerelease if: ${{ !contains(github.ref_name,'-') }} steps: + - name: Checkout Repo + uses: actions/checkout@v4 + + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b + - name: Install pulumictl uses: jaxxstorm/action-install-gh-release@v1.11.0 with: @@ -48,5 +60,5 @@ jobs: - name: Dispatch Event run: pulumictl create docs-build pulumi-azure-native ${{ github.ref_name }} env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} name: dispatch_docs_build diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml index 6d1e9710470d..8e6acb284648 100644 --- a/.github/workflows/version.yml +++ b/.github/workflows/version.yml @@ -7,8 +7,6 @@ on: description: Calculated version value: ${{ jobs.version.outputs.version }} -env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} jobs: version: @@ -18,5 +16,7 @@ jobs: - id: version name: Calculate build version uses: pulumi/provider-version-action@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} outputs: version: ${{ steps.version.outputs.VERSION }} diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml index 7735f88b0442..7e854508a404 100644 --- a/.github/workflows/weekly-pulumi-update.yml +++ b/.github/workflows/weekly-pulumi-update.yml @@ -6,9 +6,7 @@ on: workflow_dispatch: {} env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PROVIDER_VERSION: 3.0.0-alpha.0+dev 
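Review bot: The `Checkout Repo` step added in release.yml ahead of the fetch step does not appear to be needed: as configured, pulumi/esc-action is driven entirely by its `env:` values, `pulumictl` is installed from a GitHub release, and `Dispatch Event` takes its arguments from `github.ref_name`, so nothing in the job reads the workspace. Dropping the checkout keeps the job faster and avoids placing the repository contents and a persisted token into a job that only fires a dispatch. The job header is outside the hunk; it must carry `id-token: write` for the OIDC exchange, which is not visible here.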
@@ -16,6 +14,7 @@ jobs: weekly-pulumi-update: # Use a more powerful runner to fix pulumi/pulumi-azure-native#2768 runs-on: pulumi-ubuntu-8core + permissions: write-all steps: - name: Checkout Repo uses: actions/checkout@v4 @@ -23,6 +22,14 @@ jobs: submodules: true # We need a full checkout so we can push commits back fetch-depth: 0 + - env: + ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }} + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Install Languages & Frameworks uses: ./.github/actions/install - name: Update Pulumi/Pulumi @@ -72,12 +79,12 @@ jobs: source_branch: update-pulumi/${{ github.run_id }}-${{ github.run_number }} destination_branch: master pr_title: Automated Pulumi/Pulumi upgrade - github_token: ${{ secrets.PULUMI_BOT_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} env: - GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} - name: Set AutoMerge if: steps.create-pr.outputs.has_changed_files run: gh pr merge ${{ steps.create-pr.outputs.pr_number }} --squash --auto --repo ${{ github.repository }} env: - GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} + GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} name: weekly-pulumi-update
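Review bot: `permissions: write-all` on weekly-pulumi-update grants every scope of the GITHUB_TOKEN (packages, actions, deployments, security-events and more) when the job visibly needs only two: `id-token: write` for the fetch step and `contents: write` for pushing the update commits, with PR creation and auto-merge already using `PULUMI_BOT_TOKEN`. Replace it with the same scoped block nightly-sdk-generation.yml uses earlier in this diff: `permissions:` / `contents: write # For pushing commits.` / `id-token: write # For ESC secrets.`.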