Adds Pulumi ESC + GitHub Actions integrations page #12419
Conversation
|
Your site preview for commit f4a6dbb is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-12419-f4a6dbb6.s3-website.us-west-2.amazonaws.com. |
|
|
||
| Using Pulumi Infrastructure as Code (IaC) with GHA? See the next section to see how to leverage Pulumi ESC alongside. | ||
|
|
||
| ## Manage credentials for the [Pulumi CLI Action](https://github.com/marketplace/actions/pulumi-cli-action#pulumi-github-actions) |
There was a problem hiding this comment.
This is where the 'tutorial' part starts, I'd suggest we add this to a new tutorial vs the ref doc.
There was a problem hiding this comment.
@interurban - can we ship this version and break out the tutorial once one is written? Trying to avoid increasing scope on this specific deliverable (docs to match the workshop we're already running).
| @@ -0,0 +1,221 @@ | |||
| --- | |||
| title_tag: Integrate with GitHub Actions | Pulumi ESC | |||
There was a problem hiding this comment.
There is more than one way to do this (like our new auth-actions and OIDC trust), as well as other integrations (like setting environment variables, not just using in Pulumi IaC. Should we have multiple flavors of this doc?
There was a problem hiding this comment.
@cleverguy25 - the scope of this initial commit is to add docs to match the workshop that we're running next week. I suspect that we'll want to add sections for these alternative options but will defer to @interurban on how he wants to staff/deliver those additional docs.
There was a problem hiding this comment.
@cleverguy25 @interurban I ended up filing #12503 to track these suggestions.
Co-authored-by: isaac-pulumi <59850911+isaac-pulumi@users.noreply.github.com>
|
Your site preview for commit c35643d is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-12419-c35643d9.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit 6d3da23 is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-12419-6d3da23e.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit bc9dc0e is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-12419-bc9dc0ef.s3-website.us-west-2.amazonaws.com. |
|
This page is initially meant only to cover the use cases that are part of the advanced CI/CD workshop as highlighted in the PR description above. Please add additional ESC+GHA use cases, under this issue. |
| ## Log in to your GitHub account | ||
|
|
||
| ESC enables you to log into your GitHub account using credentials stored in an ESC Environment. This allows you to programmatically log in to your GitHub account from your terminal without having to locally store your personal access token. | ||
|
|
||
| Note, that a fine-grained GitHub personal access token is required. Follow the [GitHub instructions](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) to create one. | ||
|
|
||
| ### Create an ESC Environment | ||
|
|
||
| Use the Pulumi ESC CLI to create and configure an Environment. Alternatively, follow the [Pulumi Cloud console instructions](https://www.pulumi.com/docs/esc/get-started/create-environment/#create-via-the-console). | ||
|
|
||
| ```bash | ||
| # ensure you're logged in | ||
| $ esc login | ||
| # Logged in to pulumi.com as ... | ||
|
|
||
| # create a new ESC Environment | ||
| $ ESC_ENV=my-gh-login | ||
| $ esc env init ${ESC_ENV} | ||
| # Environment created. | ||
| ``` | ||
|
|
||
| Add your fine-grained GitHub personal access token to the Environment. | ||
|
|
||
| ```bash | ||
| # Replace github_pat_123abc with your valid token | ||
| $ esc env set ${ESC_ENV} files.GH_PAT github_pat_123abc --secret | ||
| ``` | ||
|
|
||
| Note: the GitHub token is declared as a `secret`. Once the Environment is saved, Pulumi will encrypt its value and replace it with ciphertext. | ||
|
|
||
| Now that the Pulumi ESC Environment is created, it can be consumed in a variety of ways, such as running other shell commands without having to set the environment variables locally first. | ||
|
|
||
| ### Use ESC with `gh login` | ||
|
|
||
| The `esc run` command opens the Environment you previously created, sets the specified environment variables into a temporary environment, and then uses those environment variables in the context of the `gh` commands. | ||
|
|
||
| Log into your GitHub account without needing to manage the credentials locally. | ||
|
|
||
| ```bash | ||
| # ensure you're currently not logged in | ||
| $ gh auth logout | ||
|
|
||
| # retrieve the esc environment, and | ||
| # authenticate programmatically against github.com | ||
| $ ESC_ENV=my-gh-login | ||
| $ esc run -i ${ESC_ENV} -- sh -c 'gh auth login --with-token < $GH_PAT' | ||
|
|
||
| # confirm you're now logged in | ||
| $ gh auth status | ||
| # github.com | ||
| # ✓ Logged in to github.com account desteves (keyring) | ||
| # - Active account: true | ||
| # - Git operations protocol: https | ||
| # - Token: github_pat_11AAW2NYI0gtUYVcFfShHL_*** | ||
| ``` | ||
|
|
||
| For additional options and details, see `esc run --help`. | ||
|
|
||
| Using Pulumi Infrastructure as Code (IaC) with GitHub Actions? The next section demonstrates Pulumi ESC alongside Pulumi IaC deployments. |
There was a problem hiding this comment.
I'm a little confused about the focus of this page. The title implies that this is about integrating ESC with Github Actions - but these sections don't have anything to do with that. They appear to be about using ESC to log in to the gh CLI?
There was a problem hiding this comment.
Hey Komal, thank you for looking at this. There is a separate issue to track additional ESC with GitHub Actions use cases on this page. The initial scope is to cover the gh cli example you mentioned as well as integrate our Pulumi GH Action + ESC. The later example is more on par with the page title. The goal is to publish these initial use cases for the recent GitHub + Pulumi workshop and add more cases after PulumiUp.
…reflow and describe the examples more clearly
|
Your site preview for commit 146a7dd is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-12419-146a7dd8.s3-website.us-west-2.amazonaws.com. |
|
Your site preview for commit 146a7dd is ready! 🎉 http://www-testing-pulumi-docs-origin-pr-12419-146a7dd8.s3-website.us-west-2.amazonaws.com. |
Proposed changes